danwent / Perspectives

Perspectives Firefox Extension
http://perspectives-project.org

Publish public keys and hashsums for Perspectives extension #125

Open ghost opened 10 years ago

ghost commented 10 years ago

Right now there is no way to validate that the extension downloaded from the Mozilla add-ons page is in fact the version uploaded by the Perspectives project maintainer, or that it has not been tampered with. The project should publish a public key on the download page with a hashsum verifying the build, similar to the Torproject download page (see "sig" and "What's this").

(This may be related to issue #5.)

daveschaefer commented 10 years ago

A good idea. This is the full Tor page - https://www.torproject.org/docs/verifying-signatures.html.en

I of course always use Perspectives to validate the https connection when uploading to AMO ;)

Note that this GPG type of signature is different from the "sign your extension with a certificate" type of signature that is also possible with AMO extensions. I do not think that second type is appropriate for this project. Perspectives' goal is to validate certificates outside of the current Certificate Authority control model because we believe the CA model has flaws. It seems silly to then use a CA certificate to pretend to ensure the validity of our extension.
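The Tor-style check both comments describe, as an added example rather than code from the Perspectives project: the SHA-256 entry binds the downloaded .xpi to the published sums file, and a detached GPG signature over that sums file binds it to the maintainer's public key. The file names, the sha256sum-style SHA256SUMS format and the sample bytes are assumptions made for the example.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile

SAMPLE_XPI = b"abc"  # constructed stand-in for the .xpi, not a real build
SAMPLE_SUMS = ("# constructed SHA256SUMS file; the digest is sha256(b'abc')\n"
               "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  perspectives.xpi\n")

def parse_sums_file(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.rstrip().partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError("malformed sums line: %r" % line)
        sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return sums

def sha256_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def hash_matches(xpi_path, sums_text):
    """True iff the file's SHA-256 equals the published entry for its name."""
    expected = parse_sums_file(sums_text).get(os.path.basename(xpi_path))
    if expected is None:
        return False  # not listed: nothing to verify against
    return hmac.compare_digest(sha256_of_file(xpi_path), expected)

def signature_valid(sums_path, sig_path):
    """Run gpg --verify on the detached signature; needs gpg and the maintainer's key imported."""
    cmd = ["gpg", "--batch", "--verify", sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def demo():
    """Check a genuine file, a tampered copy, and a file not in the list."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "perspectives.xpi")
    with open(path, "wb") as f:
        f.write(SAMPLE_XPI)
    genuine = hash_matches(path, SAMPLE_SUMS)
    with open(path, "wb") as f:
        f.write(SAMPLE_XPI + b"\x00")  # one appended byte = tampered
    tampered = hash_matches(path, SAMPLE_SUMS)
    unlisted = hash_matches(os.path.join(d, "other.xpi"), SAMPLE_SUMS)
    return genuine, tampered, unlisted
```

A real check runs `signature_valid("SHA256SUMS", "SHA256SUMS.asc")` first and only trusts the sums file when that returns True; the hash alone only shows the download matches whatever the page currently lists.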