Firefox addon signing
mitr at redhat.com
Thu Feb 12 14:16:04 UTC 2015
> On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> > A better way would be to add a "Fedora Signature" in addition to
> > mozilla's and use that for packaged extensions.
> > But that would require work on the build system (koji) side.
> The RPMs deploying the packaged extension are already signed and those
> signatures are checked at time of package install. So it seems like
> firefox merely needs to be taught that the pre-packaged extensions
> deployed by RPM are pre-verified, so it can skip its verification
> for those, while still doing verification for stuff that is live
Yes, that does seem like the most practical and reasonably secure way to handle this; it might make Mozilla unhappy anyway.
Firefox is really doing this to fight malware that has probably actually received (possibly unintended) permission from the user to install itself into the system, which often includes getting Administrator rights. So, to mirror that Mozilla intent exactly, even RPM-deployed extensions should require a Mozilla signature.
OTOH, once you give malware root rights, it can in principle modify Firefox to skip the check, so this is only a hurdle, not a reliable feature. Equally, verifying the RPM extension contents against the RPM database and checking the RPM signature would be useless because the malware can just add its key to the keys RPM uses for verification.
The Mozilla blog also mentions some “third option” for “extensions that will never be publicly distributed and will never leave an internal network”, presumably bypassing the need to have them signed by Mozilla. Could that be used by Fedora?