facebookincubator / meta-code-verify

Code Verify is an open source web browser extension that confirms that your Facebook, Messenger, Instagram, and WhatsApp Web code hasn’t been tampered with or altered, and that the Web experience you’re getting is the same as everyone else’s.
MIT License
149 stars 27 forks source link

Building from source / validating existing builds, as a non-developer (or non-web-developer) #339

Open magicgoose opened 2 months ago

magicgoose commented 2 months ago

The addon is distributed via e.g. addons.mozilla.org, this is great. However, on their page, as an uneducated user, I see "This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing." and there is no clear path to "make sure I trust it".

Scoring the "recommended" status by Mozilla (like, for example, any of these) would be fantastic, but in the meantime:

What is the easiest way, that an (almost) non-technical user can also do, to install this add-on while guaranteeing that the build will correspond to the published source code?

rich-hansen commented 2 months ago

What is the easiest way, that an (almost) non-technical user can also do, to install this add-on while guaranteeing that the build will correspond to the published source code?

There is nothing you need to do to ensure the build matches the published source code. Almost any build of the extension will work, the verification that happens is not tied to the specific extension build, but the build of the website and that verification will be done by the extension for any build that we release.

The reason why I say almost any, is because we sometimes add additional verification checks, that only work on version of the extension where we add that support or subsequent releases. The only thing you should be concerned about is keeping the extension up to date. We should handle the rest.

magicgoose commented 2 months ago

Hmm I am not sure we are talking about the same thing. I was trying to ask about verifying the add-on itself - verifying the assumption that it is made out of the code at git@github.com:facebookincubator/meta-code-verify.git with no other concealed changes on top of it. Which is not obvious when installing it from https://addons.mozilla.org/nl/firefox/addon/code-verify Like, for example, if the Mozilla account that uploads the addon is hacked, there will be no way for the user to notice? Or is there some signature check in place that will prevent publishing altered code using stolen credentials of Mozilla account?