[Project_owners] Secure Updates for Firefox 3
sgrayban at gmail.com
Wed Jul 18 06:12:30 PDT 2007
Axel Hecht wrote:
> Scott wrote:
>> Douglas E. Warner wrote:
>>> On Tuesday 17 July 2007, Scott wrote:
>>>> I already sign my XPIs with an SSL cert. I followed
>>>> http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
>>>> Will I be required to stop doing that and use gpg then? I figured an SSL
>>>> cert was much better.
>>> GPG and SSL can provide similar utilities here; the signing of a package.
>>> My understanding right now is that you'll be signing the updates.rdf file to
>>> prove that the original developer is the same one pushing the update. It
>>> will be very similar to the process you're currently using to sign your XPIs.
>> If I understand this correctly -- I will be forced to either abandon
>> my SSL signing for the forced signing of an updates.rdf or use both?
>> Frankly this is very disappointing...... I intentionally got away from
>> using the addons website because I was being forced to use the addons
>> site as the sole update for my projects. Now I am being forced into
>> something else that I don't see any better than me signing my XPIs with
>> This just might end any more development on my part now. If there is
>> anything that ticks me off more is being forced to do something I didn't
>> want in the first place.
>> - Scott
> Would you mind citing the exact point that makes you think that you have
> to drop SSL signing? Frankly I have no clue about the differences
> between SSL and gpg, but I can't find anything obviously saying that.
My impression from Doug's email is that all update RDF files must be gpg
signed for FF3 in order to get updates to work.
Correct me if I am wrong....