Thus spake Paolo Palmieri (palmaway@xxxxxx):

> > would it make sense to sign the torbutton xpi's?
>
> Actually, I've always been quite amazed by the fact that TorButton's
> .xpi (binary?) files are not signed.
>
> I'd really like to see this implemented in the future.

Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg sign .xpis, but have been sloppy about posting them publicly.

As for actual Firefox-compatible builtin xpi signatures, the last time I looked into those they were exceedingly complicated and needed a special Code Signing Certificate, which required me bending over and paying Verisign or some other SSL Mafia Member a lot of money ($200-500/yr) to examine my rectum for a while. Maybe the Tor Project can get one of these for me, but I am not certain it's really worth it.

I suppose I could also create a rogue code signing certificate and provide that over SSL for people to install, but then I wonder if vanilla Firefox will reject my XPIs then because they are signed, but with an "invalid" cert.

For now, I think the right answer is "Fetch it over SSL" or "Check the git/gpg sig".

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
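One way to act on the "check the git/gpg sig" advice, as an added example that is not Mike Perry's or the Torbutton project's own code: a POSIX shell script that verifies a downloaded .xpi against its detached gpg signature and a git tag against its signature, and rejects either unless the signing key's fingerprint matches a pinned value rather than any key that happens to be in the keyring. It assumes the detached signature sits beside the .xpi as file.xpi.asc, the signer's public key is already imported, and EXPECTED_FPR (a placeholder here, not a real Torbutton key) has been replaced with the real fingerprint; the function names verify_xpi and verify_tag are my own.

```shell
#!/bin/sh
# Added example, not Torbutton project code: pin the signer's fingerprint
# when checking a .xpi detached signature or a signed git tag.
# EXPECTED_FPR is a placeholder; replace it with the real signing key's
# full fingerprint before use.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Extract the fingerprint from gpg's machine-readable status lines.
# Only a VALIDSIG line names the key that actually produced the signature.
fpr_from_status() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}'
}

# verify_xpi <file.xpi> <file.xpi.asc>
# Returns 0 only if the signature is good AND made by EXPECTED_FPR.
verify_xpi() {
    xpi=$1; sig=$2
    [ -f "$xpi" ] && [ -f "$sig" ] || { echo "missing file" >&2; return 1; }
    # --status-fd 1 puts status lines on stdout; a bad signature exits non-zero.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$xpi" 2>/dev/null) || return 1
    fpr=$(fpr_from_status "$status")
    [ "$fpr" = "$EXPECTED_FPR" ] || { echo "unexpected signer: $fpr" >&2; return 1; }
    echo "OK: $xpi signed by $EXPECTED_FPR"
}

# verify_tag <tagname>   (run inside the git checkout)
verify_tag() {
    tag=$1
    # --raw makes git pass through gpg's status lines, so the same
    # fingerprint pinning applies; missing or bad signatures exit non-zero.
    status=$(git verify-tag --raw "$tag" 2>&1) || return 1
    fpr=$(fpr_from_status "$status")
    [ "$fpr" = "$EXPECTED_FPR" ] || { echo "tag $tag: unexpected signer: $fpr" >&2; return 1; }
    echo "OK: tag $tag signed by $EXPECTED_FPR"
}

# Usage: ./verify.sh xpi torbutton.xpi torbutton.xpi.asc
#        ./verify.sh tag <tagname>
case "$1" in
    xpi) verify_xpi "$2" "$3" ;;
    tag) verify_tag "$2" ;;
esac
```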