Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

No remote update listing... so yeah, where did that update come from? Is it at all possible that AMO is automatically updating extensions that someone uploaded for personal use? I would compare this version to version 4.2 and see what's been changed.

Edit: You should be able to see the dates of the files in the XPI, that should give some idea as to whether anything has been edited. Of course that can be faked if there is malicious intent.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
mightyglydd
Posts: 9813
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Re: Mandatory signing requirement for add-ons is coming

Post by mightyglydd »

I've PM'd you both... seemed a little overkill for here.

Can see the difference but it's all above my pay scale... different name for sure... Clocki 'An LCD looking clock'.
The rdf was edited a couple of days ago, on the 6th, eight years after the other files!
FWIW, I scanned the file with VirusTotal/SAS/MWB/NOD32... clean.
#KeepFightingMichael and Alex.
therube
Posts: 21685
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Mandatory signing requirement for add-ons is coming

Post by therube »

The only meaningful changes (between 042-mod & 046) are the inclusion of:
+ META-INF/*
(so it is now signed)

& in install.rdf, other than em:maxVersion bumps:
+ <!-- em:id="l k o pi@p kp.net"
(I've purposely broken)


Note that what they call "<!-- SuiteRunner -->" is "SeaMonkey".
(So SeaMonkey is "natively" supported in 046.)


Otherwise, everything else is exactly the same.


(Just got a beep at the quarter-hour ;-).)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Philip Chee
Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Re: Mandatory signing requirement for add-ons is coming

Post by Philip Chee »

mightyglydd wrote:Hmm... I just got an update from 0.4.2 to Clocki 0.4.6 (unsigned)?

Me too. Very strange. I can't find it on AMO. It has to come from AMO since the install.rdf doesn't have an update URL.

Phil
Philip Chee
Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Re: Mandatory signing requirement for add-ons is coming

Post by Philip Chee »

therube wrote:The only meaningful changes (between 042-mod & 046) are the inclusion of:
+ META-INF/*
(so it is now signed)

& in install.rdf, other than em:maxVersion bumps:
+ <!-- em:id="l k o pi@p kp.net"
(I've purposely broken)

Note that what they call "<!-- SuiteRunner -->" is "SeaMonkey".
(So SeaMonkey is "natively" supported in 046.)
Otherwise, everything else is exactly the same.

The "SuiteRunner" comes from my modified 0.4.2 from my xsidebar site.

But if the em:id is different, AMO shouldn't have offered an update?

Phil
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

New:

Code:

<!-- em:id="lkopi@pkp.net" 
Front End MetaData -->
<em:id>lcdclock_bloodeye@gmail.com</em:id>


Old:

Code:

<!-- Front End MetaData -->
<em:id>lcdclock_bloodeye@gmail.com</em:id>


The em:id is still the same. Looks like they tried to change it and screwed up by putting it inside the comments. Since there is no updateURL, the update had to have come from AMO. My only guess is that someone uploaded this version to AMO for personal use/signing and, since the original ID was not on AMO, it accepted it and then updated users with this version installed. This is a serious flaw in this design. What happens if someone uploads an extension with the same ID as an existing extension that is not hosted on AMO... but is an entirely different extension? Or it's the same extension plus ad tracking (since AMO allows that garbage) or other unwanted features?

Note that I found another version of this extension also on AMO but under a different ID, and with only the install.rdf edited; all other files are original from 2006. It was difficult to find (I had to edit the URL); it does not appear in searches, and is not listed as associated with the "author". I'm not sure if this is because AMO has not done a full review or if this was supposed to be a private upload.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
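The two checks made in the posts above, therube's file-by-file comparison of 042-mod against 046 and the look at what install.rdf really declares (an em:id that only survives inside a comment, no updateURL), can be scripted. The following is an added example written for this page; it is not code from the thread or from Mozilla. It builds two small XPIs inline as constructed stand-ins for the real Clocki files (the ids and version numbers are the ones quoted above; the timestamps, the jar contents and the META-INF entries are placeholders) and then reports what the add-on manager would actually read from each, and what differs between them.

```python
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
MANIFEST_ABOUT = "urn:mozilla:install-manifest"
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
ID_IN_COMMENT_RE = re.compile(r'em:id\s*=\s*"([^"]+)"|<em:id>\s*([^<]+?)\s*</em:id>')


def install_rdf_fields(rdf_bytes):
    """Return the em:id / em:version / em:updateURL the add-on manager would honour."""
    # The XML parser drops comments, so an em:id that only exists inside <!-- -->
    # (the botched edit quoted above) never reaches the result; such ids are
    # reported separately under "commented_ids" so a reviewer can spot the edit.
    comments = " ".join(COMMENT_RE.findall(rdf_bytes.decode("utf-8")))
    commented = [m.group(1) or m.group(2) for m in ID_IN_COMMENT_RE.finditer(comments)]
    fields = {"id": None, "version": None, "updateURL": None, "commented_ids": commented}
    for desc in ET.fromstring(rdf_bytes).iter():
        about = desc.attrib.get("about") or desc.attrib.get(RDF + "about")
        if about != MANIFEST_ABOUT:
            continue
        for key in ("id", "version", "updateURL"):
            # a property may be written as an attribute (em:id="...") or a child element
            value = desc.attrib.get(EM + key)
            child = desc.find(EM + key)
            if value is None and child is not None:
                value = (child.text or "").strip()
            fields[key] = value
        break
    return fields


def inspect_xpi(xpi_bytes):
    """Signature-file presence, manifest fields and timestamp spread of one XPI."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = zf.namelist()
        sig_files = sorted(n for n in names if n.startswith("META-INF/"))
        stamps = {i.filename: datetime(*i.date_time) for i in zf.infolist() if not i.is_dir()}
        fields = install_rdf_fields(zf.read("install.rdf"))
    newest, oldest = max(stamps.values()), min(stamps.values())
    return {
        # META-INF/*.rsa only shows a signature block is present; whether it
        # verifies is the add-on manager's job, not this script's
        "has_signature_block": "META-INF/manifest.mf" in names
                               and any(n.lower().endswith(".rsa") for n in sig_files),
        "signature_files": sig_files,
        "fields": fields,
        "timestamp_spread_days": (newest - oldest).days,
        # entries touched last; an install.rdf years newer than the rest is worth a look
        "newest_entries": sorted(n for n, d in stamps.items() if d == newest),
    }


def diff_xpis(old_bytes, new_bytes):
    """File-level diff of two XPIs by SHA-256, as in the 042-mod vs 046 comparison."""
    def digests(data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                    for i in zf.infolist() if not i.is_dir()}
    old, new = digests(old_bytes), digests(new_bytes)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n])}


def build_xpi(entries):
    """Fixture builder: entries maps name -> (bytes, (Y, M, D, h, m, s) timestamp)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (data, stamp) in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


def _rdf(version, comment):
    # Constructed install.rdf modelled on the two snippets quoted above, not the real file.
    return ('<?xml version="1.0"?>\n'
            '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
            '     xmlns:em="http://www.mozilla.org/2004/em-rdf#">\n'
            '  <Description about="urn:mozilla:install-manifest">\n'
            '    <!-- ' + comment + ' -->\n'
            '    <em:id>lcdclock_bloodeye@gmail.com</em:id>\n'
            '    <em:version>' + version + '</em:version>\n'
            '  </Description>\n</RDF>\n').encode("utf-8")


# Constructed fixtures: timestamps, jar bytes and META-INF contents are placeholders.
OLD_STAMP, NEW_STAMP = (2006, 3, 15, 12, 0, 0), (2015, 8, 6, 9, 30, 0)
OLD_XPI = build_xpi({
    "install.rdf": (_rdf("0.4.2", "Front End MetaData"), OLD_STAMP),
    "chrome/clocki.jar": (b"placeholder-jar-bytes", OLD_STAMP),
})
NEW_XPI = build_xpi({
    "install.rdf": (_rdf("0.4.6", 'em:id="lkopi@pkp.net"\n    Front End MetaData'), NEW_STAMP),
    "chrome/clocki.jar": (b"placeholder-jar-bytes", OLD_STAMP),
    "META-INF/manifest.mf": (b"Manifest-Version: 1.0\n", NEW_STAMP),
    "META-INF/mozilla.sf": (b"Signature-Version: 1.0\n", NEW_STAMP),
    "META-INF/mozilla.rsa": (b"\x30\x82\x00\x00", NEW_STAMP),
})
```

Running `inspect_xpi(NEW_XPI)` on the constructed 0.4.6 package reports the id still as lcdclock_bloodeye@gmail.com with "lkopi@pkp.net" listed only under commented_ids, no updateURL, a signature block present, and install.rdf plus the META-INF entries as the only files stamped years after the rest; `diff_xpis(OLD_XPI, NEW_XPI)` lists META-INF/* as added and install.rdf as the only changed file. Point the same two functions at real XPIs by reading the files into bytes; the timestamp check is only a hint, since zip timestamps are trivially forged by anyone editing with intent.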
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

mightyglydd wrote:Can see the difference but it's all above my pay scale..different name for sure.. Clocki 'An LCD looking clock'

Personal use xpi uploaded to AMO for signing and, as I do, the guy gave it a new name so they could keep track on which version was which...is a possibility.

AMO's new Hidden settings are working (which is why it doesn't show up on the site), but it (and others?) has now been automatically added to the usual update listings? Jorge has filed my Type 32 bug now; I'll point this one out to him as well.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
Philip Chee
Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Re: Mandatory signing requirement for add-ons is coming

Post by Philip Chee »

Checked with John-Galt and Mossop on IRC.
<John-Galt> RattyAway: It's on AMO, but it's unlisted.
<RattyAway> John-Galt: how did AMO decide to offer any update?
<John-Galt> I don't know why an update's being offered, though. We're not supposed to serve updates for unlisted add-ons
<Mossop> Huh, whoever uploaded it must have marked it Windows only
John-Galt: AMO is definitely serving updates for this thing:
<John-Galt> Mossop: Hm. Thanks. I'll file a bug.

Phil
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

I finally got a non-hosted addon signed. It took several tries though, all sorts of flaky things happening in the upload dialog. It added "-fx" to the filename instead of "-signed", but the version number itself was not touched.
Lemon Juice
Posts: 788
Joined: June 1st, 2006, 9:41 am

Re: Mandatory signing requirement for add-ons is coming

Post by Lemon Juice »

lithopsian wrote:It added "-fx" to the filename instead of "-signed", but the version number itself was not touched.

AFAIK the "-signed" suffix is not supposed to be added to the version numbers of signed extensions. The addition was only a one-time event for extensions on AMO so that auto-update would be triggered: it looks like Firefox cannot auto-update an extension to a version having the same version number, so they appended ".1-signed" to all of them as an artificial version bump. It is not appended to newly uploaded extensions because there is no need to.
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

AMO has been automatically changing the file name for internal processing purposes for some time now. -fx for Firefox, -sm for SeaMonkey, -tb for Thunderbird.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

What happens when your self-hosted signed extensions reach their max-version? Do you keep changing the max by a couple of versions (as on AMO) and put it up again for signing? ....or.... does anyone know if AMO will take a much higher max for these?

Btw when putting these up for signing, leave the OS versions at 'All', even though these will not work on Android. Otherwise you'll get 3 versions back - one for Windows, one for Linux and one for Mac. Guess how I know? *sigh*
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Mandatory signing requirement for add-ons is coming

Post by patrickjdempsey »

It shouldn't matter *too much* because max version is ignored except for two cases: at first install from disk, and if the extension demands strict compatibility.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
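Lemon Juice's point about the ".1-signed" bump and the max-version exchange just above both come down to how the toolkit orders version strings: an update is only taken when the offered version sorts strictly higher than the installed one, and the same ordering decides whether the running application falls inside em:minVersion..em:maxVersion. The following is an added example, not code from the thread or from Mozilla: a Python port of the toolkit version comparison as I read it from nsVersionComparator (parts split on dots; each part read as number, string, number, string; a missing string ranks above any string, so 1.0 beats 1.0pre; "*" stands for infinity; "N+" is shorthand for "(N+1)pre"). Treat the port as my reading of that format, not as Mozilla's implementation.

```python
import re

INT32_MAX = 2 ** 31 - 1


def _leading_int(s):
    """strtol-like: optional whitespace and sign, then digits; (0, s) if none."""
    m = re.match(r"\s*[+-]?\d+", s)
    return (int(m.group(0)), s[m.end():]) if m else (0, s)


def parse_part(part):
    """Read one dot-separated part as (numA, strB, numC, strD).

    A missing trailing part is 0 (so 1.0 == 1.0.0), "*" is "infinity", and
    "N+" is read as "(N+1)pre". A None string means "no string", which ranks
    above any string, so 1.0 > 1.0pre. This mirrors the toolkit's ParseVP as
    I understand it; it is my port, not Mozilla's code.
    """
    if part is None:
        return (0, None, 0, None)
    if part == "*":
        return (INT32_MAX, "", 0, None)
    num_a, rest = _leading_int(part)
    if rest == "":
        return (num_a, None, 0, None)
    if rest[0] == "+":
        return (num_a + 1, "pre", 0, None)
    m = re.search(r"[0-9+-]", rest)
    if m is None:
        return (num_a, rest, 0, None)
    # e.g. "1-signed": numA=1, strB="", numC=0 (no digits after '-'), strD="-signed"
    num_c, rest2 = _leading_int(rest[m.start():])
    return (num_a, rest[:m.start()], num_c, rest2 or None)


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_str(a, b):
    if a is None:
        return 0 if b is None else 1   # no string sorts after any string
    if b is None:
        return -1
    return _cmp(a, b)


def compare_versions(a, b):
    """-1, 0 or 1, in the order used for add-on updates and minVersion/maxVersion."""
    pa, pb = a.split("."), b.split(".")
    for i in range(max(len(pa), len(pb))):
        p = parse_part(pa[i] if i < len(pa) else None)
        q = parse_part(pb[i] if i < len(pb) else None)
        for cmp, x, y in ((_cmp, p[0], q[0]), (_cmp_str, p[1], q[1]),
                          (_cmp, p[2], q[2]), (_cmp_str, p[3], q[3])):
            r = cmp(x, y)
            if r:
                return r
    return 0


def update_offered(installed, candidate):
    """An update is only taken when the candidate sorts strictly higher."""
    return compare_versions(candidate, installed) > 0


def is_compatible(app_version, min_version, max_version):
    """The minVersion <= app <= maxVersion range check from em:targetApplication."""
    return (compare_versions(app_version, min_version) >= 0
            and compare_versions(app_version, max_version) <= 0)
```

With this ordering, "0.4.2.1-signed" sorts above "0.4.2" (the fourth part is 1 against a missing 0), which is exactly why re-serving the same "0.4.2" would never trigger an update while the ".1-signed" bump does; "0.4.6" in turn sorts above "0.4.2.1-signed". For the max-version question, "2.0.14" and "2.35" both fall inside a maxVersion of "2.*", while "3.0" does not, so a maxVersion written as "2.*" covers every SeaMonkey 2.x without re-signing.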
Frank Lion
Posts: 21172
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Mandatory signing requirement for add-ons is coming

Post by Frank Lion »

patrickjdempsey wrote:It shouldn't matter *too much*

I'll experiment more with the next one. Why not this time? - every single detail change produces a 'Whoa!!! This extension already exists!!!' message. So you change the GUID. Get that right, you then get a 'Whoa, hold on there, boy. That extension name already exists!' message.

Luckily, I don't use that McCoy updating system stuff or it would have messed that up completely, as the one I did now has a slightly changed GUID and name! Should have used a throwaway extension to iron out the submit process problems first, I reckon.

Damn Mozilla, damn AMO. Still, nothing is forever. ;)
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
lithopsian
Posts: 3664
Joined: September 15th, 2010, 9:03 am

Re: Mandatory signing requirement for add-ons is coming

Post by lithopsian »

Signing an extension that was once hosted on AMO, and still exists there, but without the new version being hosted at AMO, is also a pain.