1160969 - Sign multi-package XPIs

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Code Quality, defect)

Description

[Mathieu Agopian [:magopian]]

At the moment, we're not properly signing multi-package XPIs (https://developer.mozilla.org/en-US/docs/Multiple_Item_Packaging).

The proper way to sign them is to
1/ unzip them
2/ check the install.rdf/package.json from inside the contained XPIs
3/ if their type is 2 (extension), then sign them as we sign simple extension XPIs
4/ repackage the multi-package XPI (bumping its version number)

:mossop :dveditz :kmag should we also bump the version number of the included extensions?

Comment 1

[Dave Townsend [:mossop] (PTO until Aug 21st)]

multipackage XPIs are an oddity. Firefox doesn't do automatic updates for the multipackage XPI itself. So there is no need to bump version numbers when repackaging existing ones (same goes for the XPIs inside the package).

Firefox does search for and install updates to the extensions/themes included inside the package so hopefully the authors also include these as separate listings on AMO.

Comment 2

[Mathieu Agopian [:magopian]]

PR: https://github.com/mozilla/olympia/pull/541#discussion_r29613564

Comment 3

[Mathieu Agopian [:magopian]]

Fixed in: https://github.com/mozilla/olympia/commit/77686e328aa370617f31868f3d1b3788174c57f9

STR:
1/ upload a new multi-package xpi (you can make one rather easily following the instructions in https://developer.mozilla.org/en-US/docs/Multiple_Item_Packaging), then review it.
2/ once it's been reviewed, download the XPI again, and unzip it
3/ make sure the XPI itself wasn't signed (there's no META-INF folder)
4/ make sure the internal extensions (the XPIs inside the multi-package) have been signed (only if they had a type of 2)

Comment 4

[Madalin Cotetiu]

Verified as fixed in FF37(Win7) in addons-dev.allizom.org
Only internal xpis are signed and only those with type == 2.
Closing bug.