Does everything need to be signed? Use a tool to much and you end up becoming it's slave.

For a long time a had problems with some websites not loading videos when opened in background because I had an addon which disabled the page visibility api. So I download the source of the addon ( straight from the addons store right click the install button and save as..) changed the manifest to exclude the said sites, zip it back and install it again?

Well your addon needs to be signed to be installed permanent even when you manualy install it. I understand that this is to keep tech-illiterate users safe from malicious addons. So is there a flag/about:config setting for advanced users to enable which skips the check? Nope, there was one but not anymore. So what options do I have? Either use beta version of Firefox as my main browser (no thanks). Or create an account as a developer, upload my addon and wait for Mozzila to check and sign my addon (that I created for myself).

One thing I appreciate about being at Mozilla is that there are quite a few old-timers around, and that so much work always happens in public. A lot of institutional knowledge gets preserved that way!

Once upon a time circa 1997 I made a javascript based windows shell for kiosk mode public terminal across 15 odd campus libraries. I had to buy a signing certificate from some CA to use the API that let me get rid of the netscape navigator chrome. All you could do on the computers was run netscape navigator, and but there was a menu that popped up on the left that had a menu of different library related web pages, and you could not tell that was really a browser window. I also had over 100 plugins we needed to install for all the licensed databases. The terminals ran Novell Netware on NT. I forget what software we used now, but they booted from a read only partition, and we created a new boot image when we shipped updates and someone would have to walk around with CDs and upgrade each workstation. The department that ran the public computer labs on campus had to sign off on the security before they would let me put them on the campus network.

I also had a shrinkwrapped netscape enterprise server with its server side javascript, and bought a shrinkwrapped sybase -- both at the same time I bought a Sun desktop computer. I bought all 3 at the campus bookstore and paid with a G/L code. I learned solaris, web stuff, javascript, and databases on that job. The novell netware was a directory server based on LDAP or x.509.

Interesting history. Signing software is neat, but I wish there were a single standard like HTTP. Instead, we have a fractal mess of GPG, Sigstore, Cosign, and package-specific solutions (npm, PyPI, Maven, etc.), all doing their own thing.

This makes me doubt how often these signatures are actually verified on client machines. For example, I've never done it manually because the process is so tedious. Some tools automatically check signatures, but even that is fragmented.

Does anyone have a windows code signing system they like? Something on GitHub actions ideally.

I’m distributing unsigned binaries not because I care about the $200 for a cert, but I don’t want to spend hours figuring out a signing flow.

Hey Ben!

(I made and used to maintain Autograph at Mozilla)

Code signing is a trip alright. I make a build tool called Conveyor that simplifies all this way down for developers [1] as part of making shipping desktop apps a single command, and damn has it been a lot of work.

First challenge: the tools provided by the OS developers only run on their OS and are of questionable quality, with bad error messages, poor documentation and unintuitive defaults. So I used a mix of open source and custom code to make signing work for every OS on any OS with good errors, docs and sample apps. The open source libs out there are slowly catching up with this, but they don't solve every part of the task and aren't integrated with everything else you need to ship apps (like laying out a working app tree, adding a software update engine etc). It's nice because it lets you ship from cheap Linux CI workers.

Second challenge: you get a proliferation of private keys. Keys to sign your Mac and Windows binaries, keys to sign your Mac update feeds, keys to sign apt repositories. So, Conveyor can derive them all from a single root key that you can back up on paper with a pen. Except for Windows where this worked up until Microsoft started requiring all keys to be held in an HSM.

Third challenge: said HSMs. They're a pain. As the Mozilla blog alludes, some tools like to require things to be done with a GUI. So, Conveyor can detect PKCS#11 drivers and drive the signing process itself using passphrases supplied via CI secrets or similar. It can also store the root key in the Mac keychain if you want to use that, which is a pretty nice way to keep it secure as macOS will ensure that only Conveyor can read it.

Fourth challenge: Windows CAs decided to squeeze extra revenue from devs by exploiting the new HSM requirement's incompatibility with cloud CI. They started offering "cloud HSMs" that can be used without any hardware, just a textual credential again (so removing much of the security an HSM is supposed to create!) and these are popular because everyone wants to ship from CI. Unfortunately these services all charge extremely high prices per signature once you go over a fairly small monthly allowance. If you want to ship builds on a daily basis, for instance, you can easily blow hundreds or even thousands of dollars on signatures alone. So Conveyor has a disk cache that stores signatures for binaries, and separates them from the underlying DLLs/EXEs so the cache doesn't fill up too fast even if you're shipping very large binaries, and a GitHub Action to integrate that cache with GitHub's own. All this saves a lot of signatures and therefore money.

Fifth challenge: Windows chooses to identify apps by the hash of their X.500 name as decided by their CA, but CAs constantly change their mind on how to format this name and change it for pointless reasons. Because the Windows ecosystem hates developers this can easily break app reputations/updates that are checking code signatures, and nobody at the CAs or Microsoft cares. So Conveyor has a whole system that recognizes when this has occurred and can drive an automatic reinstallation to repair things. The user doesn't notice except for a short delay on app startup (and seeing a progress bar).

Sixth challenge: platforms like the JVM that like to hide native code inside ZIP files, which may also contain native libs for the wrong CPU architecture or platform. Conveyor finds them, deletes the irrelevant binaries, signs the ones that remain and puts them back (or extracts them into the app directory and ensures they get found).

Seventh challenge: enterprises that have custom internal signing servers. So you can write a little script that submits binaries to the server and gets them back again. This works with all the above stuff too, when relevant.

Eighth challenge: MSIX. Microsoft's only non-deprecated packaging tech has a lot of benefits, and allows non-admin users to install packages, but the signature format is pure madness. By far the craziest scheme I ever saw. Reverse engineered and implemented.

Next challenge on the list: Azure Trusted Signing, Microsoft's new CA. It's marginally cheaper than the others, so some users want to use it, but it also doesn't provide a standard driver or use standard protocols. It'll require custom support.

Looking to the future, the path forward is to use kernel sandboxing tech to eliminate signing requirements for our users when possible. For apps that can fit inside the sandbox it should be possible for us to sign and distribute their apps for them, with full code signing only required if the app has special needs. That would give a much more web-like experience for non-web apps, where a developer can just create a scaffolded app with one command, ship it with a second and not think about any of the platform specific details or code signing at all. Unfortunately this is a way off yet.

[1] https://hydraulic.dev/

You're going to write a history of code signing at Mozilla and not even mention the time they fucked their users by negligently letting a certificate expire and forcibly disabling every extension on every Firefox instance worldwide?

Slightly off-topic but my god that font is hard to read.

Wow. No mention in this history/hagiography of the 2019 global add-on outage where (after banning unsigned add-ons even if you enabled them in about:config) they forgot to update their certs?

Some of the HN threads:

https://news.ycombinator.com/item?id=20421948

https://news.ycombinator.com/item?id=19871989

Edit: removed speculation if consequences of privacy loss, but come on … that’s still pretty serious.