Closed
Bug 902761
Opened 11 years ago
Closed 10 years ago
Stop storing certs used for MAR verification in EXE resource files
Categories
(Toolkit :: Application Update, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
People
(Reporter: bbondy, Assigned: bbondy)
References
Details
Attachments
(2 files, 9 obsolete files)
|
5.24 KB,
patch
|
spohl
:
review+
|
Details | Diff | Splinter Review |
|
3.19 KB,
patch
|
bbondy
:
review+
glandium
:
review-
|
Details | Diff | Splinter Review |
In preparation for verifying MARs on all platforms, we should have a platform independent way to store the certificates used in MAR verification. On Windows we currently stash them in the exe's resource section. The idea is to instead create a python scrip that will run when building to generate a .h file. The .h file will contain an array of hex char numbers. The array will hold the byte of the .der file. It will simply be included into updater.cpp/archivereader.cpp and used directly. This bug is only for making the cert loading platform independent. Other bugs will be posted later for doing the rest of the work to get OSX and Linux verifying mar files.
|
Assignee | |
Comment 1•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
Flags: sec-review?
|
|
Assignee | |
Comment 2•11 years ago
|
||
Will be pushing to oak for testing, didn't test yet.
Attachment #787296 -
Attachment is obsolete: true
Attachment #787759 -
Flags: review?(robert.bugzilla)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #787759 -
Attachment description: bug902761_buildconfig.diff → Build config for turning DER files into .h files - rev1
|
|
Assignee | |
Comment 3•11 years ago
|
||
Attachment #787762 -
Flags: review?(robert.bugzilla)
|
||
Updated•11 years ago
|
Flags: sec-review? → sec-review+
|
|
Assignee | |
Comment 4•11 years ago
|
||
Fix cert verification error
Attachment #787762 -
Attachment is obsolete: true
Attachment #787762 -
Flags: review?(robert.bugzilla)
Attachment #789339 -
Flags: review?(robert.bugzilla)
|
|
Assignee | |
Comment 5•11 years ago
|
||
rstrong this is all green and tested now, and should be ready to go: https://tbpl.mozilla.org/?tree=Try&rev=ae3c132f37dd
|
||
Comment 6•11 years ago
|
||
Comment on attachment 787759 [details] [diff] [review] Build config for turning DER files into .h files - rev1 For the ifneq you can use the following format http://mxr.mozilla.org/mozilla-central/source/layout/build/Makefile.in#78 Please convert to unix newlines
Attachment #787759 -
Flags: review?(robert.bugzilla) → review+
|
|
||
Updated•11 years ago
|
Attachment #789339 -
Flags: review?(robert.bugzilla) → review+
|
|
Assignee | |
Comment 7•11 years ago
|
||
(In reply to Robert Strong [:rstrong] (do not email) from comment #6) > Comment on attachment 787759 [details] [diff] [review] > Build config for turning DER files into .h files - rev1 > > For the ifneq you can use the following format > http://mxr.mozilla.org/mozilla-central/source/layout/build/Makefile.in#78 > > Please convert to unix newlines It is already unix newlines
|
|
Assignee | |
Comment 8•11 years ago
|
||
(In reply to Brian R. Bondy [:bbondy] from comment #7) > (In reply to Robert Strong [:rstrong] (do not email) from comment #6) > > Comment on attachment 787759 [details] [diff] [review] > > Build config for turning DER files into .h files - rev1 > > > > For the ifneq you can use the following format > > http://mxr.mozilla.org/mozilla-central/source/layout/build/Makefile.in#78 The only difference I could see here was the else and ifneq on different lines. So uploading that change in a new patch. Let me know if I missed anything else.
|
|
Assignee | |
Comment 9•11 years ago
|
||
Implemented nit. Carrying forward r+.
Attachment #787759 -
Attachment is obsolete: true
Attachment #808654 -
Flags: review+
|
|
Assignee | |
Comment 10•11 years ago
|
||
Didn't realize combining the else and ifneq on the same line would reduce the need for the exra endif. Fixed.
