For addons that use the public halves of public/private keypairs as their IDs, we should start cryptographically signing their code when it is bundled into XPI bundles via "cfx xpi" so that such signatures can be verified in the future when distributed by AMO and/or hosted by Firefox. This entails both determining what to sign (the XPI package, individual files or directories within it, etc.) and where to store the signatures (as files inside the XPIs, via ZIP format metadata, etc.). We should make this happen for SDK 1.0 final. Brian has expressed an interest in taking this on, so assigning it to him.
We've previously discussed the possibility that AMO will repack XPI bundles when a new version of the SDK becomes available to address security/stability issues. The l10n solution we're working on will probably also include AMO repacking XPI bundles when new localizations become available to contain those new localizations. So a signing implementation should take both these potential types of repacking into account.
Priority: -- → P2
Target Milestone: --- → Future
We removed the ECDSA keys in 1.0b5, which means this is a WONTFIX, at least for 1.0. We may bring this back in the 2.0 timeframe. Meanwhile, bug 657494 is about investigating the use of old-style XPI signatures and what it might get us.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX