I can reproduce the behavior. Seems like we only tested it with invalid signatures and didn't pay enough attention to the gpg documentation. The issue itself shouldn't be sufficient for a MiM attack though. The file is downloaded via HTTPS and unless the repository gets hacked, no one should be able to remove the signature. Nevertheless, we should try to fix the bug.
The only problem is that we didn't plan any further releases since Firefox wants to remove NPAPI support at the end of the year. We would, for example, need to set up our build servers for Debian again, otherwise some users wouldn't get the fix. There are some open questions that need to be answered before we can publish a new version, so I fear it might take a bit before a fixed version gets released.