(In reply to :wezhou from comment #20)
> > Are system addons and omni.jar currently signed as system addons using the addon-shipper lambda?
>
> System addons are signed manually using the steps documented in [[1]](https://mana.mozilla.org/wiki/display/SVCOPS/Autograph#Autograph-AMO)
>
> I don't know if omni.jar is a system addon or not. Usually, the signing requester tells us an addon is to be signed as a system addon, and we will sign it as such.

omni JAR(s) and any XPI files (such as bundled system add-ons) shipped with Firefox have never been signed AFAIK. The tl;dr is that "default" system add-ons are packaged as XPI files and bundled with Firefox and persist in the (read-only) application directory, and "updates" are signed by Mozilla and are delivered to the user's (read/write) profile directory. :wezhou has been doing signatures for "updates" but we've never signed omni jar or The distinction between default and updates for system add-ons is documented further at https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html#default-built-in-system-add-ons

> I'm not sure what "addon-shipper" lambda is. But, there is a lambda known as "addon-signxpi" lambda, which is used to sign what's called "internal addon/extension". Information about signing this type of addon is in [[2]](https://mana.mozilla.org/wiki/display/FIREFOX/Internal+Extension+Signing) and [[3]](https://mana.mozilla.org/wiki/display/SVCOPS/Sign+a+Mozilla+Internal+Extension). If omni.jar were considered as an internal addon, someone would have followed those docs and signed it (cloudops rarely get involved signing internal addons).
>
> > Do they need to be backwards compatible with old Fx versions (in which case we should use AMO) or can we switch to taskcluster and the SHA2 signatures?
>
> Sorry but I don't know how to answer this question. I assume someone who owns the omni.jar file should know.

I don't think we need to worry about backwards compatibility for files that are shipped with Firefox since they'll only be verified by new code (bug 1515712). We'll need to take more care around updates but I think we can handle that separately without trouble.

Bug 1515173 Comment 21 Edit History

(In reply to :wezhou from comment #20)
> > Are system addons and omni.jar currently signed as system addons using the addon-shipper lambda?
>
> System addons are signed manually using the steps documented in [[1]](https://mana.mozilla.org/wiki/display/SVCOPS/Autograph#Autograph-AMO)
>
> I don't know if omni.jar is a system addon or not. Usually, the signing requester tells us an addon is to be signed as a system addon, and we will sign it as such.

omni JAR(s) and any XPI files (such as bundled system add-ons) shipped with Firefox have never been signed AFAIK. The tl;dr is that "default" system add-ons are packaged as XPI files and bundled with Firefox and persist in the (read-only) application directory, and "updates" are signed by Mozilla and are delivered to the user's (read/write) profile directory. :wezhou has been doing signatures for "updates" but not "defaults". The distinction between default and updates for system add-ons is documented further at https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html#default-built-in-system-add-ons

> I'm not sure what "addon-shipper" lambda is. But, there is a lambda known as "addon-signxpi" lambda, which is used to sign what's called "internal addon/extension". Information about signing this type of addon is in [[2]](https://mana.mozilla.org/wiki/display/FIREFOX/Internal+Extension+Signing) and [[3]](https://mana.mozilla.org/wiki/display/SVCOPS/Sign+a+Mozilla+Internal+Extension). If omni.jar were considered as an internal addon, someone would have followed those docs and signed it (cloudops rarely get involved signing internal addons).
>
> > Do they need to be backwards compatible with old Fx versions (in which case we should use AMO) or can we switch to taskcluster and the SHA2 signatures?
>
> Sorry but I don't know how to answer this question. I assume someone who owns the omni.jar file should know.

I don't think we need to worry about backwards compatibility for files that are shipped with Firefox since they'll only be verified by new code (bug 1515712). We'll need to take more care around updates but I think we can handle that separately without trouble.