Firefox addon signing
Daniel P. Berrange
berrange at redhat.com
Thu Feb 12 12:53:27 UTC 2015
On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
> <comzeradd at fedoraproject.org> wrote:
> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike at cchtml.com>
> > wrote:
> >
> > I'm sure those that need to know, know, but for those that haven't heard[1]
> > Mozilla's official Firefox build will enforce addons to contain a Mozilla
> > signature without any runtime option to disable the check. Initially this
> > prevents Fedora packaged addons since they are unsigned. The Mozilla signing
> > process takes time and can't be part of a package building process. Is
> > Fedora going to get authorization to build Firefox with a runtime disable
> > option?
> >
> >
> > If the only way is to completely disable this feature, I'd prefer we don't.
> > I wouldn't like for us to ship a less secure build of Firefox.
>
> A better way would be to add a "Fedora Signature" in addition to
> mozilla's and use that for packaged extensions.
> But that would require work on the build system (koji) side.
The RPMs deploying the packaged extension are already signed and those
signatures are checked at time of package install. So it seems like
firefox merely needs to be taught that the pre-packaged extensions
deployed by RPM are pre-verified, so it can skip its verification
for those, while still doing verification for stuff that is live
downloaded
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the devel
mailing list