Talk:Extension Manager:Addon Update Security:Signature: Difference between revisions

m (minor clarification of first answer)
It was not apparent to me how those GUIDs or http URLs ensure the authenticity of the content downloaded from the http URLs.  What stops a download from one of those http URLs from being modified in transit?  What ensures that the user who downloads the content of those http URLs is actually getting content from the expected server?  I expected that the signed data would include at least a digest (a hash) of the download, but that is not apparent.  It occurred to me that the thing that looks like a GUID could actually be an MD5 hash.  But it is called an "id", so I doubt that.
Some answers for you:
1. Yes, the key is contained in the install manifest which is the original extension installed by the user. This manifest format is that already in use by add-ons for previous versions of Firefox and other Mozilla applications and it was important to make the manifest continue to work on those previous versions, thus just the addition of the updateKey property to it.
2. The signed manifest is the update manifest. This is the update information that is automatically retrieved periodically to find updates for the add-on. It is necessary to sign the update manifest because it can be retrieved over insecure channels. The final downloaded updated add-on (the xpi file) is protected by virtue of the fact that it must either be available on an https URL, or there must be a hash provided for the xpi.
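
The acceptance rule from answer 2 (an xpi must come from an https URL or carry a hash), as an added example that is not part of the original discussion and is not Mozilla's code. The `algo:hex` hash string, the function names and the allowed-algorithm set are assumptions of this example, and the update manifest that supplies the link and hash is assumed to have had its signature verified already.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: this example's own policy for acceptable digests, not the page's.
ALLOWED_ALGOS = {"sha256", "sha512"}

def parse_hash(hash_spec):
    """Split an 'algo:hexdigest' string and validate both parts."""
    algo, sep, digest = hash_spec.partition(":")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported or malformed hash: {hash_spec!r}")
    if len(digest) != hashlib.new(algo).digest_size * 2:
        raise ValueError("digest length does not match the algorithm")
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest contains non-hex characters")
    return algo, digest

def protection_for(link, hash_spec=None):
    """Return 'hash' or 'https' for an update entry taken from the signed
    update manifest; raise ValueError if the package would be unprotected."""
    if hash_spec:
        parse_hash(hash_spec)      # a malformed hash must not count as protection
        return "hash"
    scheme = urlsplit(link).scheme.lower()
    if scheme == "https":
        return "https"
    raise ValueError(f"{scheme or 'missing'} scheme and no hash: reject update")

def package_matches(data, hash_spec):
    """Check downloaded package bytes against the hash from the manifest."""
    algo, expected = parse_hash(hash_spec)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample input: stand-in package bytes and their digest.
SAMPLE_PACKAGE = b"constructed xpi bytes for illustration"
SAMPLE_HASH = "sha256:" + hashlib.sha256(SAMPLE_PACKAGE).hexdigest()

if __name__ == "__main__":
    print(protection_for("http://example.test/addon.xpi", SAMPLE_HASH))
    print(protection_for("https://example.test/addon.xpi"))
    print(package_matches(SAMPLE_PACKAGE, SAMPLE_HASH))
    print(package_matches(SAMPLE_PACKAGE + b"!", SAMPLE_HASH))
```

The hash only protects the download because it arrives inside the signed update manifest; taken from an unsigned manifest fetched over http, it could be replaced along with the package.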