Signature warnings on extensions

Board for discussions around the Basilisk web browser.

Moderator: Basilisk-Dev

ianas

Signature warnings on extensions

Unread post by ianas » 2018-01-04, 23:13

I think I'm having a similar issue with one difference instead of warning that the addon might be unsafe I get a not signed warning
Image
it is a bit annoying afaik the mega addon is signed as I got it from mega
http://mega.nz/meganz-legacy.xpi
I get the same warning for ublock-origin from github ublock origin updater and Greasemonkey for Pale Moon
this is relativly new as I don't remember these warnings a few days ago when I updated Basilisk and did an update check for my addons
disabling then re-enabling the affected addons does not help I didn't try removing the blocklist xml file
I'm on Windows 7 x64 Basilisk 2017.12.28 x64

User avatar
ron_1
Moon Magic practitioner
Moon Magic practitioner
Posts: 2852
Joined: 2012-06-28, 01:20

Re: More about blocklist setting in Basilisk

Unread post by ron_1 » 2018-01-05, 16:31

I just installed version 2018.01.05. It was a complete install from scratch, I deleted everything (what I could find) concerning Basilisk from my previous install. But I am still experiencing this extension problem in Basilisk Linux. I thought this was fixed in the new version? Or did I misunderstand? In the meantime, I once again disabled the blocklist.

Also, I'm getting the same problem ianas is. I'm getting the warning for uBlock Origin; I'm pretty sure I didn't get it with the previous version of Basilisk.
Last edited by ron_1 on 2018-01-05, 16:37, edited 1 time in total.

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2986
Joined: 2015-09-26, 04:51
Location: U.S.

Re: More about blocklist setting in Basilisk

Unread post by coffeebreak » 2018-01-05, 18:29

ianas wrote:I think I'm having a similar issue with one difference instead of warning that the addon might be unsafe I get a not signed warning
helloimustbegoing wrote:Also, I'm getting the same problem ianas is. I'm getting the warning for uBlock Origin; I'm pretty sure I didn't get it with the previous version of Basilisk.

I get this now too, warnings specifically for unsigned add-ons - First time I saw them was yesterday Jan. 04 (using Basilisk-20171228).
Deleted the blocklist to no effect.
Edit: Tried downgrading to Basilisk-20171201: The warnings remained. End of Edit.
Updated today to Basilisk-20180105, set up new, fresh profile: The warnings remain.

The warnings I see are exclusively related to signing.

EDIT:(If add-on has META-INF + was never edited by me = no warning;
/But if add-on is not signed/no META-INF = warning;
/And if add-on was signed/has META-INF but was edited = warning.) /END OF EDIT

Disabling/enabling affected add-ons had no effect.
Seems unrelated to the blocklist: Disabling it had no effect at all, nor did deleting it and (eventually) having a fresh copy downloaded.
(Basilisk-20171228, 20180105. Win 7 x86)
Basilisk-20171228
Bsk-20171228-addon-signing-warnings.png

Basilisk-20180105
Bsk-20180105-addon-signing-warnings.png
Last edited by coffeebreak on 2018-01-05, 20:34, edited 3 times in total.

New Tobin Paradigm

Re: More about blocklist setting in Basilisk

Unread post by New Tobin Paradigm » 2018-01-05, 18:34

Alright.. So is it disabling add-ons? Or just bitching it couldn't verify the signature?

Sigh.. Perhaps we should just rip out signing entirely..
Last edited by New Tobin Paradigm on 2018-01-05, 18:34, edited 1 time in total.

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2986
Joined: 2015-09-26, 04:51
Location: U.S.

Re: More about blocklist setting in Basilisk

Unread post by coffeebreak » 2018-01-05, 18:37

New Tobin Paradigm wrote:So is it disabling add-ons? Or just bitching it couldn't verify the signature?

Just bitching.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: More about blocklist setting in Basilisk

Unread post by Moonchild » 2018-01-05, 18:57

I'm sorry but if you edited a signed add-on, it is correct that it bitches if files have been changed.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

New Tobin Paradigm

Re: More about blocklist setting in Basilisk

Unread post by New Tobin Paradigm » 2018-01-05, 19:00

Oh, edited add-ons? Strange.. It should be rejecting those on install like Pale Moon does unless you blow away meta-inf.. Unless, JustOff's "Installer/Updater" on-the-fly editing is bypassing OTHER security checks.. Still, this has nothing to do with blocklist..

