Firefox 48 and Unsigned Add-ons
Firefox 48.0 was released. That means the Mozilla developers no longer allow unsigned add-ons.
This is one of those policies with the proverbial road to Hell being paved with good intentions. Conflict arises when people become self-appointed nannies rather than treat others with respect.
Should installing unsigned add-ons be cumbersome? Sure, why not. Impossible? No. Let users decide.
I believe there never was a real problem with alleged rogue add-ons and the requirements for signing is mostly soap opera drama.
Then again, I do not use Windows, where perhaps that kind of thing might actually occur more often. If so, then perhaps only Firefox Windows should be restricted.
I have been using
xpinstall.signatures.required=false since the whole signing nonsense started.
I install all extensions in the Firefox system directory. That is, add-ons are global. This simplifies my administration as the extensions are available to all user accounts on any computer in my LAN.
With this approach Firefox would not validate the Neo Diggler extension when installed in the Firefox system directory. I discovered I long ago had installed the extension expanded rather than as an archived xpi file. I reinstalled the extension and the proverbial Hell broke loose. Firefox would not recognize the extension at all and fully disabled the extension.
Eventually I resolved the problem by adding the following preference:
Strange that the somebody took time to get the add-on signed but not update the compatibility information.
I use NewsFox. I unzip the xpi container into individual files to modify the css files. The default fonts are too small for my readability comfort. The problem with my modifications is Firefox will not validate the NewsFox extension with the modified files. I was stuck with tiny fonts, an epidemic among software developers.
Eventually a combination of fiddling with Firefox minimum font sizes, NoSquint Plus, and a custom userContent.css got me sufficiently close to what I wanted.
Simple font size controls in NewsFox would be so much saner and pleasant.
On the living room media player I use the original keyconfig add-on as part of a way to prevent users from modifying Firefox. I treat the media player as an appliance and keep the desktop and apps locked, including the Firefox interface. The original add-on works fine in Firefox but without being signed is now useless. I found a replacement add-on. The add-on is supposed to be a drop-in replacement for the original add-on. There remains my wasting time testing the new add-on to ensure my original usage intent is satisfied.
With 48.0 I expected to lose an extension called FirstField. I have been using this extension since about Firefox 1.0. The extension provides me a
Alt+I. With a dozen years or more of using the FirstField add-on I will stumble for a while remapping my memory muscle to the new shortcut.
Long-term solutions? Currently I am not screaming or hollering over lost extensions. I seem to have escaped that predicament. For now.
Otherwise the ESR version could be an option. Theoretically the ESR version is less secure than the mainline version because not all security patches are backported to the ESR version. Conversely, ESR seems sufficient for IT professionals in the enterprise. Important to the topic of signed extension enforcement, my understanding is ESR builds will default to enforcing signatures but always will support disabling enforcement. I would need to write an install script wrapper because ESR is not supported in the Ubuntu ecosystem, not even in a PPA. I would want to automate downloading and creating packages. Not a big deal but irksome. As I use Slackware and Ubuntu MATE, I could modify a Slackware build script to provide a package for both systems. As I would be installing outside of the Debian/Ubuntu package management, a tgz file is sufficient.
Another option is using a developer version, but that comes with additional overhead and a different end user focus in terms of unneeded features.
Another option might be unbranded releases, although that too requires me to write that wrapper script and requires sleuthing through the Mozilla web site to find the appropriate file.
Another option proved futile. Installing unsigned non Mozilla extensions in /usr/lib/firefox/browser/features does not succeed. This is where Mozilla developers install internal extensions — those packaged with Firefox. I tried installing the FirstField extension there but to no avail.
Enforcing extension signatures should be ignored for any extension installed in the Firefox system directory. In Linux at least, files there cannot be manipulated without admin privileges. Such files should be presumed safe. This seems to be the presumption with extensions prepackaged with Firefox by the Mozilla developers. They seem to trust themselves.
Would be nice if the developers treated users with respect.
Even in the dismal world of Windows where most users run with admin privileges, a User Account Control (UAC) mechanism exists to get users to think before installing software.
The usability footprint here is the time wasted finding and testing replacement add-ons, not to mention the irritant factor.
Good intentions, perhaps, but this add-ons policy is bullying. I have no idea how enterprise administrators are coping with their internal private extensions. Perhaps they all are using the ESR version.
Captain: You gonna get used to wearin’ them chains afer a while, Luke. Don’t you never stop listenin’ to them clinking. ‘Cause they gonna remind you of what I been saying. For your own good.
Cool Hand Luke: Wish you'd stop being so good to me, Captain.