On 08/09/15 10:54, Rob Stradling wrote: > Assuming this is still Mozilla's plan, please would you clarify which > versions of Firefox and Thunderbird will be (or were?) the first > versions that won't accept "normal CA-issued object-signing certificates" ?
Extension signing was historically very rare, so I'm not sure what our new signing system would do when faced with an extension which is already signed. (Is that what you are asking?) Basically, it just put the signer's name in the install dialog, AFAIAA. > (I see the Timeline at [2], but it's not clear to me if the old > mechanism is being phased out at the same time the new mechanism is > being phased in, or if both mechanisms will run in parallel for a while > before the old mechanism is then phased out). https://bugzilla.mozilla.org/show_bug.cgi?id=1203584 suggests that the new target for the new system is Firefox 43/44. So currently there is no requirement that addons be signed. https://wiki.mozilla.org/RapidRelease/Calendar I assume that once this is required, it will be required - i.e. Firefox will look for a Mozilla signature, and other signatures will not make any difference. Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
