mozilla / addons

☂ Umbrella repository for Mozilla Addons ✨

Make signing metadata more reproducible #9130

Closed bershanskiy closed 1 year ago

bershanskiy commented 1 year ago

Describe the problem and steps to reproduce it:


I maintain an add-on published on AMO and I would like to include the AMO signatures within the add-on source code. The extension builds are reproducible (the built output is always the same, independent of the OS and other parameters of the system performing the build). Unfortunately, some files returned by AMO which could just as well be reproducible are not.

META-INF has a few files which cannot be reproducible (e.g., the signing certificate, which is generated anew for every signature), but all text indexes (hash lists) could be. These files have a predetermined set of entries, but the entries may appear in different orders. It would be nice if hash entries had a predetermined order (were sorted) so that the hash files could be constructed from folder contents in a reproducible manner.

What happened?

All files in META-INF are somewhat random.

What did you expect to happen?

The add-on signer sorts the entries in the META-INF list files before saving them.

Anything else we should know?


It's possible to make the add-on signer create sorted lists by sorting the files within the submitted zip file, but this is a bit counter-intuitive. Also, the contents of mozilla-recommendation.json are serialized in a non-reproducible manner.

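The workaround the reporter describes (sort the entries of the submitted zip so that any hash list generated in zip order comes out sorted), worked through as an added example. This is not code from mozilla/addons or autograph. It assumes the jar-manifest layout for META-INF/manifest.mf (`Name:` sections each carrying an `SHA256-Digest:` line with the base64 SHA-256 of the file's bytes, long lines wrapped onto a continuation line starting with a space) and that the signer writes entries in zip entry order, which is what the report implies rather than documented behaviour. The sample add-on files are constructed inline.

```python
"""Added example, not code from mozilla/addons or autograph: repack an XPI so its
entries are sorted with a fixed timestamp, then check a manifest.mf-style hash
list against the zip.  The manifest layout (jar-manifest 'Name:' sections with
an 'SHA256-Digest:' line) and zip-order emission are assumptions."""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List, Optional, Tuple

FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the zip format can store

# Constructed sample add-on contents, not from any real extension.
SAMPLE_FILES: Dict[str, bytes] = {
    "manifest.json": b'{"manifest_version": 2, "name": "demo", "version": "1.0"}\n',
    "background.js": b"console.log('demo');\n",
    "icons/icon.svg": b"<svg xmlns='http://www.w3.org/2000/svg'/>\n",
}


def make_sample_xpi(order: List[str], stamp: Tuple[int, ...],
                    files: Dict[str, bytes] = SAMPLE_FILES) -> bytes:
    """Zip with caller-chosen entry order and timestamp: a non-deterministic packing."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return out.getvalue()


def repack_sorted(xpi_bytes: bytes) -> bytes:
    """The report's workaround: sorted names, fixed timestamp, fixed permissions,
    so two packings of the same tree are byte-identical."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # rw-r--r-- for every entry
            dst.writestr(info, src.read(name))
    return out.getvalue()


def entry_order(xpi_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return zf.namelist()


def sha256_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(xpi_bytes: bytes) -> str:
    """Hash list in zip entry order (assumed to mirror what the signer emits)."""
    lines = ["Manifest-Version: 1.0", ""]
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directories are not listed
            lines += [f"Name: {name}", "Digest-Algorithms: SHA256",
                      f"SHA256-Digest: {sha256_b64(zf.read(name))}", ""]
    return "\n".join(lines)


def parse_manifest(text: str) -> List[Tuple[str, Optional[str]]]:
    """(name, sha256_b64) pairs in the order the manifest lists them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # undo jar-style line wrapping
        else:
            lines.append(raw)
    entries: List[Tuple[str, Optional[str]]] = []
    name: Optional[str] = None
    digest: Optional[str] = None
    for line in lines:
        if line.startswith("Name: "):
            if name is not None:
                entries.append((name, digest))
            name, digest = line[len("Name: "):], None
        elif line.startswith("SHA256-Digest: "):
            digest = line[len("SHA256-Digest: "):]
    if name is not None:
        entries.append((name, digest))
    return entries


def verify_manifest(xpi_bytes: bytes, manifest_text: str) -> Tuple[bool, List[str]]:
    """Returns (entries are sorted, names whose digest is missing or wrong)."""
    entries = parse_manifest(manifest_text)
    names = [n for n, _ in entries]
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        present = set(zf.namelist())
        bad = [n for n, d in entries if n not in present or sha256_b64(zf.read(n)) != d]
    return names == sorted(names), bad


if __name__ == "__main__":
    messy = make_sample_xpi(["manifest.json", "icons/icon.svg", "background.js"], (2023, 5, 1, 12, 0, 0))
    print("before repack:", verify_manifest(messy, build_manifest(messy)))
    clean = repack_sorted(messy)
    print("after repack: ", verify_manifest(clean, build_manifest(clean)))
```

Running `repack_sorted` on the build output before uploading is the whole workaround; `verify_manifest` is the check to run on the signed XPI afterwards, where a non-empty second element means a listed file does not match the hash list and the package should not be committed as a reproducible artifact.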

eviljeff commented 1 year ago

Hi, the signing metadata is actually added by a different Mozilla project called autograph, but that project is in maintenance mode (only security fixes), so this isn't going to get addressed, unfortunately.

KevinMind commented 4 months ago

Old Jira Ticket: https://mozilla-hub.atlassian.net/browse/ADDSRV-304