Closed
Bug 60096
Opened 24 years ago
Closed 2 years ago
Official XPI packages should be signed
Categories
(Core :: Security, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
Future
People
(Reporter: adamlock, Assigned: dveditz)
Details
(Keywords: topembed-, Whiteboard: [T2])
The official XPI packages that constitute Mozilla the application should be
signed. This includes the PSM package.
Mozilla should contain signature validation code (even if only for its own key)
and the user should be presented with a dialog warning about security etc.
whenever an XPI package is about to be installed and whether it is signed or
not.
Comment 1•24 years ago
Agreed. We already have signature verification code, and it should be hooked up
to the installer.
Status: NEW → ASSIGNED
Comment 3•24 years ago
->Future, but I still think we should have this feature if we can make it practical.
Target Milestone: --- → Future
As I see it, xpi packages can install just about any files into your mozilla
directory, this can be a major security risk. It seems like there is definitely
an ability for someone to create a malicious xpi. We should at least warn users
when installing an xpi, that this can install random files into your computer
and can completely mess up your system (in nicer words anyways) and if it's signed,
just give the description that comes with the signature of what the installer
does :)
Comment 5•23 years ago
We *do* warn the user of the consequences before allowing an xpinstall to occur.
We always have. What do you mean by "the description that comes with the
signature of what the installer does"? There's no such description. Signing just
verifies the authorship of the xpi, not what it does.
Comment 6•23 years ago
performance, footprint, feature work, and re-architecture bugs will be addressed
in 0.9.8
Target Milestone: Future → mozilla0.9.8
Comment 7•23 years ago
I don't think we're going to have this done by Moz 1.0. If anyone thinks this is
really needed by then, talk to me.
Target Milestone: mozilla0.9.8 → Future
Updated•23 years ago
Comment 9•20 years ago
On a related note, patches that come 'officially' from the Mozilla organization
(like the recent fix for the shell: vulnerability) should be signed.
It's actually incomprehensible to me how Mozilla could distribute an unsigned
patch for a security vulnerability, to be applied to current versions of
Firefox, Thunderbird, and Mozilla - especially in light of the most recent IE
vulnerabilities, and CERT recommending Mozilla/Firefox over IE.
This seems like a simple oversight that should be very easy to correct.
Comment 10•20 years ago
Is this bug obsolete and tracked anywhere else?
I believe this is quite an issue..
Comment 11•19 years ago
Still not fixed: https://addons.mozilla.org/messages/307259.html
Unsigned, huh?!
Updated•18 years ago
Assignee: security-bugs → dveditz
Status: ASSIGNED → NEW
QA Contact: bsharma → toolkit
Updated•2 years ago
Severity: normal → S3
Comment 12•2 years ago
This was long fixed. See bug 1038068 and bug 1186522, for example.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME