[Project_owners] Secure Updates for Firefox 3

Axel Hecht axel at pike.org
Wed Jul 18 03:47:03 PDT 2007

Scott wrote:
> Douglas E. Warner wrote:
>> On Tuesday 17 July 2007, Scott wrote:
>>> I already sign my XPI's with a SSL cert. I followed
>>> http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
>>> Will I be required to stop doing that and use gpg then ? I figured a SSL
>>> cert was much better.
>> GPG and SSL can provide similar utilities here; the signing of a package.
>> My understanding right now is that you'll be signing the updates.rdf file to 
>> prove that the original developer is the same one pushing the update.  It 
>> will be very similar to the process you're currently using to sign your XPIs.
> If I understand this correctly -- I will be forced to either abandoned
> my SSL signing for the forced signing of a updates.rdf  or use both?
> Frankly this is very disappointing...... I intentionally got away from
> using the addons website because I was being forced to use the addons
> site as the sole update for my projects. Now I am being forced into
> something else that I don't see any better then me signing my XPI's with
> SSL.
> This just might end any more development on my part now. If there is
> anything that ticks me off more is being forced to do something I didn't
> want in the first place.
> - Scott

Would you mind citing the exact point that makes you think that you have 
to drop SSL signing? Frankly I have no clue about the differences 
between SSL and gpg, but I can't find anything obviously saying that.


More information about the Project_owners mailing list