MozillaZine

How do you sign an extension?

Talk about add-ons and extension development.
Robert S.

User avatar
 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post Posted January 19th, 2005, 2:02 am

It'll have to wait a couple of days... I spent this evening trying to figure out why an update.rdf wasn't working... it appears that the 0.9 section was preventing it from working though I haven't had time to mess with it enough to be sure.

RoyalMail

User avatar
 
Posts: 197
Joined: August 1st, 2003, 11:35 am
Location: UK

Post Posted February 21st, 2005, 7:02 am

wig_out_on_me wrote:As for them being safe to use... this only gaurantees they haven't been changed from the time of the initial packaging as long as it wasn't also signed when repackaged. I also believe based on several posts that there are quite a few average users that believe that if an extension is signed it is safe to use in that it won't have conflicts with existing extensions, will work without problems, etc. instead of that it hasn't been modified since it was packaged.


Of course it's perfectly straightforward to include the testing for the requirements of working with existing extensions, working as advertised and so on into a QA procedure that results in a 'signed' copy of the extension going forward for distribution. This could be operated by the Moz organisation to produce a set of verified, interworking, signed extensions, if they ever showed a sign of being intgerested in such things. Microsoft operate a similar idea with certified, signed third party drivers for XP, part of the effort to reduce customer annoyance with poorly integrated software.

Regds, RM.l

jedbro

User avatar
 
Posts: 1899
Joined: November 10th, 2002, 12:35 pm
Location: Mexico / Boulder Co.

Post Posted February 24th, 2005, 11:34 am

Looks like Pete has once again gone and done the unthinkable ;).
How to Sign an Extension.

Awesome stuff.
Cheers
-Jed

asqueella
 
Posts: 4019
Joined: November 16th, 2003, 3:05 am
Location: Russia, Moscow

Post Posted February 24th, 2005, 1:39 pm

Perhaps this thread should be unstickied now and the link should go to the announcement?

TheOneKEA

User avatar
 
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post Posted February 24th, 2005, 2:00 pm

I wonder if there's any point in the average extension developer signing their own extensions.
Proud user of teh Fox of Fire
Registered Linux User #289618

BenBasson
Moderator

User avatar
 
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post Posted February 24th, 2005, 7:10 pm

TheOneKEA wrote:I wonder if there's any point in the average extension developer signing their own extensions.

I won't do it. Signed by "Cusser" or "Ben Basson" is about as meaningful as having it unsigned, but with more effort involved. If extensions are simply signed by their creators, it undermines the system and creates false trust.

mjwilson
 
Posts: 140
Joined: December 17th, 2002, 2:43 pm

Post Posted March 1st, 2005, 6:23 am

Cusser wrote:
TheOneKEA wrote:I wonder if there's any point in the average extension developer signing their own extensions.

I won't do it. Signed by "Cusser" or "Ben Basson" is about as meaningful as having it unsigned, but with more effort involved. If extensions are simply signed by their creators, it undermines the system and creates false trust.


Is this really true? Doesn't signing give the guarantee that the version you have downloaded is the correct one? Or am I wrong (I'm no expert)?

jedbro

User avatar
 
Posts: 1899
Joined: November 10th, 2002, 12:35 pm
Location: Mexico / Boulder Co.

Post Posted March 1st, 2005, 9:50 am

Yes it does, however as I understand it a signed extension can only be downloaded from the sever that has the certificate, unless I am mistaken.
If so, this is good for companies but not for independent authors like myself and cusser

BenBasson
Moderator

User avatar
 
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post Posted March 1st, 2005, 11:41 am

The point is that you don't know me, so why should having my name associated with a file make you trust me or that file? As Jed says, it's fine for recognisable bodies, such as companies, or maybe even extension authors if they ever became well known throughout the Internet.

Generally speaking, having author signed extensions will just make signing appear to have no real benefits, and people would lapse into installing anything and everything again, making the system redundant.

DerManoMann
 
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand

Post Posted March 1st, 2005, 1:22 pm

Doesn't signing extensions, even using selfsigned certificates, guarantee that the xpi file was not tampered with?
I mean if I sign my extension in my name it does not add more information but presumably the user already knows that I wrote the extension.

However, if signing can make sure that the xpi is actually the original file that I released and not modified in any way, wouldn't that be an improvement?

Spewey
Folder@Home

User avatar
 
Posts: 5799
Joined: January 25th, 2003, 2:06 pm
Location: St. Paul, Minnes°ta

Post Posted March 1st, 2005, 1:28 pm

Yes, except you might be evil to begin with. I know a lot of extension authors by name and nickname but I can't expect anyone else to know all that. It's meaningless to most people. Knowing the official server of a random author is just as distant to the average user. Now if it can help u.m.o. somehow, then maybe it's worth it.

DerManoMann
 
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand

Post Posted March 1st, 2005, 1:44 pm

Hmm, perhaps instead of every author signing extensions himself UMO should be doing the signing.
If they do auditing to verify that there is no evil code in the listed extensions, they might as well sign the extensions before they are added for download.
Users are expected to trust one central point, in this case UMO. So that wouldn't break the chain of trust but strengthen it.

Spewey
Folder@Home

User avatar
 
Posts: 5799
Joined: January 25th, 2003, 2:06 pm
Location: St. Paul, Minnes°ta

Post Posted March 1st, 2005, 1:52 pm

But don't they want authors to be able to submit updates directly without comprehensive code security auditing? As in "Cusser is a good guy, let him in." Forgive me if I'm out of the loop on this. Don't authors want that as well? Would a umo sig go on a good guy's crap automagically?

freakyfreak
 
Posts: 6
Joined: June 28th, 2004, 12:39 pm
Location: Bloomington, Minnesota

Post Posted March 31st, 2005, 2:56 pm

Just posted on mozilla.crypto newsgroup.

http://article.gmane.org/gmane.comp.mozilla.crypto/4950

These beta's include the new version of Signtool with the -X option that allows for signing .xpi extensions without needing to use the zip workaround. The -X option was added via this bug, http://bugzilla.mozilla.org/show_bug.cgi?id=248751 .

While I agree this is not a permanent measure for real extension security, it's still a step in the right direction.

I did have a tutorial online on how to sign an xpi last summer, but that was pre FF 1.0. http://www.j-maxx.net/tutorials/xpi_code_signing/

DerManoMann
 
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand

Post Posted April 2nd, 2005, 2:49 am

Just wondering,

Would it work using a java sign tool to sign an xpi file? Shouldn't that come out be pretty much the same?

Return to Extension Development


Who is online

Users browsing this forum: No registered users and 1 guest