Clarification on MV3 add-on signing and Firefox versions <128 (shows “corrupt” error)

Hi everyone,

I’m trying to confirm my understanding of recent signing changes for WebExtensions:

All Firefox add-ons (MV2 and MV3) must be signed by Mozilla via AMO (listed or unlisted).

Starting with the Firefox 128 release, Mozilla switched to a new signing certificate chain.

As a result, regular Firefox builds 116–127 no longer accept newly signed .xpi files and show “The add-on downloaded from this site could not be installed because it appears to be corrupt”.

Meanwhile, Firefox 115 ESR still accepts these signatures (and will be supported until Sept 2024), while Firefox 128+ uses the new signature format and installs fine.

That seems to mean there’s no supported way to get a newly signed MV3 add-on working on old release versions below 128 — unless one uses Developer/Nightly builds (with xpinstall.signatures.required = false) or enterprise policies on ESR.

My questions:

  1. Is my understanding correct that there’s no supported path to distribute a newly signed MV3 .xpi that will install on standard Firefox releases prior to 128?

  2. For enterprises, am I correct that the only maintained ESR lines are 115 ESR (until September 2024) and 128 ESR onward — there is no “116 ESR” or similar?

  3. If we need to support users on older releases (e.g. 116–127), is the official guidance simply to have them update, or are there any sanctioned alternatives?

Thanks in advance for clarifying!

See this article for more info:

But basically, all “Firefox supported” versions received the updated certificate, so they can install add-ons.

This includes Firefox ESR 115 (the latest one), Firefox ESR 128, Firefox ESR 140, and newer.

Note that Firefox ESR 128 will be replaced (auto-updated) by version 140 in a few weeks (16th September):

This means that even Firefox ESR 128 will become “unsupported” by Firefox, because it won’t receive any more (security) updates.

From the security point of view, you shouldn’t encourage users to use unsupported versions of Firefox. So 3 weeks from now, you should ideally target Firefox ESR 140 and above.

But if you have a lot of users on Windows 7/8.1, then you could target Firefox ESR 115, which will be receiving security updates even next year:

But again, from the security point of view, these users are using an insecure OS that has been missing security updates for quite some time, so it’s in their best interest to upgrade.

That’s correct. More broadly, there’s no way to sign any add-on for use in older browsers.

You are correct that there’s no ESR 116. The currently supported ESR lines are 128 and 140. ESR 115 is only being extended for Windows 7, 8, and 8.1 (blog post). See the following documentation links for more background on the ESR release cycle and landing process.

To my knowledge the only supported versions of Firefox are the current major version (142) and the only supported versions of Firefox Extended Support release are the current major version (140), previous major version (128), and the previously mentioned 115 line for older versions of Windows (whattrainisitnow.com). I’d strongly recommend that everyone use a supported browser and install point release updates as soon as possible.

While AMO engineers do their best to maintain backwards compatibility with older browsers, the limitations of old releases may prevent that in some cases. The root certificate expiration you mentioned is one such case.

Given these limitations, I’d strongly recommend extension developers avoid guaranteeing that their products support Firefox releases that are not officially supported by Mozilla.

Just set xpinstall.signatures.required to false, upload the source code to GitHub or GitLab where people can read the source code for themselves and install the extension locally, and be done with the Web extension signing thing.

@guest271314, it sounds like @Nitesh_Meena is working with clients that use standard release versions of Firefox, in which case they can’t change that config flag.