
will a signed version of keysnail be made available before firefox pulls the plug #168

Closed
millwood opened this issue Jul 5, 2015 · 22 comments

Comments

@millwood

millwood commented Jul 5, 2015

Firefox plans to enforce their add-on verification through a signing mechanism with no way to bypass it. They say 42 will kill unsigned add-ons. https://wiki.mozilla.org/Addons/Extension_Signing. Will KeySnail put up with this nonsense and get signed?

@hosaka

hosaka commented Jul 9, 2015

Very good question, would be great to hear the developers' opinion.

@unmanbearpig

Add-on signatures are now required in Nightly by default. It's possible to disable it by setting xpinstall.signatures.required to false, but it would be great if this add-on was signed nonetheless.

@thapakazi

yep, let's get it signed... such awesome stuff.

@mooz
Owner

mooz commented Aug 12, 2015

KeySnail is now under the review for add-on signing. Please wait for further information.

@mooz
Owner

mooz commented Aug 19, 2015

Unfortunately, KeySnail was rejected for signing by the review. The reviewer complains about the use of eval, which can be dangerous. However, eval is essential for KeySnail to realize the plugin and init file features. Since high customizability through plugins is the identity of KeySnail, we don't want to remove those features.

We'll make our best effort to persuade the reviewer, but we're not sure whether our request will be accepted or not.

@hosaka

hosaka commented Aug 19, 2015

@mooz that is unfortunate, but security is impacted by flexibility, thank you for your efforts in negotiating with the reviewers

for the time being, the users can keep the xpinstall.signatures.required flag disabled until Firefox 42 comes around

@millwood
Author

Note that you set xpinstall.signatures.required to the string value false to turn off the check. By default it has a url.
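The comments above turn on whether a given XPI is "signed" at all and on the about:config pref that switches the check off. As an added example (not code from this thread or from KeySnail), the script below inspects an XPI the way a practitioner might before loosening xpinstall.signatures.required: it looks for the META-INF/manifest.mf, META-INF/mozilla.sf and META-INF/mozilla.rsa files that AMO signing adds, parses the JAR-style digest manifest, and recomputes every listed digest over the packaged files. The sample XPI is constructed in memory; the mozilla.sf and mozilla.rsa placeholders are not real signature data. It does not verify the PKCS#7 signature in mozilla.rsa against Mozilla's signing root (that is Firefox's job), so a passing result means "digest manifest is complete and consistent", not "signed by Mozilla".

```python
import base64
import hashlib
import io
import zipfile

# Files AMO signing adds to a signed XPI (assumption based on the JAR-signing layout Mozilla used).
SIGNATURE_FILES = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}


def parse_manifest(text):
    """Parse META-INF/manifest.mf into {file name: {hashlib algorithm name: base64 digest}}.

    Entries are blank-line separated blocks starting with 'Name:'. Long-line
    continuation (a leading space on the next line) is not handled here.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            current = None  # blank line ends the current entry
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            entries[current] = {}
        elif current is not None and key.endswith("-Digest"):
            # 'SHA256-Digest' -> 'sha256', which hashlib.new() understands
            entries[current][key[: -len("-Digest")].lower()] = value
    return entries


def check_xpi(data):
    """Return (has_signature_files, problems) for the XPI bytes.

    has_signature_files is False when the META-INF signing files are absent.
    problems lists files missing from the manifest or whose digest does not match.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        missing = SIGNATURE_FILES - names
        if missing:
            return False, ["missing signature files: " + ", ".join(sorted(missing))]
        manifest = parse_manifest(zf.read("META-INF/manifest.mf").decode("utf-8"))
        # Every file outside META-INF/ must be covered by the manifest.
        payload = [n for n in names if not n.startswith("META-INF/") and not n.endswith("/")]
        for name in sorted(payload):
            digests = manifest.get(name)
            if not digests:
                problems.append(f"{name}: not covered by manifest.mf")
                continue
            content = zf.read(name)
            for algo, expected in digests.items():
                actual = base64.b64encode(hashlib.new(algo, content).digest()).decode("ascii")
                if actual != expected:
                    problems.append(f"{name}: {algo.upper()} digest mismatch")
    return True, problems


def build_sample_xpi(signed=True, tamper=False):
    """Construct a small XPI in memory (constructed sample data, not a real add-on)."""
    files = {
        "install.rdf": b"<RDF><em:version>2.1.6</em:version></RDF>\n",
        "chrome.manifest": b"content keysnail chrome/content/\n",
    }
    manifest_lines = ["Manifest-Version: 1.0", ""]
    for name, content in files.items():
        digest = base64.b64encode(hashlib.sha256(content).digest()).decode("ascii")
        manifest_lines += [f"Name: {name}", "Digest-Algorithms: SHA256", f"SHA256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            if tamper and name == "install.rdf":
                content = content.replace(b"2.1.6", b"9.9.9")  # modified after "signing"
            zf.writestr(name, content)
        if signed:
            zf.writestr("META-INF/manifest.mf", "\n".join(manifest_lines))
            zf.writestr("META-INF/mozilla.sf", "Signature-Version: 1.0\n")  # placeholder only
            zf.writestr("META-INF/mozilla.rsa", b"")  # placeholder; real file is a PKCS#7 blob
    return buf.getvalue()


if __name__ == "__main__":
    for label, xpi in [("signed", build_sample_xpi()),
                       ("tampered", build_sample_xpi(tamper=True)),
                       ("unsigned", build_sample_xpi(signed=False))]:
        print(label, check_xpi(xpi))
```

Run it on a real XPI with `check_xpi(open("keysnail.xpi", "rb").read())`; an add-on that was never through AMO signing reports `(False, [...])`, while a signed one whose files were edited afterwards reports the mismatching file names.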

@deadcyclo

This really sucks. I simply cannot live without keysnail and my custom macros. So I guess when 42 comes around I'll have to ditch the firefox in my distro and go with the unbranded one.

I really really hope that this will not result in keysnail being abandoned or dev work slowing down since I can potentially see the user mass dropping when this is enforced.

I'm also 99.9% sure that keysnail will never pass. There simply is no way they will pass something that uses eval. Eval is and will always be a security risk. Especially for "dumb" users that need to be protected from themselves (which are the users Mozilla are targeting with this action), but it can also be very dangerous when combined with buffer overflow vulnerabilities.

@mooz I really hope this doesn't influence you to discontinue your great work on the most essential extension in existence which is basically omnipresent in my life ;)

Edit: Just realized that my post could be interpreted as being negative to the use of eval in keysnail. I'm not. It is essential. Keysnail without eval would be almost as worthless as no keysnail at all. Powerusers using eval and knowing the risks involved is a great thing, but it cannot realistically be allowed by the signing process.

@mooz
Owner

mooz commented Aug 21, 2015

Here's some good news. I found that vimperator, which also has eval and whose usage is exactly the same as keysnail's (actually keysnail borrowed it), has already been signed.

I've already provided this information to the reviewer. Now waiting for a response.

@hosaka

hosaka commented Aug 21, 2015

Perhaps it comes down to a reviewer and one may be more lenient than another.
@mooz it's a very good argument against their decision, I think we stand a good chance

@deadcyclo

That is really strange, and makes me wonder even more if they really have thought through what they are doing. But it's good news as well. Now at least you have leverage.

@mooz
Owner

mooz commented Aug 22, 2015

Finally KeySnail has been signed! Thank you for your concern.

https://github.com/mooz/keysnail/releases/tag/v2.1.6

@mooz mooz closed this as completed Aug 22, 2015
@myuhe

myuhe commented Aug 22, 2015

Congrats!! 👍

@deadcyclo

That is awesome news. Will each new release have to go through a manual process like this?

@mooz
Owner

mooz commented Aug 22, 2015

@deadcyclo Yes. It's somewhat tedious. Perhaps we can refer to the previous review, and it'll take less time.

@nekowasabi

Awesome!!

@thapakazi

hurray,
thanks @mooz for saving us 👍

@gardejo
Contributor

gardejo commented Aug 23, 2015

Wonderful. I'm glad you got signed!

@ghost

ghost commented Aug 26, 2015

Cool, will it actually appear in https://addons.mozilla.org/en-US/firefox/ someday or is there some further action needed?

@EvaparotangCote

@rgh36167

Cool, will it actually appear in https://addons.mozilla.org/en-US/firefox/ someday or is there some further action needed?

It seems to at one point have been listed. Quote by /u/mooz from forums.mozillazine.org:

Download from KeySnail AMO page.

But now the link returns "404 Not found". Also /u/mooz has a profile on AMO, but KeySnail is not listed among his add-ons.
Not sure why it's not listed. Off the top of my head the only other examples I can think of are dorando's keyconfig and HTTPS Everywhere. I don't currently remember dorando's reason for not listing on AMO, and HTTPS Everywhere has recently made the listing on AMO.

@mooz: Why isn't KeySnail listed on AMO?

@ghost

ghost commented Oct 12, 2015

I have submitted a few extensions myself - they do get listed unless you explicitly set the "Do not list my add-on on this site (beta)" checkbox in step 1 of submission.

Such submissions are immediately viewable (by direct link only) after submission even before they are reviewed.

So it is a mystery for me how this addon can be signed but not accessible from AMO.

Also - the link previously given (https://github.com/mooz/keysnail/releases/tag/v2.1.6) points to the source but no installable xpi?

@EvaparotangCote

@rgh36167:
Interesting, thanks for info.

As for:

Also - the link previously given (https://github.com/mooz/keysnail/releases/tag/v2.1.6) points to the source but no installable xpi?

No installable xpi still seems to be the case regarding: https://github.com/mooz/keysnail/releases/

Though going to: https://github.com/mooz/keysnail/wiki#installation
I tried saving and unpacking: https://github.com/mooz/keysnail/raw/master/keysnail.xpi
In install.rdf it says "2.1.7" as version - so there's that - hope that solves your issue, if you had any (finding proper installable xpi).


10 participants