Signing XUL-based add-on for Firefox

Question

Is it possible to sign an add-on based on XUL for Firefox, or signing only possible with the new SDK?

Answer 1

All extensions, be they Overlay, Restartless/Bootstrapped, Add-on SDK, or the new WebExtensions API based extensions, can be signed.

It used to be that individual extension authors could choose to sign their extension themselves. As of some time ago, Mozilla changed their policy to be that all extensions must be submitted to AMO and signed by Mozilla. Specifically, they say:

Mozilla will begin requiring all extensions to be signed in order for them to be installable in Release and Beta versions of Firefox. Signing will be done through addons.mozilla.org (AMO) and will be mandatory for all extensions, regardless of where they are hosted.

As of Firefox 40, the user is warned about any extension that is not signed by Mozilla.

As of Firefox 43 the default is that unsigned extensions will not be permitted to be installed. However, a preference, (xpinstall.signatures.required in about:config), can be set to false to permit them to be installed.

Mozilla has stated, in more than one location, that as of Firefox 44 extensions must be signed to be installed in the release or beta versions of Firefox. However, contrary to what Mozilla has stated, in Firefox 44.0b1 (beta 1) setting xpinstall.signatures.required to false still permits unsigned extensions to be installed and operational (tested with FF 44.0b1 x64 on Win7x64).

Alternatives for development or extensions not listed on AMO:
The Firefox Developer Edition and Nightly builds will not require extensions to be signed.

For Fully Reviewed add-ons, the add-on's beta channel will be immediately signed without any manual review if they pass automatic validation.

For add-ons not listed on AMO, Mozilla will sign the add-on immediately as long as it passes an automatic code validator with no errors (warnings are OK).

Mozilla has released (more detail) an add-on signing API. This API permits you to programmatically submit an add-on (.xpi file, or Add-on SDK code) to be signed and receive back the signed add-on as long as it passes the automatic code validator with no errors (warnings are OK).

Mozilla has stated in various places that there will be unbranded versions of Firefox (beta and release) which permit installing unsigned add-ons. However, there has been no further information on this. With the release of the signing API, it appears less likely that Mozilla will follow through and actually make such unbranded versions available.