Firefox addon signing

[drago01]

On Thu, Feb 12, 2015 at 1:53 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
>> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
>> <comzeradd at fedoraproject.org> wrote:
>> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike at cchtml.com>
>> > wrote:
>> >
>> > I'm sure those that need to know, know, but for those that haven't heard[1]
>> > Mozilla's official Firefox build will enforce addons to contain a Mozilla
>> > signature without any runtime option to disable the check. Initially this
>> > prevents Fedora packaged addons since they are unsigned. The Mozilla signing
>> > process takes time and can't be part of a package building process. Is
>> > Fedora going to get authorization to build Firefox with a runtime disable
>> > option?
>> >
>> >
>> > If the only way is to completely disable this feature, I'd prefer we don't.
>> > I wouldn't like for us to ship a less secure build of Firefox.
>>
>> A better way would be to add a "Fedora Signature" in addition to
>> mozilla's and use that for packaged extensions.
>> But that would require work on the build system (koji) side.
>
> The RPMs deploying the packaged extension are already signed and those
> signatures are checked at time of package install. So it seems like
> firefox merely needs to be taught that the pre-packaged extensions
> deployed by RPM are pre-verified, so it can skip its verification
> for those, while still doing verification for stuff that is live
> downloaded

Oh indeed. It is probably sufficient to just check the signature of
non system wide extensions.