[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates

Red redwire at riseup.net
Wed Jun 11 16:09:13 PDT 2014

On 2014-06-10, 6:27 PM, Yan Zhu wrote:
> On 06/10/2014 01:40 PM, Jacob Hoffman-Andrews wrote:
>>     How about just sticking to the format we have now for update.json and
>>     going with the decision to serve multiple versions from different URLs
>>     depending on the release type?
>> This sounds good to me. Yan, sound good to you?
> Sounds good, though I think we still need to deal with Jacob's point
> that JSON-to-string conversion is non-deterministic!
> Originally I had proposed something like verifying the signature over
> the string produced by
> JSON.stringify(JSON.parse(req.responseText).update) but apparently
> JSON.stringify won't reliably preserve ordering of the object properties?
> So perhaps GPG-clearsigning the update file, verifying the signature,
> and then parsing the JSON in the update file is the simplest thing. I'm
> not sure extensions support GPG signature formats; will leave it up to
> Zack to figure out the details there and add them to the spec.

Rather than trying to find a solution by introducing new tools and
libraries into everything, I spent some time experimenting and talking
to some people on the ##javascript IRC channel on the Freenode network
who gave me some great advice.
Instead of hashing a stringified version of the `update` object
directly, we could sort an array of the keys in the update object and
then create an array of key, value pairs in the sorted-key order.  This
solution will be really simple to automate in the script I wrote to
create the update.json content (that is, to compute the hash of `update`
automatically) and will also be very easy to do in plain-old Javascript
in the extension.  This approach is also favored by the fact that we've
decided not to nest other JSON objects within the `update` object.
If no one has any objections, I can get this done in no time.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 341 bytes
Desc: OpenPGP digital signature
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140611/dce2ecbe/attachment.sig>

More information about the HTTPS-Everywhere mailing list