搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

If an application is EV code signed, why does Firefox warn that it's possibly dangerous on opening it in Firefox

  • 10 个回答
  • 1 人有此问题
  • 10 次查看
  • 最后回复者为 cor-el

more options

My company uses an EV code signing certificate from Sectigo/Comodo. When a code-signed installer (.msi) is downloaded via Firefox, a warning appears that the executable may be dangerous etc. Is this expected behaviour? We bought the certificate to avoid such warnings. When the installer runs, Windows performs the installation with no issues from smart screen.

Is this an installed certtificate issue ... the Trusted authority and intermediate certificates are present.

IE and Chrome just download ... but the installer is run separately from the download folder.

My company uses an EV code signing certificate from Sectigo/Comodo. When a code-signed installer (.msi) is downloaded via Firefox, a warning appears that the executable may be dangerous etc. Is this expected behaviour? We bought the certificate to avoid such warnings. When the installer runs, Windows performs the installation with no issues from smart screen. Is this an installed certtificate issue ... the Trusted authority and intermediate certificates are present. IE and Chrome just download ... but the installer is run separately from the download folder.

由jerrykramskoy于修改

所有回复 (10)

more options

jerrykramskoy said

When a code-signed installer (.msi) is downloaded via Firefox, a warning appears that the executable may be dangerous etc. Is this expected behaviour? We bought the certificate to avoid such warnings. When the installer runs, Windows performs the installation with no issues from smart screen.

What does that look like -- is there a warning on the Downloads button drop-down?

Or is the problem when launching the download from that list?

more options

Thank you for the quick response.

The warning arises when selecting "Open File" on the file in the download list presented by clicking on the downloads icon (looks like downward pointing arrow with a horizontal line under it).

Doing so results in a pop up titled "Open executable file?", and shows the following message.

"emuso_64.msi" is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch "emuso_64.msi"?

由jerrykramskoy于修改

more options

Hmm, I never see that for EXE files. I wonder if it is something specific to MSI files, or something related to download site reputation? It's a little difficult to find examples to test.

more options

When you download executable files from internet then Firefox adds a zone identifier (ADS) to mark the file as coming from internet. You can check that via the security tab of the properties of the file. This isn't related to whether the file is signed or isn't signed.

more options

Hi cor-el, this MSI warning (example attached) looks to be the same behavior as the JNLP warning behavior from six months ago.

Example thread: https://support.mozilla.org/questions/1260307

I don't think developers/websites can bypass that.

more options

You need to save the file instead of launching the file directly, this is also better as it allows security software to scan the file. I think that there has always been a warning with opening executable files.

more options

cor-el said

You need to save the file instead of launching the file directly, this is also better as it allows security software to scan the file.

That part is automatic; Firefox only offers the Save/Cancel dialog for files it treats as executable.

The warning appears when launching directly from the Downloads list instead of from File Explorer / Windows Explorer.

more options

Thank you both.

Personally, I think something is philosophically and commercially wrong if the Windows OS is happy to execute a program without warning (because it trusts the code signing), yet an application of the OS (the browser) doesn't show the same trust, thereby making a mockery of code sigining, casting doubt on the application provider (not to mention the expense, wich is not insignificant for an EV code signing certificate).

In the unsigned cases, the OS (Smart screen on Windows) will strongly warn against continuing execution.

Why does Firefox need to do this when the necessary certicates in the trust chain are present?

more options

jerrykramskoy said

Why does Firefox need to do this when the necessary certicates in the trust chain are present?

You can research in Bugzilla to see why Firefox warns on what it deems executable files that do not have the EXE file extension:

https://bugzilla.mozilla.org/

If the answer isn't there, you could search in the source code comments:

https://dxr.mozilla.org/mozilla-release/source/

or do a site-targeted search of other Mozilla sites.

more options

Firefox doesn't know about signing and whether the file is signed or not and treats all files that are considered as an executable file the same and shows a warning when you open the file. You can see in the DXR link I posted above that the list of included file extensions is quite extensive. On Windows this might be more prominent because the Windows OS hides a lot of file extensions by default.