600034 - Ensure that only add-ons approved by Mozilla Labs are auto-installed

Status: RESOLVED FIXED

(Mozilla Labs :: Labs Pack, defect)

Description

[Ed Lee :Mardak]

Currently the add-on will follow the manifest install rules to find url/xpis to install.

Comment 1

[Ed Lee :Mardak]

Various notes: before doing addon.install():

addon.addListener({
  onDownloadEnded: function() {
    let cert = addon.certificate;
    if (cert == null) FAIL; // only allow with cert
    if (cert.sha1Fingerprint != "labs pubkey") FAIL; // make sure it's labs
    // maybe additionally check cert.md5Fingerprint ?
  }
});

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIX509Cert.idl

FAIL = addon.cancel(); return false;

Note bote cancel and false until bug 599509 is fixed.

Comment 2

[Ed Lee :Mardak]

Add-on manager will do the cert check to make sure the signatures match up. We're just adding extra logic to make sure the signing was verified by our pubkey.

Comment 3

[Ed Lee :Mardak]

Instead of signing add-ons, we can sign/verify the manifest that contains hashes of the add-ons being installed. This makes sure Labs Pack only processes instructions coming from Labs and only installs add-ons that matches what was expected.

Comment 4

[Ed Lee :Mardak]

warner pointed out a neat optimization that the manifest shouldn't need to be fetched if the signature is the same.

Comment 5

[Ed Lee :Mardak]

http://hg.mozilla.org/labs/sigma/rev/5fdf58f823bd
Fetch a .sig signature file and use the embedded pubkey to verify that the manifest is from Mozilla. Cache the successful signature to avoid refetching unmodified manifests.