Attachment #808654 -
Attachment is obsolete: true
Attachment #808662 -
Flags: review+
|
|
Assignee | |
Comment 11•11 years ago
|
||
qref'ed :)
Attachment #808662 -
Attachment is obsolete: true
Attachment #808665 -
Flags: review+
|
|
||
Comment 12•11 years ago
|
||
(In reply to Brian R. Bondy [:bbondy] from comment #7) > (In reply to Robert Strong [:rstrong] (do not email) from comment #6) > > Comment on attachment 787759 [details] [diff] [review] > > Build config for turning DER files into .h files - rev1 > > > > For the ifneq you can use the following format > > http://mxr.mozilla.org/mozilla-central/source/layout/build/Makefile.in#78 > > > > Please convert to unix newlines > > It is already unix newlines When I imported the patch a second time gen_cert_header.py it was created again with CRLF newlines
|
|
Assignee | |
Comment 13•11 years ago
|
||
(In reply to Robert Strong [:rstrong] (do not email) from comment #12) > (In reply to Brian R. Bondy [:bbondy] from comment #7) > > (In reply to Robert Strong [:rstrong] (do not email) from comment #6) > > > Comment on attachment 787759 [details] [diff] [review] > > > Build config for turning DER files into .h files - rev1 > > > > > > For the ifneq you can use the following format > > > http://mxr.mozilla.org/mozilla-central/source/layout/build/Makefile.in#78 > > > > > > Please convert to unix newlines > > > > It is already unix newlines > When I imported the patch a second time gen_cert_header.py it was created > again with CRLF newlines Ah sorry, the comment appeared just under Makefile.in so I thought you were talking about that file. Should have checked both. New patch coming.
|
|
Assignee | |
Comment 14•11 years ago
|
||
Stripped \r from the python file. Carrying forward r+.
Attachment #808665 -
Attachment is obsolete: true
Attachment #808922 -
Flags: review+
|
||
Comment 15•10 years ago
|
||
Updated for current trunk. Carrying over r+.
Attachment #8416007 -
Flags: review+
|
|
||
Comment 16•10 years ago
|
||
Updated for current trunk. Carrying over r+.
Attachment #789339 -
Attachment is obsolete: true
Attachment #808922 -
Attachment is obsolete: true
Attachment #8416008 -
Flags: review+
|
|
Assignee | |
Comment 17•10 years ago
|
||
Rebase to m-c tip and add nightly-ux (it was missed before)
Attachment #8416007 -
Attachment is obsolete: true
Attachment #8505915 -
Flags: review+
|
|
Assignee | |
Comment 18•10 years ago
|
||
Tested this with a corrected manifest and we're all good. https://hg.mozilla.org/integration/mozilla-inbound/rev/c249afdad744 https://hg.mozilla.org/integration/mozilla-inbound/rev/149fc4026b50
|
|
Assignee | |
Updated•10 years ago
|
Target Milestone: --- → mozilla36
|
||
Comment 19•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/c249afdad744 https://hg.mozilla.org/mozilla-central/rev/149fc4026b50
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
||
Comment 20•10 years ago
|
||
Comment on attachment 8505915 [details] [diff] [review] Part 1: Build config for turning DER files into .h files - rev5 Review of attachment 8505915 [details] [diff] [review]: ----------------------------------------------------------------- ::: toolkit/mozapps/update/updater/Makefile.in @@ +35,5 @@ > + > +export:: > + $(PYTHON) $(srcdir)/gen_cert_header.py primaryCertData $(srcdir)/$(PRIMARY_CERT) > primaryCert.h > + $(PYTHON) $(srcdir)/gen_cert_header.py secondaryCertData $(srcdir)/$(SECONDARY_CERT) > secondaryCert.h > + $(PYTHON) $(srcdir)/gen_cert_header.py xpcshellCertData $(srcdir)/xpcshellCertificate.der > xpcshellCert.h This should have been reviewed by a build peer.
Attachment #8505915 -
Flags: review-
You need to log in
before you can comment on or make changes to this bug.
Description
•