FS#47432 - [firefox] Disable signature verification for globally installed extensions.

Attached to Project: Arch Linux
Opened by Chih-Hsuan Yen (yan12125) - Friday, 18 December 2015, 09:51 GMT
Last edited by Evangelos Foutras (foutrelis) - Friday, 18 December 2015, 12:13 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Ref: https://bugs.archlinux.org/task/47395

Since Firefox 43, signature verification is enforced for stable and beta flavors. This change breaks some firefox extension packages in the official repo and AUR.

Here I have a patch that disables signature verification for global extensions, i.e. extensions installed under /usr/lib/firefox/browser. Please consider including it.

Additional info:
extra/firefox 43.0-2

Steps to reproduce:

Closed by Evangelos Foutras (foutrelis)
Friday, 18 December 2015, 12:13 GMT
Reason for closing:  Won't implement
Additional comments about closing: Packaged add-ons should be fixed to have signatures or dropped. (That is tracked in FS#47395.)
Comment by Chih-Hsuan Yen (yan12125) - Friday, 18 December 2015, 10:06 GMT
Note even with this patch, previously disabled extensions are not enabled automatically due to Firefox's cache. Users need to:

1. Uninstall affected extensions with pacman
2. Run Firefox to clear the cache
3. Install the extensions
4. Run Firefox again

For firefox-adblock-plus, the binary from adblockplus.org uses its own private key for signing XPIs. It seems it's difficult to import external certificates into the XPI verification module without complicated patches.

[1] https://hg.mozilla.org/mozilla-central/file/tip/toolkit/mozapps/extensions/internal/XPIProvider.jsm#l1722
[2] https://hg.mozilla.org/mozilla-central/file/tip/security/apps/AppTrustDomain.cpp#l60
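As an added example (not code from this bug report, from Firefox, or from any Arch package): a small Python checker a packager could run over an .xpi before packaging it, to tell an unsigned build from one that at least carries the AMO-style META-INF signature files with a consistent hash manifest. It assumes the JAR-signing layout Firefox uses (META-INF/manifest.mf, META-INF/mozilla.sf, META-INF/mozilla.rsa); it does not verify the PKCS#7 blob in mozilla.rsa against Mozilla's signing root, which is exactly the step that rejects a build signed with a private key such as the adblockplus.org one. The build_xpi and tamper helpers, the sample extension files and the placeholder mozilla.rsa are constructed test fixtures, not a real signer.

```python
"""Check whether a Firefox XPI carries JAR-style signature files and whether
its hash manifest still matches the archive contents (added example)."""
import base64
import hashlib
import io
import zipfile

# JAR-signing layout used by AMO-signed XPIs (assumption about the format).
MANIFEST = "META-INF/manifest.mf"
SIGNATURE_FILE = "META-INF/mozilla.sf"
PKCS7_FILE = "META-INF/mozilla.rsa"
_DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

# Constructed sample extension contents (not a real add-on).
SAMPLE_FILES = {
    "install.rdf": b"<RDF><Description em:id='demo@example.invalid'/></RDF>",
    "chrome.manifest": b"content demo chrome/\n",
}


def _b64digest(alg, data):
    return base64.b64encode(_DIGESTS[alg](data).digest()).decode("ascii")


def _parse_manifest(text):
    """Parse 'Key: value' sections separated by blank lines; a line starting
    with a space continues the previous value. Returns (main, [entries])."""
    sections, current, last_key = [], {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:
            current[last_key] += line[1:]
        elif ": " in line:
            last_key, value = line.split(": ", 1)
            current[last_key] = value
    if current:
        sections.append(current)
    main = {}
    for s in sections:
        if "Name" not in s:
            main.update(s)
    return main, [s for s in sections if "Name" in s]


def check_xpi(xpi_bytes):
    """Return (status, detail): 'unsigned' (no META-INF signature files),
    'tampered' (manifest inconsistent with contents) or 'hash-chain-ok'
    (manifest.mf and mozilla.sf agree; mozilla.rsa is NOT verified here)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = set(zf.namelist())
        missing = [n for n in (MANIFEST, SIGNATURE_FILE, PKCS7_FILE) if n not in names]
        if missing:
            return "unsigned", "missing " + ", ".join(missing)
        manifest_bytes = zf.read(MANIFEST)
        _, entries = _parse_manifest(manifest_bytes.decode("utf-8"))
        listed = {e["Name"]: e for e in entries}
        # Every content file must be listed, and every listed file must match.
        content = {n for n in names if not n.startswith("META-INF/") and not n.endswith("/")}
        unlisted = content - set(listed)
        if unlisted:
            return "tampered", "files not in manifest: " + ", ".join(sorted(unlisted))
        for name, entry in listed.items():
            if name not in names:
                return "tampered", f"manifest lists missing file {name}"
            data, checked = zf.read(name), False
            for alg in entry.get("Digest-Algorithms", "").split():
                key = f"{alg}-Digest"
                if alg in _DIGESTS and key in entry:
                    checked = True
                    if entry[key] != _b64digest(alg, data):
                        return "tampered", f"{alg} digest mismatch for {name}"
            if not checked:
                return "tampered", f"no usable digest for {name}"
        # mozilla.sf must commit to the exact bytes of manifest.mf.
        main, _ = _parse_manifest(zf.read(SIGNATURE_FILE).decode("utf-8"))
        checked = False
        for alg in _DIGESTS:
            key = f"{alg}-Digest-Manifest"
            if key in main:
                checked = True
                if main[key] != _b64digest(alg, manifest_bytes):
                    return "tampered", f"{key} does not match {MANIFEST}"
        if not checked:
            return "tampered", f"{SIGNATURE_FILE} carries no manifest digest"
    return "hash-chain-ok", f"{PKCS7_FILE} still needs verification against the signing root"


def build_xpi(files, sign=True):
    """Fixture: build a minimal XPI in memory. With sign=True it writes a SHA256
    manifest.mf and mozilla.sf plus a placeholder mozilla.rsa (no real key)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        if sign:
            lines = ["Manifest-Version: 1.0", ""]
            for name, data in files.items():
                lines += [f"Name: {name}", "Digest-Algorithms: SHA256",
                          f"SHA256-Digest: {_b64digest('SHA256', data)}", ""]
            manifest = "\n".join(lines).encode("utf-8")
            zf.writestr(MANIFEST, manifest)
            zf.writestr(SIGNATURE_FILE, "Signature-Version: 1.0\n"
                        f"SHA256-Digest-Manifest: {_b64digest('SHA256', manifest)}\n")
            zf.writestr(PKCS7_FILE, b"placeholder: real PKCS#7 signature goes here")
    return buf.getvalue()


def tamper(xpi_bytes, name, new_data):
    """Fixture: replace or add one file inside an XPI, leaving META-INF as is."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src:
        files = {i.filename: src.read(i.filename) for i in src.infolist()}
    files[name] = new_data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for fname, data in files.items():
            dst.writestr(fname, data)
    return buf.getvalue()


if __name__ == "__main__":
    signed = build_xpi(SAMPLE_FILES)
    print("signed fixture:   ", check_xpi(signed))
    print("built from source:", check_xpi(build_xpi(SAMPLE_FILES, sign=False)))
    print("edited file:      ", check_xpi(tamper(signed, "chrome.manifest", b"content evil chrome/\n")))
    print("added file:       ", check_xpi(tamper(signed, "extra.js", b"// unlisted")))
```

A package built from source (the typical AUR case) reports "unsigned" because it has no META-INF at all, so repackaging from the addons.mozilla.org build is the only way to get a file that Firefox 43 will load; a "hash-chain-ok" result only means the archive is internally consistent, since the check stops short of the certificate chain that distinguishes an AMO signature from a vendor's own key.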
Comment by Evangelos Foutras (foutrelis) - Friday, 18 December 2015, 11:38 GMT
The point of making extension signing mandatory is to protect against malicious add-ons and those in /usr/lib/firefox/browser/extensions/ are not magically guaranteed to be non-malicious.

I personally do not see the point of packaging Firefox extensions or distributing them via other means besides https://addons.mozilla.org/.
Comment by Chih-Hsuan Yen (yan12125) - Friday, 18 December 2015, 12:07 GMT
Then as Eli Schwartz already said in https://bugs.archlinux.org/task/47395, firefox addons should be packaged with binaries from https://addons.mozilla.org/. I may provide this patch in an AUR package. Users can choose to disable this check if they are willing to risk malicious addons.
Comment by Evangelos Foutras (foutrelis) - Friday, 18 December 2015, 12:12 GMT
Indeed, FS#47395 is the way to go.
