[Project_owners] Secure Updates for Firefox 3

Scott sgrayban at gmail.com
Tue Jul 17 14:51:25 PDT 2007

I already sign my XPIs with an SSL cert. I followed
http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.

Will I be required to stop doing that and use gpg then? I figured an SSL
cert was much better.

- Scott

Douglas E. Warner wrote:
> After discussion with Dave Townsend today it was determined that it won't be
> necessary for Mozdev to provide SSL connections for the updates.rdf file or
> the XPIs and the downloads will still be able to be secure. In order to do
> this, it's required that the extension owner:
>
> 1) sign the updates.rdf with a public/private key
> 2) embed the updateHash key for each xpi file inside the updates.rdf file
>
> Mozilla will be providing a tool to make signing the updates files easy, and
> I'm assuming most extension developers use a tool to generate their
> updates.rdf file currently as well - so this tool would need to be updated to
> add updateHash (if it doesn't already).
>
> We feel this constitutes a good workaround for not providing SSL-enabled
> downloads. Let us know what your thoughts and concerns will be and we'll see
> what we can do to address them.
>
> -Doug
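
The updateHash check from step 2 of the quoted message, as an added example that is not part of the original thread or of any Mozilla tool. It assumes the updates.rdf signature (step 1) has already been verified and that updateHash values take the form "algorithm:hexdigest"; the function names and sample bytes are hypothetical.

```python
import hashlib
import hmac

# Digests accepted in an updateHash value ("<algorithm>:<hex digest>").
# Treating this set as the allow-list is an assumption of this example.
ALLOWED = {"sha1", "sha256", "sha384", "sha512"}


def make_update_hash(xpi_bytes, algorithm="sha256"):
    """Build the updateHash string an owner would embed in updates.rdf."""
    if algorithm not in ALLOWED:
        raise ValueError("unsupported digest: " + algorithm)
    return algorithm + ":" + hashlib.new(algorithm, xpi_bytes).hexdigest()


def parse_update_hash(value):
    """Split 'alg:hex' and reject malformed or unknown entries."""
    algorithm, sep, digest = value.strip().partition(":")
    algorithm = algorithm.lower()
    if not sep or algorithm not in ALLOWED:
        raise ValueError("bad updateHash algorithm")
    expected_len = hashlib.new(algorithm).digest_size * 2
    digest = digest.lower()
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("bad updateHash digest")
    return algorithm, digest


def verify_xpi(xpi_bytes, update_hash):
    """Return True only if the downloaded bytes match the signed manifest's hash."""
    try:
        algorithm, expected = parse_update_hash(update_hash)
    except ValueError:
        return False  # fail closed: an entry we cannot parse is not trusted
    actual = hashlib.new(algorithm, xpi_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data, not a real extension.
ORIGINAL_XPI = b"PK\x03\x04 constructed sample xpi contents"
TAMPERED_XPI = ORIGINAL_XPI + b" injected-in-transit"
MANIFEST_HASH = make_update_hash(ORIGINAL_XPI)

if __name__ == "__main__":
    print(MANIFEST_HASH)
    print("original accepted:", verify_xpi(ORIGINAL_XPI, MANIFEST_HASH))
    print("tampered accepted:", verify_xpi(TAMPERED_XPI, MANIFEST_HASH))
```

The hash only protects the XPI if the manifest carrying it is itself authenticated, which is why the quoted scheme pairs it with a signature on updates.rdf.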