Perhaps, this should be split off..
Last edited by New Tobin Paradigm on 2018-01-05, 19:04, edited 3 times in total.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Signature warnings on extensions

Unread post by Moonchild » 2018-01-05, 19:02

Split off to keep things focused.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: More about blocklist setting in Basilisk

Unread post by Moonchild » 2018-01-05, 19:03

New Tobin Paradigm wrote:Oh, edited add-ons? Strange.. It should be rejecting those on install like Pale Moon does unless you blow away meta-inf.. Unless, JustOff's "Installer/Updater" is bypassing OTHER security checks.. Still, this has nothing to do with blocklist..

Perhaps, this should be split off..
I think Mozilla half broke signing and it will allow anything with a mismatch when "signing required" is switched off, even for invalid signatures.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

New Tobin Paradigm

Re: Signature warnings on extensions

Unread post by New Tobin Paradigm » 2018-01-05, 19:06

If true, should we fix it or rip it out or something else?

I would lean more toward fixing it.

EDIT: Verified that signature checking when not enforced just allows install.

God I hate this "succeed at any cost" attitude..
Last edited by New Tobin Paradigm on 2018-01-05, 19:09, edited 1 time in total.

ianas

Re: More about blocklist setting in Basilisk

Unread post by ianas » 2018-01-05, 20:56

Moonchild wrote:I'm sorry but if you edited a signed add-on, it is correct that it bitches if files have been changed.
I did edit Mozila Archive format so it works with Basilisk and I changed Nuke Anything enhanced uuid so it doesn't update to the webext version
but I didn't touch the MEGA, ublock origin or Greasemonkey for Pale Moon maybe they weren't signed but I thought Basilisk doesn't check for signature?

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2986
Joined: 2015-09-26, 04:51
Location: U.S.

Re: Signature warnings on extensions

Unread post by coffeebreak » 2018-01-05, 21:20

Moonchild wrote:I'm sorry but if you edited a signed add-on, it is correct that it bitches if files have been changed.
New Tobin Paradigm wrote:Oh, edited add-ons? Strange.. It should be rejecting those on install like Pale Moon does unless you blow away meta-inf..
ianas wrote:...but I didn't touch the MEGA, ublock origin or Greasemonkey for Pale Moon maybe they weren't signed but I thought Basilisk doesn't check for signature?

Same here as @ianas.
Most of my add-ons that got warnings, got them simply for being unsigned - they were not edited:
1. Unsigned add-ons got warnings;
2. Signed-but-edited add-ons got warnings;
3. Signed (and untouched) add-ons did not get warnings.
(Have edited my earlier post to make this more clear.)
And just for info, I had deleted META-INF from the extension that was edited.

I too was under the impression that Basilisk did not check for signatures.

User avatar
ron_1
Moon Magic practitioner
Moon Magic practitioner
Posts: 2852
Joined: 2012-06-28, 01:20

Re: Signature warnings on extensions

Unread post by ron_1 » 2018-01-05, 22:01

I didn't edit any extensions either.

New Tobin Paradigm

Re: Signature warnings on extensions

Unread post by New Tobin Paradigm » 2018-01-05, 22:24

coffeebreak wrote: Same here as @ianas.
Most of my add-ons that got warnings, got them simply for being unsigned - they were not edited:
1. Unsigned add-ons got warnings;
2. Signed-but-edited add-ons got warnings;
3. Signed (and untouched) add-ons did not get warnings.
(Have edited my earlier post to make this more clear.)
And just for info, I had deleted META-INF from the extension that was edited.

I too was under the impression that Basilisk did not check for signatures.
Constructive.. Thank you very much!

Yeah, it WILL check for signatures and like Pale Moon it SHOULD verify signatures if existent.. But obviously, Mozilla had different plans.. Assuming if not strictly enforcing signatures that signatures don't matter and of course warning people using scary language.. Totally consistent with Mozilla Political decisions driving development.. Everything is either strict or work at all costs.. Disgusting!

