Liberte Linux has this nice tidbit on the website:
"Liberté Linux releases are signed with a designated PGP key (DSA-3072). During the build process, all downloaded files are automatically verified:" Emphasis mine.
Debian and Tor code is signed, Tail is signed too. But what about Firefox extensions? They aren't usually signed by the developer nor by Mozilla.
All authenticity is provided by the "https" of AMO. That's not really enough for someone like me to be comfortable with.
Do you audit them before putting them into tails or do you just trust AMO?
All non-custom iceweasel extensions currently shipped in Tails come from Debian. It has not always been the case, and our habit is to do our best with what upstream provides, and encourage them to do better; e.g. we suggested the HTTPS Everywhere authors to publish signed Git tags in the repository.