[wormeyman]

After that recent microsoft blog post/hit piece on firefox i was wondering how one goes about signing an extension? I searched around and couldn't find anyinfo on how to do that.

[wormeyman]

Does anyone know at all?

[mai9]

you probably need to give some money to microsoft

[wormeyman]

Yeah like i'm going to pay microsoft , anyways i assume that no one knows as this topic just falls to the bottom of the page?

[asqueella]

I think so. A few other people tried to figure that out but failed, afaik. There was a comment to that blog by a person who said he was able to make a signed extension for Mozilla, but not for Firefox (iirc).
Try searching these forums and PMing the people who asked this question.

[BenBasson]

I don't think you can - yet.

I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.

[IceDogg]

I don't think you can - yet.

I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.

That's correct. The view that signed make it's more secure is ridiculous . Someone with the know how to right a virus or other bad code and make it into an extension is just as likely to know how to sign it. Your best bet is to stick with sites you can trust to install extensions from. It's way safer then if it's signed or not.

[BenBasson]

Er, no, that's not what I said. Being signed by a developer might mean nothing, but being signed by Mozilla.org (after testing) would give a much greater assurance of security.

[IceDogg]

yea that would fall into this part of my post

Your best bet is to stick with sites you can trust to install extensions from

[jensb]

It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.

The question remains whether there will be any community-type CA that gives out certificates to "trusted" extension authors... AFAIK, all CAs whose certs are currently shipped with mozilla browsers are commercial...

[iosart]

It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.

Did anybody notice that most of the testcases on the above page FAIL?
At least with FF 1.0...

[Robert S.]

I didn't bother trying it out after noticing that the cert has expired

[iosart]

I didn't bother trying it out after noticing that the cert has expired

Another good point. The cert is indeed expired, but there's no indication of that either when trying to install
Looks like this whole issue doesn't have a very high priority in Mozilla. I believe it should, though...

[/\/\axx]

Here you can download extension which is signed properly.

[asqueella]

This (from Maxx link) appears as unsigned in Firefox's installation window.