Nelson B wrote:
Now, apparently, beginning a couple years ago, mozilla requires the .[rd]sa files to be first. As far as I'm concerned, that's a bug in mozilla. The versions of mozilla that require that are incompatible with nearly ALL the jar files made before that. Different JAR signing tools are free to put the files in the order they wish. mozilla should be compatible with all of them. I'll mention it to Doug T tomorrow.
It isn't a bug, well maybe... We want to be able to extract the information about the signature out of the xpi file as soon as possible so that we can display to the user who *may* have signed the install.
It works something like:
a) An install is triggered.
b) We download the xpi file.
c) When the .[dr]sa is available, we indicate that the install *may* be signed by whomever.
d) After the xpi is downloaded, we verify that it is signed and that the signature matches what we indicated to the user in step (c).
So, yeah, we probably should be able to work with .[dr]sa that aren't first. But, if it isn't first, then you can't do what I outlined above.
BTW, sorry about the crappy docs. We had a docs person that was going to do a tutorial...
Regards, Doug Turner _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
