How do you sign an extension?

wormeyman
Posts: 344
Joined: October 17th, 2003, 11:17 pm
Location: Somewhere starting browser wars.

How do you sign an extension?

Post by wormeyman »

After that recent Microsoft blog post/hit piece on Firefox I was wondering how one goes about signing an extension? I searched around and couldn't find any info on how to do that.
wormeyman
Posts: 344
Joined: October 17th, 2003, 11:17 pm
Location: Somewhere starting browser wars.

Post by wormeyman »

Does anyone know at all?
mai9
Posts: 1619
Joined: January 15th, 2003, 3:41 pm
Location: Barcelona

Post by mai9 »

You probably need to give some money to Microsoft ;)
wormeyman
Posts: 344
Joined: October 17th, 2003, 11:17 pm
Location: Somewhere starting browser wars.

Post by wormeyman »

Yeah, like I'm going to pay Microsoft. Anyways, I assume that no one knows, as this topic just falls to the bottom of the page?
asqueella
Posts: 4019
Joined: November 16th, 2003, 3:05 am
Location: Russia, Moscow

Post by asqueella »

I think so. A few other people tried to figure that out but failed, afaik. There was a comment to that blog by a person who said he was able to make a signed extension for Mozilla, but not for Firefox (iirc).
Try searching these forums and PMing the people who asked this question.
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

I don't think you can - yet.

I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.
IceDogg
Posts: 657
Joined: July 24th, 2004, 11:26 am

Post by IceDogg »

Cusser wrote: I don't think you can - yet.

I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.


That's correct. The view that being signed makes it more secure is ridiculous. Someone with the know-how to write a virus or other bad code and make it into an extension is just as likely to know how to sign it. Your best bet is to stick with sites you can trust to install extensions from. It's way safer than whether it's signed or not.
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

Er, no, that's not what I said. Being signed by a developer might mean nothing, but being signed by Mozilla.org (after testing) would give a much greater assurance of security.
IceDogg
Posts: 657
Joined: July 24th, 2004, 11:26 am

Post by IceDogg »

Yeah, that would fall into this part of my post:
"Your best bet is to stick with sites you can trust to install extensions from"
jensb
Posts: 544
Joined: April 23rd, 2003, 12:42 pm
Location: Germany

Post by jensb »

It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.

The question remains whether there will be any community-type CA that gives out certificates to "trusted" extension authors... AFAIK, all CAs whose certs are currently shipped with Mozilla browsers are commercial...
Mouse Gestures - control your browser the elegant way
MessageFaces - embed pictures in mail header
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

jensb wrote: It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.

Did anybody notice that most of the testcases on the above page FAIL?
At least with FF 1.0...
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

I didn't bother trying it out after noticing that the cert has expired.
iosart
Posts: 87
Joined: July 29th, 2004, 2:34 am

Post by iosart »

wig_out_on_me wrote: I didn't bother trying it out after noticing that the cert has expired

Another good point. The cert is indeed expired, but there's no indication of that either when trying to install :)
Looks like this whole issue doesn't have a very high priority in Mozilla. I believe it should, though...
/\/\axx
Posts: 78
Joined: July 16th, 2004, 1:01 pm

Post by /\/\axx »

Here you can download an extension which is signed properly.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 - Installed Extensions
asqueella
Posts: 4019
Joined: November 16th, 2003, 3:05 am
Location: Russia, Moscow

Post by asqueella »

This (from Maxx's link) appears as unsigned in Firefox's installation window.