Firefox addon signing

drago01 drago01 at gmail.com
Thu Feb 12 11:47:27 UTC 2015


On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
<comzeradd at fedoraproject.org> wrote:
> On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike at cchtml.com>
> wrote:
>
> I'm sure those that need to know, know, but for those that haven't heard[1]
> Mozilla's official Firefox build will enforce addons to contain a Mozilla
> signature without any runtime option to disable the check. Initially this
> prevents Fedora packaged addons since they are unsigned. The Mozilla signing
> process takes time and can't be part of a package building process. Is
> Fedora going to get authorization to build Firefox with a runtime disable
> option?
>
>
> If the only way is to completely disable this feature, I'd prefer we don't.
> I wouldn't like for us to ship a less secure build of Firefox.

A better way would be to add a "Fedora Signature" in addition to
mozilla's and use that for packaged extensions.
But that would require work on the build system (koji) side.


More information about the devel mailing list