As of Firefox 48, it's impossible to disable mandatory addon signature
verification without monkey patching Firefox or recompiling with
MOZ_REQUIRE_SIGNING unset. Personally, I find this unacceptable as the user
should always be in charge. It's also completely useless as any party powerful
enough to disable the signature verification in
about:config could just as
easily sideload a powerful (but signed) extension like greasemonkey and then
install a malicious greasemonkey script.
Rants aside, the correct solution (for the user) is to either recompile Firefox with mandatory signature verification disabled or use the Firefox Developer build. Unfortunately, Firefox is a monster and recompiling it just isn't a viable option for me (or anyone with a laptop). Also unfortunately, prepackaged Firefox binaries are missing some useful security features like PIE and dynamic libraries. Finally, the Firefox Developer build is a bit too bleeding edge for my taste (I would like my primary browser to be relatively bug free).
So, I've written a (disgusting) script that monkey patches Firefox's
to make signature verification optional again. I've only tested it on Arch Linux
but it should work on all unix-like systems. However, if your
omni.ja file is
/usr/lib/firefox/, you'll have to tell the script where to find it
NOTE: This script does not disable addon signature verification, only
makes it optional. To turn it off, you still need to set
xpinstall.signatures.required to false in
WARNING: This script updates the
omni.ja file IN PLACE (using sudo).
WARNING: Use at your own risk.