
2

bea wrote

If you're concerned about this addon's security:

The only thing it's doing is adding a bundled base64 encoded certificate and forcing a re-verification:

async doTheThing() {
  // first inject the new cert
  try {
    let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    certDB.addCertFromBase64(intermediate, ",,");
    console.log("new intermediate certificate added");
  } catch (e) {
    console.error("failed to add new intermediate certificate:", e);
  }

  // Second, force a re-verify of signatures
  try {
    XPIDatabase.verifySignatures();
    console.log("signatures re-verified");
  } catch (e) {
    console.error("failed to re-verify signatures:", e);
  }
}

and the addon itself was signed by Mozilla and is distributed by them in their studies program, which is avoided by installing it manually (so I wouldn't doubt its legitimacy)
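Added example, not part of the comment above or of the add-on's own code: a small Node.js check that finds `addCertFromBase64` calls in add-on source and decodes the trust argument, to confirm that a value like `",,"` grants no trust of its own. It assumes the argument uses NSS's three-field trust string (SSL, S/MIME, object signing) with the flag letters used by `certutil -t`; `parseTrust`, `auditSource` and `SAMPLE` are hypothetical names, and the second sample line is constructed for contrast.

```javascript
// Audit add-on source for addCertFromBase64 calls and decode the trust string.
// Assumption: trust string is NSS's "SSL,S/MIME,object-signing" notation.
const FIELDS = ["ssl", "email", "objsign"];
const FLAG_NAMES = {
  p: "valid peer", P: "trusted peer", c: "valid CA",
  C: "trusted CA (server certs)", T: "trusted CA (client certs)",
  u: "user cert", w: "send warning",
};
// Flags that make the certificate trusted by itself.
const GRANTS_TRUST = new Set(["P", "C", "T"]);

function parseTrust(trust) {
  const parts = trust.split(",");
  if (parts.length !== 3) throw new Error(`expected 3 trust fields, got ${parts.length}`);
  const result = { grantsTrust: false, fields: {} };
  parts.forEach((part, i) => {
    const flags = [...part.trim()];
    for (const f of flags) {
      if (!(f in FLAG_NAMES)) throw new Error(`unknown trust flag "${f}"`);
      if (GRANTS_TRUST.has(f)) result.grantsTrust = true;
    }
    result.fields[FIELDS[i]] = flags.map((f) => FLAG_NAMES[f]);
  });
  return result;
}

function auditSource(source) {
  // Matches addCertFromBase64(<first arg>, "<trust>"); the first argument must
  // not contain a comma (true for an identifier or a base64 string literal).
  const call = /addCertFromBase64\s*\(\s*[^,]+,\s*(["'])(.*?)\1/g;
  const findings = [];
  for (const m of source.matchAll(call)) {
    findings.push({ trust: m[2], ...parseTrust(m[2]) });
  }
  return findings;
}

// Constructed sample: the call quoted in the comment, plus a made-up call
// that would mark the certificate as a trusted CA.
const SAMPLE = `
  certDB.addCertFromBase64(intermediate, ",,");
  certDB.addCertFromBase64(otherCert, "CT,,");
`;
for (const f of auditSource(SAMPLE)) {
  console.log(JSON.stringify(f.trust), f.grantsTrust ? "GRANTS TRUST" : "no trust granted");
}
```

With empty trust fields the added certificate is only usable if it chains to a root the browser already trusts.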