MozillaZine

Mandatory signing requirement for add-ons is coming

Talk about add-ons and extension development.
patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Posted June 8th, 2015, 7:23 pm

No remote update listing... so yeah, where did that update come from? Is it at all possible that AMO is automatically updating extensions that someone uploaded for personal use? I would compare this version to version 4.2 and see what's been changed.

Edit: You should be able to see the dates of the files in the XPI, that should give some idea as to whether anything has been edited. Of course that can be faked if there is malicious intent.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

mightyglydd

Posts: 9516
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Posted June 8th, 2015, 7:41 pm

I've PM'd you both.. seemed a little overkill for here.

Can see the difference but it's all above my pay scale..different name for sure.. Clocki 'An LCD looking clock'
The rdf was edited a couple of days ago on the 6th, eight years after the other files!
@FWIW I scanned the file with VirusTotal/SAS/MWB/NOD32 ..clean
#KeepFightingMichael

therube

Posts: 19961
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted June 9th, 2015, 7:44 am

The only meaningful changes (between 042-mod & 046) are the inclusion of:
+ META-INF/*
(so it is now signed)

& in install.rdf, other than em:maxVersion bumps:
+ <!-- em:id="l k o pi@p kp.net"
(I've purposely broken)


Note that what they call "<!-- SuiteRunner -->" is "SeaMonkey".
(So SeaMonkey is "natively" supported in 046.)


Otherwise, everything else is exactly the same.


(Just got a beep at the quarter-hour ;-).)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Philip Chee

Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Posted June 9th, 2015, 9:23 am

mightyglydd wrote:Hmm..I just got an update from 0.4.2 to Clocki 0.4.6 (unsigned) ?

Me too. Very strange. I can't find it on AMO. It has to come from AMO since the install.rdf doesn't have an update url

Phil

Philip Chee

Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Posted June 9th, 2015, 9:34 am

therube wrote:The only meaningful changes (between 042-mod & 046) are the inclusion of:
+ META-INF/*
(so it is now signed)

& in install.rdf, other than em:maxVersion bumps:
+ <!-- em:id="l k o pi@p kp.net"
(I've purposely broken)

Note that what they call "<!-- SuiteRunner -->" is "SeaMonkey".
(So SeaMonkey is "natively" supported in 046.)
Otherwise, everything else is exactly the same.

The "SuiteRunner" comes from my modified 0.4.2 from my xsidebar site.

But if the em:id is different, AMO shouldn't have offered an update?

Phil

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Posted June 9th, 2015, 9:51 am

New:

    <!-- em:id="lkopi@pkp.net"
    Front End MetaData -->
    <em:id>lcdclock_bloodeye@gmail.com</em:id>

Old:

    <!-- Front End MetaData -->
    <em:id>lcdclock_bloodeye@gmail.com</em:id>


The em:id is still the same. Looks like they tried to change it and screwed up by putting it inside the comments. Since there is no updateURL, the update had to have come from AMO. My only guess is that someone uploaded this version to AMO for personal use/signing and, since the original ID was not on AMO, it accepted it and then updated users with this version installed. This is a serious flaw in this design. What happens if someone uploads an extension with the same ID as an existing extension that is not hosted on AMO... but is an entirely different extension? Or it's the same extension plus ad tracking (since AMO allows that garbage) or other unwanted features?

Note that I found another version of this extension also on AMO but under a different ID, and with only the install.rdf edited, all other files original from 2006. It was difficult to find (I had to edit the URL); it does not appear in searches, and is not listed as associated with the "author". I'm not sure if this is because AMO has not done a full review or if this was supposed to be a private upload.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
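An added example, not code from the thread or from Mozilla, that automates the two checks done by hand above: therube's file-level comparison of the 0.4.2 and 0.4.6 packages, and patrickjdempsey's point that an em:id written inside an XML comment is not an id at all. It builds two constructed XPIs in memory whose install.rdf mirrors the snippets quoted in the thread, lists which files were added or changed, reports whether META-INF/ signature files appeared, and reads em:id and em:version with a real XML parser, which discards comments exactly as the browser's parser does. Only the add-on ID and the commented-out string come from the thread; every other file name and byte is made up for the demonstration, and the helper names are my own.

```python
"""Compare two XPI packages (zip archives) and read install.rdf the way the
browser does: with an XML parser, so that text inside <!-- --> is ignored.
All package contents below are constructed for the example."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by install.rdf
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def manifest_xml(comment, version):
    """Minimal install.rdf mirroring the thread's snippets (constructed)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<RDF xmlns="{RDF_NS}" xmlns:em="{EM_NS}">\n'
        '  <Description about="urn:mozilla:install-manifest">\n'
        f'    <!-- {comment} -->\n'
        '    <em:id>lcdclock_bloodeye@gmail.com</em:id>\n'
        f'    <em:version>{version}</em:version>\n'
        '  </Description>\n'
        '</RDF>\n'
    ).encode()


def build_xpi(files):
    """Build an XPI in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# 0.4.2: unsigned. 0.4.6: same code, edited install.rdf, META-INF/ added.
COMMON = {"chrome.manifest": b"content clocki chrome/content/\n",
          "chrome/content/clock.js": b"// unchanged since 2006\n"}
OLD_XPI = build_xpi({**COMMON, "install.rdf": manifest_xml("Front End MetaData", "0.4.2")})
NEW_XPI = build_xpi({**COMMON,
                     "install.rdf": manifest_xml('em:id="lkopi@pkp.net"\n    Front End MetaData', "0.4.6"),
                     "META-INF/manifest.mf": b"Manifest-Version: 1.0\n",
                     "META-INF/mozilla.sf": b"Signature-Version: 1.0\n",
                     "META-INF/mozilla.rsa": b"<placeholder PKCS#7 blob>"})


def diff_xpi(old_bytes, new_bytes):
    """Names added, removed and changed between two packages."""
    with zipfile.ZipFile(io.BytesIO(old_bytes)) as zo, zipfile.ZipFile(io.BytesIO(new_bytes)) as zn:
        old = {n: zo.read(n) for n in zo.namelist()}
        new = {n: zn.read(n) for n in zn.namelist()}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n])}


def has_signature_files(xpi_bytes):
    """True if the package carries AMO-style signature files. This only says the
    package *was* signed by someone; it does not verify the signature."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return "META-INF/mozilla.rsa" in zf.namelist()


def manifest_field(xpi_bytes, field):
    """Read em:<field> from install.rdf. The parser drops comments, so an id
    written inside <!-- --> is never seen; element and attribute forms are checked."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        root = ET.fromstring(zf.read("install.rdf"))
    el = root.find(f".//{{{EM_NS}}}{field}")
    if el is not None and el.text:
        return el.text.strip()
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        if desc.get(f"{{{EM_NS}}}{field}"):
            return desc.get(f"{{{EM_NS}}}{field}")
    return None


if __name__ == "__main__":
    print(diff_xpi(OLD_XPI, NEW_XPI))
    for label, xpi in (("0.4.2", OLD_XPI), ("0.4.6", NEW_XPI)):
        print(label, "signed:", has_signature_files(xpi),
              "id:", manifest_field(xpi, "id"), "version:", manifest_field(xpi, "version"))
```

Run as a script it prints the added META-INF files, install.rdf as the only changed file, and the same em:id for both packages. Treat has_signature_files() as an inventory check only: a META-INF/ directory proves nothing about who signed the package or whether the signature still matches the contents.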

Frank Lion

Posts: 20393
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted June 9th, 2015, 10:18 am

mightyglydd wrote:Can see the difference but it's all above my pay scale..different name for sure.. Clocki 'An LCD looking clock'

Personal use xpi uploaded to AMO for signing and, as I do, the guy gave it a new name so they could keep track of which version was which...is a possibility.

AMO's new Hidden settings are working (which is why it doesn't show up on the site), but the xpi (and others?) has now been automatically added to the usual update listings? Jorge has filed my Type 32 bug now; I'll point this one out to him as well.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Philip Chee

Posts: 6475
Joined: March 1st, 2005, 3:03 pm

Posted June 9th, 2015, 10:21 am

Checked with John-Galt and Mossop on IRC.
<John-Galt> RattyAway: It's on AMO, but it's unlisted.
<RattyAway> John-Galt: how did AMO decide to offer any update?
<John-Galt> I don't know why an update's being offered, though. We're not supposed to serve updates for unlisted add-ons
<Mossop> Huh, whoever uploaded it must have marked it Windows only
John-Galt: AMO is definitely serving updates for this thing:
<John-Galt> Mossop: Hm. Thanks. I'll file a bug.

Phil

lithopsian

Posts: 3664
Joined: September 15th, 2010, 9:03 am

Posted June 17th, 2015, 9:13 am

I finally got a non-hosted addon signed. It took several tries though, all sorts of flaky things happening in the upload dialog. It added "-fx" to the filename instead of "-signed", but the version number itself was not touched.

Lemon Juice

Posts: 784
Joined: June 1st, 2006, 9:41 am

Posted June 17th, 2015, 11:19 am

lithopsian wrote:It added "-fx" to the filename instead of "-signed", but the version number itself was not touched.

AFAIK the "-signed" suffix is not supposed to be added to the version numbers of signed extensions. The addition was only a one-time event for extensions on AMO so that auto update would be triggered - it looks like Firefox cannot auto-update an extension to a version having the same version number, so they appended ".1-signed" to all of them as an artificial version bump. It is not appended to newly uploaded extensions because there is no need to.
*** SeaMonkey — weird name, sane interface, modern bowels ***
Mouse Gestures for SeaMonkey/Firefox
Convert Fx and TB extensions to SeaMonkey
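As an added illustration (not from the thread and not Mozilla's code) of why an artificial ".1-signed" suffix triggers an update while an unchanged number does not, here is a small comparator written against the toolkit version format that install.rdf fields such as em:version use: each dot-separated part splits into number, string, number, string; a missing part counts as 0 (so "1.0" equals "1.0.0"); an empty string sorts after a non-empty one (so "1.0pre" is older than "1.0"); "1+" equals "2pre"; and "*" is infinitely large. The ordering rules are my reading of the documented format and the function names are my own; would_update() encodes the post's claim that an update is applied only for a strictly newer version.

```python
"""Compare add-on version strings following the toolkit version format used in
install.rdf (em:version, em:minVersion, em:maxVersion). Written as an
illustration; the rules below follow the documented format as I read it."""
import re

# One dot-separated part: <number-a><string-b><number-c><string-d>
_PART_RE = re.compile(r"^(\d*)([^\d]*)(\d*)(.*)$")
_EMPTY_PART = (0, "", 0, "")


def _parse_part(part):
    """Split one version part into its four fields."""
    if part == "*":                     # "*" means "infinitely large"
        return (float("inf"), "", 0, "")
    num_a, str_b, num_c, str_d = _PART_RE.match(part).groups()
    a = int(num_a) if num_a else 0
    if str_b.startswith("+"):           # "1+" is defined as equal to "2pre"
        a += 1
        str_b = "pre"
    return (a, str_b, int(num_c) if num_c else 0, str_d)


def _cmp_num(x, y):
    return (x > y) - (x < y)


def _cmp_str(x, y):
    """Strings compare bytewise, except that an empty string sorts AFTER any
    non-empty one, so "1.0" is newer than "1.0pre"."""
    if x == y:
        return 0
    if x == "":
        return 1
    if y == "":
        return -1
    return (x > y) - (x < y)


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    pa = [_parse_part(p) for p in a.split(".")]
    pb = [_parse_part(p) for p in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [_EMPTY_PART] * (width - len(pa))   # "1.0" == "1.0.0"
    pb += [_EMPTY_PART] * (width - len(pb))
    for (a1, b1, c1, d1), (a2, b2, c2, d2) in zip(pa, pb):
        for c in (_cmp_num(a1, a2), _cmp_str(b1, b2), _cmp_num(c1, c2), _cmp_str(d1, d2)):
            if c:
                return c
    return 0


def would_update(installed, offered):
    """The post's claim: an update is applied only when the offered version is
    strictly newer than the installed one, so an unchanged number is a no-op."""
    return compare_versions(offered, installed) > 0


if __name__ == "__main__":
    for installed, offered in [("0.4.6", "0.4.6"), ("0.4.6", "0.4.6.1-signed"),
                               ("0.4.6.1-signed", "0.4.6.1")]:
        print(f"{installed!r} -> {offered!r}: update={would_update(installed, offered)}")
```

The three cases printed by the script are the ones the post describes: the same number is never an update, "0.4.6.1-signed" is newer than "0.4.6" because a fourth part of 1 beats a missing part, and a later real release "0.4.6.1" is newer again because its empty string part sorts after "-signed".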

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Posted June 17th, 2015, 3:20 pm

AMO has been automatically changing the file name for internal processing purposes for some time now. -fx for Firefox, -sm for SeaMonkey, -tb for Thunderbird.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

Frank Lion

Posts: 20393
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted July 7th, 2015, 1:35 pm

What happens when your self-hosted signed extensions reach their max-version? Do you keep changing the max by a couple of versions (as on AMO) and put it up again for signing? ....or....does anyone know if AMO will take a much higher max for these?

Btw when putting these up for signing, leave the OS versions at 'All', even though these will not work on Android. Otherwise you'll get 3 versions back - one for Windows, one for Linux and one for Mac. Guess how I know? *sigh*
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

patrickjdempsey

Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Posted July 7th, 2015, 3:44 pm

It shouldn't matter *too much* because max version is ignored except for two cases: at first install from disk, and if the extension demands strict compatibility.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/

Frank Lion

Posts: 20393
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted July 7th, 2015, 4:37 pm

patrickjdempsey wrote:It shouldn't matter *too much*

I'll experiment more with the next one. Why not this time? - every single detail change produces a 'Whoa!!! This extension already exists!!!' message. So you change the GUID. Get that right, you then get a 'Whoa, hold on there, boy. That extension name already exists!' message.

Luckily, I don't use that McCoy updating system stuff or it would have messed that up completely, as the one I did now has a slightly changed GUID and name! Should have used a throwaway extension to iron out the submit process problems first, I reckon.

Damn Mozilla, damn AMO. Still, nothing is forever. ;)
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

lithopsian

Posts: 3664
Joined: September 15th, 2010, 9:03 am

Posted July 8th, 2015, 2:28 am

Signing an extension that was once hosted on AMO, and still exists there, but without the new version being hosted at AMO, is also a pain.
