Closed Bug 1692492 Opened 5 years ago Closed 5 years ago

Feature request: Provide procedure of accepting self-signed extensions

Categories

(WebExtensions :: General, enhancement)

Product:
WebExtensions
Component:
General
Version:
78 Branch
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: libreme, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

I have an extension that uses 'unsafe-eval' in order to use vuejs on the options page. It was rejected due to that. The suggestion was to introduce webpack to pre-render all components, which adds a lot of complexity to the project.

So, I tried to self-sign the extension and install the certificate in firefox.

Related topic on discourse.mozilla.org

Actual results:

The installation of the self-signed extension failed. Disabling the whitelist (xpinstall.whitelist.add=false) didn't help.

Only xpinstall.signatures.required=false, but I don't want to ask users to enable the installation of unsigned extensions.

Expected results:

The installation of the self-signed extension with the installed cert should've worked.

Or a method should exist to allow users to decide which extensions publishers they trust in order to install their extensions. Maybe even decide to trust specific extensions by certain publishers instead of all extensions by a publisher.

With such a method in place, it would be possible to have alternative extension source. Additionally Firefox would be be less iPhone-like where only the Apple Store is OK and any other source is considered "untrustworthy".

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → General
Product: Core → WebExtensions

So, the error I was receiving when trying to install a signed extension was

1613152249546	addons.xpi-utils	WARN	Add-on addon@test.test is not correctly signed. 2
1613152249546	addons.xpi	WARN	Invalid XPI: signature verification failed

Guided by that, it seems like the signature verification of the extension has a hard coded root certificate. If I understand correctly, it makes it impossible for custom distribution of self-signed addons even if the root certificate is installed.

Imo, this leads to the situation we are in now: if you want to use something none AMO, you have to open yourself up to installation of addons from any source otherwise you're stuck with AMO --> AMO lock-in.

It'd be great if we could remedy this.

The difficulty of installing unsigned or self-signed add-ons is a security feature.
It is not possible to import a random certificate in Firefox to "unlock" the ability to install arbitrary add-ons; if it were to exist, then the feature would be abused by third parties to install malicious add-ons.

unsafe-eval is not allowed for add-ons hosted on AMO, but you can still get is signed and self-host the add-on (including just installing the add-on in Firefox by opening the signed XPI file in Firefox). See https://extensionworkshop.com/documentation/publish/self-distribution/

FYI: bug 1685123 introduces support for sandboxed extension pages, which could make it more viable to safely using eval-based JS frameworks.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.