Closed
Bug 1450985
Opened 6 years ago
Closed 6 years ago
Enable signature verification for addons/gfx/plugins collections
Categories
(Toolkit :: Blocklist Policy Requests, enhancement)
RESOLVED
FIXED
mozilla61
| | Tracking | Status |
|---|---|---|
| firefox61 | --- | fixed |
People
(Reporter: leplatrem, Assigned: leplatrem)
Attachments
(1 file)
Currently, we only verify the signature of the certificates collection during remote settings synchronization. Since the addons/plugins/gfx are properly on the server side, we should enable the client side verification for them too. Note: As we can see here: https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons the certificate is also called *onecrl* so we should use this signer too.
Updated•6 years ago (Assignee)
Assignee: nobody → mathieu
Comment hidden (mozreview-request)
Comment 2•6 years ago
mozreview-review
Comment on attachment 8967372 [details] Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists https://reviewboard.mozilla.org/r/236064/#review241816 ::: services/common/blocklist-clients.js:145 (Diff revision 1) > OneCRLBlocklistClient.on("change", updateCertBlocklist); > > AddonBlocklistClient = RemoteSettings(Services.prefs.getCharPref(PREF_BLOCKLIST_ADDONS_COLLECTION), { > bucketName: Services.prefs.getCharPref(PREF_BLOCKLIST_BUCKET), > lastCheckTimePref: PREF_BLOCKLIST_ADDONS_CHECKED_SECONDS, > - signerName: "", // disabled > + signerName: BLOCKLISTS_SIGNER, What generates the records for the (non-OneCRL) blocklists? What tooling is used? How is access controlled?
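Review bot: at the changed line signerName: BLOCKLISTS_SIGNER, the signer is a fixed constant while the collection and bucket names on the neighbouring lines are read from preferences (PREF_BLOCKLIST_ADDONS_COLLECTION, PREF_BLOCKLIST_BUCKET), so a profile whose preferences point at a different bucket would still be verified against this one signer. The removed line carried a "// disabled" comment and the new one carries none; a short comment stating which signer the constant names and that it applies to the whole bucket would make the coupling explicit. The definition of BLOCKLISTS_SIGNER is not visible in this hunk, so it is worth confirming that it is the same value OneCRLBlocklistClient uses.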
Comment 3•6 years ago (Assignee)
mozreview-review-reply
Comment on attachment 8967372 [details] Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists
https://reviewboard.mozilla.org/r/236064/#review241816

> What generates the records for the (non-OneCRL) blocklists? What tooling is used? How is access controlled?

It works the exact same way as OneCRL (users write into kinto-admin, review-request/approve changes, signing happens, clients poll and perform diff-based sync...)
Comment 4•6 years ago
mozreview-review
Comment on attachment 8967372 [details] Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists
https://reviewboard.mozilla.org/r/236064/#review242256

I have a preference to keep the security state (certificate blocklist, pinning, intermediates) signing keys separate. Given that these other use-cases are all blocklists and that there are controls (including an approval step) in place for ensuring changes are reviewed, I think this is OK for now.

My main remaining concern is that the naming is a bit weird (these are not all onecrl, after all); it's not a huge issue though.
Attachment #8967372 - Flags: review?(mgoodwin) → review+
Comment 5•6 years ago (Assignee)
Thanks for your review!

> My main remaining concern is that the naming is a bit weird (these are not all onecrl, after all)

Yes indeed, on the server side the whole blocklists bucket is configured to be signed with the same onecrl certificate. If we want to rename it in the future, we can also put the signer name in a preference and leverage Normandy preference rollout (Bug 1440782) to switch to another one.

What do you think?
Flags: needinfo?(mgoodwin)
Comment hidden (mozreview-request)
Comment 7•6 years ago
(In reply to Mathieu Leplatre (:leplatrem) from comment #5)
> If we want to rename it in the future, we can also put the signer name in a
> preference and leverage Normandy preference rollout (Bug 1440782) to switch
> to another one.
>
> What do you think?

That should work.

With regards to keeping security state signers separate; I wouldn't worry about this for now. We are doing some work on revocation that will move the vast majority of revocations from the certificate blocklist to another mechanism; once this work is complete, we can move the OneCRL blocklist (which should then be fairly small) to the security state bucket and do the signer name changes at that point.

Does that sound reasonable to you?
Flags: needinfo?(mgoodwin) → needinfo?(mathieu)
Comment 8•6 years ago (Assignee)
Yes OK, sounds good! (I land this patch then)
Flags: needinfo?(mathieu)
Updated•6 years ago (Assignee)
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/c6aaeb90c4b0
Enable signature verification for addons/gfx/plugins blocklists r=mgoodwin
Keywords: checkin-needed
Comment 10•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c6aaeb90c4b0
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61