Mandatory signing requirement for add-ons is coming

patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

As they said in their statements, anything that is uploaded and passes preliminary review is automatically signed. AMO also tends to fast track existing extensions by trusted authors. Remember, they can run a diff on your code and see exactly what you changed very quickly. The real question is whether a brand new extension from a new author will go as easily.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
KilliK
Posts: 612
Joined: June 18th, 2004, 7:11 am

Re: Mandatory signing requirement for add-ons is coming

Post by KilliK »

patrickjdempsey wrote:The thing is that I don't think Mozilla's goal here has ever been to prevent genuinely "rogue" extensions from some theoretical future... but to prevent the incursion of lazily-written, quasi-legal, "unwanted" extensions as they exist today. I don't even want to know what kind of nightmare series of foot guns these cats would come up with to try to tackle a genuine threat.


exactamundo.
here is a recent example of that:
http://www.theverge.com/2015/5/29/86852 ... -bandwidth

There is a Hola FF extension but you can only install it from their official site.
Mozilla is doing the right thing for not hosting it in their AMO, to the dissatisfaction of many users.
Now they are going one step further to prevent it from being installed by the unsuspecting average user.
Of course, he still has the option to do it with the unbranded versions.

This measure is not aiming to eliminate the danger of "bad" addons, only to reduce it.
Frank Lion
Posts: 21177
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

KilliK wrote:here is a recent example of that:
http://www.theverge.com/2015/5/29/86852 ... -bandwidth

Here is a recent example by me as how Firefox could stop that -

#1. Take one existing Firefox blocklist.xml.
#2. Add the Hola entry to it.
#3. You're done.

Your point again was what exactly?
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
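The blocklist step described in the post above, as an added example that is not from the thread or from Mozilla's code: a small parser for the blocklist.xml `emItem` format (namespace `http://www.mozilla.org/2006/addons-blocklist`, `versionRange` with `minVersion`, `maxVersion` and `severity`) that decides whether an installed add-on id/version pair is blocked. The XML snippet, the add-on ids `example-vpn@example.invalid` and `old-toolbar@example.invalid`, and the blockIDs `i0000`/`i0001` are constructed placeholders, not real entries; the version comparison is a simplification of toolkit's, and `targetApplication` filtering is left out.

```python
"""Added example: evaluate add-on ids against a Firefox-style blocklist.xml.

The blocklist below is constructed for illustration; ids and blockIDs are
placeholders, not real entries from Mozilla's blocklist.
"""
import xml.etree.ElementTree as ET

NS = "{http://www.mozilla.org/2006/addons-blocklist}"

SAMPLE_BLOCKLIST = """<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist" lastupdate="1433000000000">
  <emItems>
    <emItem blockID="i0000" id="example-vpn@example.invalid">
      <versionRange minVersion="0" maxVersion="*" severity="3"/>
    </emItem>
    <emItem blockID="i0001" id="old-toolbar@example.invalid">
      <versionRange minVersion="1.0" maxVersion="2.5" severity="1"/>
    </emItem>
  </emItems>
</blocklist>
"""


def parse_version(v):
    # Simplified: toolkit's version comparison also handles letters, "+" etc.
    parts = []
    for p in v.split("."):
        try:
            parts.append(int(p))
        except ValueError:
            parts.append(0)
    return parts


def version_in_range(version, min_v, max_v):
    v = parse_version(version)
    if min_v not in ("0", "") and v < parse_version(min_v):
        return False
    if max_v != "*" and v > parse_version(max_v):
        return False
    return True


def load_blocks(xml_text):
    """Map add-on id -> (blockID, [(minVersion, maxVersion, severity), ...])."""
    root = ET.fromstring(xml_text)
    blocks = {}
    for item in root.iter(NS + "emItem"):
        ranges = []
        for vr in item.findall(NS + "versionRange"):
            ranges.append((vr.get("minVersion", "0"), vr.get("maxVersion", "*"),
                           int(vr.get("severity", "1"))))
        if not ranges:
            ranges.append(("0", "*", 1))  # no versionRange: every version is blocked
        blocks[item.get("id")] = (item.get("blockID"), ranges)
    return blocks


def block_status(blocks, addon_id, version):
    """Return (blocked, severity, blockID). severity 3 = hard block, 1 = soft block."""
    entry = blocks.get(addon_id)
    if entry is None:
        return (False, 0, None)
    block_id, ranges = entry
    for min_v, max_v, sev in ranges:
        if version_in_range(version, min_v, max_v):
            return (True, sev, block_id)
    return (False, 0, None)


if __name__ == "__main__":
    blocks = load_blocks(SAMPLE_BLOCKLIST)
    for addon, ver in [("example-vpn@example.invalid", "1.2.3"),
                       ("old-toolbar@example.invalid", "2.6")]:
        print(addon, ver, block_status(blocks, addon, ver))
```

Adding an entry is exactly the "three step" process above: one `emItem` with the add-on's id and a `versionRange` of `0` to `*`, severity 3, and every installed copy is disabled on the next blocklist refresh, whether it came from AMO or from the vendor's site.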
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons is coming

Post by rsx11m »

Yes, such things can be prevented with the existing blocklist mechanism. The only argument they might have is that users may run into the trap between the time that an add-on is offered and when it is blacklisted (which means their sledgehammer solution to assume that all non-AMO extensions are malicious by definition).
Frank Lion
Posts: 21177
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

rsx11m wrote:The only argument they might have is...

They might indeed.

I, of course, would then immediately point out that if the new signing system had been up and running a year ago, then Hola could have submitted their extension and it would have been successfully signed as recently as 4 days ago, as the abuse has only come to light since then.

You would then have a signed malicious extension in the wild for up to a year that could be installed on any current Firefox version, until such time that the signing midsum rejection bug for that extension had been fixed or, er, it had been added to the blockfile.

This remains the case. In other words, Mozilla will have to approve and sign non-AMO addons based on multiple criteria including acceptable Privacy clauses, which can later be abused.

To catch a thief, you have to think like a thief.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons is coming

Post by rsx11m »

Frank Lion wrote:Hola could have submitted their extension and it would have been successfully been signed as recently as 4 days ago, as the abuse has only come to light since then.

Sure, if the review process doesn't work (and apparently isn't followed up upon as in this case), the signing requirement doesn't help a bit either...
therube
Posts: 21714
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Mandatory signing requirement for add-ons is coming

Post by therube »

What about a "self-signed" extension?
Will that fly?
Should Hola sign their extension themselves (which they are able to do), not listed on AMO, will someone attempting to install that signed extension, from Hola, be hit?

And if so, what is the whole purpose of this "exercise"?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Mandatory signing requirement for add-ons is coming

Post by LoudNoise »

Sound and fury?
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons is coming

Post by rsx11m »

therube wrote:What about a "self-signed" extension?
Will that fly?

I'd think that you'll have to obey a certain certificate chain, so that shouldn't work unless you get some key (or whatever) from Mozilla to sign it yourself or your own key is accepted by the application.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

I believe that "self signed" extensions have still been required to pass an AMO review since 3.6 days.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

Here's an interesting edge case where signing isn't going to work: The author of this extension has been version-bumping the extension since *before* Firefox 4.0. Because of this, the install.rdf has a maximum compatibility from before Firefox 4.0. Which means that Firefox will *not* automatically accept it as compatible without the version compatibility download from AMO. Which means this extension cannot be installed from a file, but can only be installed from AMO directly.

viewtopic.php?f=38&t=2938349&p=14179895#p14179895
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons is coming

Post by rsx11m »

That's confusing - on both Firefox 38.0.1 and SeaMonkey 2.33.1 Windows installations, all add-ons now have a "-signed" added, except for NoScript which stays at version 2.6.9.26 (last update on Friday, 29th) without the "-signed" in the displayed extension name.

So, what's special about NoScript, or did that update come after the signing was performed and wipe out the signature? I'm rather confident that I've installed it from AMO and not any "unofficial" source.
Frank Lion
Posts: 21177
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

rsx11m wrote:So, what's special about NoScript

Nothing and it's also signed - https://addons.mozilla.org/ru/firefox/f ... est.mf#top
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Mandatory signing requirement for add-ons is coming

Post by rsx11m »

Ok, the manifest.mf is the same, thus it's just a matter of the naming being inconsistent (and hence implying that "something" is different).
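Both the "self-signed" question (rsx11m's reply about the certificate chain) and the manifest.mf comparison above come down to what a signed XPI actually contains. The following is an added example, not code from the thread or from Mozilla: it builds a small XPI in memory with the signing layout Firefox uses (`META-INF/manifest.mf` listing a digest per file, `META-INF/mozilla.sf` committing to the manifest, and `META-INF/mozilla.rsa` holding the PKCS#7 signature over mozilla.sf), then verifies the digest layers and shows a tampered file failing. The sample file contents and all function names are mine. The PKCS#7 step is deliberately left out: that is where Firefox checks that the signer's certificate chains to Mozilla's built-in AMO root, which is exactly why a self-signed XPI does not pass.

```python
"""Added example: the digest layers of a Firefox-signed XPI (JAR-style signing).

Layout: META-INF/manifest.mf -> per-file SHA256 digests
        META-INF/mozilla.sf  -> SHA256 digest of manifest.mf
        META-INF/mozilla.rsa -> PKCS#7 signature over mozilla.sf (NOT checked here)
Sample files are constructed for illustration.
"""
import base64
import hashlib
import io
import zipfile


def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(files):
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in sorted(files.items()):
        lines += ["Name: " + name, "Digest-Algorithms: SHA256",
                  "SHA256-Digest: " + sha256_b64(data), ""]
    return "\n".join(lines).encode("utf-8")


def build_signature_file(manifest_bytes):
    return ("Signature-Version: 1.0\nSHA256-Digest-Manifest: "
            + sha256_b64(manifest_bytes) + "\n\n").encode("utf-8")


def build_xpi(files):
    """Produce an XPI with manifest.mf and mozilla.sf (mozilla.rsa omitted)."""
    manifest = build_manifest(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/manifest.mf", manifest)
        z.writestr("META-INF/mozilla.sf", build_signature_file(manifest))
    return buf.getvalue()


def parse_manifest(text):
    """Parse manifest.mf sections (blank-line separated) into {name: sha256_b64}."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if line.strip() == "":
            if "Name" in current and "SHA256-Digest" in current:
                entries[current["Name"]] = current["SHA256-Digest"]
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def verify_xpi(xpi_bytes):
    """Return (ok, problems) for the digest layers only; mozilla.rsa is not verified."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        names = set(z.namelist())
        if "META-INF/manifest.mf" not in names or "META-INF/mozilla.sf" not in names:
            return (False, ["missing META-INF signing files"])
        manifest = z.read("META-INF/manifest.mf")
        expected = parse_manifest(manifest.decode("utf-8"))
        # 1. every payload file must be listed and its digest must match
        for name in sorted(names):
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in expected:
                problems.append("unlisted file: " + name)
            elif sha256_b64(z.read(name)) != expected[name]:
                problems.append("digest mismatch: " + name)
        # 2. every listed file must be present (deletion is also tampering)
        for name in sorted(expected):
            if name not in names:
                problems.append("listed but missing: " + name)
        # 3. mozilla.sf must commit to this exact manifest.mf
        sf_digest = None
        for line in z.read("META-INF/mozilla.sf").decode("utf-8").splitlines():
            k, _, v = line.partition(":")
            if k.strip() == "SHA256-Digest-Manifest":
                sf_digest = v.strip()
        if sf_digest != sha256_b64(manifest):
            problems.append("mozilla.sf does not match manifest.mf")
    return (not problems, problems)


def tamper(xpi_bytes, name, new_data):
    """Rewrite one entry without touching META-INF (a post-signing edit)."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            z.writestr(info.filename, data)
    return out.getvalue()


SAMPLE_FILES = {  # constructed sample add-on payload
    "install.rdf": b"<RDF>...</RDF>",
    "chrome.manifest": b"content example chrome/content/\n",
    "chrome/content/main.js": b"// benign\n",
}

if __name__ == "__main__":
    xpi = build_xpi(SAMPLE_FILES)
    print(verify_xpi(xpi))
    print(verify_xpi(tamper(xpi, "chrome/content/main.js", b"// evil\n")))
```

Two practical consequences follow from this layout. First, comparing manifest.mf between two copies of the same version is a sound way to tell whether they are the same signed build, since the manifest commits to every file's content. Second, an attacker can regenerate manifest.mf and mozilla.sf after editing a file just as easily as this script does; the only thing stopping that is the mozilla.rsa check against Mozilla's root, so a verifier that stops at the digest layers (as this one does) must not be taken as proof of origin.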
Frank Lion
Posts: 21177
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

rsx11m wrote:Ok, the manifest.mf is the same, thus it's just a matter of the naming being inconsistent (and hence implying that "something" is different).

Sorry, I thought you had been following this stuff. Don't you recall this extension being one of them that was done on the failed AMO 'Black Friday' fiasco, when they were originally planning to swing over?

This one (version 2.6.9.25.1-signed) was suffixed back then - https://addons.mozilla.org/en-US/firefo ... /versions/
Last edited by Frank Lion on June 1st, 2015, 9:45 am, edited 1 time in total.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.