bea OP wrote
if you're concerned about this addon's security:
The only thing it's doing is adding a bundled base64 encoded certificate and forcing a re-verification:
    async doTheThing() {
      // first inject the new cert
      try {
        let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
        let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
        certDB.addCertFromBase64(intermediate, ",,");
        console.log("new intermediate certificate added");
      } catch (e) {
        console.error("failed to add new intermediate certificate:", e);
      }
      // Second, force a re-verify of signatures
      try {
        XPIDatabase.verifySignatures();
        console.log("signatures re-verified");
      } catch (e) {
        console.error("failed to re-verify signatures:", e);
      }
    }
and the addon itself was signed by Mozilla and is distributed by them in their studies program, which is avoided by installing it manually (so I wouldn't doubt its legitimacy)