Mandatory signing requirement for add-ons is coming
- therube
- Posts: 21685
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Mandatory signing requirement for add-ons is coming
Bug 1159055 - tampered XPIs with old-style signatures accepted as "unsigned" rather than "corrupt"
What a confusing mess (as always).
What a confusing mess (as always).
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- patrickjdempsey
- Posts: 23686
- Joined: October 23rd, 2008, 11:43 am
- Location: Asheville NC
- Contact:
Re: Mandatory signing requirement for add-ons is coming
https://bugzilla.mozilla.org/show_bug.c ... 159055#c13
One would think that that is something that probably should have a very clear policy considering signing is going to be enforced in 3 more versions.
What I'm trying to say is that if an XPI is signed and matches the signature then clearly it should install cleanly and we could tell the user who signed it. If an XPI is unsigned then again it should install and we shouldn't give any assertion that someone signed it. In other cases (broken/untrusted cert, changed/added/removed files) we shouldn't assert that someone signed it but whether it should install or not is a bit of a grey area, I don't think there is a particularly right choice.
One would think that that is something that probably should have a very clear policy considering signing is going to be enforced in 3 more versions.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
- LoudNoise
- New Member
- Posts: 39900
- Joined: October 18th, 2007, 1:45 pm
- Location: Next door to the west
Re: Mandatory signing requirement for add-ons is coming
patrickjdempsey wrote:The children should be safe enough running Aurora... Developer Edition or whatever they call it now.
I don't give a flying damn about the children and I would suspect you and Frank are being purposely thick. The pre-release stuff often has something that will cause one hell of a lot of folks to have problems -- that is sort of the point of the exercise.
The "Children" crap is tiresome. It is more or less a flag noting that you are cool enough to be the sort of folk who can handle the problems. Everyone who wants to have a stable browser is a child since they are not nearly as cool as you about dealing problems.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
-
- Posts: 1504
- Joined: October 1st, 2014, 3:25 pm
Re: Mandatory signing requirement for add-ons is coming
And even some of us who are "adult" enough to run Nightly/Aurora wouldn't let either on our main machine(s) without a LOT of prior testing per specific build...
- therube
- Posts: 21685
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Mandatory signing requirement for add-ons is coming
FF 41, xpinstall.signatures.required;true.
So self-signed is out of the question.
Are not allowed. Has to be signed by Mozilla.
A purposely corrupted, signed restartless extension (Tab Stats) also fails to install, expected behavior (& different from an attempt in FF 32.0.3, where it did install, unexpected behavior).
So it seems that by the time FF 41 rolls around (or is it 40, but anyhow) a corrupted extension will not install, as expected.
Now, the only thing left is if they're going to fix anything for FF 39, to at least get the old expected behavior working? But considering things have been broken for so long as it is, can't see why they'd bother. But hey, "security" after all is not as important as "pockets".
So self-signed is out of the question.
Are not allowed. Has to be signed by Mozilla.
A purposely corrupted, signed restartless extension (Tab Stats) also fails to install, expected behavior (& different from an attempt in FF 32.0.3, where it did install, unexpected behavior).
So it seems that by the time FF 41 rolls around (or is it 40, but anyhow) a corrupted extension will not install, as expected.
Now, the only thing left is if they're going to fix anything for FF 39, to at least get the old expected behavior working? But considering things have been broken for so long as it is, can't see why they'd bother. But hey, "security" after all is not as important as "pockets".
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- LoudNoise
- New Member
- Posts: 39900
- Joined: October 18th, 2007, 1:45 pm
- Location: Next door to the west
Re: Mandatory signing requirement for add-ons is coming
Actually, there is nothing more important than to be proactive against things. Having a rich history of allowing crap to be installed without the user's ok an over reaction isn't to be unexpected. While it is admittedly fun to watch headless chickens run around you have to admit that the good butcher does a better of it.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
- Frank Lion
- Posts: 21172
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Re: Mandatory signing requirement for add-ons is coming
patrickjdempsey wrote:The children should be safe enough running Aurora... Developer Edition or whatever they call it now.
I would have thought that the best bet would be the unbranded version and perhaps Mozilla will tout that more nearer the time.
When people search for the terms 'firefox extension signing', then the second Google result is this - https://wiki.mozilla.org/Addons/Extension_Signing
What are my options if I want to install unsigned extensions in Firefox?
The Developer Edition and Nightly versions of Firefox will have a setting to disable signature checks. There will also be special unbranded versions of Release and Beta that will have this setting, so that add-on developers can work on their add-ons without having to sign every build.
Certainly I do expect to give my views on the same subject in a dedicated technical Extension Developer forum without people dashing about, like a man with his hair on fire, screaming 'He's suggesting it!! He's suggesting it!!'
What am I supposed to do, pretend that I haven't been continuously using Nightlies for 9 years without problems, when that isn't the case?
