How do you sign an extension?
- Robert S.
- Posts: 4399
- Joined: April 24th, 2004, 3:04 am
- Location: Bay Area, CA
- RoyalMail
- Posts: 199
- Joined: August 1st, 2003, 11:35 am
- Location: UK
wig_out_on_me wrote:As for them being safe to use... this only guarantees they haven't been changed from the time of the initial packaging as long as it wasn't also signed when repackaged. I also believe based on several posts that there are quite a few average users that believe that if an extension is signed it is safe to use in that it won't have conflicts with existing extensions, will work without problems, etc. instead of that it hasn't been modified since it was packaged.
Of course it's perfectly straightforward to include the testing for the requirements of working with existing extensions, working as advertised and so on into a QA procedure that results in a 'signed' copy of the extension going forward for distribution. This could be operated by the Moz organisation to produce a set of verified, interworking, signed extensions, if they ever showed a sign of being interested in such things. Microsoft operate a similar idea with certified, signed third party drivers for XP, part of the effort to reduce customer annoyance with poorly integrated software.
Regds, RM.l
-
- Posts: 1899
- Joined: November 10th, 2002, 12:35 pm
- Location: Mexico / Boulder Co.
- Contact:
Looks like Pete has once again gone and done the unthinkable.
How to Sign an Extension.
Awesome stuff.
Cheers
-Jed
- BenBasson
- Moderator
- Posts: 13671
- Joined: February 13th, 2004, 5:49 am
- Location: London, UK
- Contact:
TheOneKEA wrote:I wonder if there's any point in the average extension developer signing their own extensions.
I won't do it. Signed by "Cusser" or "Ben Basson" is about as meaningful as having it unsigned, but with more effort involved. If extensions are simply signed by their creators, it undermines the system and creates false trust.
-
- Posts: 140
- Joined: December 17th, 2002, 2:43 pm
Cusser wrote:TheOneKEA wrote:I wonder if there's any point in the average extension developer signing their own extensions.
I won't do it. Signed by "Cusser" or "Ben Basson" is about as meaningful as having it unsigned, but with more effort involved. If extensions are simply signed by their creators, it undermines the system and creates false trust.
Is this really true? Doesn't signing give the guarantee that the version you have downloaded is the correct one? Or am I wrong (I'm no expert)?
-
- Posts: 1899
- Joined: November 10th, 2002, 12:35 pm
- Location: Mexico / Boulder Co.
- Contact:
- BenBasson
- Moderator
- Posts: 13671
- Joined: February 13th, 2004, 5:49 am
- Location: London, UK
- Contact:
The point is that you don't know me, so why should having my name associated with a file make you trust me or that file? As Jed says, it's fine for recognisable bodies, such as companies, or maybe even extension authors if they ever became well known throughout the Internet.
Generally speaking, having author signed extensions will just make signing appear to have no real benefits, and people would lapse into installing anything and everything again, making the system redundant.
-
- Posts: 101
- Joined: March 31st, 2004, 5:39 pm
- Location: New Zealand
- Contact:
Doesn't signing extensions, even using self-signed certificates, guarantee that the xpi file was not tampered with?
I mean if I sign my extension in my name it does not add more information but presumably the user already knows that I wrote the extension.
However, if signing can make sure that the xpi is actually the original file that I released and not modified in any way, wouldn't that be an improvement?
- Spewey
- Folder@Home
- Posts: 5799
- Joined: January 25th, 2003, 2:06 pm
- Location: St. Paul, Minnes°ta
Yes, except you might be evil to begin with. I know a lot of extension authors by name and nickname but I can't expect anyone else to know all that. It's meaningless to most people. Knowing the official server of a random author is just as distant to the average user. Now if it can help u.m.o. somehow, then maybe it's worth it.
-
- Posts: 101
- Joined: March 31st, 2004, 5:39 pm
- Location: New Zealand
- Contact:
Hmm, perhaps instead of every author signing extensions himself UMO should be doing the signing.
If they do auditing to verify that there is no evil code in the listed extensions, they might as well sign the extensions before they are added for download.
Users are expected to trust one central point, in this case UMO. So that wouldn't break the chain of trust but strengthen it.
- Spewey
- Folder@Home
- Posts: 5799
- Joined: January 25th, 2003, 2:06 pm
- Location: St. Paul, Minnes°ta
-
- Posts: 6
- Joined: June 28th, 2004, 12:39 pm
- Location: Bloomington, Minnesota
- Contact:
Beta of NSS 3.10 out
Just posted on mozilla.crypto newsgroup.
http://article.gmane.org/gmane.comp.mozilla.crypto/4950
These betas include the new version of Signtool with the -X option that allows for signing .xpi extensions without needing to use the zip workaround. The -X option was added via this bug, http://bugzilla.mozilla.org/show_bug.cgi?id=248751 .
While I agree this is not a permanent measure for real extension security, it's still a step in the right direction.
I did have a tutorial online on how to sign an xpi last summer, but that was pre FF 1.0. http://www.j-maxx.net/tutorials/xpi_code_signing/
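Added example, not part of the original thread or of NSS: a Python check of two structural properties of a signtool-signed XPI, namely that META-INF/zigbert.rsa is the first archive entry (the ordering Firefox expects of a signed XPI) and that every file matches its SHA1-Digest in META-INF/manifest.mf. The sample archive and the helper names are constructed for illustration, and the PKCS#7 signature in zigbert.rsa is not verified here.

```python
import base64, hashlib, io, zipfile

SIG = "META-INF/zigbert.rsa"
MANIFEST = "META-INF/manifest.mf"

def sha1_b64(body):
    return base64.b64encode(hashlib.sha1(body).digest()).decode()

def parse_manifest(text):
    """Map each 'Name:' section to its SHA1-Digest (assumes no wrapped lines)."""
    digests = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def check_xpi(data):
    """Return a list of problems; an empty list means internally consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if not names or names[0] != SIG:
            problems.append("signature is not the first entry")
        if MANIFEST not in names:
            return problems + ["no manifest"]
        listed = parse_manifest(z.read(MANIFEST).decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signing metadata and directory entries carry no digest
            if name not in listed:
                problems.append("unlisted file: " + name)
            elif listed[name] != sha1_b64(z.read(name)):
                problems.append("digest mismatch: " + name)
    return problems

def build_sample(files, signed_files=None, sig_first=True):
    """Constructed test archive; zigbert.rsa holds placeholder bytes, not a signature."""
    manifest = "Manifest-Version: 1.0\n\n"
    for name, body in (signed_files or files).items():
        manifest += f"Name: {name}\nDigest-Algorithms: SHA1\nSHA1-Digest: {sha1_b64(body)}\n\n"
    sig = (SIG, b"placeholder")
    entries = [(MANIFEST, manifest.encode())] + list(files.items())
    entries = [sig] + entries if sig_first else entries + [sig]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries:
            z.writestr(name, body)
    return buf.getvalue()

ORIGINAL = {"install.rdf": b"<RDF/>", "chrome/ext.jar": b"constructed jar bytes"}
print(check_xpi(build_sample(ORIGINAL)))  # []
```

Because anyone repackaging a modified XPI can regenerate manifest.mf, an empty result only becomes meaningful once zigbert.rsa is verified against a certificate the user already trusts.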
-
- Posts: 101
- Joined: March 31st, 2004, 5:39 pm
- Location: New Zealand
- Contact: