-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/07/2016 08:41 AM, Martin Stransky wrote: > On 01/07/2016 02:29 PM, Naheem Zaffar wrote: >> ESR will only delay the problem. >> >> Can the Fedora build add a secodary key to accept signed >> extensions? > > Is it possible to use Mozilla API to sign our extensions? > > https://developer.mozilla.org/en-US/Add-ons/Distribution > http://olympia.readthedocs.org/en/latest/topics/api/signing.html > No, it is not. The primary reason being that Koji builds intentionally have no network access. This is to ensure that all builds are reproducible (since if they relied upon external network resources, the output from the same input could be different if it was rebuilt at a different time). Additionally it's to ensure that some third-party service isn't inserting unexpected code into the output, thereby resulting in us shipping a binary that doesn't match the sources. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlaOa8gACgkQeiVVYja6o6POxQCfXQHYuiXpS9c0pwH5/WogS+Uk K/MAoIlxNenanTT2JSWQytw1ok3LI4sD =c2LI -----END PGP SIGNATURE----- -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/desktop@xxxxxxxxxxxxxxxxxxxxxxx
