[Project_owners] Secure Updates for Firefox 3
axel at pike.org
Wed Jul 18 03:47:03 PDT 2007
> Douglas E. Warner wrote:
>> On Tuesday 17 July 2007, Scott wrote:
>>> I already sign my XPI's with a SSL cert. I followed
>>> http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
>>> Will I be required to stop doing that and use gpg then? I figured a SSL
>>> cert was much better.
>> GPG and SSL can provide similar utilities here; the signing of a package.
>> My understanding right now is that you'll be signing the updates.rdf file to
>> prove that the original developer is the same one pushing the update. It
>> will be very similar to the process you're currently using to sign your XPIs.
> If I understand this correctly -- I will be forced to either abandon
> my SSL signing for the forced signing of an updates.rdf or use both?
> Frankly this is very disappointing...... I intentionally got away from
> using the addons website because I was being forced to use the addons
> site as the sole update for my projects. Now I am being forced into
> something else that I don't see any better than me signing my XPI's with
> This just might end any more development on my part now. If there is
> anything that ticks me off more is being forced to do something I didn't
> want in the first place.
> - Scott
Would you mind citing the exact point that makes you think that you have
to drop SSL signing? Frankly I have no clue about the differences
between SSL and gpg, but I can't find anything obviously saying that.