[Project_owners] Secure Updates for Firefox 3
sgrayban at gmail.com
Wed Jul 18 07:42:11 PDT 2007
Douglas E. Warner wrote:
> On Wednesday 18 July 2007, Scott wrote:
>> My impression from Doug's email is that all update RDF files must be gpg
>> signed for FF3 in order to get updates to work.
>> Correct me if I am wrong....
> The "signing process" isn't well-defined yet. I don't believe it's going to
> be GPG; it will probably be some type of SSL. But yes, you will have to sign
> your updates.rdf file as well as your XPI (if you wish to continue doing
> I'm assuming you have a code-signing certificate? If that's the case, that's
> the best for initial installs, while the signing of the updates.rdf file
> ensures the updates process is secure as well.

I hope that there will be a 'show-n-tell' before anything becomes mandatory.
I really hate having to go through hoops when I did that already when
learning how to sign XPI files.

And yes, I do have a code signing cert.

I really do not see a better advantage to this because signing the XPI
code is rock hard security compared to signing just the updates.rdf.

If I were to *enforce* anything it would be XPI signing because you can't
defeat that in any form that I know of.