Closed Bug 378730 Opened 18 years ago Closed 5 years ago

Signing Lightning XPI

Categories: Calendar :: Build Config, enhancement
Type: enhancement; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: dbo, Unassigned


Gozer, any ideas on this?
Well, you'll need a code signing certificate, and automating the signing is possible, but has security implications. Why is this wanted, exactly? Are we talking about releases or nightly builds?
I'm not sure, it's probably enough to do so for the release builds...other opinions? I guess the reason for this is ... "because we can" :-) And maybe to get rid of the unsigned dialog and give people a better feeling when installing lightning.
(In reply to comment #3)
> I'm not sure, it's probably enough to do so for the release builds...other
> opinions?
Not really, anything like signing nightly builds would require automated, unattended code-signing, and that's hard. Securely signing release builds, that can involve a bit of manual work, and that's easy, so good!
> I guess the reason for this is ... "because we can" :-) And maybe to get rid of
> the unsigned dialog and give people a better feeling when installing lightning.
Yes, it's certainly possible, but I am not 100% certain where responsibility for signing these would lie. Once I've got all the bits and pieces in place to sign the Thunderbird releases, I could probably better tell you how easy/realistic it could be for Mozilla Messaging to be signing the Lightning XPIs.
(In reply to comment #4)
> Once I've got all the bits and pieces in place to sign the Thunderbird
> releases, I could probably better tell you how easy/realistic it could be for
> Mozilla Messaging to be signing the Lightning XPIs.
Sounds good. Is there a bug on that we could set dependency with?
Depends on: 499708
Component: Lightning Only → Build Config
QA Contact: lightning → build
Depends on: 550514
Mark, what are the odds that this can happen for future releases? We'd have to either use the Thunderbird signing certs, or have our own certificates.
Doesn't amo effectively sign your packages? AFAIK users are not currently prompted because Lightning isn't signed. I can't see a real use for this at the moment...
(In reply to comment #7)
> https://bugzilla.mozilla.org/show_bug.cgi?id=378730#c7
> Doesn't amo effectively sign your packages? AFAIK users are not currently
> prompted because Lightning isn't signed. I can't see a real use for this at
> the moment...
They don't do real xpi signing. The user is not prompted with an extra dialog, but it does say "Author not verified" when installing Lightning.
Doesn't addons.mozilla.org repackage the xpi files, e.g. if one changes the supported application version? What would happen to a signed xpi in that case? And what about signing the binary components during build/release as requested in another bug?

From Thunderbird 74 onwards Lightning does not exist as a separate add-on but is integrated into Thunderbird.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX