Bug 1988841

Summary: Allow unsigned extensions when installed under non-user-writable dirs, via --with-unsigned-addon-scopes=apps,system build flag
Product: [Fedora] Fedora Reporter: fednuc <fedora2021q2>
Component: firefoxAssignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 34CC: erack, gecko-bugs-nobody, jhorak, kai-engert-fedora, klaas, pjasicek, rhughes, rstrode, sandmann, stransky, xq7wcfbv
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firefox-90.0.2-2.fc34 firefox-91.0.1-2.fc33 firefox-105.0.2-1.fc38 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-07 01:09:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description fednuc 2021-08-01 15:30:20 UTC 
Description of problem:

Per https://bugzilla.redhat.com/show_bug.cgi?id=1983505, as of Firefox 90, Mozilla has broken the ability for users to be in control their browser on Linux unless Mozilla gives permission, namely the ability to install unsigned extensions.

Given this, can you please add the following build flag to Fedora's build flags, and rebuild:

  --with-unsigned-addon-scopes=apps,system

This will allow the installation of extensions that have been placed in non-user-writable dirs (under /usr/lib*/firefox), and so is not a security risk unless an attacker already has root privileges, in which case it is game over anyway.

References:

  https://bugs.gentoo.org/show_bug.cgi?id=802285
  https://bugs.archlinux.org/task/63075


Version-Release number of selected component (if applicable):

90


Steps to Reproduce:

1. Set xpinstall.signatures.required=false in about:config
2. Via about:addons, try to install an unsigned addon from a file.

Actual results:

Firefox refuses to install it as it has "not been verified".


Expected results:

Firefox installs the addon.
Comment 1 Martin Stransky 2021-08-04 06:45:30 UTC 
*** Bug 1983505 has been marked as a duplicate of this bug. ***
Comment 2 Martin Stransky 2021-08-04 06:46:39 UTC 
Added to firefox-90.0.2-2.*
Comment 3 fednuc 2021-08-04 07:16:33 UTC 
Thank you Martin, you are a gentleman and a scholar!

Unfortunately, I made a mistake in the scopes, and presumably that's why the build with the option above failed - it should have been app, singular, not apps:

  --with-unsigned-addon-scopes=app,system
Comment 4 Martin Stransky 2021-08-04 07:56:10 UTC 
Updated, Thanks.
Comment 5 Fedora Update System 2021-08-05 09:28:32 UTC 
FEDORA-2021-db36d5f8a6 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-db36d5f8a6
Comment 6 Fedora Update System 2021-08-05 09:28:33 UTC 
FEDORA-2021-7ceff45f20 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7ceff45f20
Comment 7 fednuc 2021-08-06 11:54:32 UTC 
I've tested the updated package and can confirm system-dir. unsigned extensions now work, thanks Martin!

For any others reading, unsigned extensions can now be installed as follows:

* Create a /usr/lib64/firefox/browser/extensions dir.
* Rename the extension to <extension-id>.xpi and place in the above dir. (extension ID is per manifest.json).
* Restart Firefox.
* Manually enable the extension from about:addons.
Comment 8 Fedora Update System 2021-08-07 01:09:50 UTC 
FEDORA-2021-7ceff45f20 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2021-08-07 01:35:11 UTC 
FEDORA-2021-db36d5f8a6 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-db36d5f8a6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-db36d5f8a6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2021-08-15 01:16:49 UTC 
FEDORA-2021-0446705d87 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-0446705d87`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0446705d87

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Fedora Update System 2021-08-25 20:50:38 UTC 
FEDORA-2021-ca8368f328 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ca8368f328`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ca8368f328

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 12 Fedora Update System 2021-08-29 18:49:41 UTC 
FEDORA-2021-ca8368f328 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 13 Fedora Update System 2022-10-05 12:46:27 UTC 
FEDORA-2022-f0988ea008 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f0988ea008
Comment 14 Fedora Update System 2022-10-05 12:57:18 UTC 
FEDORA-2022-f0988ea008 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.