
Those still would have their certificates checked on installation.

And honestly, I think it is security theater to attempt to defend against attackers on the same or higher privilege level. If Microsoft wants to force something down your throat on Windows then there's not much you can do.

The problem is that Mozilla turns the failures of others into their own problem and then they try to fix it themselves. That scope and responsibility creep leads us to the fallout we're seeing now.




> Those still would have their certificates checked on installation.

How? These extensions were not being installed through the normal mechanism. The malicious extension installer will just set the flag that says "this extension has been verified".

> And honestly, I think it is security theater to attempt to defend against attackers on the same or higher privilege level.

I understand that, and Mozilla does too: "By baking the signing requirement into the executable these programs will either have to submit to our review process or take the blatant malware step of replacing or altering Firefox." [1]

[1] https://blog.mozilla.org/addons/2015/04/15/the-case-for-exte...


But that's the point. Either the installer does something malicious or it doesn't. If it does you lost the game. If it doesn't then a simple check is sufficient. Everything else is security theater which makes life worse for everyone.

Also, they could still run the verification and prompt the user instead of just forcing the decision.


I don't think that's necessarily true. After all, the policy is effective against undesirable-but-not-malicious extensions. Before signature verification I had extensions installed in Firefox that I didn't install; today I don't. [1]

And the clearly malicious action of modifying Firefox to disable signature verification can and should be flagged by anti-malware software, which runs at a higher privilege level.

[1] Putting aside for the moment the fact that most users now have no extensions installed due to the certificate expiration issue. No Firefox user, myself included, is happy about that.


> Before signature verification I had extensions installed in Firefox that I didn't install

... How?

I agree with the sibling poster; it sounds like you already lost.


I consider these to be mental acrobatics to find a position to justify wresting away any control from the user. It is not Mozilla's responsibility to attempt to protect the user from the very slim line of "effectively malicious but still somehow principled" malware; picking a nearby line of verifying once would be far less problematic.

If the user does not want that crap on their machine they should remove the origin instead. We would not have the current situation if Mozilla did not assume responsibility and control for problems outside their domain.

At least they could have made this opt-in by asking the user if they want an extra locked-down version of Firefox that might disable their addons if they are deemed malicious. Then the user could have made an informed choice.


On a typical Linux install, the Firefox binary is not writeable by a malicious extension installer that runs with user privileges. Thus baking the check into the binary fully protects the integrity.


Then overrides could also be made configurable as root.



