[Project_owners] signed XPI files

Paul Tomlin paul at paultomlin.com
Fri Oct 21 18:08:13 EDT 2005

Eric Jung wrote:
> Does anyone know how to sign a XPI file? I'd heard the Yahoo! Search
> Bar extension for Firefox was signed.

But to add more to the discussion, would it be seen as valuable and/or 
possible to do this via mozdev?

Some form of code review possibly warranted to ensure no nastiness (I 
recall a previous discussion on similar grounds), the exact mechanism 
for which I couldn't say.

But, maybe an automated system whereby a request from an author for a 
signed package of a particular CVS tag could start a swathe of testing 
:) followed by voting and a generated XPI if all goes well.

Initial testing might be lengthy (AMO is currently some 130+ extensions 
in the initial submission queue - due to longer initial review) but 
updates might be easier since diffing the CVS would show changes. By 
using the CVS tree we can ensure what is built is what's there, it's not 
code delivered by the author, the system simply extracts it from CVS on 

Small PayPal-esque fee to cover cert costs? Though that might discourage 
frequent requests to the detriment of speeding the review (larger diff 
== more time). And certs aren't that pricey.

Not sure myself. Would I pay, probably $10, if I thought that people 
would care. So far they haven't but you never know. OTOH, if someone 
really cared I could do it, special like, for a little more than $10 ;)
