[Project_owners] Online version of McCoy

Matthew Wilson matthew at mjwilson.demon.co.uk
Tue Feb 5 14:55:33 PST 2008


Andrew Archer wrote:
> 
> 
> Andrew Archer wrote:
>>
>> As I understand it for secure update to work the extension will need the 
>> following entry in the install.rdf file
>> <em:updateKey> = This is the public key, it's used to verify the 
>> update.rdf signature
>>  
>>
>>  The update.rdf will need
>>  <em:updateHash>  = Fingerprint of the xpi file
>>  <em:signature>      = This is signed hash of the install.rdf file,  
>> this must be created using the private key
>>
>>   
> 
> oops,
> 
> <em:signature> = This is signed hash of the update.rdf file, this must be created using the private key

Yes.

So any online version would have to work out the problems with keeping 
the private key private.

Off the top of my head, I guess you'd have to have some kind of Java 
applet which ran on the client, reading the private key from the user's 
computer without ever uploading it.

Matthew


More information about the Project_owners mailing list