Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


roytam1

My browser builds (part 2)

Recommended Posts

2 hours ago, luweitest said:

@roytam1: Could later releases provide a GPG signature? Security is quite a concern for browsers.

never think about it as these are just my personal builds.

Share this post


Link to post
Share on other sites

hey. I try install extension (pushbullet) in new moon and have this (error) warning! what this mean ? Its any way to install this extension ?

Clipboard01.jpg

Share this post


Link to post
Share on other sites
1 hour ago, S75 said:

what this mean ?

this type of extension is not supported by NM27.

Share this post


Link to post
Share on other sites
17 hours ago, roytam1 said:

never think about it as these are just my personal builds.

Then publish an SHA-1 hash of the file? Anyway I think your personal builds would get spread.

Share this post


Link to post
Share on other sites
1 hour ago, luweitest said:

Then publish an SHA-1 hash of the file? Anyway I think your personal builds would get spread.

this could be possible to put *.sha1 files to the server.

Share this post


Link to post
Share on other sites
13 hours ago, roytam1 said:

this type of extension is not supported by NM27

any way to install pushbullet in new moon ?

Share this post


Link to post
Share on other sites
16 hours ago, S75 said:

hey. I try install extension (pushbullet) in new moon and have this (error) warning! what this mean ? Its any way to install this extension ?

If my mind does tell me right - you could actually install Jetpack extensions in NM27 through the Moon Tester Tool extension. Download the XPI file for pushbullet, pipe it through MTT and hope that everything will work fine.

Edited by IntMD
  • Like 1

Share this post


Link to post
Share on other sites
57 minutes ago, IntMD said:

If my mind does tell me right - you could actually install Jetpack extensions in NM27 through the Moon Tester Tool extension. Download the XPI file for pushbullet, pipe it through MTT and hope that everything will work fine.

Holly shirt =) Its mostly working, its not normal login, mast login every time when send push and it redirect me to webPush, but any way that's something.

Edited by S75

Share this post


Link to post
Share on other sites

@S75: Welcome to the MSFN forums :)

First thing you should ask yourself is whether you actually expect any legacy (XUL) version of the Pushbullet extension to work today; this extension relies on third-party infrastructure (secure logins to their servers, etc.) and they may have blocked old "unsupported" versions of their addon, on old "unsupported" browsers, on old "unsupported" OSes (you get my drift...) from even connecting to their service (for "security" reasons, no doubt... :angry:).

The latest version 347 of their Firefox extension is still available, but - as expected - in WebExtensions format, not compatible with New Moon 27/28, but possibly compatible with FirefoxESR 52.9.1 and Serpent 52/55:

https://addons.mozilla.org/en-US/firefox/addon/pushbullet/versions/

In the remote possibility any XUL Pushbullet version is still functional, then CAA extension

caa:addon/pushbullet/versions

reveals that the latest legacy version 316 dates from Dec 28th 2015, while the last "supposedly" NM27 compatible version 179[.1-signed] dates from Feb 22nd 2015

The Tycho platform (forked from FxESR 38) on which NM27 is built doesn't support Jetpack SDK legacy extensions, and that was a decision made at the time by the Moonchild team of developers; so you can't directly install such extensions in NM27, as the browser itself warns you about...

The tool pointed to by @IntMD was developed to mitigate that imposed limitation (among several others), but it does not work universally on all types of JetPack SDK extensions - don't ask me why, I'm not an XUL extension developer.

Force-installing an officially unsupported extension via the aid of the MTT always carries an inherent risk of browser profile corruption! Do keep this in mind and act accordingly (i.e. back up!). Second, if the unsupported extension is force-installed (in [TEST] mode) via said tool, you have no reassurance it will function as designed...

4 hours ago, IntMD said:

Download the XPI file for pushbullet, pipe it through MTT and hope that everything will work fine.

I have run some tests on my old NM27 version here, I first downloaded to disk file pushbullet-179-fx.xpi, selected it via MTT (about:addons => Moon Tester Tool 1.2.0 => Options => Select file...) and it was still impossible to install :realmad:

I then tried to do the same with latest legacy version 316, which claims to support Fx 38.0a1 - 49.*; since Tycho is forked from FxESR 38, we stand a fair chance of it being NM27 compatible; following the same procedure, file pushbullet-316-an+fx.xpi did manage to install successfully - but I can't vow about its usability...

