Talk:Extension Manager:Addon Update Security: Difference between revisions

Talk:Extension Manager:Addon Update Security (view source)

Revision as of 19:56, 9 July 2007

No change in size , 9 July 2007

m

→‎Update Scenarios

Grimholtz

12

edits

@@ Line 26: / Line 26: @@
 ***There are two possibilities. It will be retrieved if the add-on has provided a public key for the purposes of verifying the digital signature in the update manifest. It would also be retrieved for older extensions not yet compatible with Firefox 3 which have not yet been updated to meet the security requirements. Otherwise no it would not be retrieved. --[[User:Mossop|Mossop]]
-****''It'' [update.rdf] ''will be retrieved if the add-on has provided a public key for the purposes of verifying the digital signature in the update manifest.'' Doesn't this create a chicken-and-egg problem? I'm assuming by "update manifest" you mean update.rdf. If so, how will FF know if a public key has been provided in the update manifest if it can't download it?
+****''It'' [update.rdf] ''will be retrieved if the add-on has provided a public key for the purposes of verifying the digital signature in the update manifest.'' Doesn't this create a chicken-and-egg problem? I'm assuming by "update manifest" you mean update.rdf. If so, how will FF know if a public key has been provided in the update manifest if it can't retrieve it?
 . Suppose install.rdf contains an em:updateURL of https://foo.com/update.rdf. When FF retrieves the resource at https://foo.com/update.rdf, FF will install the update even if no em:updateHash element exists (assuming there are no problems with the certificate for foo.com). If, however, em:updateHash does exist, it is checked for validity against the update.