Talk:Extension Manager:Addon Update Security:Signature: Difference between revisions



There are several common ways of encoding DSA signatures. I've described them above.  The question is: what syntax does your code require?  If you're not sure, but you can give me an lxr or mxr URL for the code that checks the signatures, I'll be happy to look at that code and answer the question here.
== Dave's Reply of 2007-09-16 15:44 PDT ==
Maybe, but the spec we are looking at here is about validating the update manifest when delivered over an insecure channel, not about how the application then interprets that information. The requirements on url and hashing for the xpi file are a separate issue, though they are both part of the wider issue of securing the entire process of updating add-ons. If I get a spare moment though I will update the example to include some hashes.
If you want a fuller example then please take a look at the example in the [http://developer.mozilla.org/en/docs/Extension_Versioning%2C_Update_and_Compatibility#Update_RDF_Format developer documentation].
I was under the impression you had already seen the code that does the verifying, but here it is: http://mxr.mozilla.org/seamonkey/source/security/manager/ssl/src/nsDataSignatureVerifier.cpp#59