Closed Bug 1047261 Opened 10 years ago Closed 10 years ago

Sign addons when add-ons are reviewed and made public

Categories

(addons.mozilla.org Graveyard :: Admin/Editor Tools, enhancement)

Type: enhancement
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1070189

People

(Reporter: dveditz, Unassigned)

Details

As part of the final review step add-ons must be signed with a certificate obtained from our back-end certificate authority. If we sign too late in the process then our reviewers will have a harder time--they'd need a developer build to test and wouldn't be testing the actual bits we were going to publish. On the other hand we don't want preliminary add-ons to be signed, only fully reviewed and accepted ones.

Signing too early only makes it easy for malicious folks to avoid needing to pass muster in getting their own cert -- if they obfuscate the badness well enough they can use the copy we signed for them as long as they want until someone reports it to us. Maybe we can keep a signed copy for reviewers in a place accessible only to the reviewers while making the original unsigned copy available to the public.

It's probably safer to build the signing service as part of the back-end CA and then send over files to be signed rather than for AMO to handle the certs itself since AMO is publicly accessible. Whichever way we do it must be done carefully because we don't want to give hackers a free signing oracle.

When you submit an add-on for review, a listing page is created and anyone with the link can install the unreviewed file (we show warnings on AMO explaining this). I agree that at this point we shouldn't be publishing the signed file. The unsigned file should be okay, since the purpose of the temporary listing page is so that the developer can share it with an early tester audience, who should be able to set things up to install the unsigned version.

As for preliminary vs fully reviewed, I think both need to be signed. Once an add-on file passes review at any of those levels, we should be offering the signed file. Preliminarily reviewed add-ons need to pass our security tests and should definitely pass anything that would otherwise warrant blocklisting.

We'll need to set up a way to offer the signed versions of the unreviewed files only to users within certain permission groups (reviewers and admins).

Signing preliminary reviewed add-ons is a definite requirement. While we definitely intend for them to be limited to a much narrower audience than fully reviewed add-ons, we definitely do not intend for them to be limited to people using developer/tester builds.

As for restricting access to unreviewed but signed versions, that's easily doable. We already have a mechanism to limit access to rejected versions, which are not published via CDN, to reviewers and admins. The same would apply here.
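The design the three comments above converge on has three moving parts: a signing service that holds the key and answers only authenticated requests from AMO (so a compromise of the public site does not turn it into a free signing oracle), signing of the exact bytes under review so reviewers test what will later ship, and an access rule that hands signed-but-not-yet-public copies only to reviewers and admins while rejected versions never reach the CDN. The following is an added illustration of that gating logic, not AMO's or Mozilla's code. The class and group names, the shared secret between AMO and the signer, and the use of an HMAC keyed with a secret only the signer holds as a stand-in for the CA's certificate-based signature are all assumptions; the sample "XPI" bytes are constructed.

```python
"""Added illustration (not AMO's code): gate an add-on signing service so that
only an authenticated AMO can request signatures, the signature covers the exact
bytes reviewers tested, and non-public signed copies reach reviewers/admins only.
All names and the HMAC stand-in for the CA signature are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

UNREVIEWED, PRELIMINARY, FULL, REJECTED = "unreviewed", "preliminary", "full", "rejected"
PUBLISHED = {PRELIMINARY, FULL}          # both reviewed levels ship signed
PRIVILEGED = {"reviewers", "admins"}     # assumed group names allowed to fetch non-public copies


@dataclass
class Version:
    data: bytes                 # the exact bytes the developer uploaded
    sha256: str                 # digest of those bytes; the signer only ever sees this
    status: str = UNREVIEWED
    signature: Optional[bytes] = None


class SigningService:
    """Stands in for the back-end CA. The signing key lives here, never on AMO.
    Assumption: HMAC with a signer-only key replaces the real certificate signature."""

    def __init__(self, amo_secret: bytes) -> None:
        self._amo_secret = amo_secret              # shared with AMO to authenticate requests
        self._signing_key = secrets.token_bytes(32)

    def sign(self, sha256_hex: str, request_mac: str) -> bytes:
        # Refuse anything that is not an authenticated request from AMO: whoever can
        # reach this endpoint must not get a free signing oracle.
        expected = hmac.new(self._amo_secret, sha256_hex.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, request_mac):
            raise PermissionError("unauthenticated signing request")
        return hmac.new(self._signing_key, bytes.fromhex(sha256_hex), "sha256").digest()

    def verify(self, data: bytes, signature: bytes) -> bool:
        # Any change to the file after signing (or a signature from another key) fails here.
        digest = hashlib.sha256(data).digest()
        expected = hmac.new(self._signing_key, digest, "sha256").digest()
        return hmac.compare_digest(expected, signature)


class AMO:
    """The public-facing site: stores files and review state, asks the signer for
    signatures, and decides who may download which copy. It holds no signing key."""

    def __init__(self, signer: SigningService, amo_secret: bytes) -> None:
        self._signer = signer
        self._secret = amo_secret
        self.versions: Dict[str, Version] = {}

    def _request_signature(self, v: Version) -> bytes:
        mac = hmac.new(self._secret, v.sha256.encode(), "sha256").hexdigest()
        return self._signer.sign(v.sha256, mac)

    def submit(self, key: str, data: bytes) -> Version:
        v = Version(data=data, sha256=hashlib.sha256(data).hexdigest())
        # Sign at submission so reviewers test the real bits, but keep the signature
        # away from the public until review passes (see download()).
        v.signature = self._request_signature(v)
        self.versions[key] = v
        return v

    def review(self, key: str, outcome: str) -> Version:
        if outcome not in {PRELIMINARY, FULL, REJECTED}:
            raise ValueError(outcome)
        v = self.versions[key]
        v.status = outcome
        return v

    def download(self, key: str, groups: Set[str]) -> Optional[Tuple[bytes, Optional[bytes]]]:
        """Return (file, signature-or-None), or None when the caller may not fetch it."""
        v = self.versions[key]
        privileged = bool(groups & PRIVILEGED)
        if v.status in PUBLISHED:
            return v.data, v.signature          # public, served with its signature
        if v.status == REJECTED and not privileged:
            return None                         # rejected versions are not published
        if privileged:
            return v.data, v.signature          # reviewers/admins test the signed bits
        return v.data, None                     # anyone with the link: unsigned copy only
```

Because the signature is detached and computed over the digest of the stored bytes, the copy a reviewer tests and the copy later served to the public are identical, which is the property the first comment asks for. Replacing the HMAC stand-in with a real PKCS-style signature from the back-end CA would not change any of the gating decisions.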

Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Product: addons.mozilla.org → addons.mozilla.org Graveyard