Obviously, the best solution is to reinstate and fix the behavior to match what we have now on Pale Moon. No signature should install (if not strictly enforcing -- which we don't enable) and Signature should be checked for validity and integrity if it exists. If it is not valid it should be rejected and installation blocked and if somehow slid in by some means should be disabled.
Last edited by New Tobin Paradigm on 2018-01-05, 22:40, edited 2 times in total.

ianas

Re: Signature warnings on extensions

Unread post by ianas » 2018-01-06, 01:42

New Tobin Paradigm wrote:
coffeebreak wrote: Same here as @ianas.
Most of my add-ons that got warnings, got them simply for being unsigned - they were not edited:
1. Unsigned add-ons got warnings;
2. Signed-but-edited add-ons got warnings;
3. Signed (and untouched) add-ons did not get warnings.
(Have edited my earlier post to make this more clear.)
And just for info, I had deleted META-INF from the extension that was edited.

I too was under the impression that Basilisk did not check for signatures.
Constructive.. Thank you very much!

Yeah, it WILL check for signatures and like Pale Moon it SHOULD verify signatures if existent.. But obviously, Mozilla had different plans.. Assuming if not strictly enforcing signatures that signatures don't matter and of course warning people using scary language.. Totally consistent with Mozilla Political decisions driving development.. Everything is either strict or work at all costs.. Disgusting!

Obviously, the best solution is to reinstate and fix the behavior to match what we have now on Pale Moon. No signature should install (if not strictly enforcing -- which we don't enable) and Signature should be checked for validity and integrity if it exists. If it is not valid it should be rejected and installation blocked and if somehow slid in by some means should be disabled.
I hope you don't do this as in that case I wouldn't be able to install edited addons like Mozilla Archive Format or I won't be able to tweak the install.rdf of some addons that went the webext route and I'd have to constantly reinstall old versions (Nuke Anything Enhanced, Popup Alt Attribute etc.) if you want to do signature verification then keep it as is just give a warning that a signature is invalid and let the users use their tweaked addons
As a user I'd suggest a new preference which could be turned off in about:config so people who know that they're using tweaked addons could disable this warning

New Tobin Paradigm

Re: Signature warnings on extensions

Unread post by New Tobin Paradigm » 2018-01-06, 06:13

So because you do not completely read what is written and do not understand what you are doing.. You want to have a knee-jerk reaction and be against fixing an issue and keep what is considered busted behavior as-is and put people's security at risk?

Okay.

The secret to YOUR issue is obvious. Reread my last post and try again. If you still can't work it out.. Ask someone or leave things beyond your understanding well enough alone.

The way it worked before (from Firefox's perspective) and how it works now (from Pale Moon's perspective) is the best compromise between an open system of choice and security and trust for users, add-on developers, and project developers.

Again, do not look upon this as a burdon but an opportunity to learn not only a bit about some technological bits and bobs but the concepts about why things are how they are.

Also remember Basilisk is perpetually in-development software and those bits like the add-ons manager which includes the xpiprovider and xpinstall components are cross-application features of the platform and the behavior of them inheirited from post-insanity Mozilla have not been fully fixed for undesirable funtioning and THAT is part of the reason why Basilisk is a rolling release browser. To not only show the platform off with an already existant application native to it but also FOR THE MOMENT highlight issues on a broad scale ahead of Pale Moon and other potential applications looking to build on and contribute to the development of the Unified XUL Platform at large.
Last edited by New Tobin Paradigm on 2018-01-06, 06:48, edited 6 times in total.

ianas

Re: Signature warnings on extensions

Unread post by ianas » 2018-01-06, 06:53

New Tobin Paradigm wrote:So because you do not completely read what is written and do not understand what you are doing.. You want to have a knee-jerk reaction and be against fixing an issue and keep what is considered busted behavior as-is and put people's security at risk?

Okay.

The secret to YOUR issue is obvious. Reread my last post and try again. If you still can't work it out.. Ask someone or leave things beyond your understanding well enough alone.

The way it worked before (from Firefox's perspective) and how it works now (from Pale Moon's perspective) is the best compromise between an open system of choice and security and trust for users, add-on developers, and project developers.

