Firefox addon signing
Simo Sorce
simo at redhat.com
Thu Feb 12 15:53:05 UTC 2015
On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
> > or simply exempt signature checking if
> > the extension is on disk. They should check on download only.
>
> That would defeat the entire purpose; malware is very commonly sideloading extensions.
Malware can easily binary patch firefox to ignore verification, I do not
think trying to defeat sideloading with this kind of verification makes
much sense.
Of course you may decide to exempt only extensions in non-user-writable
locations, if you are on Linux and the Firefox binary is read-only for
the user.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the devel
mailing list