Firefox addon signing

Simo Sorce simo at redhat.com
Thu Feb 12 15:53:05 UTC 2015


On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trma─Ź wrote:
> > or simply exempt signature checking if
> > the extension is on disk. They should check on download only.
> 
> That would defeat the entire purpose; malware is very commonly sideloading extensions.

Malware can easily binary patch firefox to ignore verification, I do not
think trying to defeat sideloading with this kind of verification makes
much sense.
Of course you may decide to exempt only extensions in non-user-writable
locations, if you are on Linux and the Firefox binary is read-only for
the user.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



More information about the devel mailing list