MozillaZine

How do you sign an extension?

Talk about add-ons and extension development.
wormeyman

Posts: 344
Joined: October 17th, 2003, 11:17 pm
Location: Somewhere starting browser wars.

Post Posted December 22nd, 2004, 11:30 pm

After that recent Microsoft blog post/hit piece on Firefox I was wondering how one goes about signing an extension? I searched around and couldn't find any info on how to do that.

wormeyman

Posts: 344
Joined: October 17th, 2003, 11:17 pm
Location: Somewhere starting browser wars.

Post Posted December 23rd, 2004, 8:43 am

Does anyone know at all?

mai9

Posts: 1619
Joined: January 15th, 2003, 3:41 pm
Location: Barcelona

Post Posted December 23rd, 2004, 9:00 am

You probably need to give some money to Microsoft ;)

wormeyman

Posts: 344
Joined: October 17th, 2003, 11:17 pm
Location: Somewhere starting browser wars.

Post Posted December 23rd, 2004, 2:37 pm

Yeah, like I'm going to pay Microsoft; anyways, I assume that no one knows, as this topic just falls to the bottom of the page?

asqueella
 
Posts: 4019
Joined: November 16th, 2003, 3:05 am
Location: Russia, Moscow

Post Posted December 23rd, 2004, 3:13 pm

I think so. A few other people tried to figure that out but failed, afaik. There was a comment to that blog by a person who said he was able to make a signed extension for Mozilla, but not for Firefox (iirc).
Try searching these forums and PMing the people who asked this question.

BenBasson
Moderator

Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post Posted December 23rd, 2004, 3:16 pm

I don't think you can - yet.

I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.

IceDogg
 
Posts: 657
Joined: July 24th, 2004, 11:26 am

Post Posted December 23rd, 2004, 5:06 pm

Cusser wrote: I don't think you can - yet.

I would guess that Mozilla.org will sign extensions before putting them on UMO in the future (whenever it's all sorted out) - since individually, it's unlikely that extension authors can afford certificates, and frankly, being signed by a developer means nothing in terms of security assurance.


That's correct. The view that being signed makes it more secure is ridiculous. Someone with the know-how to write a virus or other bad code and make it into an extension is just as likely to know how to sign it. Your best bet is to stick with sites you can trust to install extensions from. It's way safer than if it's signed or not.

BenBasson
Moderator

Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post Posted December 23rd, 2004, 5:20 pm

Er, no, that's not what I said. Being signed by a developer might mean nothing, but being signed by Mozilla.org (after testing) would give a much greater assurance of security.

IceDogg
 
Posts: 657
Joined: July 24th, 2004, 11:26 am

Post Posted December 23rd, 2004, 5:36 pm

Yeah, that would fall into this part of my post:
"Your best bet is to stick with sites you can trust to install extensions from"

jensb

Posts: 544
Joined: April 23rd, 2003, 12:42 pm
Location: Germany

Post Posted December 24th, 2004, 3:34 pm

It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.

The question remains whether there will be any community-type CA that gives out certificates to "trusted" extension authors... AFAIK, all CAs whose certs are currently shipped with Mozilla browsers are commercial...
Mouse Gestures - control your browser the elegant way
MessageFaces - embed pictures in mail header

iosart

Posts: 87
Joined: July 29th, 2004, 2:34 am

Post Posted December 25th, 2004, 7:13 am

jensb wrote: It seems you can actually sign extensions. Bug 178687 - Support Signed XPI packages added the support for it in 2002, and since there are some testcases at http://www.mozilla.org/projects/xpinsta ... index.html , I'd guess it works.

Did anybody notice that most of the testcases on the above page FAIL?
At least with FF 1.0...

Robert S.

Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post Posted December 25th, 2004, 7:50 am

I didn't bother trying it out after noticing that the cert has expired

iosart

Posts: 87
Joined: July 29th, 2004, 2:34 am

Post Posted December 25th, 2004, 7:59 am

wig_out_on_me wrote: I didn't bother trying it out after noticing that the cert has expired

Another good point. The cert is indeed expired, but there's no indication of that either when trying to install :)
Looks like this whole issue doesn't have a very high priority in Mozilla. I believe it should, though...

/\/\axx
 
Posts: 78
Joined: July 16th, 2004, 1:01 pm

Post Posted December 25th, 2004, 6:02 pm

Here you can download an extension which is signed properly.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 - Installed Extensions

asqueella
 
Posts: 4019
Joined: November 16th, 2003, 3:05 am
Location: Russia, Moscow

Post Posted December 25th, 2004, 6:07 pm

This (from Maxx's link) appears as unsigned in Firefox's installation window.
