[Project_owners] Secure Updates for Firefox 3

Scott sgrayban at gmail.com
Wed Jul 18 06:12:30 PDT 2007


Axel Hecht wrote:
> Scott wrote:
>   
>> Douglas E. Warner wrote:
>>     
>>> On Tuesday 17 July 2007, Scott wrote:
>>>
>>>> I already sign my XPIs with an SSL cert. I followed
>>>> http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html to do this.
>>>>
>>>> Will I be required to stop doing that and use gpg then? I figured an SSL
>>>> cert was much better.
>>>>
>>> GPG and SSL can provide similar utilities here; the signing of a package.
>>>
>>> My understanding right now is that you'll be signing the updates.rdf file to 
>>> prove that the original developer is the same one pushing the update.  It 
>>> will be very similar to the process you're currently using to sign your XPIs.
>>>
>> If I understand this correctly -- I will be forced to either abandon
>> my SSL signing for the forced signing of an updates.rdf or use both?
>>
>> Frankly this is very disappointing...... I intentionally got away from
>> using the addons website because I was being forced to use the addons
>> site as the sole update for my projects. Now I am being forced into
>> something else that I don't see as any better than me signing my XPIs with
>> SSL.
>>
>> This just might end any more development on my part now. If there is
>> anything that ticks me off more is being forced to do something I didn't
>> want in the first place.
>>
>> - Scott
>>     
>
> Would you mind citing the exact point that makes you think that you have 
> to drop SSL signing? Frankly I have no clue about the differences 
> between SSL and gpg, but I can't find anything obviously saying that.
>
> Axel

My impression from Doug's email is that all update RDF files must be gpg
signed for FF3 in order to get updates to work.

Correct me if I am wrong....

Scott
