In this scenario, malware add-ons would be signed only for that particular Firefox installation.
Essentially, I am arguing that Firefox should let you create your own signing key pair (which would be valid only on that single Firefox installation) and sign any add-on using it.
It's a large enough hoop that most users would not jump over it, not least because they would not know what they're doing, but it would be there for those who need it and relinquish the central point of failure that is the AMO.
The current situation is basically the Secure Boot fiasco all over again.