For those not familiar with the term, it is explained at length there. Meantime, how about we keep a technical discussion, er, technical?
therube wrote:Bug 1159055 - tampered XPIs with old-style signatures accepted as "unsigned" rather than "corrupt"
What a confusing mess (as always).
Hmm, bit worrying. I was working on the assumption that the breaking of signing back in 33 was all part of a cunning plan. It would seem not.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
.
- Philip Chee
- Posts: 6475
- Joined: March 1st, 2005, 3:03 pm
- Contact:
Re: Mandatory signing requirement for add-ons is coming
patrickjdempsey wrote:Thunderbird developers appear to be *wanting* the signing, and that's their choice.
One Thunderbird developer wants extension signing. The rest especially those who are also (or were) extension developers are less sanguine.
Phil
-
- Posts: 3664
- Joined: September 15th, 2010, 9:03 am
Re: Mandatory signing requirement for add-ons is coming
I uploaded an xpi file, unchecked "Yes, distribute my add-on on this site." , got myself a new AMO listing (that apparently nobody else sees), downloaded the xpi. Lo and behind, not signed. Does it have to be manually reviewed? Is the system just broken? I got an email saying it was signed, a link telling me where to download it, but it isn't signed.
- Philip Chee
- Posts: 6475
- Joined: March 1st, 2005, 3:03 pm
- Contact:
Re: Mandatory signing requirement for add-ons is coming
jimfitter wrote:Patrick, LCD Clock is an extension that hasn't been supported in at least 7-8 years, yet still works fine today, with compatibility disabled. You won't find it on AMO.
It was originally made by Bloodeye. viewtopic.php?f=19&t=376281
I have version 0.3. PM me if you want it.
I have 0.4.2 on my website: http://xsidebar.mozdev.org/modifiedmisc.html#lcdclock
Phil
-
- Posts: 475
- Joined: March 21st, 2012, 7:09 am
Re: Mandatory signing requirement for add-ons is coming
lithopsian wrote:I uploaded an xpi file, unchecked "Yes, distribute my add-on on this site." , got myself a new AMO listing (that apparently nobody else sees), downloaded the xpi. Lo and behind, not signed. Does it have to be manually reviewed? Is the system just broken? I got an email saying it was signed, a link telling me where to download it, but it isn't signed.
Can I ask when you uploaded those? Yesterday, I did the same thing, uploaded some old addons no longer listed but that I want to keep using and they haven't moved in the queue. I realize it's been only one day but am wondering if I should resign myself to waiting weeks.
-
- Posts: 3664
- Joined: September 15th, 2010, 9:03 am
Re: Mandatory signing requirement for add-ons is coming
marty60 wrote:lithopsian wrote:I uploaded an xpi file, unchecked "Yes, distribute my add-on on this site." , got myself a new AMO listing (that apparently nobody else sees), downloaded the xpi. Lo and behind, not signed. Does it have to be manually reviewed? Is the system just broken? I got an email saying it was signed, a link telling me where to download it, but it isn't signed.
Can I ask when you uploaded those? Yesterday, I did the same thing, uploaded some old addons no longer listed but that I want to keep using and they haven't moved in the queue. I realize it's been only one day but am wondering if I should resign myself to waiting weeks.
No queue. Uploaded as a brand new addon (only possible if the UUID doesn't clash with an existing addon), prelimarily reviewed automatically, and it just sits there with no signature. Maybe this is how it is supposed to work, but it isn't exactly filling me with confidence.
- patrickjdempsey
- Posts: 23686
- Joined: October 23rd, 2008, 11:43 am
- Location: Asheville NC
- Contact:
Re: Mandatory signing requirement for add-ons is coming
The automated review doesn't really count. You have to wait for the human preliminary review before it's considered "live". For first-time extensions the wait is longer than with established extensions. Unless in all of this signing mess they've actually broken AMO. Which I wouldn't doubt.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
-
- Posts: 3664
- Joined: September 15th, 2010, 9:03 am
Re: Mandatory signing requirement for add-ons is coming
patrickjdempsey wrote:The automated review doesn't really count. You have to wait for the human preliminary review before it's considered "live". For first-time extensions the wait is longer than with established extensions. Unless in all of this signing mess they've actually broken AMO. Which I wouldn't doubt.
I'm getting a sinking feeling. The email says it was signed. AMO says it has passed preliminary review and is signed. The xpi doesn't contain any signature files and the version does not include -signed. The wiki says:
which is what appeared to happen except it didn't work. Possibly this isn't considered "released" yet since they haven't announced it in the blog.Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn't pass review, the developer will have the option to request a manual review, which should take less than two days. This is not the same process that currently applies to AMO add-ons, which has been typically slower.
- patrickjdempsey
- Posts: 23686
- Joined: October 23rd, 2008, 11:43 am
- Location: Asheville NC
- Contact:
Re: Mandatory signing requirement for add-ons is coming
Yeah, maybe that feature isn't actually working yet. Also per some of the reports above... the signing itself is apparently failing in some cases so they might be working on fixing it.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/