Thanks for info. Do you know the format (element name, etc) to specify in update.rdf? The bugzilla bug you linked to says:

>>will this require --enable-crypto?

>crypto is required for the hashes to actually work, but it will build and run
>fine without the crypto library. If a web-site InstallTrigger or update.rdf
>specifies a hash and the crypto libraries are not installed then the install
>will fail because it can't verify the hash.
Anyone know if the FF downloads at mozilla.org are built with the --enable-crypto option?

thanks,
eric



----- Original Message ----
From: Matthew Wilson <[EMAIL PROTECTED]>
To: Mozdev Project Owners List <[email protected]>
Sent: Sunday, October 22, 2006 4:20:45 AM
Subject: Re: [Project_owners] code-signing certificates from mozdev?

Eric H. Jung wrote:
> I agree with Michael that code-signing is the same as vouching that the
> extension is non-evil. It simply ensures that the code hasn't been
> tampered with.
> I'll open a bugzilla bug on it to track it, if you want?

It's not as good a solution as code-signing, but you can add SHA hashes
to the update.rdf and the JavaScript install call.

http://bugzilla.mozilla.org/show_bug.cgi?id=306478

It would at least protect against one of the mirror sites being hacked
to host a malicious version of the XPI.

Matthew Wilson

_______________________________________________
Project_owners mailing list
[email protected]
http://mozdev.org/mailman/listinfo/project_owners
