On Thu, Feb 12, 2015 at 1:53 PM, Daniel P. Berrange <berrange(a)redhat.com> wrote:
On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> On Thu, Feb 12, 2015 at 11:15 AM, Nikos Roussos
> <comzeradd(a)fedoraproject.org> wrote:
> > On Thu, Feb 12, 2015 at 6:30 AM, Michael Cronenworth <mike(a)cchtml.com>
> > wrote:
> >
> > I'm sure those that need to know, know, but for those that haven't
heard[1]
> > Mozilla's official Firefox build will enforce addons to contain a Mozilla
> > signature without any runtime option to disable the check. Initially this
> > prevents Fedora packaged addons since they are unsigned. The Mozilla signing
> > process takes time and can't be part of a package building process. Is
> > Fedora going to get authorization to build Firefox with a runtime disable
> > option?
> >
> >
> > If the only way is to completely disable this feature, I'd prefer we
don't.
> > I wouldn't like for us to ship a less secure build of Firefox.
>
> A better way would be to add a "Fedora Signature" in addition to
> mozilla's and use that for packaged extensions.
> But that would require work on the build system (koji) side.
The RPMs deploying the packaged extension are already signed and those
signatures are checked at time of package install. So it seems like
firefox merely needs to be taught that the pre-packaged extensions
deployed by RPM are pre-verified, so it can skip its verification
for those, while still doing verification for stuff that is live
downloaded
Oh indeed. It is probably sufficient to just check the signature of
non system wide extensions.