FS#47432 - [firefox] Disable signature verification for globally installed extensions.
Attached to Project:
Arch Linux
Opened by Chih-Hsuan Yen (yan12125) - Friday, 18 December 2015, 09:51 GMT
Last edited by Evangelos Foutras (foutrelis) - Friday, 18 December 2015, 12:13 GMT
Details
Description:
Ref: https://bugs.archlinux.org/task/47395
Since Firefox 43, signature verification is enforced for stable and beta flavors. This change breaks some Firefox extension packages in the official repo and AUR. Here I have a patch that disables signature verification for global extensions, or extensions installed under /usr/lib/firefox/browser. Please consider including it.
Additional info:
extra/firefox 43.0-2
Steps to reproduce:
Closed by Evangelos Foutras (foutrelis)
Friday, 18 December 2015, 12:13 GMT
Reason for closing: Won't implement
Additional comments about closing: Packaged add-ons should be fixed to have signatures or dropped. (That is tracked in FS#47395.)
1. Uninstall affected extensions with pacman
2. Run Firefox to clear the cache
3. Install the extensions
4. Run Firefox again
For firefox-adblock-plus, the binary from adblockplus.org uses its own private key for signing XPIs. Seems it's difficult to import external certificates to the XPI verification module without complicated patches.
[1] https://hg.mozilla.org/mozilla-central/file/tip/toolkit/mozapps/extensions/internal/XPIProvider.jsm#l1722
[2] https://hg.mozilla.org/mozilla-central/file/tip/security/apps/AppTrustDomain.cpp#l60
I personally do not see the point of packaging Firefox extensions or distributing them via other means besides https://addons.mozilla.org/.
FS#47395 is the way to go.