Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
therube
Posts: 21685
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Mandatory signing requirement for add-ons is coming

Post by therube »

Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

https://bugzilla.mozilla.org/show_bug.c ... 159055#c13

What I'm trying to say is that if an XPI is signed and matches the signature then clearly it should install cleanly and we could tell the user who signed it. If an XPI is unsigned then again it should install and we shouldn't give any assertion that someone signed it. In other cases (broken/untrusted cert, changed/added/removed files) we shouldn't assert that someone signed it but whether it should install or not is a bit of a grey area, I don't think there is a particularly right choice.


One would think that that is something that probably should have a very clear policy considering signing is going to be enforced in 3 more versions.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons is coming

Post by LoudNoise »

patrickjdempsey wrote:The children should be safe enough running Aurora... Developer Edition or whatever they call it now.


I don't give a flying damn about the children and I would suspect you and Frank are being purposely thick. The pre-release stuff often has something that will cause one hell of a lot of folks to have problems -- that is sort of the point of the exercise.

The "Children" crap is tiresome. It is more or less a flag noting that you are cool enough to be the sort of folk who can handle the problems. Everyone who wants to have a stable browser is a child since they are not nearly as cool as you about dealing with problems.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Mandatory signing requirement for add-ons is coming

Post by barbaz »

And even some of us who are "adult" enough to run Nightly/Aurora wouldn't let either on our main machine(s) without a LOT of prior testing per specific build... :wink:
therube
Posts: 21685
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Mandatory signing requirement for add-ons is coming

Post by therube »

FF 41, xpinstall.signatures.required;true.

So self-signed is out of the question.
Are not allowed. Has to be signed by Mozilla.

A purposely corrupted, signed restartless extension (Tab Stats) also fails to install, expected behavior (& different from an attempt in FF 32.0.3, where it did install, unexpected behavior).

So it seems that by the time FF 41 rolls around (or is it 40, but anyhow) a corrupted extension will not install, as expected.


Now, the only thing left is if they're going to fix anything for FF 39, to at least get the old expected behavior working? But considering things have been broken for so long as it is, can't see why they'd bother. But hey, "security" after all is not as important as "pockets".
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons is coming

Post by LoudNoise »

Actually, there is nothing more important than to be proactive against things. Having a rich history of allowing crap to be installed without the user's ok, an overreaction isn't to be unexpected. While it is admittedly fun to watch headless chickens run around, you have to admit that the good butcher does a better job of it.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

patrickjdempsey wrote:The children should be safe enough running Aurora... Developer Edition or whatever they call it now.

I would have thought that the best bet would be the unbranded version and perhaps Mozilla will tout that more nearer the time.

When people search for the terms 'firefox extension signing', then the second Google result is this - https://wiki.mozilla.org/Addons/Extension_Signing

What are my options if I want to install unsigned extensions in Firefox?

The Developer Edition and Nightly versions of Firefox will have a setting to disable signature checks. There will also be special unbranded versions of Release and Beta that will have this setting, so that add-on developers can work on their add-ons without having to sign every build.


Certainly I do expect to give my views on the same subject in a dedicated technical Extension Developer forum without people dashing about, like a man with his hair on fire, screaming 'He's suggesting it!! He's suggesting it!!'

What am I supposed to do, pretend that I haven't been continuously using Nightlies for 9 years without problems, when that isn't the case?

For those not familiar with the term, it is explained at length there. Meantime, how about we keep a technical discussion, er, technical?


Hmm, bit worrying. I was working on the assumption that the breaking of signing back in 33 was all part of a cunning plan. It would seem not. :shock:
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
Philip Chee
Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Re: Mandatory signing requirement for add-ons is coming

Post by Philip Chee »

patrickjdempsey wrote:Thunderbird developers appear to be *wanting* the signing, and that's their choice.

One Thunderbird developer wants extension signing. The rest especially those who are also (or were) extension developers are less sanguine.

Phil
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

I uploaded an xpi file, unchecked "Yes, distribute my add-on on this site." , got myself a new AMO listing (that apparently nobody else sees), downloaded the xpi. Lo and behind, not signed. Does it have to be manually reviewed? Is the system just broken? I got an email saying it was signed, a link telling me where to download it, but it isn't signed.
Philip Chee
Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Re: Mandatory signing requirement for add-ons is coming

Post by Philip Chee »

jimfitter wrote:Patrick, LCD Clock is an extension that hasn't been supported in at least 7-8 years, yet still works fine today, with compatibility disabled. You won't find it on AMO.
It was originally made by Bloodeye. viewtopic.php?f=19&t=376281
I have version 0.3. PM me if you want it.

I have 0.4.2 on my website: http://xsidebar.mozdev.org/modifiedmisc.html#lcdclock
Phil
marty60
Posts: 475
Joined: March 21st, 2012, 7:09 am

Re: Mandatory signing requirement for add-ons is coming

Post by marty60 »

lithopsian wrote:I uploaded an xpi file, unchecked "Yes, distribute my add-on on this site." , got myself a new AMO listing (that apparently nobody else sees), downloaded the xpi. Lo and behind, not signed. Does it have to be manually reviewed? Is the system just broken? I got an email saying it was signed, a link telling me where to download it, but it isn't signed.


Can I ask when you uploaded those? Yesterday, I did the same thing, uploaded some old addons no longer listed but that I want to keep using and they haven't moved in the queue. I realize it's been only one day but am wondering if I should resign myself to waiting weeks.
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

marty60 wrote:
lithopsian wrote:I uploaded an xpi file, unchecked "Yes, distribute my add-on on this site." , got myself a new AMO listing (that apparently nobody else sees), downloaded the xpi. Lo and behind, not signed. Does it have to be manually reviewed? Is the system just broken? I got an email saying it was signed, a link telling me where to download it, but it isn't signed.


Can I ask when you uploaded those? Yesterday, I did the same thing, uploaded some old addons no longer listed but that I want to keep using and they haven't moved in the queue. I realize it's been only one day but am wondering if I should resign myself to waiting weeks.

No queue. Uploaded as a brand new addon (only possible if the UUID doesn't clash with an existing addon), preliminarily reviewed automatically, and it just sits there with no signature. Maybe this is how it is supposed to work, but it isn't exactly filling me with confidence.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

The automated review doesn't really count. You have to wait for the human preliminary review before it's considered "live". For first-time extensions the wait is longer than with established extensions. Unless in all of this signing mess they've actually broken AMO. Which I wouldn't doubt.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

patrickjdempsey wrote:The automated review doesn't really count. You have to wait for the human preliminary review before it's considered "live". For first-time extensions the wait is longer than with established extensions. Unless in all of this signing mess they've actually broken AMO. Which I wouldn't doubt.

I'm getting a sinking feeling. The email says it was signed. AMO says it has passed preliminary review and is signed. The xpi doesn't contain any signature files and the version does not include -signed. The wiki says:
Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn't pass review, the developer will have the option to request a manual review, which should take less than two days. This is not the same process that currently applies to AMO add-ons, which has been typically slower.
which is what appeared to happen except it didn't work. Possibly this isn't considered "released" yet since they haven't announced it in the blog.
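
Added example (not part of the posts above, and not Mozilla's own verification code): a Python check for the two situations reported in this thread, an XPI that contains no signature files and a signed XPI whose contents were changed afterwards. It assumes the signed-XPI layout of META-INF/manifest.mf, mozilla.sf and mozilla.rsa with SHA1-Digest entries; it only compares file digests against the manifest and does not validate the signature or its certificate chain, and build_sample() produces constructed archives with placeholder signature bodies.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/manifest.mf"
SIG_FILES = {MANIFEST, "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}  # assumed layout

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Map each 'Name:' entry of a JAR-style manifest to its SHA1-Digest."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def check_xpi(data):
    """Report signature-file presence and payload drift against the manifest."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = {n for n in z.namelist() if not n.endswith("/")}
        if not SIG_FILES <= names:
            return {"has_signature_files": False}
        listed = parse_manifest(z.read(MANIFEST).decode("utf-8"))
        listed_names, payload = set(listed), names - SIG_FILES
        return {
            "has_signature_files": True,
            "changed": sorted(n for n in payload & listed_names
                              if sha1_b64(z.read(n)) != listed[n]),
            "added": sorted(payload - listed_names),
            "removed": sorted(listed_names - payload),
        }

def build_sample(files, signed_files=None):
    """Constructed XPI; the .sf/.rsa bodies are placeholders, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
        if signed_files is not None:
            mf = "Manifest-Version: 1.0\n\n" + "".join(
                f"Name: {n}\nDigest-Algorithms: SHA1\nSHA1-Digest: {sha1_b64(b)}\n\n"
                for n, b in signed_files.items())
            z.writestr(MANIFEST, mf)
            z.writestr("META-INF/mozilla.sf", b"placeholder")
            z.writestr("META-INF/mozilla.rsa", b"placeholder")
    return buf.getvalue()
```

An archive that reports no drift here can still fail to install: the check says nothing about who signed it or whether the signature over the manifest is valid.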
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

Yeah, maybe that feature isn't actually working yet. Also per some of the reports above... the signing itself is apparently failing in some cases so they might be working on fixing it.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/