Closed Bug 1545836 Opened 5 years ago Closed 4 years ago

Require COSE signatures for extensions

Categories

(Core :: Security: PSM, enhancement, P2)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: dveditz, Unassigned)

References

Details

(Whiteboard: [psm-blocked])

Currently the value of "security.signed_app_signatures.policy" is "2", which will verify COSE extensions if present but accepts weak SHA-1 file hashes for PKCS#7 signatures.

We've had a long transition period and would like to now require the use of COSE signatures by changing the value of that pref to "4".

We're still confirming (though sounds very close) - that this should not land until Firefox 70. Will update bug title to include that to avoid landing in an earlier version of Firefox.

Priority: -- → P2
Whiteboard: [psm-blocked]

(In reply to :shell escalante from comment #1)

We're still confirming (though sounds very close) - that this should not land until Firefox 70. Will update bug title to include that to avoid landing in an earlier version of Firefox.

I'm currently asking around to try and figure out where we are on this. Requiring COSE will not ship in 70. Good to get the validation out in 69 for testing.

This has been on hold for a while, so I'm going to wontfix this for now.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
No longer blocks: 1403838
See Also: → 1403838
You need to log in before you can comment on or make changes to this bug.