
Re: Tor Project infrastructure updates in response to security breach

Thus spake Paolo Palmieri (palmaway@xxxxxx):

> > would it make sense to sign the torbutton xpi's?
> Actually, I've always been quite amazed by the fact that TorButton's
> .xpi (binary?) files are not signed.
> I'd really like to see this implemented in the future.

Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg
sign .xpis, but have been sloppy about posting them publicly.

As for actual Firefox-compatible builtin xpi signatures, the last time
I looked into those they were exceedingly complicated and needed a
special Code Signing Certificate, which required me bending over and
paying Verisign or some other SSL Mafia Member a lot of money
($200-500/yr) to examine my rectum for a while. Maybe the Tor Project
can get one of these for me, but I am not certain it's really worth it.

I suppose I could also create a rogue code signing certificate and
provide that over SSL for people to install, but then I wonder if
vanilla Firefox will reject my XPIs then because they are signed, but
with an "invalid" cert.

For now, I think the right answer is "Fetch it over SSL" or "Check the
git/gpg sig".

Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpyasXDDkdIQ.pgp
Description: PGP signature