On 24/09/15 17:24, Kai Engert wrote:
> In past versions of Firefox, there was code that checked for a signature in
> the Add-On, and the user interface that asked for permission to install
> displayed information found in the signature (the name of the owner of the
> code signing certificate).

Yes; although this ability was used very rarely in public add-ons.

> I understand that Firefox nowadays requires Add-Ons to be signed by Mozilla.
> How does that work? Does Mozilla use a code-signing certificate?

Yes, but it has to be a specific one - we don't trust just any cert which chains up to a root with the code signing bit. So the addons system no longer (or very soon will no longer) uses the code signing bit in the NSS store.

Gerv

