Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

How To Override The Firefox Add-on Signing Requirement

vissha

By vissha
in Guides & Tutorials

Recommended Posts

vissha

vissha

Posted
Posted

How To Override The Firefox Add-on Signing Requirement

 

Find out how to override the add-on signing enforcement in Firefox Stable and Beta versions to install unsigned add-ons in those web browsers.

 

The following guide walks you through the steps of overriding the add-on signing enforcement in Firefox Stable and Beta. You will be able to install unsigned add-ons in Firefox version where this should not be possible afterwards.

 

Mozilla implemented the add-on signing security feature in Firefox some time ago, and made it mandatory in Firefox 48 for the Stable and Beta channel.

 

This means that Firefox users who run Stable or Beta versions of the browser can only install signed add-ons in the browser.

 

All add-ons submitted to Mozilla's main add-on repository are signed, but that is not necessarily the case for add-ons distributed through other channels.

 

Add-ons provided by applications, security software comes to mind, on development platforms like Github, and old add-ons that are not in development anymore, may not be signed. These add-ons cannot be installed in Firefox Stable or Beta in that case.

 

Override the Firefox Add-on Signing enforcement

 

The method requires that you create two new files and place them in the main Firefox installation / run folder.

 

Step 1: Create config.js file

 

firefox-override-add-on-signing.png

 

  • Create a config.js file first. You can do so on Windows by right-clicking on the desktop and selecting New > Text Document.
  • Leave the name for the time being, and open the text document afterwards by double-clicking on it.
  • Paste the following code into the document: 
    //
try {
Components.utils.import("resource://gre/modules/addons/XPIProvider.jsm", {})
.eval("SIGNED_TYPES.clear()");
}
catch(ex) {}

     

  • Save the document afterwards.
  • Right-click on it, and select rename.
  • Name it config.js. Make sure it is called config.js and not config.js.txt.
  • Move the config.js file in the Firefox installation folder.
  • On Windows, this is either C:\Program Files\Mozilla Firefox\ or C:\Program Files (x86)\Mozilla Firefox\.
  • On Linux, it is /usr/lib/firefox-<version> or /usr/lib64/firefox-<version>
  • On Mac, it is /Applications/Firefox.app

Please note that you are free to select any installation directory, and that you may run Firefox as a portable program as well. Adjust the program path accordingly. Make sure you place the file in the root program folder of Firefox.

 

Step 2:  Create config-prefs.js

 

firefox-bypass-add-on-signing.png

 

  • Create a second text document on the desktop and open it afterwards in an editor.
  • Paste the following lines into it: 
    pref("general.config.obscure_value", 0);
pref("general.config.filename", "config.js");

     

  • Rename the file to config-prefs.js.
  • Move the file into the defaults\pref folder of the Firefox program folder, e.g. C:\Program Files\Mozilla Firefox\defaults\pref

Restart Firefox.

 

Step 3: Install unsigned add-ons in Firefox Stable or Beta.

 

Once done, you may once again install any add-on, signed or unsigned, in Firefox Stable or Beta just like before.

 

What happens in the background

 

firefox-signed-types.png

 

You are probably wondering what the few lines of code do, and whether it is save or dangerous.

 

Without going into too many details, here is what is happening:

 

The first bits of code, those added to the config.js file, load one of Firefox's configuration files to and removes information from the Signed_Types constant in that file. It so happens that this constant defines the types of add-ons and extensions that need to be signed for be installed.

 

You may remember that some extensions, themes for instance, don't need to be signed. So, the code clears the constant from all types of add-ons so that none requires signing.

 

The preferences in the second file tell Firefox to load the config.js file on start.

 

Closing Words

 

The method removes the add-on signing enforcement in Firefox. It is rather surprising that it is this easy, considering that one of the main arguments for enforcing add-on signing is security.

 

Thanks to Howard and Michel who notified me about the trick.

 

Source

Link to comment
Share on other sites
  • Replies 3
  • Views 1.6k
  • Created
  • Last Reply
straycat19

straycat19

Posted
Posted
18 hours ago, vissha said:

How To Override The Firefox Add-on Signing Requirement

 

Seems like a lot of work when you only need to change the preference 'xpinstall.signatures.required' to false in the Firefox Configuration Editor (about:config page).

Link to comment
Share on other sites
worldsdream

worldsdream

Posted
Posted
1 hour ago, straycat19 said:

 

Seems like a lot of work when you only need to change the preference 'xpinstall.signatures.required' to false in the Firefox Configuration Editor (about:config page).

That did not work in firefox stable version

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...