NoScript Not A Signed Add On (Yet)?

[thebeesknees]

Hi,

My first post here. I had a general peruse, but could not see if this question was asked already.

With the introduction of FF 41 in November Mozilla will only except verified/signed add ons. So far NS, amongst quite a lot of other extensions, are not signed yet.

So when is this going to happen?. We obviously want to keep using NS after the introduction of FF41.

Thanks.

[therube]

> NoScript Not A Signed Add On (Yet)?

Where?

AMO is signed.

Here is not.

[thebeesknees]

Hi,

I'm sorry Mr Ambassador but I do not understand your answer

Just to illustrate what I mean can be seen in the part screen shot of my FF add-ons.

http:// imgmega.com/hjikaf3u282z/Signed_and_Unsigned_add_ons.JPG.html

Thanks.

[DJ-Leith]

All my Release Candidate (RC) versions of NoScript (on many Profiles)
that were installed from addons.mozilla.org (AMO) have been signed
by Mozilla since Mon Jul 27, 2015. That is, from NoScript 2.6.9.32rc4 onwards.

How do I know?

I have Classic Theme Restorer (CRT) on all of the Profiles.
There is an option to show the 'full version' in about:addons
and in Fx 40 + you can easily see which Extensions, and which versions, are signed (and which are not).
Until 2015-07-27 I don't recall seeing a signed NoScript (but there may have been some).

References:

https://wiki.mozilla.org/Addons/Extension_Signing

https://wiki.mozilla.org/AMO/SigningService


In the thread,
[RESOLVED] New Development Build Version 2.6.9.32rc3?
viewtopic.php?f=7&t=21079

I said, in order to help the OP Gari - and all readers,

I think it's legit (there is indeed a 2.6.9.32rc3 on AMO) - looks like Giorgio just hasn't
uploaded it to secure.informaction.com yet...

I thought so too.
There is now a 2.6.9.32rc4 on AMO. This is 'signed by Mozilla' (some previous rc builds were not).
The feed is now also updated (https://noscript.net/feed?c=200&t=a). All good.

------
I speculate, from observation of Giorgio's hard work over many years,
that he may have had to change is work flow to accommodate Mozilla's signing of Extensions.

Old work flow:

A. Work on next RC (to reflect new vulnerabilities, changes in Mozilla code base, RFEs etc).

B. Make XPI.

C. Update Getit
C1. Point https://noscript.net/getit#devel to the new XPI.
C2. Update the text (to show the new features / changes).

D. Update the Feed.
https://noscript.net/feed?c=200&t=a
Here you can see the 200 most recent builds (out of nearly 900!).

E. Update the changelog https://noscript.net/changelog

F. Submit the XPI to AMO for review.

RCs will be available from AMO quickly. Full versions may take longer to review and
become Public.

If you 'update from AMO' then you will not 'see updates' or get automatically updated
until 'AMO is ready'. I generally have all my Profiles (more then 30 have NoScript)
point to AMO (I support several users).

I have, over the years, seen some discussion here at the Forum of new versions that were not at AMO. When that happened, I have then 'collected them via the feed' direct from secure.informaction.com

I have seen the occasional typo or 'delay in updating' in C and D.
These have all been sorted quickly - once people have reported them.

I've also seen issues at AMO - which took MUCH longer to solve!


New work flow:

A. Work on next RC (to reflect new vulnerabilities, changes in Mozilla code base, RFEs etc).

B. Make XPI.

So far - same as before

F. Submit the XPI to AMO for review and signing.

Once it has been signed, collect the signed XPI from AMO
(or wait for it to come back from AMO)
to host it at secure.informaction.com

C. Update Getit
C1. Point https://noscript.net/getit#devel to the new signed XPI.
C2. Update the text (to show the new features / changes).

D. Update the Feed.
https://noscript.net/feed?c=200&t=a

E. Update the changelog https://noscript.net/changelog

I repeat, both work flows are 'my speculation' - I don't know.
However, if I'm close, this may account for some recent reports:

[Resolved] NoScript 2.6.9.33rc1 pointing to wrong file
viewtopic.php?f=10&t=21087
and
[RESOLVED] New Development Build Version 2.6.9.32rc3?
viewtopic.php?f=7&t=21079
already cited in this post.

So, I advocate waiting for the process to complete before 'reporting too soon'.

If you have an 'unsigned NoScript', where did you get it?
From AMO?
From the feed?
From Getit?

If readers have an 'unsigned NoScript', I think that would be good to report
(version and 'where you got it from').

DJ-Leith

[DJ-Leith]

http:// imgmega.com/hjikaf3u282z/Signed_and_Unsigned_add_ons.JPG.html

You can't tell from this screenshot if the Extensions are signed.
When Mozilla did a 'bulk signing of all Extensions at AMO' they got a new name
that ends "-signed", like the "BetterPrivacy 1.68.1-signed" in the screenshot.

