Hi All! Can we start a more detailed discussion on how we can have Marketplace support for developer signatures?

Do we need:
- use cases/user stories?
- more detailed requirements?
- anything else?

We'd be glad to help out, of course.

Best,
Kamil

On Thu, Aug 7, 2014 at 7:03 AM, Paul Theriault <[email protected]> wrote:

> On 7 Aug 2014, at 2:52 am, Andy McKay <[email protected]> wrote:
>
> > On Aug 1, 2014, at 2:34 AM, Stéphanie Ouillon <[email protected]> wrote:
> >> For specific reasons detailed below [3], we need to support a signature
> >> model compatible with the Android model [4]. Until now, the Marketplace
> >> has been using the same tools/model.
> >>
> >> If we're to support developer signing, we can imagine several models:
> >>
> >> 1) handling multiple signatures: the app is signed twice, once by the
> >> developer and once by the Marketplace (e.g.: having two manifest files
> >> in META-INF signed by each key)
> >
> > Signing twice would seem to be the simplest, since it doesn’t need any
> > trust between the Marketplace and the developer. The signing by the
> > Marketplace indicates a different thing (Mozilla approves this app) from
> > the Developer signing (that over a period of release we can trust the app
> > is from the same developer).
> >
> > Would the Marketplace be expected to do anything with that developer
> > signing - for example, check that the signing is by certain trusted
> > developers, or stays the same over time or anything else?
>
> Initially I don’t think it _needs_ to do anything at least initially, but
> yes I can imagine that we would want to enforce some security controls such
> as checking that the signature was valid before adding our signature.
> Perhaps associating a signature with an account so that developers can
> vouch for their content.
>
> > Are there limits on the types of apps that could be signed, e.g.: only
> > Packaged apps?
>
> Yes, only static apps can be signed - i.e. only packaged apps. Signing
> dynamically generated content defeats the purpose of signing.
>
> > Andy
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
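The dual-signature layout from option 1 in the quoted thread, as an added example that is not part of the thread or of any Marketplace code: a structural pre-check a store could run before adding its own signature. It assumes JAR-style `MANIFEST.MF` and `.SF` files, the hypothetical signer names `DEVELOPER` and `MARKET`, and a constructed sample package; verifying the signature blocks themselves is left out.

```python
import base64, hashlib, io, zipfile

def digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sections(raw: bytes) -> list:
    # JAR-style manifest: blank-line separated sections of "Key: value" lines
    blocks = raw.decode().replace("\r\n", "\n").strip().split("\n\n")
    return [dict(l.split(": ", 1) for l in b.split("\n") if l) for b in blocks]

def check_package(zip_bytes: bytes, signers=("DEVELOPER", "MARKET")) -> list:
    """Structural checks only; verifying each signature block (PKCS#7)
    against a trusted certificate is out of scope here."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = set(z.namelist())
        manifest = z.read("META-INF/MANIFEST.MF")
        listed = {s["Name"]: s.get("SHA-256-Digest")
                  for s in sections(manifest) if "Name" in s}
        # Every packaged file must be covered by a matching manifest digest
        for name in sorted(n for n in names if not n.startswith("META-INF/")):
            if name not in listed:
                problems.append(f"unsigned file: {name}")
            elif listed[name] != digest(z.read(name)):
                problems.append(f"digest mismatch: {name}")
        problems += [f"missing file: {n}" for n in sorted(set(listed) - names)]
        for s in signers:  # each signer's .SF must bind to this exact manifest
            sf, blk = f"META-INF/{s}.SF", f"META-INF/{s}.RSA"
            if sf not in names or blk not in names:
                problems.append(f"signer absent: {s}")
            elif sections(z.read(sf))[0].get("SHA-256-Digest-Manifest") != digest(manifest):
                problems.append(f"stale signature file: {s}")
    return problems

def build_sample(signers=("DEVELOPER", "MARKET"), extra=None) -> bytes:
    # Constructed sample package; signature blocks are placeholder bytes.
    files = {"index.html": b"<h1>app</h1>", "app.js": b"console.log(1)"}
    mf = "Manifest-Version: 1.0\n\n" + "\n".join(
        f"Name: {n}\nSHA-256-Digest: {digest(d)}\n" for n, d in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in {**files, **(extra or {})}.items():
            z.writestr(n, d)
        z.writestr("META-INF/MANIFEST.MF", mf)
        for s in signers:
            z.writestr(f"META-INF/{s}.SF", f"Signature-Version: 1.0\n"
                       f"SHA-256-Digest-Manifest: {digest(mf.encode())}\n")
            z.writestr(f"META-INF/{s}.RSA", b"placeholder")
    return buf.getvalue()
```

Passing `extra` to `build_sample` adds or overwrites files after the manifest digests are computed, which is how the test cases below the fold exercise the unsigned-file and tampered-file paths.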
