Re: NoScript Not A Signed Add On (Yet)?
Posted: Fri Aug 14, 2015 4:23 pm
Can signed XPIs be hosted on secure.informaction.com (in addition to AMO)?
I think they can be: I proposed how to do this above (in the work flow).
Since then, I have tried to see if there are any technical reasons why
my idea would fail to work.
I have used 7zip to open (copies of) "{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi",
the NoScript Extension,
that came from AMO and from the feed.
I used NoScript 2.6.9.35rc2
(which is signed by Mozilla - if it is 'collected from / installed from AMO')
The "install.rdf" has:
> <em:id>{73a6fe31-595d-460b-a920-fcc0f8843232}</em:id>
> <em:name>NoScript</em:name>
> <em:version>2.6.9.35rc2</em:version>
The ONLY difference I can see is the 'signed by Mozilla' version has a
META-INF subfolder.
All the other files seem to be identical (in content and number of bytes).
I can NOT find anything, inside the XPI, that would force an update
from any particular place.
In particular, I can't see an 'updateURL'.
So, for example, there is no reference that says, in effect,
'this series of XPIs must be installed from' e.g. secure.informaction.com (or from AMO).
I might be missing something.
Would it be a good idea to have signed XPIs be hosted on secure.informaction.com (in addition to AMO)?
I think so, because it would allow Fx 42 + Users (Release and Beta) to install 'old versions'
when AMO was unavailable.
I do appreciate that it would be extra work for Giorgio.
An archive of 'Mozilla signed XPIs' - hosted at secure.informaction.com - might be worth considering.
DJ-Leith
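
The comparison described in the post above, as an added example that is not part of the original post: a Python sketch that diffs two XPI (ZIP) archives entry by entry and checks install.rdf for an updateURL. The two archives are constructed in memory; the chrome.manifest content and the META-INF file contents are placeholders, and the script compares contents only, it does not verify the signature.

```python
import io
import zipfile

def make_xpi(files):
    """Build an in-memory XPI (a ZIP archive) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def entries(xpi_bytes):
    """Map each file entry to (size, CRC-32) taken from the ZIP directory."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return {i.filename: (i.file_size, i.CRC)
                for i in z.infolist() if not i.is_dir()}

def compare_xpis(a_bytes, b_bytes):
    """Report entries unique to each archive and entries whose bytes differ.
    CRC-32 is enough to spot differences, not to prove integrity."""
    a, b = entries(a_bytes), entries(b_bytes)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

def has_update_url(xpi_bytes):
    """True if install.rdf mentions an updateURL anywhere."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return b"updateURL" in z.read("install.rdf")

# Constructed sample data: id, name and version are the ones quoted in the post.
INSTALL_RDF = b"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{73a6fe31-595d-460b-a920-fcc0f8843232}</em:id>
    <em:name>NoScript</em:name>
    <em:version>2.6.9.35rc2</em:version>
  </Description>
</RDF>
"""
COMMON = {"install.rdf": INSTALL_RDF, "chrome.manifest": b"placeholder\n"}
SIGNATURE = {"META-INF/manifest.mf": b"placeholder", "META-INF/mozilla.sf":
             b"placeholder", "META-INF/mozilla.rsa": b"placeholder"}
FEED_XPI = make_xpi(COMMON)                    # stands in for the feed copy
AMO_XPI = make_xpi({**COMMON, **SIGNATURE})    # stands in for the AMO copy

if __name__ == "__main__":
    print(compare_xpis(FEED_XPI, AMO_XPI))
    print("updateURL present:", has_update_url(AMO_XPI))
```

To run it on real files, read each .xpi with open(path, "rb").read() and pass the bytes to compare_xpis and has_update_url.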