I think we're at the point where we need to ask, how the fsck supposedly "open browser" prohibits their own users from installing extensions they want to install? I mean, I get signing - if you want signing, you can use it. I even get the config option for enterprise setups, maybe - so if an org wants to standardize on Firefox and prohibit workers from installing unsigned extensions - fine. But when it comes to my own install, that's just bullshit.
It's a trade off between security for normies and power for technical users. I disagreed at the time (as an addon author) yet have come around to agreeing with the choice.
It's not IT. It's the "potentially unwanted software" installers they download. There's no way to distinguish a user installing an unsigned addon vs some malware doing so.
If you're already running an unverified third-party installer, your system is gone. There's nothing Firefox addon signing can do to save you at that moment. You are already at the "running arbitrary code" stage.
