
I doubt Google has certificates that run out automatically. Rather, the best way is with each signing to include signing the date and not allow the certificate to expire retroactively.


All signing certificates expire. They must. It's a fundamental part of the security model, because otherwise a malicious actor could take an old, compromised cert and inject it into Firefox, allowing them to run malicious 'signed' addons. This attack would work the exact same way in Chrome, so Chrome will expire its certificates too.


Thanks for the explanation. Can you provide me with a link to learn more about how Google manages extension certs? I am interested in learning how their system differs from Firefox, if at all.


> All signing certificates expire. They must. It's a fundamental part of the security model

Is it really necessary? Aren't there other possible ways of invalidating a certificate other than its date?



