Hi folks,

Just want to move things forward as this is going to be essential for NFC story soon.
Here is the bug: Bug 973823 - Developer signature for apps on the marketplace

Who would like to jump in?

Cheers,
Wesley

On Aug 22, 2014, at 5:03 AM, Kamil Leszczuk <[email protected]> wrote:

> Hi All!,
>
> can we start a more detailed discussion on how can we have the marketplace
> support for the developer signatures?
>
> Do we need:
> - use cases/user stories?
> - more detailed requirements?
> - anything else?
>
> We'd be glad to help out, of course.
>
> Best,
> Kamil
>
>
> On Thu, Aug 7, 2014 at 7:03 AM, Paul Theriault <[email protected]> wrote:
>
> On 7 Aug 2014, at 2:52 am, Andy McKay <[email protected]> wrote:
>
> >
> > On Aug 1, 2014, at 2:34 AM, Stéphanie Ouillon <[email protected]>
> > wrote:
> >> For specific reasons detailed below [3], we need to support a signature
> >> model compatible with the Android model [4]. Until now, the Marketplace
> >> has been using the same tools/model.
> >>
> >> If we're to support developer signing, we can imagine several models:
> >>
> >> 1) handling multiple signatures: the app is signed twice, once by the
> >> developer and once by the Marketplace (e.g.: having two manifest files
> >> in META-INF signed by each key)
> >
> > Signing twice would seem to be the simplest, since it doesn’t need any
> > trust between the Marketplace and the developer. The signing by the
> > Marketplace indicates a different thing (Mozilla approves this app) from
> > the Developer signing (that over a period of release we can trust the app
> > is from the same developer).
> >
> > Would the Marketplace be expected to do anything with that developer
> > signing - for example, check that the signing is by certain trusted
> > developers, or stays the same over time or anything else?
>
> Initially I don’t think it _needs_ to do anything at least initially, but yes
> I can imagine that we would want to enforce some security controls such as
> checking that the signature was valid before adding our signature. Perhaps
> associating a signature with an account so that developers can vouch for
> their content.
>
> >
> > Are there limits on the types of apps that could be signed, e.g.: only
> > Packaged apps?
>
> Yes, only static apps can be signed - i.e. only packaged apps. Signing
> dynamically generated content defeats the purpose of signing.
>
> >
> > Andy
> >
>
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
