Dave Townsend wrote:
> Gervase Markham wrote:
>> Dave Townsend wrote:
>>> What I want is to be able to establish some trust that the
>>> update file retrieved is correct, and has not been tampered with,
>>> intercepted and is as it was originally written by the add-on author.
>>
>> Link Fingerprints was designed for precisely this purpose, and is
>> currently being implemented in Firefox by Ed Lee, who is sitting next
>> to Dan Veditz:
>> http://www.gerv.net/security/link-fingerprints/
>
> No this is really a different case to where link fingerprints are
> useful. The update manifest file cannot be hashed beforehand, i.e. in
> version 1 of my extension I don't know the hash of the update manifest
> in advance for when 2 is released.

Indeed not. I wasn't suggesting downloading the manifest using Link Fingerprints, but the final download. I was under the impression that all manifests were hosted on a.m.o.

> Yes for retrieving the final xpi a hash specified in the update manifest
> is useful, and already implemented.

OK, no problem then :-)

> And were there a possibility to host
> third party update manifests on addons.mozilla.org then this could work
> without any extra effort.

What do you mean by "third party manifests"? All the software on a.m.o. is third party.

> Currently that is not in place, however I will
> be speaking to them to find out what possibilities exist along those
> lines.

This seems like the right solution to me. In fact, I had assumed it was already the case, and that we were trying to solve the other half of the problem.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto