Firefox addon signing

Simo Sorce simo at redhat.com
Thu Feb 12 14:30:02 UTC 2015


On Thu, 2015-02-12 at 09:16 -0500, Miloslav Trmač wrote:
> > On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> > > A better way would be to add a "Fedora Signature" in addition to
> > > mozilla's and use that for packaged extensions.
> > > But that would require work on the build system (koji) side.
> > 
> > The RPMs deploying the packaged extension are already signed and those
> > signatures are checked at time of package install. So it seems like
> > firefox merely needs to be taught that the pre-packaged extensions
> > deployed by RPM are pre-verified, so it can skip its verification
> > for those, while still doing verification for stuff that is live
> > downloaded.
> 
> Yes, that does seem like the most practical and reasonably secure
> way to handle this; it might make Mozilla unhappy anyway.
> 
> Firefox is really doing this to fight malware that has probably
> actually received (possibly unintended) permission from the user to
> install itself into the system, which often includes getting
> Administrator rights.  So, to mirror that Mozilla intent exactly, even
> RPM-deployed extensions should require a Mozilla signature.
> 
> OTOH, once you give malware root rights, it can in principle modify
> Firefox to skip the check, so this is only a hurdle, not a reliable
> feature.  Equally, verifying the RPM extension contents against the
> RPM database and checking the RPM signature would be useless because
> the malware can just add its key to the keys RPM uses for
> verification.
> 
> The Mozilla blog also mentions some “third option” for “extensions
> that will never be publicly distributed and will never leave an
> internal network”, presumably bypassing the need to have them signed
> by Mozilla.  Could that be used by Fedora?

There is a forum/FAQ answer somewhere that they will provide a signing
server where you have to go through the same process as for normal
extensions, only you do not end up publishing them.

I am not convinced this is a good idea; some people may simply not want
to trust even Mozilla (they may have secrets stored in the extension or
something), so I think Mozilla should be smarter and allow people to
install their own signing keys, or simply exempt signature checking if
the extension is on disk. They should check on download only.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
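
The check discussed above (is an extension on disk owned by a signed, unmodified RPM, as opposed to a live download that needs its own verification?) written out as an added shell example. This is not code from the thread, from Fedora or from Mozilla; it assumes only the standard rpm(8) queries and takes the extension path as an argument (a Fedora-packaged extension would typically live under Firefox's system extensions directory, which is left to the caller). The second function makes Miloslav's caveat concrete: the keys rpm trusts are themselves rows in the rpm database, so a root-level attacker can simply add one.

```shell
#!/bin/sh
# Added example, not part of the original message.
# Classify a Firefox extension path by what the RPM database says about it.
# Return codes:
#   0 = owned by a signed RPM and unmodified on disk (treat as pre-verified)
#   1 = not owned by any installed RPM (treat like a live download)
#   2 = owned by an RPM, but that RPM is unsigned or its files were modified
#   3 = rpm(8) is not available on this system
check_packaged_extension() {
    ext_path=$1
    command -v rpm >/dev/null 2>&1 || return 3

    # Which installed package, if any, owns this path?
    # rpm -qf exits non-zero for unowned or nonexistent paths.
    pkg=$(rpm -qf "$ext_path" 2>/dev/null) || return 1
    [ -n "$pkg" ] || return 1

    # Was that package signed? rpm -qi prints "Signature   : (none)" for an
    # unsigned package and the algorithm/key id for a signed one.
    sig=$(rpm -qi "$pkg" 2>/dev/null | sed -n 's/^Signature *: *//p')
    case "$sig" in
        ''|'(none)') return 2 ;;
    esac

    # Do the installed files still match the digests, sizes, modes and owners
    # recorded at install time? rpm -V is silent and exits 0 when they do.
    rpm -V "$pkg" >/dev/null 2>&1 || return 2
    return 0
}

# The keys rpm will accept signatures from are ordinary database entries
# (pseudo-packages named gpg-pubkey). Anything running as root can import
# another one, which is why the check above is a hurdle, not a guarantee.
list_rpm_trusted_keys() {
    command -v rpm >/dev/null 2>&1 || return 3
    rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE} %{SUMMARY}\n'
}

# Usage: ./check-ext.sh /path/to/extension (prints the return code).
if [ -n "${1:-}" ]; then
    rc=0
    check_packaged_extension "$1" || rc=$?
    echo "rc=$rc"
fi
```

Note that the classification runs on the same host as the files it inspects, so it only distinguishes "installed by a package manager whose keys I already trust" from "dropped on disk by something else"; it does not defend against an attacker who already holds root, which is exactly the limitation the thread points out.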
