[Project_owners] Online version of McCoy
Matthew Wilson
matthew at mjwilson.demon.co.uk
Tue Feb 5 14:55:33 PST 2008
Andrew Archer wrote:
>
>
> Andrew Archer wrote:
>>
>> As I understand it for secure update to work the extension will need the
>> following entry in the install.rdf file
>> <em:updateKey> = This is the public key, it's used to verify the
>> update.rdf signature
>>
>>
>> The update.rdf will need
>> <em:updateHash> = Fingerprint of the xpi file
>> <em:signature> = This is signed hash of the install.rdf file,
>> this must be created using the private key
>>
>>
>
> oops,
>
> <em:signature> = This is signed hash of the update.rdf file, this must be created using the private key
Yes.
So any online version would have to work out the problems with keeping
the private key private.
Off the top of my head, I guess you'd have to have some kind of Java
applet which ran on the client, reading the private key from the user's
computer without ever uploading it.
Matthew
More information about the Project_owners
mailing list