Couldn't those installers patch Firefox to remove the signing requirement? Or, if they don't get sufficient privileges to modify the executable, patch the user's Firefox process in memory?
Yeah, this might end up being just a salvo in a longer battle. But maybe part of the problem is that some of these malware authors are lying to themselves and believe they are just grayhat hackers, and once you start patching executables it becomes a bit clearer you are a blackhat. So far download.com isn't distributing actual rootkits. They could, of course. And yet still they probably won't.
Relatedly, I did notice when putting my own addon through the signing process that there was a checkbox specifically for sideloaded addons, with the implication that the checks would be even more stringent. I'm not sure if that's enforced or not, or how.