If an add-on's COSE signature is valid, don't check a SHA1 PKCS#7 signature
Categories: Toolkit :: Add-ons Manager, task
People: Reporter: dveditz, Unassigned
References: Blocks 1 open bug
Currently PSM's add-on signature verification code requires there to be a PKCS#7 signature that validates, and that the COSE signature is valid if present (the security.signed_app_signatures.policy setting). The add-on manager itself now enforces that add-ons have a valid COSE signature if they were installed in Firefox 127 or later, but the SHA signature is still being verified. More recently signed add-ons are using a SHA-256 PKCS#7 signature, but older ones use a SHA1 PKCS#7 signature. If corporate policy disables the use of SHA1 then this all breaks (see bug 1682613).
We either need a new mode for security.signed_app_signatures.policy (require COSE, ignore PKCS#7), or we need to change the API between the add-on manager and PSM so that the decision to accept the add-on anyway if the COSE signature is good but a SHA1-PKCS#7 signature fails is moved into the add-on manager and out of PSM.
I assume the add-on manager will want to continue supporting Enterprise Policy that allows specific internal SHA1-only add-ons for Enterprises who don't have such a "disable SHA1 everywhere" policy.
Comment 1•6 months ago
Is this a duplicate of bug 1792954 or one of the related bugs?
Comment 2•6 months ago
Dan, can we close this as a duplicate of bug 1792954 or one of the related bugs (e.g. bug 1772152)?
Comment 3•6 months ago (Reporter)
Thanks. This is most closely a duplicate of bug 1772152 because it will require code changes in security/apps/AppSignatureVerification.cpp.