+++ This bug was initially created as a clone of Bug #1303183 +++ This is the server-side part of content-signing add-on update metadata. Since there's only a "Security" component here I suspect this is no longer the right place to file such bugs but I'm not sure where the right place is.
I'll leave the triage privilege to Andy :) From a backend integration point of view, we need to grant access to the Autograph service to the AMO component that generates the update file. Autograph will compute a Content Signature and return it to AMO to serve alongside the data. The main question is how many qps we will need to serve. Autograph is currently sized to sign a handful of files per hour, but if the version check data is dynamic, we'll need to sign thousands per second. The service can scale, but it's a potential concern.
You need to log in before you can comment on or make changes to this bug.