Changing "xpinstall.signatures.required" to "false" will work on builds without MOZ_REQUIRE_SIGNING. This can be checking by going to resource://gre/modules/AppConstants.jsm and checking the value of MOZ_REQUIRE_SIGNING, if it is false, the signatures can be disabled with the above config.
Note it will not work on official mozilla builds. But it does on Debian.¹ There were a couple of upstream commits for working around the bug: https://hg.mozilla.org/releases/mozilla-beta/rev/d716b75b8ac3f4588061e720074c093dae08e43e https://hg.mozilla.org/releases/mozilla-beta/rev/f272348572e8160a73001b85013f35db51397064 although they later reverted them. The studies released by mozilla to fix this are: * hotfix-update-xpi-signing-intermediate-bug-1548973: https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi (sha256 b25031ac78020aad3be1fb8144cacbcf4a9b2d866585f066a577c10b835cd800, it's signed by mozilla like other xpis) * hotfix-reset-xpi-verification-timestamp-1548973 seems to be just a preference change for app.update.lastUpdateTime.xpi-signature-verification (in order to trigger a xpi recheck): "hotfix-reset-xpi-verification-timestamp-1548973": { "name": "hotfix-reset-xpi-verification-timestamp-1548973", "branch": "hotfix", "expired": false, "lastSeen": "2019-05-04T21:13:01.960Z", "preferenceName": "app.update.lastUpdateTime.xpi-signature-verification", "preferenceValue": 1556945257, "preferenceType": "integer", "previousPreferenceValue": 0, "preferenceBranchType": "user", "experimentType": "exp" }, Installing hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi manually also makes extension work on Debian. Disabled addons don't get reenabled, but resetting app.update.lastUpdateTime .xpi-signature-verification to an older value also makes them work again a little after restart. ¹ Also on Ubuntu, and probably on the rest of distros using a derivative package as well.
