[Project_owners] Secure Updates for Firefox 3
sgrayban at gmail.com
Tue Jul 17 14:51:25 PDT 2007
I already sign my XPIs with an SSL cert. I followed
http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
Will I be required to stop doing that and use gpg then? I figured an SSL
cert was much better.
Douglas E. Warner wrote:
> After discussion with Dave Townsend today it was determined that it won't be
> necessary for Mozdev to provide SSL connections for the updates.rdf file or
> the XPIs and the downloads will still be able to be secure. In order to do
> this, it's required that the extension owner:
> 1) sign the updates.rdf with a public/private key
> 2) embed the updateHash key for each xpi file inside the updates.rdf file
> Mozilla will be providing a tool to make signing the updates files easy, and
> I'm assuming most extension developers use a tool to generate their
> updates.rdf file currently as well - so this tool would need to be updated to add
> updateHash (if it doesn't already).
> We feel this constitutes a good workaround for not providing SSL-enabled
> downloads. Let us know what your thoughts and concerns will be and we'll see
> what we can do to address them.
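
Added example, not part of the original thread and not Mozilla's tooling: a sketch of step 2 of the quoted procedure, producing an updateHash value for an XPI and checking a downloaded file against it. It assumes the `algorithm:hexdigest` value form, uses hypothetical function names and constructed sample bytes, and does not cover step 1 (the check is only meaningful once the signature on updates.rdf has been verified).

```python
import hashlib
import hmac

# Assumption: updateHash values have the form "algorithm:hexdigest".
# Policy of this example (not stated on the page): only SHA-2 digests are accepted.
ALLOWED = {"sha256", "sha384", "sha512"}


def make_update_hash(xpi_bytes, algorithm="sha256"):
    """Publisher side: the value to embed in updates.rdf for one XPI."""
    if algorithm not in ALLOWED:
        raise ValueError("refusing weak or unknown algorithm: " + algorithm)
    return algorithm + ":" + hashlib.new(algorithm, xpi_bytes).hexdigest()


def verify_update_hash(xpi_bytes, update_hash):
    """Client side: True only if the downloaded bytes match the manifest hash.

    The XPI arrives over plain HTTP, so this comparison against the hash
    taken from the signed manifest is what detects tampering in transit.
    """
    algorithm, sep, expected = update_hash.strip().partition(":")
    algorithm = algorithm.lower()
    if not sep or algorithm not in ALLOWED:
        return False  # missing, malformed or weak hash: fail closed
    actual = hashlib.new(algorithm, xpi_bytes).hexdigest()
    # Compare as bytes so a non-ASCII manifest value cannot raise TypeError.
    return hmac.compare_digest(actual.encode(), expected.lower().encode("utf-8"))


# Constructed sample data standing in for a real XPI and a modified copy.
SAMPLE_XPI = b"PK\x03\x04 constructed stand-in for an XPI archive"
TAMPERED_XPI = SAMPLE_XPI + b" bytes altered in transit"

if __name__ == "__main__":
    manifest_value = make_update_hash(SAMPLE_XPI)
    print("updateHash:", manifest_value)
    print("intact download accepted:", verify_update_hash(SAMPLE_XPI, manifest_value))
    print("tampered download accepted:", verify_update_hash(TAMPERED_XPI, manifest_value))
```
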