How do you sign an extension?
-
- Posts: 344
- Joined: October 17th, 2003, 11:17 pm
- Location: Somewhere starting browser wars.
- Contact:
How do you sign an extension?
After that recent microsoft blog post/hit piece on firefox i was wondering how one goes about signing an extension? I searched around and couldn't find anyinfo on how to do that.
http://wormeyman.com/Firefox/ffinfo.html My firefox information
My spyware resource center
My homepage
BRING BACK the why page!
My spyware resource center
My homepage
BRING BACK the why page!
-
- Posts: 344
- Joined: October 17th, 2003, 11:17 pm
- Location: Somewhere starting browser wars.
- Contact:
Does anyone know at all?
http://wormeyman.com/Firefox/ffinfo.html My firefox information
My spyware resource center
My homepage
BRING BACK the why page!
My spyware resource center
My homepage
BRING BACK the why page!
- mai9
- Posts: 1619
- Joined: January 15th, 2003, 3:41 pm
- Location: Barcelona
- Contact:
-
- Posts: 344
- Joined: October 17th, 2003, 11:17 pm
- Location: Somewhere starting browser wars.
- Contact:
Yeah like i'm going to pay microsoft , anyways i assume that no one knows as this topic just falls to the bottom of the page?
http://wormeyman.com/Firefox/ffinfo.html My firefox information
My spyware resource center
My homepage
BRING BACK the why page!
My spyware resource center
My homepage
BRING BACK the why page!
-
- Posts: 4019
- Joined: November 16th, 2003, 3:05 am
- Location: Russia, Moscow
- BenBasson
- Moderator
- Posts: 13671
- Joined: February 13th, 2004, 5:49 am
- Location: London, UK
- Contact:
I don't think you can - yet.
I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.
I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.
-
- Posts: 657
- Joined: July 24th, 2004, 11:26 am
Cusser wrote:I don't think you can - yet.
I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.
That's correct. The view that signed make it's more secure is ridiculous . Someone with the know how to right a virus or other bad code and make it into an extension is just as likely to know how to sign it. Your best bet is to stick with sites you can trust to install extensions from. It's way safer then if it's signed or not.
- BenBasson
- Moderator
- Posts: 13671
- Joined: February 13th, 2004, 5:49 am
- Location: London, UK
- Contact:
- jensb
- Posts: 544
- Joined: April 23rd, 2003, 12:42 pm
- Location: Germany
- Contact:
It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.
The question remains whether there will be any community-type CA that gives out certificates to "trusted" extension authors... AFAIK, all CAs whose certs are currently shipped with mozilla browsers are commercial...
The question remains whether there will be any community-type CA that gives out certificates to "trusted" extension authors... AFAIK, all CAs whose certs are currently shipped with mozilla browsers are commercial...
- iosart
- Posts: 87
- Joined: July 29th, 2004, 2:34 am
- Contact:
jensb wrote:It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.
Did anybody notice that most of the testcases on the above page FAIL?
At least with FF 1.0...
- iosart
- Posts: 87
- Joined: July 29th, 2004, 2:34 am
- Contact:
wig_out_on_me wrote:I didn't bother trying it out after noticing that the cert has expired
Another good point. The cert is indeed expired, but there's no indication of that either when trying to install
Looks like this whole issue doesn't have a very high priority in Mozilla. I believe it should, though...
-
- Posts: 78
- Joined: July 16th, 2004, 1:01 pm
Here you can download extension which is signed properly.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 - Installed Extensions