If there have been 'new versions submitted to AMO', since then, they get a
new version number (which does not include the "-signed").

So, how to tell if your Extensions are signed?

In Fx 40 + you will get a warning (in about:addons).

Here is an example:
https://bug1149702.bmoattachments.org/a ... id=8600642
From Bug 8600642 Display a note about add-ons that aren't properly signed in the add-ons manager

I'll try and find out how to do this in Fx 39 without CTR.

DJ-Leith

[DJ-Leith]

My Nightly 42.0a1 (2015-08-05)

In about:config
xpinstall.signatures.required needs to be false
This is still the default for Nightly (means Warn).
Correction: on checking again it is also "true" like Aurora (see next).

In my many Aurora (Developer Edition) Fx 41.0a2 (2015-08-05) Profiles
xpinstall.signatures.required was 'switched by Mozalla' to a new default of "true"
this means Disable - and RequestPolicy Continued 1.0.beta10 was disabled!

Setting it back to false (as explained in bug 1149702)
allows 'unsigned Extensions to run with Warnings'.

I half expected this change and it means that when Fx 41 becomes Beta
(where there will be no xpinstall.signatures.required setting on Release or Beta)
that the 'unsigned Extensions' will not work.

Since I noticed the above,
I have seen
http://www.ghacks.net/2015/08/04/fix-fo ... d-nightly/
which explains better than I can, and it includes pictures.

DJ-Leith

Edited to add that Nightly also flipped the setting (bug 1167652).

[barbaz]

Short expounding on therube's answer:

* If you want Mozilla-signed NoScript, you need to get it from https://addons.mozilla.org/addon/noscript/ (or https://addons.mozilla.org/addon/noscript/versions/ for other than latest stable release)

* If having NoScript signed does not matter to you, you can also download NoScript from https://noscript.net/getit or https://noscript.net/feed?t=a

[therube]

> You can't tell from this screenshot if the Extensions are signed.

That.
And why it that? Ask Mozilla why that is?
In any case, it won't matter - if you get the extension from AMO.

> So, how to tell if your Extensions are signed?

Doesn't matter - if you get the extension from AMO.


And what barbaz said.

[DJ-Leith]

While I was doing the tests (below) we got an excellent answer from barbaz.

Short expounding on therube's answer:

* If you want Mozilla-signed NoScript, you need to get it from https://addons.mozilla.org/addon/noscript/ (or https://addons.mozilla.org/addon/noscript/versions/ for other than latest stable release)

* If having NoScript signed does not matter to you, you can also download NoScript from https://noscript.net/getit or https://noscript.net/feed?t=a

Here are the test results that confirm this.

I'll try and find out how to do this in Fx 39 without CTR.

I haven't found a way (of seeing if Extensions are signed using Fx 39).
I think in Fx 40 + it will be easier to test.

However, it is easy for me to test today (just takes some time) - so here are some results.
Posting for future reference.

Summary
AMO all versions from 2015-05-29 onwards, that are Stable Release - that I installed, are signed.
AMO rc version since Version 2.6.9.32rc4 - that I installed, are signed.
From secure.informaction.com, via the feed, are not signed.

Method:

Browser: Firefox Developer Edition - Fx 41.0a2 (2015-08-05)

New Profile,
use about:config to set xpinstall.signatures.required to false
add CTR [Classic Theme Restorer 1.3.7beta1] (so that I can see full version in about:addons) and
RPC [RequestPoliciy Continued 1.0.beta10 (so that I have an unsigned Extension - to prove that
I can detect unsigned Extensions).

First,
check NoScript at AMO - (later I'll test using the feed)
https://addons.mozilla.org/en-US/firefo ... /versions/

I want to prove / test:
A. are the main releases signed?
B. are the rc versions signed?

I am going to 'go from older to newer' versions
(like a real updating) starting with an old version.


Note that AMO has
> Version 2.6.9.25.1-signed
> Released May 23, 2015 546.6 kB
> Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

There are a few other even older versions, on page 2, that also have ".1-signed" at the end.
Some old versions (April 2015) have a 'not available for 41.0' grey warning

Start with
> Version 2.6.9.26
> Released May 29, 2015 548.9 kB
> Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

This was the oldest one that would install.

Result: it is signed - Good (expected).

I have updated all of the main versions from Version 2.6.9.26 thru to Version 2.6.9.34
i.e. Version 2.6.9.27, Version 2.6.9.28, Version 2.6.9.29, Version 2.6.9.30,
Version 2.6.9.31, Version 2.6.9.32, Version 2.6.9.33 and Version 2.6.9.34.

All 9 versions of Stable Release are signed.

Second,
try RC from AMO. I removed NoScript.

Start with
> Version 2.6.9.32rc1
> Released July 22, 2015 548.2 kB
> Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

Had a warning that it was NOT signed. Text is

"Caution: This site would like to install an unverified add-on
in Firefox Developer Edition. Proceed at your own risk."

