[Project_owners] Mozdev secure updates
twhitema at gmail.com
Sun May 11 09:15:29 PDT 2008
On Sat, May 10, 2008 at 9:09 PM, Douglas E. Warner <silfreed at silfreed.net>
> On Saturday 10 May 2008 21:09:31 Todd Whiteman wrote:
> > I can install the "pyshell_0.3.xpi" extension manually info Firefox, but
> > when asking Firefox to check for updates (from the 0.2 version), it
> > there are no updates found.
> > Any ideas why this would be happening?
> It looks like I might have a bug in the update.rdf generation since the
> updateHash isn't in the update.rdf file for version 0.3 but it's definitely
> Could you try unreleasing and re-releasing the 0.3 version and then try
> updating to see if it works? If so I'll go and patch my bug.
I re-released the 0.3 version, saw that the update.rdf contained now the
updateHash, but Firefox complained with the following:
*** RDFItemUpdater:_parseV20Update: Update for
pyshell at twhiteman.netfirms.com at
http://downloads.mozdev.org/pyxpcomext/pyshell_0.3.xpi ignored because it is
insecure. updateLink must be a https url or an updateHash must be
*** Datasource: Addon Update Ended: pyshell at twhiteman.netfirms.com, status:
I then checked the docs for Mozilla update handling for Firefox 3:
In the update manifest delivered from the updateURL the updateLink must be
> specified in one of the following ways:
> * The updateLink to the XPI file must use https
> * The updateLink can use http and you must include an updateHash for
> the XPI file using sha1, sha256, sha384 or sha512 hash algorithms.
> Any entries in the update manifest that do not meet one of those two
> requirements will be ignored when checking for new versions.
So it seems the md5 hash (the one I have been using for the mozdev
verification process) is not supported?
I also then tried re-updating the 0.3 version and verifying with a sha1
hash, which worked, but the updateHash is once again missing from the mozdev
generated update.rdf file:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Project_owners