Again, do not look upon this asa burdon but an opportunity to learn not only a bit about some technological bits and bobs but the concepts about why things are how they are.
I really don't think this is my issue but an issue
I don't use PM a lot and when I did try it out I was able to install the Mega-legacy addon (which it seams is unsigned) this sentence got me confused
Obviously, the best solution is to reinstate and fix the behavior to match what we have now on Pale Moon. No signature should install (if not strictly enforcing -- which we don't enable) and Signature should be checked for validity and integrity if it exists. If it is not valid it should be rejected and installation blocked and if somehow slid in by some means should be disabled.
I never liked the idea of Mozilla picking what I could or could not install on my browser and Basilisk doing the same is just as bad, I can understand the need to secure tech unsavy users but if you're going to go that road at least make it configurable (disable it) from about:config if not then this was the wrong browser for me as a lot of addons I use need to be locked to their xpcom version as Basilisk webext support is limited

New Tobin Paradigm

Re: Signature warnings on extensions

Unread post by New Tobin Paradigm » 2018-01-06, 07:09

Signature verification of add-ons that choose to be signed should be respected by the platform. But obviously as a policy of Pale Moon and Basilisk we do not want to enforce strict signing requirements and lock people into a walled garden.

Will you please think about that and reflect on it.

Keywords: add-ons that choose to be signed

Your issue is that rouge edited add-ons that ARE SIGNED would be rejected as they used to be on Firefox and are on Pale Moon.

Unsigned add-ons install regardless because we do not want to enforce a strict signing requirement.

So, try, what is the answer?
Last edited by New Tobin Paradigm on 2018-01-06, 07:20, edited 2 times in total.

ianas

Re: Signature warnings on extensions

Unread post by ianas » 2018-01-06, 07:29

I kind of get it ...
but if an attacker is good enough to maliciously edit a signed addon he (she) would be good enough to remove said key I'm really not sure how addons are signed but as they're a collection of javascripts in a zip an attacker could just as easy create a new unsigned xpi that being said if you're allowing unsigned addons modified tweaked addons should also be allowed, if you want to go the mozilla way you'd need your own garden wall and your own key policy the idea of blocking tweaked signed addons but not blocking unknown unsigned addons is simply bonkers

New Tobin Paradigm

Re: Signature warnings on extensions

Unread post by New Tobin Paradigm » 2018-01-06, 07:47

No.. It is called compromise. Compromise with a precident.

Good job though on working it out. I am legit proud of you for sticking with it.

Yes. Invalid add-ons with signatures are/should be rejected. Unsigned add-ons are allowed. But these really are two seperate issues.

Signed Add-ons vs Unsigned Add-ons.

We allow unsigned add-ons because it is an open system. This is a design and development decision of the projects.

Signed add-ons in and of them selves merely add trust and integrity that the add-on package is intact as the add-on developer intends. That is a design and development descision of the add-on developer that MUST BE RESPECTED and enforced regardless of the status of unsigned add-ons. Otherwise trust is lost.

Yes with removed signatures it will become unsigned.. So there is also a component of resposiblity on part of the user for the freedom they enjoy. They must be mindful of what they install.

While we don't want to use or create a browser that does the thinking for us we do want to ensure that trust is maintained if trust is indicated.

Think of it like this.. Unsigned Add-on is to http:// as Signed add-on is to https://

Some actors out there want to enforce https everywhere and start out by using scary language for not using https. (like the scary warning on Basilisk right now) but obviously can't outright block http yet. However, that is an agenda being pushed to do exactly that (like strict add-on signing already was/is in Firefox). But that has little to do with authinticating and enforcing trust with https. If you see where this is going.

AT MOST perhaps we should indicate if an extension is signed RATHER than if it is unsigned as we do with http and https because both are fine. THOUGH like https those signed extensions with invalid signatures still have to be rejected like the error page if https can't be validated.

Any less makes trust non-existant and any more starts infringing on an open and freedom based system AND has consiquences to trust as now coming to light with automated systems that take the work out of establishing trust without much if any oversight which is actually WORSE than having no trust at all by creating false trust.
Last edited by New Tobin Paradigm on 2018-01-06, 08:36, edited 9 times in total.

Locked