After I installed it, I saw in about:addons that it was not signed
(expected because of the Warning).

I skipped on to
> Version 2.6.9.32rc4
> Released July 26, 2015 548.9 kB
> Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

Version 2.6.9.32rc4 installed without a Warning and is signed - GOOD.
Expected, because - as I have already reported above - I noticed that this version
was signed when I installed it on many Profiles on 2015-07-27.

> Version 2.6.9.33rc1
> Released July 27, 2015 548.9 kB
> Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

Version 2.6.9.33rc1 installed without a Warning and is signed - GOOD.

Version 2.6.9.33rc2, Version 2.6.9.34rc1 and Version 2.6.9.34rc2.

So, it looks as if all rc versions from
> Version 2.6.9.32rc4
> Released July 26, 2015 548.9 kB
are signed at AMO.

Third,
now look at versions from the feed, starting with some of the ones that are signed at AMO.

Remove NoScript and then use
the All Builds Feed: https://noscript.net/feed?c=200&t=a

Try 'the oldest one at AMO' that I documented above (when it came from AMO it was signed):
> NoScript 2.6.9.26
> 29 May 2015 11:56
This one is NOT signed (expected if my speculation about the change in work flow, above,
is approximately correct).

Try
> NoScript 2.6.9.31
> 15 July 2015 21:52
This one is NOT signed - expected.

Try
> NoScript 2.6.9.32
> 27 July 2015 06:10
This one is NOT signed - expected.

Try
> NoScript 2.6.9.34
> 02 August 2015 21:07
This one is NOT signed - expected.

Recall that therube said "Here is not."
and barbaz's clear points quoted at the top of this post.

DJ-Leith

[therube]

You don't have to actually install to see if an extension is signed.

You do have to download.

Once downloaded, simply open the XPI & see if it has a META-INF subdirectory.
If it does, it's signed.
And I'd expect anything that comes from AMO to be that way.

And (for the most part) anything that does not come from AMO, i.e. directly from the extension author (NoScript & FlashGot included) will not be signed (with exception). (And that may change, for some, as extension authors figure out what they may need local & what they can just say, "go to AMO".)

The fact that you can't tell one way or the other, particularly easily, shouldn't really matter as the whole matter should be transparent to the user (assuming you're downloading from AMO).

Now you could also install & check & run a Nightly & toggle & check & ... if you're so inclined, but in the end it doesn't matter - because AMO signs, & if you get from AMO, it is signed & will install.

And NoScript, from AMO, is signed, has been signed for some time now, & will install.

[DJ-Leith]

You don't have to actually install to see if an extension is signed.

You do have to download.

Once downloaded, simply open the XPI & see if it has a META-INF subdirectory.
If it does, it's signed.

Thanks, good to know.

And I'd expect anything that comes from AMO to be that way.

I was NOT confident of what was on AMO given that I had only seen rc versions, at AMO,
being signed since 2015-07-27.

It did not take too long to do the tests and my tests also test
* that you can install
* what you see when there is an unsigned version

Had a warning that it was NOT signed. Text is

"Caution: This site would like to install an unverified add-on
in Firefox Developer Edition. Proceed at your own risk."

* which versions, in particular which rc versions, are signed.

The fact that you can't tell one way or the other, particularly easily, shouldn't really matter as the whole matter should be transparent to the user (assuming you're downloading from AMO).

I agree. The thebeesknees' screenshot was a good example of how difficult it is to tell in Fx 39.
I also think it will be easier to 'see' in Fx 40 +.

DJ-Leith

[thebeesknees]

Thank you Mr DJ for that extensive song . I have to admit that most of it goes above my head as in that respect I am just an average Joe user of FF 39.

Only at the very end you say that it is difficult to see in FF 39 (as per my screenshot).

So more importantly does the word "signed" in the title of the add-on means that AMO has actually signed the add-on or not?????

Please keep it simple so that everyone understands this. Me no

Thanks a lot.

PS I had read the GHacks article.....but once again I only (as most of us) use FF 39!. So all that info does me no good

[barbaz]

So more importantly does the word "signed" in the title of the add-on means that AMO has actually signed the add-on or not?????

Please keep it simple so that everyone understands this. Me no

The simple answer to the question as you wrote it is "for addons on AMO, yes".

However, just because -signed is not on the end of the addon version, does *not* mean that the addon is *unsigned*; see my post above (which seems to have gotten a bit lost ). All AMO-hosted versions of an addon succeeding versions that have the -signed suffix, are also signed.

[thebeesknees]

Thank you barbar for the simple answer.

Basically a yes/no sitution currently. But fortunately next week with FF 40 launch it will be much clearer to see if a add-on is signed for us average Joe users.

Have a great day

[barbaz]

You're welcome