[Project_owners] Secure Updates for Firefox 3

Scott sgrayban at gmail.com
Wed Jul 18 07:42:11 PDT 2007


Douglas E. Warner wrote:
> On Wednesday 18 July 2007, Scott wrote:
>
>> My impression from Doug's email is that all update RDF files must be gpg
>> signed for FF3 in order to get updates to work.
>>
>> Correct me if I am wrong....
>>
>
> The "signing process" isn't well-defined yet.  I don't believe it's going to 
> be GPG; it will probably be some type of SSL.  But yes, you will have to sign 
> your updates.rdf file as well as your XPI (if you wish to continue doing 
> both).
>
> I'm assuming you have a code-signing certificate?  If that's the case, that's 
> the best for initial installs, while the signing of the updates.rdf file 
> ensures the updates process is secure as well.
>

I hope that there will be a 'show-n-tell' before anything becomes mandatory.

I really hate having to go through hoops when I did that already when
learning how to sign XPI files.

And yes, I do have a code signing cert.

I really do not see a better advantage to this because signing the XPI
code is rock hard security compared to signing just the updates.rdf.

If I were to *enforce* anything it would be XPI signing because you can't
defeat that in any form that I know of.

- Scott


