New issue
Advanced search Search tips

Issue 671836 link

Starred by 1 user

Issue metadata

Status: Assigned
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Remove most of the InstallVerifier code

Project Member Reported by asargent@chromium.org, Dec 6 2016

Issue description

The InstallVerifier class (and related class InstallSigner) were added to verify that the ids of installed extension where known to the webstore, by sending a list of extension ids up to the webstore and asking it to send a signed response if they were all known to the store. 

We did this when we first rolled out the restriction on windows that chrome would only load extensions from the webstore. The install verifier code didn't do anything to protect the contents of the extension on disk; it just made sure that the id matched something in the webstore, so after adding this mechanism we then added what we now call content verification, which verified the contents of extensions on disk against a list of signed hashes. 

Since the presence of a properly signed copy of the signed hashes for content verification are proof that an extension came from the webstore, we don't need to be doing the install verifier requests to sign the list of extension ids anymore and can remove a lot of the InstallVerifier code. 

 
Cc: proberge@chromium.org
Owner: ----

Sign in to add a comment