Commit 415f520f authored by anonym's avatar anonym

Tor Browser: add signing exceptions for Tails' extensions.

... by patching the hack applied by the Tor Browser developers.

Will-fix: #11419
parent e6c9aaef
...@@ -114,6 +114,81 @@ EOF ...@@ -114,6 +114,81 @@ EOF
rm -r "${tmp}" rm -r "${tmp}"
} }
# TBB workes around the lack of code signing for its extensions by
# hacking in exceptions. We do the same!
apply_extension_code_signing_hacks () {
local destination tmp
destination="${1}"
tmp="$(mktemp -d)"
(
cd "${tmp}"
7z x -tzip "${TBB_INSTALL}/omni.ja" \
modules/addons/XPIProvider.jsm \
chrome/toolkit/content/mozapps/extensions/extensions.js
patch -p1 <<EOF
diff -Naur a/chrome/toolkit/content/mozapps/extensions/extensions.js b/chrome/toolkit/content/mozapps/extensions/extensions.js
--- a/chrome/toolkit/content/mozapps/extensions/extensions.js 2000-01-01 00:00:00.000000000 +0000
+++ b/chrome/toolkit/content/mozapps/extensions/extensions.js 2000-01-01 00:00:00.000000000 +0000
@@ -282,7 +282,9 @@
// they aren't the correct type for signing.
if (aAddon.id == "torbutton@torproject.org" ||
aAddon.id == "tor-launcher@torproject.org" ||
- aAddon.id == "https-everywhere-eff@eff.org") {
+ aAddon.id == "https-everywhere-eff@eff.org" ||
+ aAddon.id == "branding@amnesia.boum.org" ||
+ aAddon.id == "uBlock0@raymondhill.net") {
return true;
}
return aAddon.isCorrectlySigned !== false;
diff -Naur a/modules/addons/XPIProvider.jsm b/modules/addons/XPIProvider.jsm
--- a/modules/addons/XPIProvider.jsm 2000-01-01 00:00:00.000000000 +0000
+++ b/modules/addons/XPIProvider.jsm 2000-01-01 00:00:00.000000000 +0000
@@ -749,7 +749,9 @@
if (aAddon.id == "torbutton@torproject.org" ||
aAddon.id == "tor-launcher@torproject.org" ||
aAddon.id == "https-everywhere-eff@eff.org" ||
- aAddon.id == "meek-http-helper@bamsoftware.com") {
+ aAddon.id == "meek-http-helper@bamsoftware.com" ||
+ aAddon.id == "branding@amnesia.boum.org" ||
+ aAddon.id == "uBlock0@raymondhill.net") {
return true;
}
EOF
7z u -tzip "${TBB_INSTALL}/omni.ja" \
modules/addons/XPIProvider.jsm \
chrome/toolkit/content/mozapps/extensions/extensions.js
7z x -tzip "${TBB_INSTALL}/browser/omni.ja" \
components/nsBrowserGlue.js
patch -p1 <<EOF
diff -Naur x/components/nsBrowserGlue.js y/components/nsBrowserGlue.js
--- a/components/nsBrowserGlue.js 2000-01-01 00:00:00.000000000 +0000
+++ b/components/nsBrowserGlue.js 2000-01-01 00:00:00.000000000 +0000
@@ -1122,7 +1122,9 @@
if ((addon.signedState <= AddonManager.SIGNEDSTATE_MISSING) &&
!(addon.id == "torbutton@torproject.org" ||
addon.id == "tor-launcher@torproject.org" ||
- addon.id == "https-everywhere-eff@eff.org")) {
+ addon.id == "https-everywhere-eff@eff.org" ||
+ addon.id == "branding@amnesia.boum.org" ||
+ addon.id == "uBlock0@raymondhill.net")) {
this._notifyUnsignedAddonsDisabled();
break;
}
EOF
7z u -tzip "${TBB_INSTALL}/browser/omni.ja" \
components/nsBrowserGlue.js
# These binaries are generated from the above modified files
# so we have to remove them.
# XXX: could this be unsafe some how?
7z d -tzip "${TBB_INSTALL}/omni.ja" \
jsloader/resource/gre/modules/addons/XPIProvider.jsm
7z d -tzip "${TBB_INSTALL}/browser/omni.ja" \
jsloader/resource/app/components/nsBrowserGlue.js
)
}
install_langpacks_from_bundles() { install_langpacks_from_bundles() {
local bundles_dir destination local bundles_dir destination
bundles_dir="${1}" bundles_dir="${1}"
...@@ -191,6 +266,7 @@ TMP="$(mktemp -d)" ...@@ -191,6 +266,7 @@ TMP="$(mktemp -d)"
download_and_verify_files "${TBB_TARBALLS_BASE_URL}" "${TBB_TARBALLS}" "${TMP}" download_and_verify_files "${TBB_TARBALLS_BASE_URL}" "${TBB_TARBALLS}" "${TMP}"
install_tor_browser "${TMP}/${MAIN_TARBALL}" "${TBB_INSTALL}" install_tor_browser "${TMP}/${MAIN_TARBALL}" "${TBB_INSTALL}"
apply_extension_code_signing_hacks "${TBB_INSTALL}"
mkdir -p "${TBB_EXT}" mkdir -p "${TBB_EXT}"
if [ "${NIGHTLY_BUILD}" != yes ]; then if [ "${NIGHTLY_BUILD}" != yes ]; then
......
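Review bot: Nothing visible in `apply_extension_code_signing_hacks` stops the build when either `patch -p1` call fails, so if a newer Tor Browser shifts the patched context the later `7z u` and `7z d` steps still run and the image is built without the exceptions. Since this commit also drops `xpinstall.signatures.required`, that would presumably leave uBlock Origin and the branding extension disabled with no build error. Unless the script already runs under `set -e` (not visible here), make `set -e` the first command in the subshell and have the caller check the function's status; quoting the here-doc delimiter as `patch -p1 <<'EOF'` also keeps the embedded JavaScript out of shell expansion. The function never removes its `mktemp -d` directory and assigns `destination` but uses the global `${TBB_INSTALL}` instead, so add `rm -r "${tmp}"` after the subshell and use `"${destination}"` for the omni.ja paths. The exceptions match only on the add-on's self-declared ID, so a comment should say that the integrity of these two extensions now depends on how their files are obtained and verified at build time.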
...@@ -90,8 +90,3 @@ pref("browser.download.panel.shown", true); ...@@ -90,8 +90,3 @@ pref("browser.download.panel.shown", true);
// open external applications, so let's not offer the option to the user, // open external applications, so let's not offer the option to the user,
// and instead only propose them to save downloaded files. // and instead only propose them to save downloaded files.
pref("browser.download.forbid_open_with", true); pref("browser.download.forbid_open_with", true);
// uBlock Origin and the amnesia branding extensions are not signed and
// therefore disabled by default for FF 45+ *unless* we set this
// option. This is only a temporary stop gap. See #11419.
pref("xpinstall.signatures.required", false);
...@@ -188,6 +188,7 @@ openpgp-applet ...@@ -188,6 +188,7 @@ openpgp-applet
openssh-client openssh-client
paperkey paperkey
parted parted
patch
pidgin pidgin
pidgin-guifications pidgin-guifications
pidgin-otr pidgin-otr
......