Feature #96

Facilitate checking that extension contents haven't been replaced by Mozilla during signing

Added by koszko about 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Start date: 10/01/2021
Due date:
% Done: 80%
Estimated time:

Description

I see no reason we should blindly trust another party here, be it Mozilla or someone else. Right now it seems Mozilla reconstructs manifest.json (i.e. strips comments, reindents) and leaves other files unchanged while also adding some of its own


Files

credenza.sh (2 KB) credenza.sh jahoti, 10/02/2021 03:52 AM
credenza.sh (2.04 KB) credenza.sh jahoti, 10/04/2021 05:57 AM

History

#1

Updated by jahoti about 2 months ago

Definitely not!

The attached script should be able to confirm whether the workings of the extension have been modified. Usage: credenza.sh /path/to/unpacked/extension /path/to/signed/extension.

Applied to the extension you just uploaded, it reveals no differences from the current koszko branch except the fact that the copyright information for upload_to_amo.sh did not make it into the signed extension (I would guess that was just not committed at the time).

#2

Updated by koszko about 2 months ago

jahoti wrote:

The attached script should be able to confirm whether the workings of the extension have been modified. Usage: credenza.sh /path/to/unpacked/extension /path/to/signed/extension.

Thanks a lot! How do you come up with such cool names like credenza or mozoid? :o

Btw, I think I know how to avoid the dependency on python:

unzip -p ./haketilo-0.1.xpi manifest.json | grep -vE '^[[:space:]]*//' | sed 's/[[:space:]]*\(.\|"\([^\\"]\|\\u[a-fA-F0-9]\{4\}\|\\.\)*"\)/\1/g' | tr -d '\n' | sha256sum

The grep, sed and tr commands remove comments and whitespace (but not that in strings)

#3

Updated by jahoti about 2 months ago

Btw, I think I know how to avoid the dependency on python:

Ah, thank you! I've updated the script to reflect that (and a couple of other minor changes).

Thanks a lot! How do you come up with such cool names like credenza or mozoid? :o

Not very often, unfortunately! In this case I had luckily just read about how a "credenza" was historically a piece of furniture for holding food/drink that was to be tested for poison, which seemed like a very good analogy for what the /tmp/credenza folder does :|.
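The check this thread is about, written out as an added example: it is neither the attached credenza.sh nor koszko's one-liner, though the manifest normalisation reuses the same grep/sed/tr idea. It assumes the signed .xpi has already been extracted into a directory (e.g. with unzip -d) and that META-INF/, where the signature files go, is the only thing the signer adds.

```shell
#!/bin/sh
# Added example (not the attached credenza.sh): check that a signed copy of
# the extension still has the same contents as the unpacked source tree.
# The signed .xpi is assumed to be already extracted into a directory, and
# META-INF/ is assumed to be the only directory the signer adds.
# Assumes POSIX sh plus grep, sed, tr, find, sort and sha256sum.

# Print manifest.json with whole-line // comments and whitespace outside
# strings removed, so a re-serialised manifest compares equal to the source.
normalize_manifest() {
    grep -vE '^[[:space:]]*//' "$1" \
    | sed 's/[[:space:]]*$//' \
    | sed 's/[[:space:]]*\(.\|"\([^\\"]\|\\u[a-fA-F0-9]\{4\}\|\\.\)*"\)/\1/g' \
    | tr -d '\n'
}

# Print one line per file that was ADDED, is MISSING or has CHANGED between
# the source tree ($1) and the extracted signed copy ($2); silent when equal.
compare_extension() {
    src=$1; signed=$2
    { (cd "$src" && find . -type f); (cd "$signed" && find . -type f); } \
    | sort -u | while IFS= read -r f; do
        case "$f" in
            ./META-INF/*) continue ;;   # signature files, expected to appear
        esac
        if [ ! -f "$src/$f" ]; then echo "ADDED    $f"; continue; fi
        if [ ! -f "$signed/$f" ]; then echo "MISSING  $f"; continue; fi
        if [ "$f" = ./manifest.json ]; then
            # manifest.json is rewritten during signing: compare normalised forms
            a=$(normalize_manifest "$src/$f" | sha256sum)
            b=$(normalize_manifest "$signed/$f" | sha256sum)
        else
            # every other file must be byte-for-byte identical
            a=$(sha256sum < "$src/$f")
            b=$(sha256sum < "$signed/$f")
        fi
        [ "$a" = "$b" ] || echo "CHANGED  $f"
    done
}

# Usage: compare_extension /path/to/unpacked/extension /path/to/extracted/signed/copy
```

An empty result means the signed copy differs from the source only in the comments and whitespace of manifest.json and in the added META-INF/ directory.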
