Closed Bug 892288 Opened 9 years ago Closed 8 years ago
Remove ability to trust user-added certificates for code signing
I just found out that Android implemented the ability to install certificates, for example by clicking this link: http://www.cacert.org/certs/root.der. The dialog box offers the user to trust the certificate for code signing.

With the MOZ_B2G_CERTDATA hack, we aren't supposed to ever trust any certificate for code signing except the Mozilla Marketplace root certificate.

So, we need to change that dialog box so that it doesn't offer the ability to import certs for code signing. And, we need to somehow deal with existing user-added code signing certificates so that we don't trust them for code signing. And, we should probably prevent extensions from adding new code signing certificates.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
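An added example, not part of the bug report or of Mozilla's code: one way to audit an NSS certificate database for the condition described above, by parsing `certutil -L` output and flagging any certificate outside an allow-list that holds trust in the third (JAR/XPI, i.e. code signing) field. The sample listing, the nicknames and the allow-list are constructed assumptions; treating `C`, `T` and `P` as the trust-granting flags is this example's choice.

```python
import re

# Constructed sample of `certutil -L -d <profile>` output (not taken from the bug).
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Marketplace Root (placeholder)                               ,,C
CAcert Root (user-added)                                     C,C,C
Example Intranet CA                                          CT,,
Example Signing Peer                                         ,,P
"""

# Hypothetical allow-list: the only nicknames permitted to keep code-signing trust.
ALLOWED = {"Marketplace Root (placeholder)"}

# Flags treated here as granting trust: C (trusted CA), T (trusted CA for
# client auth), P (trusted peer). c, p, u and w do not make a trust anchor.
TRUSTING = set("CTP")

# A certificate row is "<nickname><2+ spaces><ssl>,<email>,<objsign>".
ROW = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse(listing):
    """Yield (nickname, [ssl, email, objsign]) for each certificate row."""
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # header lines contain no valid trust triple and are skipped
            yield m.group("nick"), m.group("trust").split(",")


def audit(listing, allowed=ALLOWED):
    """Map each offending nickname to its trust string with code-signing trust removed."""
    findings = {}
    for nick, (ssl, email, objsign) in parse(listing):
        if nick not in allowed and TRUSTING & set(objsign):
            kept = "".join(f for f in objsign if f not in TRUSTING)
            findings[nick] = ",".join((ssl, email, kept))
    return findings


if __name__ == "__main__":
    for nick, fixed in audit(SAMPLE).items():
        # certutil -M modifies trust attributes; <profile> is a placeholder.
        print(f'certutil -M -d <profile> -n "{nick}" -t "{fixed}"')
```

The SSL and S/MIME fields are left untouched, so only the code-signing trust is withdrawn.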