On 02/12/2015 04:53 PM, Simo Sorce wrote:
> On Thu, 2015-02-12 at 09:54 -0500, Miloslav Trmač wrote:
>>> or simply exempt signature checking if
>>> the extension is on disk. They should check on download only.
>>
>> That would defeat the entire purpose; malware is very commonly sideloading
>> extensions.
>
> Malware can easily binary patch firefox to ignore verification,

Windows has Authenticode, which may change the equation somewhat.

> I do not
> think trying to defeat sideloading with this kind of verification makes
> much sense.

Maybe it is only about preventing people from bundling the official
Firefox version with dodgy add-ons. Not downright malware, but things
users may not actually want without realizing it. The signature
checking means that those who prepare the downloads can no longer use
the unmodified upstream binary. Which in turn might force them not to
use Mozilla brands.

Maybe this is a bit far-fetched, but after hours of staring at other
people's code today, it seems pretty reasonable to me.

But what do add-on developers do? Surely there is a way to disable this
somehow?

--
Florian Weimer / Red Hat Product Security