Firefox addon signing

Daniel P. Berrange berrange at
Thu Feb 12 12:53:27 UTC 2015

On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
> <comzeradd at> wrote:
> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike at>
> > wrote:
> >
> > I'm sure those that need to know, know, but for those that haven't heard[1]
> > Mozilla's official Firefox build will enforce addons to contain a Mozilla
> > signature without any runtime option to disable the check. Initially this
> > prevents Fedora packaged addons since they are unsigned. The Mozilla signing
> > process takes time and can't be part of a package building process. Is
> > Fedora going to get authorization to build Firefox with a runtime disable
> > option?
> >
> >
> > If the only way is to completely disable this feature, I'd prefer we don't.
> > I wouldn't like for us to ship a less secure build of Firefox.
> A better way would be to add a "Fedora Signature" in addition to
> mozilla's and use that for packaged extensions.
> But that would require work on the build system (koji) side.

The RPMs deploying the packaged extension are already signed and those
signatures are checked at time of package install. So it seems like
firefox merely needs to be taught that the pre-packaged extensions
deployed by RPM are pre-verified, so it can skip its verification
for those, while still doing verification for stuff that is live

|:      -o- :|
|:              -o-    :|
|:       -o- :|
|:       -o- :|

More information about the devel mailing list