Feature #96
Facilitate checking that extension contents haven't been replaced by Mozilla during signing
80%
Description
I see no reason we should blindly trust another party here, be it Mozilla or someone else. Right now it seems Mozilla reconstructs manifest.json (i.e. strips comments, reindents) and leaves other files unchanged while also adding some of its own
Files
History
Updated by jahoti almost 2 years ago
- % Done changed from 0 to 80
- File credenza.sh credenza.sh added
Definitely not!
The attached script should be able to confirm whether the workings of the extension have been modified. Usage: credenza.sh /path/to/unpacked/extension /path/to/signed/extension.
Applied to the extension you just uploaded, it reveals no differences from the current koszko branch except the fact that the copyright information for upload_to_amo.sh did not make it into the signed extension (I would guess that was just not committed at the time).
Updated by koszko almost 2 years ago
jahoti wrote:
The attached script should be able to confirm whether the workings of the extension have been modified. Usage:
credenza.sh /path/to/unpacked/extension /path/to/signed/extension.
Thanks a lot! How do you come up with such cool names like credanza or mozoid? :o
Btw, I think I know how to avoid the dependency on python:
unzip -p ./haketilo-0.1.xpi manifest.json | grep -vE '[[:space:]]*//' | sed 's/[[:space:]]*\(.\|"\([^\\"]\|\\u[a-fA-F0-9]{4}\|\\.\)*"\)/\1/g' | tr -d '\n' | sha256sum
The grep, sed and tr commands remove comments and whitespace (but not that in strings)
Updated by jahoti almost 2 years ago
- File credenza.sh credenza.sh added
Btw, I think I know how to avoid the dependency on python:
Ah, thank you! I've updated the script to reflect that (and a couple of other minor changes).
Thanks a lot! How do you come up with such cool names like credanza or mozoid? :o
Not very often, unfortunately! In this case I had luckily just read about how a "credenza" was historically a piece of furniture for holding food/drink that was to be tested for poison, which seemed like a very good analogy for what the /tmp/credenza folder does :|.