Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#50269 - [firefox] Arch build does not enforce addons' signature verification

Attached to Project: Arch Linux
Opened by Chih-Hsuan Yen (yan12125) - Friday, 05 August 2016, 15:01 GMT
Last edited by Jan Alexander Steffens (heftig) - Sunday, 07 August 2016, 13:56 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Evangelos Foutras (foutrelis)
Jan Alexander Steffens (heftig)
Christian Hesse (eworm)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


Upstream Firefox 48 enforces signature verification. In Firefox's build system, forcing signature verification requires defining `MOZ_REQUIRE_SIGNING` in mozconfig. In Mozilla's official builds, this setting is in `build/mozconfig.common` and indirectly imported by `browser/config/mozconfigs/linux64/release`, the (seemingly) mozconfig file for official builds. However, Arch's mozconfig [1] does not include this setting, so Arch's version does not follow upstream's configurations in this case.

I choose severity high as I think it's a "less critical security issue". Sorry if I'm I misunderstand what the Wiki says.


Additional info:
extra/firefox 48.0-1

Steps to reproduce:
* Theoretical way: Run `7z x /usr/lib/firefox/omni.ja modules/addons/AddonConstants.jsm`, and check the value of `REQUIRE_SIGNING` in AddonConstants.jsm. Firefox's mozpack format causes errors and warnings in 7z. Those are non-fatal for just viewing files.
* Practical way: Install an unverified addon and check whether it works in Arch's build or not
This task depends upon

Closed by  Jan Alexander Steffens (heftig)
Sunday, 07 August 2016, 13:56 GMT
Reason for closing:  Fixed
Additional comments about closing:  firefox 48.0-2 enforces signatures, as intended for branded release builds.
Comment by Connor Behan (connorbehan) - Friday, 05 August 2016, 17:00 GMT
If the verification didn't work and mistook unsigned addons for being signed... that would be a security issue. Giving users the freedom to install unfinished addons if they want to test them is what Arch is all about.
Comment by Sven Karsten Greiner (SammysHP) - Friday, 05 August 2016, 18:28 GMT
The verification works. Unsigned add-ons can be installed only if xpinstall.signatures.required is set to false. If it is set to false and an unsigned add-on is installed, a warning is shown (the behavior of previous versions of Firefox). This option was removed with FF 48 by default, but the corresponding make option was not set for the Arch package.

> Giving users the freedom to install unfinished addons if they want to test them is what Arch is all about.

That is also my opinion. Most Arch users should be familiar with security and many are developer who might work on own add-ons. However people decided in  FS#45900  that Arch should follow the decisions of Mozilla.
Comment by Chih-Hsuan Yen (yan12125) - Friday, 05 August 2016, 18:39 GMT
The verification works but is not enforced, and the latter becomes the default in upstream builds since Firefox 48. If Arch developers decides to follow the upstream, they should set MOZ_REQUIRE_SIGNING in mozconfig. Otherwise, please add a comment in mozconfig or something like firefox.install that there's something different in Arch's version and Mozilla's. Personally I think Mozilla should give users the ability to install addons signed by third parties, just like pacman's signatures or Debian's PPA keys. However, it's an issue on the Mozilla end, not Arch.
Comment by Sven Karsten Greiner (SammysHP) - Sunday, 07 August 2016, 13:24 GMT
Are you sure that

ac_add_options --enable-update-channel=release

is necessary? In my understanding this would show update notifications inside of Firefox.
Comment by Jan Alexander Steffens (heftig) - Sunday, 07 August 2016, 13:51 GMT
That doesn't happen as we still have the updater disabled.

The update channel actually affects more things, like whether jemalloc assertions are fatal, whether shutdown check violations get recorded, whether "extensions.checkCompatibility.nightly" works.

Most other things are affected by the RELEASE_BUILD and NIGHTLY_BUILD defines, which get set depending on the version inside config/milestone.txt. This is static depending on the branch you build.

The configuration system is a goddamn mess.