
FF3: How to sign update.rdf without McCoy


Legaev Andrey
May 24, 2008, 2:19:58 AM
There are two ways to implement updates in FF3:
> * The updateURL uses https, or there is no updateURL at all (which defaults to addons.mozilla.org which is https)
> * The updateURL uses http and the updateKey entry is specified which will be used to verify the data in the update manifest.

from http://developer.mozilla.org/en/docs/Extension_Versioning,_Update_and_Compatibility#Securing_Updates

To sign update.rdf (to set the value of signature in update.rdf):
>When the author creates the update rdf file a tool is used to sign it using the private part of the key. Roughly speaking the update information is converted to a string, then hashed using a sha512 hashing algorithm and this hash is signed using the private key. The resultant data is DER encoded then base 64 encoded for inclusion in the update.rdf as a signature entry.

Is it possible to create the signature without the McCoy tool?
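The pipeline the quoted MDN paragraph describes (string, SHA-512, sign with the private key, DER, base64), as an added example using only the openssl command line so it can be driven from a build script on a headless box. This is not code from the thread, from McCoy or from any other tool named here, and it makes three assumptions the page does not state: serialise_update is a stand-in for the canonical string the Firefox 3 extension manager builds (a real signer must reproduce that exactly), the DER wrapper is taken to be SEQUENCE { AlgorithmIdentifier sha512WithRSAEncryption, BIT STRING signature }, and the em:updateKey value is taken to be the base64 DER SubjectPublicKeyInfo of the public key. The manifest fields are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from this thread, McCoy or spock.
# Signs update-manifest data the way the quoted paragraph describes
# (string -> SHA-512 -> RSA sign -> DER -> base64) using only openssl.
# ASSUMPTIONS (not stated on the page): serialise_update is a stand-in
# serialisation; the DER wrapper is
# SEQUENCE { AlgorithmIdentifier(sha512WithRSAEncryption), BIT STRING };
# em:updateKey is the base64 DER SubjectPublicKeyInfo of the public key.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/update.key"   # private key: stays on the build host
PUB="$WORK/update.pub"   # public key: goes into install.rdf as em:updateKey

# One-off key generation; prints the (assumed) em:updateKey value.
gen_keypair() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl rsa -in "$KEY" -pubout -out "$PUB" 2>/dev/null
    openssl rsa -in "$KEY" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Stand-in for "the update information is converted to a string".
# Args: id version updateLink updateHash. A real signer must reproduce the
# exact canonical string the Firefox 3 extension manager builds.
serialise_update() {
    printf '%s\n%s\n%s\n%s\n' "$1" "$2" "$3" "$4"
}

# stdin: serialised string; stdout: raw PKCS#1 v1.5 RSA signature over its
# SHA-512 digest (openssl dgst hashes and signs in one step).
sign_raw() {
    openssl dgst -sha512 -sign "$KEY" -binary
}

# stdin: raw signature; stdout: base64 of the DER wrapper (assumed shape).
wrap_der_b64() {
    hex=$(od -An -v -tx1 | tr -d ' \n')
    cat >"$WORK/sig.cnf" <<EOF
asn1 = SEQUENCE:sig
[sig]
alg = SEQUENCE:algid
val = FORMAT:HEX,BITSTRING:$hex
[algid]
oid = OID:1.2.840.113549.1.1.13
param = NULL
EOF
    openssl asn1parse -genconf "$WORK/sig.cnf" -noout -out "$WORK/sig.der"
    openssl base64 -A <"$WORK/sig.der"
}

# The value to put into update.rdf as em:signature.
sign_update() {
    serialise_update "$@" | sign_raw | wrap_der_b64
}

# The client side: base64-decode, pull the signature out of the BIT STRING,
# verify against the public key over the same string. Prints "ok" or "FAIL"
# and always exits 0 so callers can compare the output.
# Args: signature_b64 id version updateLink updateHash
verify_update() {
    sig_b64=$1; shift
    printf '%s' "$sig_b64" | openssl base64 -d -A >"$WORK/chk.der"
    # 2048-bit RSA => 256-byte signature = last 256 bytes of the DER (the
    # BIT STRING content after its unused-bits byte). A general verifier
    # would walk the DER instead of relying on the key size.
    tail -c 256 "$WORK/chk.der" >"$WORK/chk.sig"
    if serialise_update "$@" \
        | openssl dgst -sha512 -verify "$PUB" -signature "$WORK/chk.sig" >/dev/null 2>&1
    then echo ok; else echo FAIL; fi
}

# Constructed sample manifest fields (not a real extension).
ID="example@example.invalid"; VER="1.2.3"
LINK="http://example.invalid/updates/example-1.2.3.xpi"
HASH="sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709"   # SHA-1 of empty input, placeholder

UPDATE_KEY=$(gen_keypair)
SIGNATURE=$(sign_update "$ID" "$VER" "$LINK" "$HASH")
echo "em:updateKey = $UPDATE_KEY"
echo "em:signature = $SIGNATURE"
echo "genuine:  $(verify_update "$SIGNATURE" "$ID" "$VER" "$LINK" "$HASH")"
# Swapping the updateLink, which is what an attacker on a plain-http
# updateURL would do, must break verification:
echo "tampered: $(verify_update "$SIGNATURE" "$ID" "$VER" "http://evil.invalid/x.xpi" "$HASH")"
```

The private key never leaves the build host and no GUI is involved, which is the property the rest of the thread is asking for; what this script cannot give you is the exact serialisation Firefox uses, so before shipping, verify a manifest signed this way against an actual Firefox 3 install.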

Subrata Mazumdar
May 24, 2008, 8:59:30 AM
Hi,
I have developed a XUL version of update.rdf signing as part of my
KeyManager tool (https://addons.mozilla.org/en-US/firefox/addon/4471)
add-on. This tool uses keys from the browser's cert DB. You can use the
KeyManager tool to create keys and a self-signed cert.
Update.rdf signing works only for FF3. There is one problem: my tool
also mangles the update.rdf file after signing.
--
Subrata

Nils Maier
May 24, 2008, 10:33:35 AM

I use spock[1], an unofficial command line tool, for generating nightly
builds.

Cheers
Nils

[1] http://hyperstruct.net/projects/spock

Dave Townsend
May 24, 2008, 10:41:01 AM

Can I ask what it is about McCoy that makes you want to find another option?

Legaev Andrey
May 24, 2008, 12:10:49 PM
On May 24, 5:41 pm, Dave Townsend <dtowns...@mozilla.com> wrote:
> Legaev Andrey wrote:
> > There are two ways to implement updates in FF3:
> >> * The updateURL uses https, or there is no updateURL at all (which defaults to addons.mozilla.org which is https)
> >> * The updateURL uses http and the updateKey entry is specified which will be used to verify the data in the update manifest.
>
> > from http://developer.mozilla.org/en/docs/Extension_Versioning,_Update_and...

>
> > To sign update.rdf (to set the value of signature in update.rdf):
> >> When the author creates the update rdf file a tool is used to sign it using the private part of the key. Roughly speaking the update information is converted to a string, then hashed using a sha512 hashing algorithm and this hash is signed using the private key. The resultant data is DER encoded then base 64 encoded for inclusion in the update.rdf as a signature entry.
>
> > Is it possible to create the signature without the McCoy tool?
>
> Can I ask what it is about McCoy that makes you want to find another option?

I want to upgrade build.xml in my project (Apache Ant) to build the
extension for FF 3. For this purpose I need to sign update.rdf
automatically, but McCoy does not support a command-line interface on
Windows platforms.

John J. Barton
May 24, 2008, 1:40:48 PM
Legaev Andrey wrote:
> On May 24, 5:41 pm, Dave Townsend <dtowns...@mozilla.com> wrote:
..

>> Can I ask what it is about McCoy that makes you want to find another option?
>
> I want to upgrade build.xml in my project (Apache Ant) to build the
> extension for FF 3. For this purpose I need to sign update.rdf
> automatically, but McCoy does not support a command-line interface on
> Windows platforms.

I wrote a small McCoy extension to add a command line interface for signing:
https://fireclipse.svn.sourceforge.net/svnroot/fireclipse/trunk/FireclipseExtensions/chromebug/mccoy/signOnTheLine/

I'm not going to continue with that bit of code but it worked to sign
the Firebug 1.2a* files.

For Firebug 1.2b I took the opposite model, eliminating Ant. I embedded
McCoy in Firefox and added code to remove debug tracing code from
Firebug, zip the extension, mark the file names with version numbers,
and do the signing/hash thing. Generalizing it to other extensions would
need work. It's also driven from the command line.

https://fireclipse.svn.sourceforge.net/svnroot/fireclipse/trunk/FireclipseExtensions/chromebug/mozzipper

John.

Nils Maier
May 26, 2008, 11:44:47 AM
Dave Townsend wrote:
> Can I ask what it is about McCoy that makes you want to find another
> option?
>
The nightly builds I have to sign are generated on a headless Linux
server and (being nightlies) in an automated fashion.
McCoy fails to address all of this:
* General Linux problems, especially when the system libraries are not
that bleeding edge (Debian etch here ;))
* No command-line signing
* Requires GUI libraries.
* No automation.

Leni
May 26, 2008, 4:26:40 PM
to dev-ext...@lists.mozilla.org
Nils Maier wrote:
> McCoy fails to address all of this:
> * No command-line signing
> * No automation.

The signOnTheLine extension to McCoy does both of these things and it is
working for me. The GUI still flashes up but it doesn't require human
intervention.

Some notes on use:
https://bugzilla.mozilla.org/show_bug.cgi?id=395368

Leni

Nils Maier
May 27, 2008, 11:37:09 AM

Thanks for the hint. ;)
But being an extension to McCoy (which is a custom XULRunner app) it
still requires at least the GUI libraries, even if it doesn't really
use them.
I'm perfectly fine with spock. It seems to just work, although it in fact
is "just" a hack.

I just replied to answer Dave's question why I cannot use the official
McCoy builds.
