jb_wisemo wrote:One point of signatures is to convince the user the plugin is from a known source (company name and address) and mostly harmless (which it is).
99.9% of extensions are not distributed by companies, and when they are, they tend to be distributed in their own installer along with the companion product they are for.
To get organization signing in a signed XPI (which uses JAR-style signing), you would also need an (expensive) EV code signing certificate.
Another point is to simply detect corrupted downloads (signature hashes don't match file contents, as an additional check beyond the ZIP CRCs).
ZIP archive checksums are enough. If any corruption occurs there it will fail extraction and the extension won't be installed. The only added "integrity" check with JAR-style signing beyond that is if an extension has deliberately been tampered with.
Those are separate goals from walled garden blocking of unsigned plugins.
Not really. The 1st one simply doesn't apply, also because signing has been broken by Mozilla (see below). And the 2nd one is very much in the realm of protecting extensions from "unauthorized modifications" (so only if redistribution happens with a signature attached but the files were altered...). Since author-signing isn't enforced, this is moot because the signature meta data can simply be removed and it will install as unsigned.
yami_ wrote:Looks like it is busted in Pale Moon...
It is, and it has been. It is also busted in Firefox. Why? Because Mozilla busted it on purpose! I've had a rather extensive discussion with mozilla about this and they basically redefined what "extension signing" meant in terms of treating the manifest differently and tying it to a Mozilla CA cert instead of independent certification per-extension. All this to enforce their "the publisher signs the extension, not the author" angle.
We need to simply remove JAR signature checking altogether because it has been broken for years. After that, if needed, we can look into creating a different way of doing authentication of extensions.