Closed Bug 1207607 Opened 9 years ago Closed 9 years ago

Signature required for experiments.

Categories

(Toolkit :: Add-ons Manager, defect)

Type: defect; Priority: Not set; Severity: normal

RESOLVED WORKSFORME

People

(Reporter: rvitillo, Unassigned)

I tried to test a simple experiment in the current Nightly and I got the following error in the console:

"addons.xpi	WARN	Download of http://localhost:8000/foobar/experiment.xpi failed: signature is required but missing"

The very same experiment works in the current release though. Is this expected? Georg mentioned that signing should be off for experiments.
Flags: needinfo?(dtownsend)
My impression from bug 1191421 (and some other discussion I can't find now) was that we don't require signing for experiments for now until there was a clear light-weight process for experiment signing?

Per this we apparently do require experiments to be signed now:
https://dxr.mozilla.org/mozilla-central/rev/f1dffc8682fbba463cb4bb305f293ddcccbc20b4/toolkit/mozapps/extensions/internal/XPIProvider.jsm#224

Is that correct, did I misunderstand things here?
What is the expected light-weight process for testing/developing experiments then (keeping in mind channel-specific conditions etc.)?
Component: Telemetry → Add-ons Manager
Extension signing enforcement has been pushed to Firefox 43, so it will not affect release channel clients until that time. There is a concern around experiments where a third-party installer could modify the manifest and install location to get around enforcement, and would be reasonably simple for existing drive-by installers to implement. The Add-ons team is working on a simple signing protocol for experiments, where an experiment add-on would be submitted and signed via an API, and has been flagged as a priority, and should be available in advance of 43, but signing can also be performed on-demand/request with the AMO review crew, if that's needed. End-state will be a simple submission and signing process, but there may be an overlap of manual submission of final experiment packages in the interim (development can and should be performed with xpinstall.signatures.required set to false).
Flags: needinfo?(dtownsend)
In the meantime I think that breaks deployment via the current experiments server setup.
Benjamin, are you aware of this?
Flags: needinfo?(benjamin)
Where can we find the unbranded builds for 43+ with signing disabled for testing experiments locally?
Flags: needinfo?(kev)
Flags: needinfo?(dtownsend)
(In reply to Georg Fritzsche [:gfritzsche] from comment #4)
> Where can we find the unbranded builds for 43+ with signing disabled for
> testing experiments locally?

There are none. Signing can be disabled by setting xpinstall.signatures.required to false in all current builds.
Flags: needinfo?(kev)
Flags: needinfo?(dtownsend)
I'm aware that signing is required.
Flags: needinfo?(benjamin)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME