Firefox addon signing

Martin Stransky stransky at redhat.com
Fri Aug 28 09:24:25 UTC 2015


On 08/28/2015 11:00 AM, Alexander Ploumistos wrote:
> On Fri, Aug 28, 2015 at 10:18 AM, Martin Stransky <stransky at redhat.com> wrote:
>> Can we ship addons which are already signed by Mozilla? Or does the Fedora
>> packager modify them somehow?
>
> It seems that even when the source is an xpi file, rpm treats it like
> any other source package and its contents can be patched. I don't know
> how that works, because signed addons contain a manifest file with md5
> and sha1 checksums for all included files and I would expect that
> modifications to any of them would cause the addon to get disabled.
> Obviously we need input from a packager involved with the process.
> Asking legal couldn't hurt either.

Thanks for the info. Actually, is there any reason why a Fedora packager
would need to modify the original extension?

ma.

> I think that these are all the addons that we ship and must be signed
> (dictionaries, themes and plugins are exempt from the signing
> process):
> http://pkgs.fedoraproject.org/cgit/firefox-esteidpkcs11loader.git/
> http://pkgs.fedoraproject.org/cgit/mozilla-adblockplus.git/
> http://pkgs.fedoraproject.org/cgit/mozilla-https-everywhere.git/
> http://pkgs.fedoraproject.org/cgit/mozilla-noscript.git/
> http://pkgs.fedoraproject.org/cgit/mozilla-requestpolicy.git/
> http://pkgs.fedoraproject.org/cgit/spice-xpi.git/
>
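
Added example, not part of the original thread and not Fedora's or Mozilla's code: a packager-side check that recomputes the per-file digests mentioned above and reports which files in an xpi no longer match after patching. It assumes a JAR-style manifest at META-INF/manifest.mf with MD5-Digest and SHA1-Digest fields; the sample archive is constructed in memory, and the signature over the manifest itself is not checked.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/manifest.mf"  # assumption: JAR-style manifest path

def b64digest(algo, data):
    h = hashlib.new(algo.lower().replace("-", ""), data)  # "SHA1" -> "sha1"
    return base64.b64encode(h.digest()).decode()

def parse_manifest(text):
    """Map each 'Name:' section to its {algorithm: base64 digest} fields."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields:
            entries[fields["Name"]] = {k[:-len("-Digest")]: v
                                       for k, v in fields.items() if k.endswith("-Digest")}
    return entries

def check_xpi(xpi):
    """Return sorted (file, problem) pairs where the archive disagrees with its manifest."""
    problems = []
    with zipfile.ZipFile(xpi) as z:
        entries = parse_manifest(z.read(MANIFEST).decode("utf-8"))
        names = {n for n in z.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")}
        problems += [(n, "not listed in manifest") for n in names - entries.keys()]
        for name, digests in entries.items():
            if name not in names:
                problems.append((name, "listed but missing"))
                continue
            data = z.read(name)
            problems += [(name, algo + " mismatch") for algo, want in digests.items()
                         if b64digest(algo, data) != want]
    return sorted(problems)

def build_sample(files, patched=None):
    """Constructed sample: in-memory XPI whose manifest describes `files`;
    `patched` replaces or adds file contents after the digests were computed."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += ["Name: " + name, "Digest-Algorithms: MD5 SHA1",
                  "MD5-Digest: " + b64digest("MD5", data),
                  "SHA1-Digest: " + b64digest("SHA1", data), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, "\n".join(lines))
        for name, data in {**files, **(patched or {})}.items():
            z.writestr(name, data)
    return buf
```

check_xpi() also accepts a path to an xpi on disk, so it can be run on the packaged file after the rpm build has applied its patches.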


