How to sign plug-ins for Pale Moon

Add-ons for Pale Moon and other applications

jb_wisemo
Moonbather
Posts: 56
Joined: 2016-01-27, 02:09

How to sign plug-ins for Pale Moon

Unread post by jb_wisemo » 2018-09-21, 11:07

Now that Mozilla has shut down signing for plugins packaged in XPI (extension) files (that contain just the plugin and install.rdf), is there a recommended way to sign such XPI files for use with Pale Moon (or other browsers with ongoing support for real plugins)?

We could of course install with an unsigned XPI and let the user ignore the "author not verified", but maybe there is some variation of XPI signing which actually works with Pale Moon. Note that we already have real code signing certificates and sign the plugin DLL file, so a way to sign the XPI with a CA-issued cert would be the easiest solution.

vannilla
Moon Magic practitioner
Posts: 2183
Joined: 2018-05-05, 13:29

Re: How to sign plug-ins for Pale Moon

Unread post by vannilla » 2018-09-21, 11:16

If I'm not mistaken, there were a couple of articles about self-signing add-ons, but I can't find them right now.
Anyway, personally I think that signing the single files is a perfectly valid alternative, and ideally a user that gets the add-on from Pale Moon's official repository would trust it since it has been approved by the people in charge.
Yeah, there's a lot of implied trust, but it's not too different than CAs.

yami_

Re: How to sign plug-ins for Pale Moon

Unread post by yami_ » 2018-09-21, 11:47

Add-on signing is broken in Tycho and UXP: viewtopic.php?p=131558#p131558.

jb_wisemo
Moonbather
Posts: 56
Joined: 2016-01-27, 02:09

Re: How to sign plug-ins for Pale Moon

Unread post by jb_wisemo » 2018-09-21, 13:04

The plugin will be distributed directly from the site(s) that need it, as it is rather purpose specific (it is not a generic thing like Java or Flash). So there is little point in putting it on the add-ons site.

I saw that old discussion from February but couldn't tell if it was outdated and things had changed in the past 7 months.

yami_

Re: How to sign plug-ins for Pale Moon

Unread post by yami_ » 2018-09-21, 14:35

Currently it seems that both Pale Moon and Basilisk will simply ignore the signature.

New Tobin Paradigm

Re: How to sign plug-ins for Pale Moon

Unread post by New Tobin Paradigm » 2018-09-21, 14:45

Pale Moon should respect signatures if they exist and reject them if not valid, assuming that was true in Tycho, since the entirety of the Tycho Add-ons Manager was ported to UXP. Basilisk however may just ignore them because it uses the WebExtensions-enabled Add-ons Manager that came with the codebase when it was forked away from ESR52.

An easy enough test is to grab a signed extension from AMO, then modify some files in it and see if it installs or is rejected. However, as stated, it may be busted. Not like it matters, neither application requires signed extensions nor will they.
Last edited by New Tobin Paradigm on 2018-09-21, 14:46, edited 1 time in total.

jb_wisemo
Moonbather
Posts: 56
Joined: 2016-01-27, 02:09

Re: How to sign plug-ins for Pale Moon

Unread post by jb_wisemo » 2018-09-21, 15:35

One point of signatures is to convince the user the plugin is from a known source (company name and address) and mostly harmless (which it is).

Another point is to simply detect corrupted downloads (signature hashes don't match file contents, as an additional check beyond the ZIP CRCs).

Those are separate goals from walled garden blocking of unsigned plugins.

yami_

Re: How to sign plug-ins for Pale Moon

Unread post by yami_ » 2018-09-21, 17:10

This is what happened when I tried to install a modified Mozilla-signed overlay extension in Basilisk UXP, Firefox 52, and Pale Moon 26/27/28:
Pale Moon 26:

    Signature Verification Error: the signature on this .jar archive is invalid because the digital signature (*.RSA) file is not a valid signature of the signature instruction file (*.SF).

Pale Moon 27:

    Signature Verification Error: the signature on this .jar archive is invalid because the certificate used to sign this file has an unrecognized issuer.

Pale Moon 28:

    Signature Verification Error: the signature on this .jar archive is invalid because the certificate used to sign this file has an unrecognized issuer.

Basilisk UXP: Nothing about add-on signing will show up in Error Console

Firefox 52:

    1537544760672	addons.xpi	WARN	Add-on test-2.0@disconnect.me is not correctly signed.

and

    1537544760674	addons.xpi	WARN	Invalid XPI: signature verification failed

Looks like it is busted in Pale Moon...

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: How to sign plug-ins for Pale Moon

Unread post by Moonchild » 2018-09-21, 17:36

jb_wisemo wrote:
> One point of signatures is to convince the user the plugin is from a known source (company name and address) and mostly harmless (which it is).

99.9% of extensions are not distributed by companies, and when they are, they tend to be distributed in their own installer along with the companion product they are for.

To get organization signing in a signed XPI (which uses JAR-style signing), you would also need an (expensive) EV code signing certificate.

jb_wisemo wrote:
> Another point is to simply detect corrupted downloads (signature hashes don't match file contents, as an additional check beyond the ZIP CRCs).

ZIP archive checksums are enough. If any corruption occurs there it will fail extraction and the extension won't be installed. The only added "integrity" check with JAR-style signing beyond that is if an extension has deliberately been tampered with.

jb_wisemo wrote:
> Those are separate goals from walled garden blocking of unsigned plugins.

Not really. The 1st one simply doesn't apply, also because signing has been broken by Mozilla (see below). And the 2nd one is very much in the realm of protecting extensions from "unauthorized modifications" (so only if redistribution happens with a signature attached but the files were altered...). Since author-signing isn't enforced, this is moot because the signature meta data can simply be removed and it will install as unsigned.

yami_ wrote:
> Looks like it is busted in Pale Moon...

It is, and it has been. It is also busted in Firefox. Why? Because Mozilla busted it on purpose! I've had a rather extensive discussion with Mozilla about this and they basically redefined what "extension signing" meant in terms of treating the manifest differently and tying it to a Mozilla CA cert instead of independent certification per-extension. All this to enforce their "the publisher signs the extension, not the author" angle.

We need to simply remove JAR signature checking altogether because it has been broken for years. After that, if needed, we can look into creating a different way of doing authentication of extensions.
Last edited by Moonchild on 2018-09-21, 17:39, edited 1 time in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
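As an added example (my own illustration, not code from this thread, Pale Moon, UXP or Mozilla), the following Python script shows the one integrity check that JAR-style signing adds over ZIP CRCs, the distinction drawn in the post above: META-INF/MANIFEST.MF carries a digest for every archived file, so a file edited after the manifest was written is caught even though every ZIP CRC is still valid, while a corrupted download fails at the CRC stage before any digest is compared. The archive paths and contents are constructed placeholders. The script deliberately stops at the manifest layer; the *.SF and *.RSA files are what bind those digests to a certificate, and without checking them against a trusted issuer, whoever edits a file can just regenerate the manifest or drop META-INF entirely, which is the "remove the signature meta data and it installs as unsigned" situation described above.

```python
"""Check MANIFEST.MF digests inside a JAR-style signed XPI (added example).

Illustration written for this thread, not code from Pale Moon, UXP or Mozilla.
It builds a small constructed XPI in memory, writes a META-INF/MANIFEST.MF with
SHA256-Digest entries in the JAR manifest layout, then checks every archived
file against its listed digest. Only the manifest layer is covered: the *.SF
and *.RSA files that tie the manifest to a certificate are not verified here.
"""
import base64
import hashlib
import io
import zipfile


def _digest(data):
    """Base64 SHA-256, the encoding JAR manifests use for digest values."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(files):
    """Produce a MANIFEST.MF body: a main section, then one section per file."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(files):
        lines += [f"Name: {name}", f"SHA256-Digest: {_digest(files[name])}", ""]
    return "\r\n".join(lines) + "\r\n"


def parse_manifest(text):
    """Parse manifest sections into {entry name: {header: value}}.

    Sections are separated by blank lines; a line starting with one space
    continues the previous header's value (JAR manifests wrap long lines).
    The main section, which has no Name header, is skipped.
    """
    sections, current, last_key = {}, {}, None
    for line in text.splitlines():
        if line == "":
            if "Name" in current:
                sections[current["Name"]] = current
            current, last_key = {}, None
        elif line.startswith(" ") and last_key is not None:
            current[last_key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
            last_key = key
    if "Name" in current:
        sections[current["Name"]] = current
    return sections


def verify_xpi(xpi_bytes):
    """Return (ok, problems) for an XPI given as bytes.

    Problems are short strings: CRC failures (plain ZIP corruption), digest
    mismatches (content changed after the manifest was written), files absent
    from the manifest, and manifest entries absent from the archive.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return False, ["no META-INF/MANIFEST.MF: archive carries no JAR signature"]
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directory entries carry no digest
            try:
                data = zf.read(name)
            except zipfile.BadZipFile as exc:  # zipfile raises this on a CRC-32 mismatch
                problems.append(f"{name}: corrupted entry ({exc})")
                continue
            entry = manifest.get(name)
            if entry is None:
                problems.append(f"{name}: present in archive but not in manifest")
            elif entry.get("SHA256-Digest") != _digest(data):
                problems.append(f"{name}: SHA256-Digest mismatch")
        for name in manifest:
            if name not in names:
                problems.append(f"{name}: listed in manifest but missing")
    return (not problems), problems


def make_xpi(files, manifest_text=None):
    """Pack the given files plus a manifest into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", manifest_text or build_manifest(files))
    return buf.getvalue()


# Constructed sample content: placeholder paths and bytes, not a real plugin.
SAMPLE_FILES = {
    "install.rdf": b"<RDF><Description em:id='example@example.invalid'/></RDF>",
    "plugins/npexample.dll": b"MZ" + bytes(range(64)),
}


def demo():
    """Verify an intact XPI, then one whose DLL was edited after the manifest was written."""
    intact = make_xpi(SAMPLE_FILES)
    edited = dict(SAMPLE_FILES)
    edited["plugins/npexample.dll"] = b"MZ" + bytes(64)
    # Reuse the original manifest so only the file content differs.
    tampered = make_xpi(edited, manifest_text=build_manifest(SAMPLE_FILES))
    return verify_xpi(intact), verify_xpi(tampered)


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered"), demo()):
        print(label, result)
```

Run stand-alone it reports the intact archive as clean and the edited one with a single digest mismatch on the DLL; the same check against a real signed XPI will also flag anything a redistributor added or removed, because both unlisted files and missing manifest entries are reported.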

jb_wisemo
Moonbather
Posts: 56
Joined: 2016-01-27, 02:09

Re: How to sign plug-ins for Pale Moon

Unread post by jb_wisemo » 2018-09-24, 21:00

Note that while enforcing signing by some official entity is very much the walled garden, telling the user about broken signatures is all about protecting the user.

The key difference is who makes the decision to accept a plugin or not: A dictator (like Mozilla) or the user.

A user is also free to accept something weaker than EV, such as the traditional cheap code signing certificates from StartCom (RIP) or even self-signed extensions.

yami_

Re: How to sign plug-ins for Pale Moon

Unread post by yami_ » 2018-09-24, 21:37

Off-topic:

jb_wisemo wrote:
> telling the user about broken signatures is all about protecting the user

You know that right now this would mean showing a "broken signature" warning on every signed add-on installation?
