If an application is EV code signed, why does Firefox warn that it's possibly dangerous on opening it in Firefox?
My company uses an EV code signing certificate from Sectigo/Comodo. When a code-signed installer (.msi) is downloaded via Firefox, a warning appears that the executable may be dangerous etc. Is this expected behaviour? We bought the certificate to avoid such warnings. When the installer runs, Windows performs the installation with no issues from smart screen.
Is this an installed certificate issue ... the Trusted authority and intermediate certificates are present.
IE and Chrome just download ... but the installer is run separately from the download folder.
By jerrykramskoy
All replies (10)
jerrykramskoy said
When a code-signed installer (.msi) is downloaded via Firefox, a warning appears that the executable may be dangerous etc. Is this expected behaviour? We bought the certificate to avoid such warnings. When the installer runs, Windows performs the installation with no issues from smart screen.
What does that look like -- is there a warning on the Downloads button drop-down?
Or is the problem when launching the download from that list?
Thank you for the quick response.
The warning arises when selecting "Open File" on the file in the download list presented by clicking on the downloads icon (looks like downward pointing arrow with a horizontal line under it).
Doing so results in a pop up titled "Open executable file?", and shows the following message.
"emuso_64.msi" is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch "emuso_64.msi"?
By jerrykramskoy
Hmm, I never see that for EXE files. I wonder if it is something specific to MSI files, or something related to download site reputation? It's a little difficult to find examples to test.
When you download executable files from internet then Firefox adds a zone identifier (ADS) to mark the file as coming from internet. You can check that via the security tab of the properties of the file. This isn't related to whether the file is signed or isn't signed.
Hi cor-el, this MSI warning (example attached) looks to be the same behavior as the JNLP warning behavior from six months ago.
Example thread: https://support.mozilla.org/questions/1260307
I don't think developers/websites can bypass that.
You need to save the file instead of launching the file directly, this is also better as it allows security software to scan the file. I think that there has always been a warning with opening executable files.
cor-el said
You need to save the file instead of launching the file directly, this is also better as it allows security software to scan the file.
That part is automatic; Firefox only offers the Save/Cancel dialog for files it treats as executable.
The warning appears when launching directly from the Downloads list instead of from File Explorer / Windows Explorer.
Thank you both.
Personally, I think something is philosophically and commercially wrong if the Windows OS is happy to execute a program without warning (because it trusts the code signing), yet an application of the OS (the browser) doesn't show the same trust, thereby making a mockery of code signing, casting doubt on the application provider (not to mention the expense, which is not insignificant for an EV code signing certificate).
In the unsigned cases, the OS (Smart screen on Windows) will strongly warn against continuing execution.
Why does Firefox need to do this when the necessary certificates in the trust chain are present?
jerrykramskoy said
Why does Firefox need to do this when the necessary certificates in the trust chain are present?
You can research in Bugzilla to see why Firefox warns on what it deems executable files that do not have the EXE file extension:
If the answer isn't there, you could search in the source code comments:
https://dxr.mozilla.org/mozilla-release/source/
or do a site-targeted search of other Mozilla sites.
Firefox doesn't know about signing and whether the file is signed or not and treats all files that are considered as an executable file the same and shows a warning when you open the file. You can see in the DXR link I posted above that the list of included file extensions is quite extensive. On Windows this might be more prominent because the Windows OS hides a lot of file extensions by default.
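Added example, not part of the thread: a PowerShell check that reports the zone identifier (ADS) mentioned above next to the file's Authenticode status, so the two can be seen as separate properties of the same download. The function name `Get-DownloadTrustInfo` and the Downloads path in the usage comment are assumptions made for this example.

```powershell
# Added example (not code from the thread). Reports, for one downloaded file,
# the Zone.Identifier alternate data stream and the Authenticode signature.
function Get-DownloadTrustInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # path to the downloaded installer
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Zone.Identifier is an NTFS alternate data stream in INI form, e.g.
    #   [ZoneTransfer]
    #   ZoneId=3
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }
    $zoneId = $null
    $stream = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                          -ErrorAction SilentlyContinue   # $null if no stream
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
    }

    # Signature validation is a separate check and does not read the stream.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        File              = $file.Name
        HasZoneIdentifier = $null -ne $stream
        ZoneId            = $zoneId
        Zone              = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
                                $zoneNames[$zoneId]
                            } else { $null }
        SignatureStatus   = $sig.Status
        Signer            = if ($sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject
                            } else { $null }
    }
}

# Usage (assumed location of the file named in the thread):
# Get-DownloadTrustInfo -Path "$env:USERPROFILE\Downloads\emuso_64.msi"
```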