OT: I wrote this post with NM27 that I seldom use now (UXP forks are mostly used here) and discovered the MSFN post editor has several minor issues (absent on UXP) - but is otherwise functional... :P

Edited by VistaLover
  • Like 2

Share this post


Link to post
Share on other sites
6 hours ago, VistaLover said:

The latest version 347 of their Firefox extension is still available, but - as expected - in WebExtensions format, not compatible with New Moon 27/28, but possibly compatible with FirefoxESR 52.9.1 and Serpent 52/55:

https://addons.mozilla.org/en-US/firefox/addon/pushbullet/versions/

Later versions won't install, but version 335 at the above link installs in Serpent 55 (Edit: but not Serpent 52 :() and appears to run. But my Android phone is too old for a complete test (Android 5.0 required).

Edited by Mathwiz

Share this post


Link to post
Share on other sites
On 10/26/2019 at 11:31 PM, luweitest said:

@roytam1: Could later releases provide a GPG signature? Security is quite a concern for browsers.

On 10/27/2019 at 2:29 AM, roytam1 said:

never think about it as these are just my personal builds.

21 hours ago, luweitest said:

Then publish an SHA-1 hash of the file? Anyway I think your personal builds would get spread.

Presumably the purpose would be to ensure the downloads haven't been tampered with. If so, https: already provides adequate assurance against tampering "in transit."

As for someone hacking into @roytam1's server and altering the files, presumably such a hacker would be smart enough recalculate the SHA hashes and alter those files too, so publishing SHA hashes provides little additional assurance. You really would need a GPG signature to guard against that possibility. (Roytam would never put his private key on the server, so it would be impossible for a hacker to recalculate valid signatures for altered files.)

Luckily GPG is free, so signatures can be produced and published at no cost (unlike, say, code-signing certificates).

  • Like 3

Share this post


Link to post
Share on other sites
21 hours ago, roytam1 said:

this could be possible to put *.sha1 files to the server.

 

2 hours ago, Mathwiz said:

Presumably the purpose would be to ensure the downloads haven't been tampered with. If so, https: already provides adequate assurance against tampering "in transit."

As for someone hacking into @roytam1's server and altering the files, presumably such a hacker would be smart enough recalculate the SHA hashes and alter those files too, so publishing SHA hashes provides little additional assurance. You really would need a GPG signature to guard against that possibility. (Roytam would never put his private key on the server, so it would be impossible for a hacker to recalculate valid signatures for altered files.)

Luckily GPG is free, so signatures can be produced and published at no cost (unlike, say, code-signing certificates).

Hashes could be published in a different place (presumably here with weekly release announce) to prevent alteration with executables. As time goes, the files would get spread to different channels like software sites, P2P share etc., without a method to verify. The original release site may also get blocked, closed, etc. No doubt GPG signature is preferred, yet @roytam1 may not be ready for it; so SHA1 could be published right now.

Share this post


Link to post
Share on other sites
3 hours ago, luweitest said:

As time goes, the files would get spread to different channels like software sites, P2P share etc., without a method to verify.

but gpg generates .sig/.asc file for the signature which may not be spread together as well.

EDIT: I prepared my key and you can get it with command:

gpg --recv-keys --keyserver pgp.key-server.io 0xD3DD285F6205667A

Key fingerprint = 5705 CD21 AB46 17A9 0724  D3A6 D3DD 285F 6205 667A

Edited by roytam1

Share this post


Link to post
Share on other sites
3 hours ago, roytam1 said:

but gpg generates .sig/.asc file for the signature which may not be spread together as well.

Pack them together in 7z?

I think that disadvantage of separated GPG sig compared to integrated CA sig is not due to technical reason but OS support.

Share this post


Link to post
Share on other sites
40 minutes ago, luweitest said:

Pack them together in 7z?

2 levels of 7z is not my cup of tea.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...