provide signature verification for downloaded Windows executables on Mac and Linux

Status: REOPENED (P5, normal)
Assignee: Unassigned
Reporter: azzichau
Branch: 47 Branch
Opened 2 years ago, last updated 5 months ago
Firefox Tracking Flags: Not tracked

Description

2 years ago
Signature verification for downloaded Windows executables is currently unsupported on Mac and Linux.

Firefox for Mac and Linux does malware detection on downloaded Windows executables since FF 39, but doesn't check the signatures of Windows executables against a whitelist in order to avoid remote lookups for known good publishers (which is done on the Windows platform, avoiding unnecessary lookups, which is better for privacy).

Mozilla should provide support for Windows executable signature (Authenticode) verification to Mac and Linux users.

Signature extraction is done here:
https://dxr.mozilla.org/mozilla-central/source/netwerk/base/BackgroundFileSaver.cpp?q=ExtractSignatureInfo&redirect_type=direct#808

ExtractSignatureInfo could be modified to support extraction on Mac and Linux ...

osslsigncode (https://sourceforge.net/projects/osslsigncode/) is a GPL3 tool which provides this functionality. However, it's not clear to me whether Mozilla could distribute this alongside e.g. Firefox due to the license. An alternative could be for ExtractSignatureInfo to use osslsigncode if it is installed on the system.

Another option is to implement support using a combination of pefile (MIT-licensed) and Disitool (https://blog.didierstevens.com/programs/disitool/), which has been committed to the public domain (https://blog.didierstevens.com/programs/disitool/#comment-89888).

Disitool extracts a PKCS7 signature in DER format.

There's more information about how the signature is extracted here:
https://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/
Priority: -- → P5

Comment 1

5 months ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → INACTIVE
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INACTIVE → ---