Firefox addon signing

Florian Weimer fweimer at redhat.com
Thu Feb 12 17:19:08 UTC 2015


On 02/12/2015 04:53 PM, Simo Sorce wrote:
> On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trma─Ź wrote:
>>> or simply exempt signature checking if
>>> the extension is on disk. They should check on download only.
>>
>> That would defeat the entire purpose; malware is very commonly sideloading extensions.
> 
> Malware can easily binary patch firefox to ignore verification,

Windows has Authenticode, which may change the equation somewhat.

> I do not
> think trying to defeat sideloading with this kind of verification makes
> much sense.

Maybe it is only about preventing people from bundling the official
Firefox version with dodgy add-ons.  Not downright malware, but things
users may not actually want without realizing it.  The signature
checking means that those who prepare the downloads can no longer use
the unmodified upstream binary.  Which in turn might force them not to
use Mozilla brands.

Maybe this is a bit far-fetched, but after hours of staring at other
people's code today, it seems pretty reasonable to me.

But what do add-on developers do?  Surely there is a way to disable this
somehow?

-- 
Florian Weimer / Red Hat Product Security


More information about the devel mailing list