[Project_owners] Mozdev secure updates

Todd Whiteman twhitema at gmail.com
Sun May 11 09:15:29 PDT 2008


On Sat, May 10, 2008 at 9:09 PM, Douglas E. Warner <silfreed at silfreed.net>
wrote:

> On Saturday 10 May 2008 21:09:31 Todd Whiteman wrote:
> > I can install the "pyshell_0.3.xpi" extension manually info Firefox, but
> > when asking Firefox to check for updates (from the 0.2 version), it
> states
> > there are no updates found.
> >
> > Any ideas why this would be happening?
>
> It looks like I might have a bug in the update.rdf generation since the
> updateHash isn't in the update.rdf file for version 0.3 but it's definitely
> verified.
>
> Could you try unreleasing and re-releasing the 0.3 version and then try
> updating to see if it works?  If so I'll go and patch my bug.
>
>
I re-released the 0.3 version, saw that the update.rdf contained now the
updateHash, but Firefox complained with the following:

*** RDFItemUpdater:_parseV20Update: Update for
pyshell at twhiteman.netfirms.com at
http://downloads.mozdev.org/pyxpcomext/pyshell_0.3.xpi ignored because it is
insecure. updateLink  must be a https url or an updateHash must be
specified.
*** Datasource: Addon Update Ended: pyshell at twhiteman.netfirms.com, status:
8

I then checked the docs for Mozilla update handling for Firefox 3:
http://developer.mozilla.org/en/docs/Extension_Versioning%2C_Update_and_Compatibility

In the update manifest delivered from the updateURL the updateLink must be
> specified in one of the following ways:
>
>     * The updateLink to the XPI file must use https
>     * The updateLink can use http and you must include an updateHash for
> the XPI file using sha1, sha256, sha384 or sha512 hash algorithms.
>
> Any entries in the update manifest that do not meet one of those two
> requirements will be ignored when checking for new versions.
>


So it seems the md5 hash (the one I have been using for the mozdev
verification process) is not supported?

I also then tried re-updating the 0.3 version and verifying with a sha1
hash, which worked, but the updateHash is once again missing from the mozdev
generated update.rdf file:
https://www.mozdev.org/p/updates/pyxpcomext/pyshell@twhiteman.netfirms.com/update.rdf

Cheers,
Todd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.mozdev.org/pipermail/project_owners/attachments/20080511/968999bb/attachment.html 


More information about the Project_owners mailing list