Firefox addon signing

Alexander Ploumistos alex.ploumistos at gmail.com
Fri Aug 28 09:00:59 UTC 2015


On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky <stransky at redhat.com> wrote:
> Can we ship addons which are already signed by Mozilla? Or does the Fedora
> packager modify them somehow?

It seems that even when the source is an xpi file, rpm treats it like
any other source package and its contents can be patched. I don't know
how that works, because signed addons contain a manifest file with md5
and sha1 checksums for all included files and I would expect that
modifications to any of them would cause the addon to get disabled.
Obviously we need input from a packager involved with the process.
Asking legal couldn't hurt either.

I think that these are all the addons that we ship and must be signed
(dictionaries, themes and plugins are exempt from the signing
process):
http://pkgs.fedoraproject.org/cgit/firefox-esteidpkcs11loader.git/
http://pkgs.fedoraproject.org/cgit/mozilla-adblockplus.git/
http://pkgs.fedoraproject.org/cgit/mozilla-https-everywhere.git/
http://pkgs.fedoraproject.org/cgit/mozilla-noscript.git/
http://pkgs.fedoraproject.org/cgit/mozilla-requestpolicy.git/
http://pkgs.fedoraproject.org/cgit/spice-xpi.git/
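
The manifest check discussed in the message above, as an added example that is not part of the original post nor taken from Fedora's or Mozilla's tooling: it recomputes the per-file md5 and sha1 digests of an xpi and reports files that no longer match. It assumes the JAR-style `META-INF/manifest.mf` layout with `MD5-Digest` and `SHA1-Digest` headers, checks only the per-file digests (not the signature that covers the manifest), and all file names and contents are constructed.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/manifest.mf"  # assumed location, as in signed JAR archives
ALGOS = (("md5", "MD5-Digest"), ("sha1", "SHA1-Digest"))

def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def build_manifest(files):  # constructed helper: manifest text for {name: bytes}
    out = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        out += [f"Name: {name}", "Digest-Algorithms: MD5 SHA1"]
        out += [f"{hdr}: {b64_digest(algo, data)}" for algo, hdr in ALGOS] + [""]
    return "\n".join(out)

def make_xpi(files, manifest):  # constructed helper: zip files + manifest in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in {MANIFEST: manifest, **files}.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Return {file name: {header: value}} for each per-file section."""
    entries = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        lines = section.replace("\n ", "").splitlines()  # unfold wrapped lines
        fields = dict(l.split(": ", 1) for l in lines if ": " in l)
        if "Name" in fields:
            entries[fields.pop("Name")] = fields
    return entries

def check_xpi(blob):
    """Return a sorted list of files that no longer match the manifest."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        entries = parse_manifest(z.read(MANIFEST).decode())
        names = {n for n in z.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")}
        problems = [f"missing: {n}" for n in set(entries) - names]
        for name in set(entries) & names:
            data = z.read(name)
            problems += [f"{hdr} mismatch: {name}" for algo, hdr in ALGOS
                         if entries[name].get(hdr) != b64_digest(algo, data)]
        problems += [f"unlisted: {n}" for n in names - set(entries)]
    return sorted(problems)

# Constructed sample: the manifest is built for ORIGINAL, then one file is patched.
ORIGINAL = {"install.rdf": b"<RDF/>\n", "chrome/content/main.js": b"var a = 1;\n"}
PATCHED = dict(ORIGINAL, **{"chrome/content/main.js": b"var a = 2;\n"})
```

Calling `check_xpi(make_xpi(PATCHED, build_manifest(ORIGINAL)))` reports both digest mismatches for the patched file, while the unmodified archive yields an empty list.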

