Open
Bug 1283475
Opened 9 years ago
Updated 2 years ago
provide signature verification for downloaded Windows executables on Mac and Linux
Categories
(Toolkit :: Safe Browsing, defect, P5)
REOPENED
People
(Reporter: azzichau, Unassigned)
Signature verification for downloaded Windows executables is currently unsupported on Mac and Linux.
Firefox for Mac and Linux does malware detection on downloaded Windows executables since FF 39, but doesn't check the signatures of Windows executables against a whitelist in order to avoid remote lookups for known good publishers (which is done on the Windows platform, avoiding unnecessary lookups, which is better for privacy).
Mozilla should provide support for Windows executable signature (Authenticode) verification to Mac and Linux users.
Signature extraction is done here:
https://dxr.mozilla.org/mozilla-central/source/netwerk/base/BackgroundFileSaver.cpp?q=ExtractSignatureInfo&redirect_type=direct#808
ExtractSignatureInfo could be modified to support extraction on Mac and Linux ...
osslsigncode (https://sourceforge.net/projects/osslsigncode/) is a GPL3 tool which provides this functionality. However, it's not clear to me whether Mozilla could distribute this alongside e.g. Firefox due to the license. An alternative could be for ExtractSignatureInfo to use osslsigncode if it is installed on the system.
Another option is to implement support using a combination of pefile (MIT-licensed) and Disitool (https://blog.didierstevens.com/programs/disitool/), which has been committed to the public domain (https://blog.didierstevens.com/programs/disitool/#comment-89888).
Disitool extracts a PKCS7 signature in DER format.
There's more information about how the signature is extracted here:
https://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/
Updated•9 years ago
Priority: -- → P5
Comment 1•7 years ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INACTIVE
Updated•7 years ago
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INACTIVE → ---
Updated•2 years ago
Severity: normal → S3