On Wed, Feb 12, 2014 at 1:55 PM, Paul Theriault <[email protected]> wrote:
> On Feb 12, 2014, at 6:55 PM, Brian Smith wrote:
> What is the process for getting an app signed by the reviewer cert? Is it the
> same as production?

This is a question better answered by Marketplace people. Briefly, when an app is submitted, we do some automated checks. If those automated checks pass then we create a new ZIP file that contains the contents of the submitted ZIP file, and then sign the new ZIP file with the reviewer cert. Then the reviewer-signed app is made available under https://marketplace.firefox.com/reviewers/something-something-something for reviewers to download. The reviewers download and install the app, test it out, and when they approve it, the process starts all over again, except the production cert is used.

> Stating the obvious, but apps can be installed from any location so won't this
> also special case apps installed from places like http://foo.com/reviewers/ ?

Signed apps can only be installed from the domains listed in the pref dom.mozApps.signed_apps_installable_from, which defaults to https://marketplace.firefox.com, or by side-loading the app. Because side-loading and changing prefs are much easier in Desktop Firefox than in B2G, we may want to change what controls this.

> Couldn't an app developer just download their app from the reviewer interface
> (not sure if URLs are auth restricted), then host it somewhere else, and
> bypass the review process entirely?

I believe the reviewer interface is auth-restricted. Also, they can't usefully host it somewhere else because of the pref I mentioned above.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
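
The install-origin restriction described in the message above, as an added example that is not part of the original e-mail and is not Gecko's code. It assumes the pref holds a comma-separated list of origins; the function names and sample URLs are hypothetical. It shows why the comparison has to be made on the parsed origin (scheme, host, port) rather than on the URL string or its path.

```javascript
// Added illustration; not Gecko's implementation. Side-loading is out of scope.
// Assumption: dom.mozApps.signed_apps_installable_from is a comma-separated
// list of origins. The default below is the one stated in the message.
const DEFAULT_PREF = "https://marketplace.firefox.com";

// Reduce a URL to its origin (scheme + host + port); null if unusable.
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // default ports are normalised away by the URL parser
  } catch (e) {
    return null;
  }
}

// Parse the pref value into a set of canonical origins, dropping bad entries.
function parseAllowedOrigins(prefValue) {
  const origins = prefValue.split(",").map((s) => originOf(s.trim()));
  return new Set(origins.filter((o) => o !== null));
}

// Hypothetical helper: may a signed app fetched from installUrl be installed?
function mayInstallSignedApp(installUrl, prefValue = DEFAULT_PREF) {
  const origin = originOf(installUrl);
  return origin !== null && parseAllowedOrigins(prefValue).has(origin);
}

// Constructed sample URLs (not real packages).
const SAMPLES = [
  "https://marketplace.firefox.com/reviewers/app.zip",     // listed origin
  "https://marketplace.firefox.com:443/reviewers/app.zip", // same origin
  "http://foo.com/reviewers/app.zip",              // path matches, origin does not
  "http://marketplace.firefox.com/app.zip",        // scheme differs
  "https://marketplace.firefox.com.example.net/",  // string-prefix lookalike
  "https://marketplace.firefox.com@foo.com/app.zip", // userinfo, host is foo.com
];

// Return [url, allowed] pairs for the samples under the default pref.
function evaluateSamples() {
  return SAMPLES.map((u) => [u, mayInstallSignedApp(u)]);
}

console.log(evaluateSamples());
```

A plain `startsWith` test against the pref value would accept the last two samples; comparing parsed origins rejects them.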
