Force users to retrust unknown extensions on cold starts

app/src/main/java/eu/kanade/tachiyomi/extension/ExtensionManager.kt

@@ -258,7 +258,6 @@ class ExtensionManager(
         val untrustedSignatures = _untrustedExtensionsFlow.value.map { it.signatureHash }.toSet()
         if (signature !in untrustedSignatures) return
 
-        ExtensionLoader.trustedSignatures += signature
         preferences.trustedSignatures() += signature
 
         val nowTrustedExtensions = _untrustedExtensionsFlow.value.filter { it.signatureHash == signature }

app/src/main/java/eu/kanade/tachiyomi/extension/util/ExtensionLoader.kt

@@ -15,6 +15,7 @@ import eu.kanade.tachiyomi.source.Source
 import eu.kanade.tachiyomi.source.SourceFactory
 import eu.kanade.tachiyomi.util.lang.Hash
 import eu.kanade.tachiyomi.util.storage.copyAndSetReadOnlyTo
+import eu.kanade.tachiyomi.util.system.isDevFlavor
 import kotlinx.coroutines.async
 import kotlinx.coroutines.awaitAll
 import kotlinx.coroutines.runBlocking
@@ -62,11 +63,6 @@ internal object ExtensionLoader {
     // inorichi's key
     private const val officialSignature = "7ce04da7773d41b489f4693a366c36bcd0a11fc39b547168553c285bd7348e23"
 
-    /**
-     * List of the trusted signatures.
-     */
-    var trustedSignatures = mutableSetOf(officialSignature) + preferences.trustedSignatures().get()
-
     private const val PRIVATE_EXTENSION_EXTENSION = "ext"
 
     private fun getPrivateExtensionDir(context: Context) = File(context.filesDir, "exts")
@@ -123,6 +119,12 @@ internal object ExtensionLoader {
      * @param context The application context.
      */
     fun loadExtensions(context: Context): List<LoadResult> {
+        // Always make users trust unknown extensions on cold starts in non-dev builds
+        // due to inherent security risks
+        if (!isDevFlavor) {
+            preferences.trustedSignatures().delete()
+        }
+
         val pkgManager = context.packageManager
 
         val installedPkgs = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
@@ -394,6 +396,11 @@ internal object ExtensionLoader {
     }
 
     private fun hasTrustedSignature(signatures: List<String>): Boolean {
+        if (officialSignature in signatures) {
+            return true
+        }
+
+        val trustedSignatures = preferences.trustedSignatures().get()
         return trustedSignatures.any { signatures.contains(it) }
     }
 

i18n/src/commonMain/resources/MR/base/strings.xml

@@ -318,7 +318,7 @@
     <string name="ext_uninstall">Uninstall</string>
     <string name="ext_app_info">App info</string>
     <string name="untrusted_extension">Untrusted extension</string>
-    <string name="untrusted_extension_message">This extension was signed with an untrusted certificate and wasn\'t activated.\n\nA malicious extension could read any stored login credentials or execute arbitrary code.\n\nBy trusting this certificate you accept these risks.</string>
+    <string name="untrusted_extension_message">This extension was signed by any unknown author and wasn\'t loaded.\n\nMalicious extensions can read any stored login credentials or execute arbitrary code.\n\nBy trusting this extension\'s certificate, you accept these risks.</string>
     <string name="obsolete_extension_message">This extension is no longer available. It may not function properly and can cause issues with the app. Uninstalling it is recommended.</string>
     <string name="unofficial_extension_message">This extension is not from the official list.</string>
     <string name="extension_api_error">Failed to get extensions list</string>