Firefox addon signing

Simo Sorce simo at
Thu Feb 12 15:53:05 UTC 2015

On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trma─Ź wrote:
> > or simply exempt signature checking if
> > the extension is on disk. They should check on download only.
> That would defeat the entire purpose; malware is very commonly sideloading extensions.

Malware can easily binary patch firefox to ignore verification, I do not
think trying to defeat sideloading with this kind of verification makes
much sense.
Of course you may decide to exempt only extensions in non-user-writable
locations, if you are on Linux and the Firefox binary is read-only for
the user.


Simo Sorce * Red Hat, Inc * New York

More information about the devel mailing list