by josteink 2604 days ago
> Presumably because how would it differentiate between a legit "already installed" extension with a signature that cannot be verified, and an extension installed by malware that also cannot be verified?

This is why a signature can also be accompanied by a trusted time stamp which can confirm that the signature was made while the certificate was valid.

This is the common way to sign all Windows software to avoid this exact kind of problem.

Yes, that implies this is a known and solved problem. It’s embarrassing for Mozilla to not have prepared for this.
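The acceptance rule described in the comment above, as an added example that is not part of the original comment and is not Mozilla's or Windows' code: a signature whose certificate has since expired is still accepted if a trusted timestamp over that exact signature falls inside the certificate's validity window. `Cert`, `TimestampToken` and `check_signing_time` are hypothetical names, the token is a simplified stand-in for an RFC 3161 token, and cryptographic verification of the signature and of the token's own chain is assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after

@dataclass
class TimestampToken:
    """Simplified stand-in for an RFC 3161 token (hypothetical structure)."""
    message_imprint: bytes   # SHA-256 of the signature bytes the TSA saw
    gen_time: datetime       # time asserted by the timestamp authority
    tsa_trusted: bool        # assumed result of validating the token's own chain

def check_signing_time(signature: bytes, signer: Cert, now: datetime,
                       token: Optional[TimestampToken] = None) -> str:
    """Time-validity decision only; the signature itself is assumed already verified."""
    if signer.valid_at(now):
        return "accept: certificate valid now"
    if token is None:
        return "reject: certificate not valid now and no timestamp"
    if not token.tsa_trusted:
        return "reject: timestamp not from a trusted authority"
    # The token must cover this exact signature, or it could be transplanted.
    if token.message_imprint != hashlib.sha256(signature).digest():
        return "reject: timestamp covers a different signature"
    if not signer.valid_at(token.gen_time):
        return "reject: signed outside certificate validity"
    return "accept: timestamped while certificate was valid"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: a certificate that expired before "now".
CERT = Cert(utc(2017, 1, 1), utc(2019, 1, 1))
SIG = b"constructed-signature-bytes"
NOW = utc(2019, 6, 1)
GOOD = TimestampToken(hashlib.sha256(SIG).digest(), utc(2018, 6, 1), True)
LATE = TimestampToken(hashlib.sha256(SIG).digest(), utc(2019, 3, 1), True)

if __name__ == "__main__":
    for tok in (None, GOOD, LATE):
        print(check_signing_time(SIG, CERT, NOW, tok))
```

The `LATE` case is the one the quoted question worries about: a signature produced after expiry cannot obtain a timestamp inside the validity window, so it is rejected even though it carries a trusted token.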