In reference to jpm Issue #315 and 344:
https://github.com/mozilla-jetpack/jpm/issues/315
If I rename the output .xpi file-name, and retain the .xpi extension, will I invalidate the signing? Seems like it shouldn’t matter since it’s the contents that are signed.
Changing the filename shouldn’t impact the signature.
Recompressing every file in .xpi (in the same order) into a new .xpi (=PKZIP) archive worked too, because signature is for individual files in a .xpi archive. File names in a .xpi archive cannot be changed. Of course until SHA-1 is truly broken … 