<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">There are no current plans to require
signing in Thunderbird.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Philipp<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 12/12/18 9:07 PM, Onno Ekker wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c590c77d-d747-2a8b-c986-169373f458e6@gmail.com">
<div class="moz-cite-prefix">P.S.</div>
<div class="moz-cite-prefix">I've heard rumors that Thunderbird
will require signing again in the future.</div>
<div class="moz-cite-prefix">Maybe someone can confirm or disprove
this?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 11-12-2018 at 08:54, John
Bieling wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7B378412-4B30-4840-B74E-3EEB908BDFF5@gmx.de">
<div dir="ltr">Thanks! Will have a look at that.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Best regards,</div>
<div dir="ltr">John</div>
<div dir="ltr"><br>
On 11.12.2018 at 08:45, Onno Ekker <<a
href="mailto:o.e.ekker@gmail.com" moz-do-not-send="true">o.e.ekker@gmail.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>Updates from ATN are protected because they are sent
over https, so the server can be identified as the real
server.</div>
<div>For updates outside of ATN you can add an
updateKey to your install manifest, and sign your
updates using McCoy. This is only necessary when you
don't serve the updates over https.</div>
<div>I used to sign my add-ons myself, but signing
information isn't shown anymore in Thunderbird and
because the signing certificate cost real money, I
stopped doing that.</div>
<div>Now I sign my add-ons externally with GPG and offer
the signature along with my signing key next to the
download link, so people can verify the file isn't
tampered with themselves.</div>
<div><br>
</div>
<div>Onno<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Dec 11, 2018 at 4:19 AM John
Bieling <<a href="mailto:john.bieling@gmx.de"
moz-do-not-send="true">john.bieling@gmx.de</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
today one of my add-on users asked, if there is some
sort of integrity <br>
validation of the downloaded add-on during updates from
ATN. Since my <br>
add-on has access to contacts and calendars, which can
contain <br>
confidential data, he wants to be sure, that no payload
is added to the <br>
add-on by some attacker, which might send his data
elsewhere.<br>
<br>
Would add-on signing help here? Does Thunderbird support
that? If not, <br>
is it planned? Do I have other options?<br>
<br>
Best regards, and thanks for your time,<br>
John<br>
<br>
_______________________________________________<br>
tb-planning mailing list<br>
<a href="mailto:tb-planning@mozilla.org" target="_blank"
moz-do-not-send="true">tb-planning@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/tb-planning"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://mail.mozilla.org/listinfo/tb-planning</a><br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
<p><br>
</p>
</blockquote>
<p><br>
</p>
</body>
</html>