c) When the .[dr]sa is available, we indicate that the install *may* be signed by whomever.
d) After the xpi is downloaded, we verify that it is signed and that the signature matches what we indicated to the user in step (c).
I don't see this two steps in the current Mozilla.
The tests cases in http://www.mozilla.org/projects/xpinstall/signed/testcases/index.html
directly show after download the dialog if I want to install and telling the xpi is unsigned.
Anyway, the real decision can only really be made *after* the download is over and the full info is available.
So it would be better to change that.
Can I enter a bug for this ? (I don't think it exist already) I will *try* to fix if I can find the time. If you can just gives me the right pointeur to the source. _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
