Firefox addon signing
drago01 at gmail.com
Thu Feb 12 12:57:23 UTC 2015
On Thu, Feb 12, 2015 at 1:53 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
>> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
>> <comzeradd at fedoraproject.org> wrote:
>> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike at cchtml.com>
>> > wrote:
>> > > I'm sure those that need to know, know, but for those that haven't heard
>> > > Mozilla's official Firefox build will enforce addons to contain a Mozilla
>> > > signature without any runtime option to disable the check. Initially this
>> > > prevents Fedora packaged addons since they are unsigned. The Mozilla signing
>> > > process takes time and can't be part of a package building process. Is
>> > > Fedora going to get authorization to build Firefox with a runtime disable
>> > > option?
>> > If the only way is to completely disable this feature, I'd prefer we don't.
>> > I wouldn't like for us to ship a less secure build of Firefox.
>> A better way would be to add a "Fedora Signature" in addition to
>> Mozilla's and use that for packaged extensions.
>> But that would require work on the build system (koji) side.
> The RPMs deploying the packaged extension are already signed and those
> signatures are checked at time of package install. So it seems like
> Firefox merely needs to be taught that the pre-packaged extensions
> deployed by RPM are pre-verified, so it can skip its verification
> for those, while still doing verification for stuff that is live
Oh indeed. It is probably sufficient to just check the signature of
non-system-wide extensions.