The plan is to turn this on around June 15th for Firefox 40 and later versions, that means an uplift to aurora at least.

Not planning on landing yet but might as well have the patch ready to go whenever we want.

Looks good for Firefox, but I thought we were not going to require signing on mobile at this point. Larissa, what's the plan for Fennec?

The plan changed recently and we're getting it for android too, see bug 1168570 and dependencies

yes, we're doing this for android as discussed.

Comment on attachment 8613559 [details] [diff] [review] patch r=dveditz

We're no longer tracking this for Firefox 40.

I only landed the pref change for Firefox not mobile since AMO hasn't yet enabled signing for mobile only add-ons.

Comment on attachment 8641751 [details] [diff] [review] patch Per the signed add-ons meeting we want to enable this on aurora and hopefully have the ride to beta at the next merge. Approval Request Comment [Feature/regressing bug #]: Signed add-ons [User impact if declined]: Users will be able to use unsigned add-ons by default [Describe test coverage new/current, TreeHerder]: Automated tests for signed add-ons have been in nightly for a couple of months [Risks and why]: This will disable add-ons not hosted on AMO that have yet to be signed [String/UUID change made/needed]: None

Comment on attachment 8641751 [details] [diff] [review] patch Let's turn on Add-ons signing to required by default in Aurora. End-users can pref-off if they'd like.

Tracked for FF41.

Dave, do you think this is something we need to add to FF41 release notes? If yes, please nominate by setting relnote-firefox -> "?" and filling out suggested wording, etc. Thanks!

(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #14) > https://hg.mozilla.org/releases/mozilla-aurora/rev/2ea47c7ed4e3 I think yes but I'm going to defer to Kev on wording. Release Note Request (optional, but appreciated) [Why is this notable]: Some user's add-ons will be disabled by default [Suggested wording]: Add-ons that haven't been verified by Mozilla will be disabled by default. [Links (documentation, blog post, etc)]: https://support.mozilla.org/en-US/kb/add-ons-signing-firefox?as=u&utm_source=inproduct

Like Dave's wording, would also add link to how to pref it off. Release Note Request (optional, but appreciated) [Why is this notable]: Some user's add-ons will be disabled by default [Suggested wording]: Type 2 Add-ons (Extensions) that have not been verified by Mozilla will be disabled by default. Users can re-enable unverified addons by setting xpinstall.signatures.required to "false". Future versions of Firefox will remove this preference. [Links (documentation, blog post, etc)]: https://support.mozilla.org/en-US/kb/add-ons-signing-firefox?as=u&utm_source=inproduct

The "Target Milestone" says 42 while the tracking flags says 41. Which one if the correct one? Thanks

(In reply to Sylvestre Ledru [:sylvestre] from comment #17) > The "Target Milestone" says 42 while the tracking flags says 41. Which one > if the correct one? Thanks It landed in Nightly 42 and was uplifted to 41, so the target milestone is correct unless we've changed what that means

Added relnote to FF41 in nucleus. I've trimmed the suggested wording as release notes are typically one-liners with links for further reading.

Pref xpinstall.signatures.required is set to true by default in Firefox 42.0a2 (2015-08-20) and Firefox 41 beta 3 (20150820142145). Verified fixed under Ubuntu 14.04 32-bit, Windows 7 64-bit and Mac OS X 10.10.4.