This is simply not true. I've been using unsigned extensions for years. You drag-drop a zip file into the extensions window and it will let you install it.
I looked at this just a few months as I have a few extensions with some very me-specific stuff that I don't really need/want to distribute – it's just not going to be useful for anyone except me. I couldn't find a good way to permanently install an unsigned or self-signed extension.
You can temporarily add unsigned extensions in about:debugging, but those are lost on restarts, which is pretty annoying. I used this for a while until I got fed up and tried to find a better way.
"Unbranded" Firefox builds allow adding unsigned extensions, but then I need to either 1) compile my own Firefox, or 2) Use "Firefox Developer Edition", which is mostly just the same as regular Firefox but based on beta versions (I'd rather just use release versions). Neither really appeals to me.
So my solution now is to just create "unlisted" extensions and sign them with the web-ext CLI. It works and it's not entirely horrible, but it's a lot more hassle than I'd like.
And the requirement for extensions to be signed is fine; I have no problem with that. But it should allow adding my own signing key. Or something.
I kind of get why Mozilla is so restrictive about this; with banking and credit card stuff and whatnot all being browser-based, adding an extension is basically giving the keys to the castle. I can see some support scammer instructing someone to add some malicious signing key. But there does need to be some limit to how much we protect people from themselves, because at some point you just start making life hard for regular users.
> So my solution now is to just create "unlisted" extensions and sign them with the web-ext CLI. It works and it's not entirely horrible, but it's a lot more hassle than I'd like.
Wait. web-ext allows the signing of arbitrary extensions without review? Wouldn't that defeat the purpose Mozilla is sacrificing technical users for?
While I didn't come across web-ext, I also tried my hand at working around firefox's limitations for my own extensions, but eventually decided it would be easier to give up and switch to a chrome-based browser instead. To this day, I still don't understand the "significant" threat that Mozilla sees (and other browser vendors apparently don't) that warrants such heavy-handed Apple-esque control over their users' ability to control their browser. Whatever it is, I no longer care.
> web-ext allows the signing of arbitrary extensions without review? Wouldn't that defeat the purpose Mozilla is sacrificing technical users for?
It takes about ten minutes to sign, and only seems like it uses automatic checks. I do get an email that "any extension may be reviewed by a human at any time".
I don't know if it matters that it's unlisted, or that they're all very simple extensions with very limited permissions. I'm not an expert on any of this and I've never published a public extension; I just have a few for my own use. But it does seem that they apply some heuristic to determine what is worth reviewing and what isn't.
> To this day, I still don't understand the "significant" threat that Mozilla sees (and other browser vendors apparently don't) that warrants such heavy-handed Apple-esque control over their users' ability to control their browser.
There are support scammers and such that will phone you with "hi, we are from Microsoft support to help you. You need to go to h4xx0r.ru to install an extension to protect your computer".
There are other ways of doing this of course, but an extension is a simple abd easy way.
I don't really know how to best solve this. I agree with your dislike of the current heavy-handed approach without escape hatch. But I also think the concerns are real, and you're being a bit too dismissive about that.
Given that 90% of normal people use browsers that don't have this restriction, I don't think Mozilla's threat model makes sense. Also, users who are susceptible to being tricked into installing an addon can just as easily be tricked into going to bank.com.h4xx0r.ru, editing hosts file, changing DNS settings, or even installing chrome or a different browser.
Franky, I don't think this move is motivated by security concerns at all. (Not that it matters anymore)
You must be using either the Developer Edition, ESR, nightly or some unbranded version. Vanilla Firefox doesn’t allow to install unsigned extensions permanently.
