Closed Bug 1070192 Opened 9 years ago Closed 8 years ago

Add documentation around add-on signing to MDN


( Graveyard :: Code Quality, defect, P2)



(Not tracked)



(Reporter: clouserw, Assigned: jorgev)



(Whiteboard: [qa-])

We should add documentation around add-on signing to MDN.  Off the top of my head, this should include:

* Policies around signing
* Expectations for self-hosting (namely, you would host after we sign it, you wouldn't download a key from us and sign it yourself)
* What the meta-inf directory is doing in your add-on .zip.  What happens if you change it or it already exists when you upload.
* Blocklisting changes

There are probably more.

Tentatively assigning to Jorge, because I don't know who else would own this.
Most of this is covered here:, but there are still a few things missing.
Anything we can do to help on the missing bits?
Things that are missing from the docs: 
- switching unlisted/listed: (the part explaining that an add-on can switch needs to be modified)
- multi-package XPIs aren't signed, but their inner extensions needs to be:
- an entry about what can be auto-validated:
   - only unlisted add-ons that aren't sideloaded
   - if they don't have warnings with signing severity attached higher than trivial)
   - if they do have any of those, they'll need a first manual review, and the reviewer might flag some of those warnings as ignorable for future updates
   - the part explaining that beta versions are only signed if they pass auto validation isn't correct anymore (all beta versions are automatically signed)
The first and part of the third point are now addressed in The remaining bits are too edge-casy to try to explain in detail to someone looking for general information, IMO.

The second point is now addressed here:
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 44.2
I was referring to comment #3, not comment #0, by the way.
Whiteboard: [qa-]
Product: → Graveyard
You need to log in before you can comment on or make changes to this bug.