On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky <stransky(a)redhat.com> wrote:
> Can we ship addons which are already signed by Mozilla? Or does Fedora
> packager modify them somehow?

It seems that even when the source is an xpi file, rpm treats it like
any other source package and its contents can be patched. I don't know
how that works, because signed addons contain a manifest file with md5
and sha1 checksums for all included files and I would expect that
modifications to any of them would cause the addon to get disabled.

Obviously we need input from a packager involved with the process.
Asking legal couldn't hurt either.

I think that these are all the addons that we ship and must be signed
(dictionaries, themes and plugins are exempt from the signing
process):
http://pkgs.fedoraproject.org/cgit/firefox-esteidpkcs11loader.git/
http://pkgs.fedoraproject.org/cgit/mozilla-adblockplus.git/
http://pkgs.fedoraproject.org/cgit/mozilla-https-everywhere.git/
http://pkgs.fedoraproject.org/cgit/mozilla-noscript.git/
http://pkgs.fedoraproject.org/cgit/mozilla-requestpolicy.git/
http://pkgs.fedoraproject.org/cgit/spice-xpi.git/
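
Added example (not part of the original message, and not Fedora's or Mozilla's code): a Python check that compares every file in an XPI against the digests in its manifest, which is the mismatch the reply expects a patched add-on to produce. The manifest path `META-INF/manifest.mf`, the JAR-style `Name:` / `MD5-Digest:` / `SHA1-Digest:` layout and the sample files are assumptions; verifying the signature over the manifest itself is out of scope here.

```python
import base64, hashlib, io, zipfile
MANIFEST = "META-INF/manifest.mf"  # assumed location of the digest manifest

def b64(algo, content):
    return base64.b64encode(hashlib.new(algo, content).digest()).decode()

def parse_manifest(text):
    """Return {file name: {"md5": b64, "sha1": b64}} from a JAR-style manifest."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = {}
    for block in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Name" in fields:
            entries[fields["Name"]] = {k[:-7].lower(): v for k, v in fields.items()
                                       if k.endswith("-Digest")}
    return entries

def check_xpi(data):
    """Return a sorted list of (problem, file name) for one XPI given as bytes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        listed = parse_manifest(z.read(MANIFEST).decode("utf-8"))
        names = {n for n in z.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")}
        for name, digests in listed.items():
            if name not in names:
                problems.append(("missing", name))
            elif any(b64(a, z.read(name)) != d for a, d in digests.items()):
                problems.append(("modified", name))
        problems += [("unlisted", n) for n in names - set(listed)]
    return sorted(problems)

def build_sample(files, manifest_from=None):
    """Constructed sample: zip `files` with a manifest computed from `manifest_from`."""
    mf = "Manifest-Version: 1.0\n"
    for name, content in (manifest_from or files).items():
        mf += "\nName: %s\nDigest-Algorithms: MD5 SHA1\n" % name
        mf += "MD5-Digest: %s\nSHA1-Digest: %s\n" % (b64("md5", content), b64("sha1", content))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, mf)
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()

ORIGINAL = {"install.rdf": b"<RDF/>", "bootstrap.js": b"function startup() {}\n"}  # constructed
PATCHED = dict(ORIGINAL, **{"bootstrap.js": b"function startup() { /* patched */ }\n"})
if __name__ == "__main__":
    print(check_xpi(build_sample(ORIGINAL)))                         # unmodified add-on
    print(check_xpi(build_sample(PATCHED, manifest_from=ORIGINAL)))  # patched after signing
```

Run against the XPI produced by a package build, a non-empty result means the shipped files no longer match the manifest the add-on was signed with.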