Closed Bug 248218 Opened 20 years ago Closed 8 years ago

Updates don't display xpi cert information

Categories

(Toolkit :: Add-ons Manager, defect)

defect
Not set
normal

Tracking

RESOLVED WONTFIX

People

(Reporter: bugs, Unassigned)

Details

(Keywords: helpwanted, Whiteboard: [Triaged 9/2/12 - Waiting on response from dveditz])

The update wizard does not show any cert information that may exist for the update xpis it finds.... The UI that lists the available updates needs to be changed to show certs associated with the updates, and the new nsIXPInstallManager interface method initManagerFromChrome needs to be updated to take a list of certs as well so that the manager can verify when install occurs.
Flags: blocking1.0+
Priority: -- → P3
Target Milestone: --- → Firefox1.0beta
Flags: blocking-aviary1.0+ → blocking-aviary1.0-
This seems like something we need to get for 1.1. Can we plus it?
Flags: blocking-aviary1.1?
Whiteboard: [asaP1]
I'd like to plus it.
Summary: Update Wizard ignores signed xpi certs → Update Wizard doesn't display xpi cert information
In fact, I think we should go farther and check the particular signing cert against the original cert used to install the extension (+app?). But we at least need a way to view the cert. Helpwanted, I'm not sure either Ben or I has time to get to this in the next 6 weeks.
Assignee: bugs → nobody
Flags: blocking-aviary1.1? → blocking-aviary1.1+
Keywords: helpwanted
Depends on: 292163
This isn't going to block our app update work but may be something that dougt and dveditz want to be involved with around the extension signing issue.
Blocks: 292163
No longer depends on: 292163
Flags: blocking1.8b4?
Flags: blocking1.8b4?
Flags: blocking1.8b4+
Flags: blocking-aviary1.1+
We've talked about this in terms of the shift to signing of Extensions in the 1.5.x timeframe (dougt, beng, darin, shaver, gerv et al.). Is someone reasonably going to be able to get to this in the next week in order for it to make 1.5? Otherwise, I think we need to defer this work. /cb
Whiteboard: [asaP1] → [asaP1] [defer to post 1.5?]
No one is working on this at the moment. This is _not_ going to make the 1.5 train if work is needed to be complete in one week.
This is quite a serious issue, because it means that unsigned xpi files can be installed without the user's knowledge: The Update procedure happily downloads and installs unsigned updates such as /pub/mozilla.org/firefox/releases/1.0.6/update/win32/en-US/update-1.0.6.xpi. That brings us to another problem - major Firefox updates such as this should be signed.
Flags: blocking1.8b4+ → blocking1.8b4-
Whiteboard: [asaP1] [defer to post 1.5?] → [asaP1]
Target Milestone: Firefox1.0beta → ---
Summary: Update Wizard doesn't display xpi cert information → Updates don't display xpi cert information
QA Contact: bugs → extension.manager
Product: Firefox → Toolkit
We no longer use xpi's for app update so resolving -> invalid
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Rob, this seems valid for the Add-ons manager. Some of the comments do look like app update related but I think it's sensible to consider showing xpi certs for extension updates.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
You are right and sorry about that... I was going on this bug blocking bug 292163 which is for app update.
No longer blocks: 292163
How useful is this considering that we now only accept updates over reasonably secure channels?
Priority: P3 → --
(In reply to Dave Townsend (:Mossop) from comment #11)
> How useful is this considering that we now only accept updates over
> reasonably secure channels?

dveditz: Ping?
Whiteboard: [asaP1] → [9/2/12 - Waiting on response from dveditz]
Whiteboard: [9/2/12 - Waiting on response from dveditz] → [Triaged 9/2/12 - Waiting on response from dveditz]
As of Firefox 43, we require all add-ons (including updates) to be signed by a Mozilla cert: https://support.mozilla.org/en-US/kb/add-on-signing-in-firefox

Since there's only one acceptable certificate and it's always verified before install or update, a UI to show cert information doesn't seem as helpful anymore.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 8 years ago
Resolution: --- → WONTFIX