Add-ons have been (co-)signed using RSA and COSE for a long time. For MV2 add-ons, we want to change the order of signature verification to the following: 1. Check COSE a) If it succeeds, DONE b) If it is invalid, FAIL c) If it is non-existent, go to 2 2. Check RSA a) If it succeeds, DONE b) If it is invalid, FAIL c) If it is non-existent, FAIL d) If SHA1 is disabled, FAIL For MV3 add-ons, we will use a simplified process that no longer uses PKCS7: 1. Check COSE a) If it succeeds, DONE b) If it is invalid or non-existent, FAIL
Bug 1792954 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Add-ons have been (co-)signed using RSA and COSE for a long time. For MV2 add-ons, we want to change the order of signature verification to the following: 1. Check COSE a) If it succeeds, DONE b) If it is invalid, FAIL c) If it is non-existent, go to 2 2. Check RSA a) If it succeeds, DONE b) If it is invalid, FAIL c) If it is non-existent, FAIL d) If SHA1 is disabled, FAIL For MV3 add-ons, we will use a simplified process that no longer uses RSA: 1. Check COSE a) If it succeeds, DONE b) If it is invalid or non-existent, FAIL