Comment 7 for bug 1516031

This is indeed weak behavior as described. I do agree that attack vector is limited to cases where there is attack vector the the backend store, but on the other hand that's exactly what the signature verification is trying to prevent.