Open Bug 1283475 Opened 8 years ago Updated 2 years ago

provide signature verification for downloaded Windows executables on Mac and Linux

Categories

(Toolkit :: Safe Browsing, defect, P5)

47 Branch
defect

Tracking

REOPENED

People

(Reporter: azzichau, Unassigned)

Signature verification for downloaded Windows executables is currently unsupported on Mac and Linux.

Firefox for Mac and Linux has done malware detection on downloaded Windows executables since FF 39, but doesn't check the signatures of Windows executables against a whitelist in order to avoid remote lookups for known good publishers (which is done on the Windows platform, avoiding unnecessary lookups, which is better for privacy).

Mozilla should provide support for Windows executable signature (Authenticode) verification to Mac and Linux users.

Signature extraction is done here:
https://dxr.mozilla.org/mozilla-central/source/netwerk/base/BackgroundFileSaver.cpp?q=ExtractSignatureInfo&redirect_type=direct#808

ExtractSignatureInfo could be modified to support extraction on Mac and Linux ...

osslsigncode (https://sourceforge.net/projects/osslsigncode/) is a GPL3 tool which provides this functionality. However, it's not clear to me whether Mozilla could distribute this alongside e.g. Firefox due to the license. An alternative could be for ExtractSignatureInfo to use osslsigncode if it is installed on the system.

Another option is to implement support using a combination of pefile (MIT-licensed) and Disitool (https://blog.didierstevens.com/programs/disitool/), which has been committed to the public domain (https://blog.didierstevens.com/programs/disitool/#comment-89888).

Disitool extracts a PKCS7 signature in DER format.

There's more information about how the signature is extracted here:
https://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/
Priority: -- → P5
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INACTIVE → ---
Severity: normal → S3