On Thu, 2015-02-12 at 09:16 -0500, Miloslav Trmač wrote:
> On Thu, Feb 12, 2015 at 12:47:27PM +0100, drago01 wrote:
> > A better way would be to add a "Fedora Signature" in addition to
> > mozilla's and use that for packaged extensions.
> > But that would require work on the build system (koji) side.
> The RPMs deploying the packaged extension are already signed and those
> signatures are checked at time of package install. So it seems like
> firefox merely needs to be taught that the pre-packaged extensions
> deployed by RPM are pre-verified, so it can skip its verification
> for those, while still doing verification for stuff that is live
> Yes, that does seem like the most practical way and reasonably secure
> way to handle this; it might make Mozilla unhappy anyway.
> Firefox is really doing this to fight malware that has probably
> actually received (possibly unintended) permission from the user to
> install itself into the system, which often includes getting
> Administrator rights. So, to mirror that Mozilla intent exactly, even
> RPM-deployed extensions should require a Mozilla signature.
> OTOH, once you give malware root rights, it can in principle modify
> Firefox to skip the check, so this is only a hurdle, not a reliable
> feature. Equally, verifying the RPM extension contents against the
> RPM database and checking the RPM signature would be useless because
> the malware can just add its key to the keys RPM uses for
> The Mozilla blog also mentions some “third option” for “extensions
> that will never be publicly distributed and will never leave an
> internal network”, presumably bypassing the need to have them signed
> by Mozilla. Could that be used by Fedora?
There is a forum/FAQ answer somewhere that they will provide a signing
server where you have to go through the same process as for normal
extensions, only you do not end up publishing them.
I am not convinced this is a good idea; some people may simply not want
to trust even Mozilla (they may have secrets stored in the extension or
something), so I think Mozilla should be smarter and allow people to
install their own signing keys, or simply exempt signature checking if
the extension is on disk. They should check on download only.
Simo Sorce * Red Hat, Inc * New York