Mozilla Connect

superkuh · ‎03-12-2025

Recently Firefox has been approaching the date when expiration of CA TLS certs will break much of the browser's functionality for many users. https://support.mozilla.org/en-US/questions/1468274 . This is caused by the baking-in of CA TLS certs for the add-ons site (and DRM? And ...?). CA TLS certs have an inherently short lifetime and consideration should be made for the ability to replace/update them when they expire as is done in other parts of Firefox.

We can't go back and fix the past so the problems above cannot really be fixed (except by providing unbranded builds of older versions, which should also happen). But we can avoid these inevitable issues in the future. CA TLS certs should be made replaceable. Is there any reason why this is not the case?

As it is now, without changing this, Firefox becomes shareware/trialware of a sort with a built in limited lifetime.

p.s. locking the public facing thread for policy discussion on the topic on the blog post 2 days before it happens could be interpreted as a sleezy move. Effectively no one will read *this* thread.

superkuh · ‎03-14-2025

Someone found the actual problem and how it can be fixed in both pre-existing Firefox installs and future Firefox releases if the changes, https://rentry.org/disableaddonsigning

Basically, unpacking omni.ja and editing the code therein.

In AppConstants.jsm, I've changed from true
MOZ_REQUIRE_SIGNING:
//@line 287 "$SRCDIR/toolkit/modules/AppConstants.jsm"
false,
//@line 291 "$SRCDIR/toolkit/modules/AppConstants.jsm"

to false,
MOZ_ALLOW_ADDON_SIDELOAD: to true

in modules\addons\XPIDatabase.json:
/**

* Returns true if signing is required for the given add-on type.
*

* @Param {string} aType

* The add-on type to check.

* @returns {boolean}
*/
mustSign(aType) {
return false;

Very cool.

Mozilla Connect

Baked-in CA TLS certs: a bad idea. Policy proposal/debate to not do it.