How do you sign an extension?

Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

It'll have to wait a couple of days... I spent this evening trying to figure out why an update.rdf wasn't working... it appears that the 0.9 section was preventing it from working though I haven't had time to mess with it enough to be sure.
RoyalMail
Posts: 199
Joined: August 1st, 2003, 11:35 am
Location: UK

Post by RoyalMail »

wig_out_on_me wrote: As for them being safe to use... this only guarantees they haven't been changed from the time of the initial packaging as long as it wasn't also signed when repackaged. I also believe based on several posts that there are quite a few average users that believe that if an extension is signed it is safe to use in that it won't have conflicts with existing extensions, will work without problems, etc. instead of that it hasn't been modified since it was packaged.


Of course it's perfectly straightforward to include the testing for the requirements of working with existing extensions, working as advertised and so on into a QA procedure that results in a 'signed' copy of the extension going forward for distribution. This could be operated by the Moz organisation to produce a set of verified, interworking, signed extensions, if they ever showed a sign of being interested in such things. Microsoft operate a similar idea with certified, signed third party drivers for XP, part of the effort to reduce customer annoyance with poorly integrated software.

Regds, RM.l
jedbro
Posts: 1899
Joined: November 10th, 2002, 12:35 pm
Location: Mexico / Boulder Co.
Contact:

Post by jedbro »

Looks like Pete has once again gone and done the unthinkable ;).
How to Sign an Extension.

Awesome stuff.
Cheers
-Jed
asqueella
Posts: 4019
Joined: November 16th, 2003, 3:05 am
Location: Russia, Moscow

Post by asqueella »

Perhaps this thread should be unstickied now and the link should go to the announcement?
TheOneKEA
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post by TheOneKEA »

I wonder if there's any point in the average extension developer signing their own extensions.
Proud user of teh Fox of Fire
Registered Linux User #289618
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK
Contact:

Post by BenBasson »

TheOneKEA wrote: I wonder if there's any point in the average extension developer signing their own extensions.

I won't do it. Signed by "Cusser" or "Ben Basson" is about as meaningful as having it unsigned, but with more effort involved. If extensions are simply signed by their creators, it undermines the system and creates false trust.
mjwilson
Posts: 140
Joined: December 17th, 2002, 2:43 pm

Post by mjwilson »

Cusser wrote:
TheOneKEA wrote: I wonder if there's any point in the average extension developer signing their own extensions.

I won't do it. Signed by "Cusser" or "Ben Basson" is about as meaningful as having it unsigned, but with more effort involved. If extensions are simply signed by their creators, it undermines the system and creates false trust.


Is this really true? Doesn't signing give the guarantee that the version you have downloaded is the correct one? Or am I wrong (I'm no expert)?
jedbro
Posts: 1899
Joined: November 10th, 2002, 12:35 pm
Location: Mexico / Boulder Co.
Contact:

Post by jedbro »

Yes it does, however as I understand it a signed extension can only be downloaded from the server that has the certificate, unless I am mistaken.
If so, this is good for companies but not for independent authors like myself and cusser.
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK
Contact:

Post by BenBasson »

The point is that you don't know me, so why should having my name associated with a file make you trust me or that file? As Jed says, it's fine for recognisable bodies, such as companies, or maybe even extension authors if they ever became well known throughout the Internet.

Generally speaking, having author signed extensions will just make signing appear to have no real benefits, and people would lapse into installing anything and everything again, making the system redundant.
DerManoMann
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand
Contact:

Post by DerManoMann »

Doesn't signing extensions, even using self-signed certificates, guarantee that the xpi file was not tampered with?
I mean if I sign my extension in my name it does not add more information but presumably the user already knows that I wrote the extension.

However, if signing can make sure that the xpi is actually the original file that I released and not modified in any way, wouldn't that be an improvement?
Spewey
Folder@Home
Posts: 5799
Joined: January 25th, 2003, 2:06 pm
Location: St. Paul, Minnes°ta

Post by Spewey »

Yes, except you might be evil to begin with. I know a lot of extension authors by name and nickname but I can't expect anyone else to know all that. It's meaningless to most people. Knowing the official server of a random author is just as distant to the average user. Now if it can help u.m.o. somehow, then maybe it's worth it.
DerManoMann
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand
Contact:

Post by DerManoMann »

Hmm, perhaps instead of every author signing extensions himself UMO should be doing the signing.
If they do auditing to verify that there is no evil code in the listed extensions, they might as well sign the extensions before they are added for download.
Users are expected to trust one central point, in this case UMO. So that wouldn't break the chain of trust but strengthen it.
Spewey
Folder@Home
Posts: 5799
Joined: January 25th, 2003, 2:06 pm
Location: St. Paul, Minnes°ta

Post by Spewey »

But don't they want authors to be able to submit updates directly without comprehensive code security auditing? As in "Cusser is a good guy, let him in." Forgive me if I'm out of the loop on this. Don't authors want that as well? Would a umo sig go on a good guy's crap automagically?
freakyfreak
Posts: 6
Joined: June 28th, 2004, 12:39 pm
Location: Bloomington, Minnesota
Contact:

Beta of NSS 3.10 out

Post by freakyfreak »

Just posted on mozilla.crypto newsgroup.

http://article.gmane.org/gmane.comp.mozilla.crypto/4950

These betas include the new version of Signtool with the -X option that allows for signing .xpi extensions without needing to use the zip workaround. The -X option was added via this bug, http://bugzilla.mozilla.org/show_bug.cgi?id=248751 .

While I agree this is not a permanent measure for real extension security, it's still a step in the right direction.

I did have a tutorial online on how to sign an xpi last summer, but that was pre FF 1.0. http://www.j-maxx.net/tutorials/xpi_code_signing/
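Added example, not part of the original post or of NSS: a check of the integrity layer a signed .xpi carries, which is what the tamper-detection question earlier in the thread comes down to. It assumes JAR-style signing with signtool's default `zigbert` base name, and that the archive-ordering requirement (signature block as first entry) is what the zip workaround addressed; the sample archive and its placeholder signature block are constructed.

```python
import base64, hashlib, io, zipfile

SIG_ENTRY = "META-INF/zigbert.rsa"  # assumption: signtool's default base name
MANIFEST = "META-INF/manifest.mf"

def parse_manifest(text):
    """Return {entry name: base64 SHA1 digest} from a JAR-style manifest."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def check_xpi(data):
    """Return a list of problems in the archive layout and manifest digests."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if not names or names[0] != SIG_ENTRY:
            problems.append("signature block is not the first archive entry")
        if MANIFEST not in names:
            return problems + ["no manifest"]
        listed = parse_manifest(z.read(MANIFEST).decode())
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in listed:
                problems.append(f"unlisted file: {name}")
            elif listed[name] != sha1_b64(z.read(name)):
                problems.append(f"digest mismatch: {name}")
        problems += [f"missing file: {n}" for n in listed if n not in names]
    return problems

def build_sample(files, tamper=None):
    """Constructed sample: placeholder signature block plus a real manifest."""
    manifest = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nSHA1-Digest: {sha1_b64(c)}\n\n" for n, c in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SIG_ENTRY, b"placeholder, not a real PKCS#7 block")
        z.writestr(MANIFEST, manifest)
        for n, c in files.items():
            z.writestr(n, (tamper or {}).get(n, c))  # optionally swap content
    return buf.getvalue()
```

A clean result only shows that the files match the manifest; whether the manifest came from the named signer depends on validating the signature block against a trusted certificate, which is outside this check.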
DerManoMann
Posts: 101
Joined: March 31st, 2004, 5:39 pm
Location: New Zealand
Contact:

Post by DerManoMann »

Just wondering,

Would it work using a java sign tool to sign an xpi file? Shouldn't that come out to be pretty much the same?