[Project_owners] Secure Updates for Firefox 3

Douglas E. Warner silfreed at silfreed.net
Tue Jul 17 19:35:38 PDT 2007

On Tuesday 17 July 2007, Scott wrote:
> I already sign my XPIs with an SSL cert. I followed
> http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
> Will I be required to stop doing that and use gpg then? I figured an SSL
> cert was much better.

GPG and SSL can provide similar utilities here: the signing of a package.

My understanding right now is that you'll be signing the updates.rdf file to 
prove that the original developer is the same one pushing the update.  It 
will be very similar to the process you're currently using to sign your XPIs.
