1012705 - BetaChannel support for provisioning devices to new channels

Status: RESOLVED WONTFIX

(DevTools Graveyard :: WebIDE, defect)

Description

[Austin King [:ozten]]

BetaFox [1] is a new project to make testing privileged apps easier.

A FxOS device must be provisioned with a new certificate database as well as an update to a preference in user.js.

Currently this is done over adb with shell scripts. App Manager would make this very nice.

As discussed with Paul and Axel, we will use this bug for mockup and code to coordinate implementing this in the App Manager.

[1] https://wiki.mozilla.org/Mobile/Projects/BetaFox

Comment 1

[Austin King [:ozten]]

Attachment: Default State

Default State - Mozilla Marketplace is the trusted channel by default.

Comment 2

[Austin King [:ozten]]

Attachment: Betafox Provisioned

BetaFox Provisioned - Device is ready for testing

Comment 3

[Austin King [:ozten]]

Attachment: Example Channel

Example Channel - After adding an example channel, the new channel is listed

(Mockup is as though we were on Default and then used the Add Trusted Channel form)

Comment 4

[Austin King [:ozten]]

Attachment: app_manager_sketch.js

Very early sketch of the code, not tested.

I'll keep working on this in an Addon, but wanted to share early in case this is enough to get you going.

Comment 5

[Austin King [:ozten]]

Requirements:

1) Given a endpoint (http://betafox.mozilla.org) provision a device by updating the certificate db and updating 

* cert9.db, key4.db, and pkcs11.txt copied under /b2g/mozilla/${profile}
* /system/b2g/defaults/pref/user.js update dom.mozApps.signed_apps_installable_from

${profile} is the directory with a random name that ends in ".default"

Reboot the device

2) When provisioning, backup the existing files and value of dom.mozApps.signed_apps_installable_from to a restore location

3) Allow restoring default certificate dbs and user.js pref value

4) UI - Allow adding new Trusted Channels to the App Manager "Distribution Channels" panel

Comment 6

[Austin King [:ozten]]

Attachment: provision.js

Fixes paths, moved into a file I can test from a sample SDK based Add-on.

Comment 7

[Austin King [:ozten]]

Attachment: main.js

Basic Addon adds context menu 'Test Provisioning' item, which runs provisioning code against http://d2gk.co our unoffical dev environment

Comment 8

[Paul Rouget [:paul]]

Comment on attachment 8424869 [details]
Default State

This is the old App Manager. The new App Manager is very different. You'll need to build it yourself to test it. Basically, you need to host this tool in its own window, and use native styling.

Comment 9

[Paul Rouget [:paul]]

Comment on attachment 8424939 [details]
provision.js

Looks good. But I need to understand where the phone come from. Will they be unlocked? Apparently, we won't be allowed to update the certificates on "normal" phone. A pref in prefs.js will need to be changed to allow that, and ADB is required for that.

Comment 10

[Austin King [:ozten]]

> This is the old App Manager. The new App Manager is very different.
Do you have a link for how to get/build the new app manager?

> You'll need to build it yourself to test it. Basically, you need to host this tool in its own window, and use native styling.

If we treat these as wireframes, is that enough to get you going?

> But I need to understand where the phone come from. Will they be unlocked?

Yes, for 1.0 release, partners will have unlocked phones for their testers to use.

(After 1.0 we will work on improving FxOS to support all phones)

Comment 11

[Paul Rouget [:paul]]

As far as I understand (need to be confirmed by the security team), to enable this feature in the app manager, you'll need to set a preference (devtools.debugger.forbid-certified-apps) in prefs.js on the phone (only accessible via ADB, so on rooted devices). This would require to run a script for each phone to update the pref, and at this point, they could just override the certificates at the same time.

How do they unlock the phones?

Just trying to figure out the process. We need this feature to avoid having to run shell scripts against the phones, but if you need to run a shell script to unlock the phone in the first place, there's no point of building this feature.

Comment 12

[Austin King [:ozten]]

Great, thank you for looking into this.

For 1.0, it is okay if only rooted phones are supported.

Comment 13

[:Harald Kirschner :digitarald]

Geeksphone and Flame are currently come rooted by default. Review team has rooted Tarakos and OneTouch Fire where some device they got off ebay.

Comment 14

[Paul Rouget [:paul]]

Do partners need to go through a unlocking/rooting phase?
Do partners, at any point in time, need to run a script against the phone?

Comment 15

[:Harald Kirschner :digitarald]

(In reply to Paul Rouget [:paul] (slow to respond. Ping me on IRC) from comment #14)
> Do partners need to go through a unlocking/rooting phase?
> Do partners, at any point in time, need to run a script against the phone?

No for partners and long tail, as they currently don't need to sideload certificates.

Comment 16

[Austin King [:ozten]]

This current plan works for existing versions of FxOS, but what is landing in aurora Fx right now completely restructures certificates and how they work. It will break our current plan.

We are working outside of this bug on how to support this going forward. I'll add a depends on bug# once I find the best one to track.

Comment 17

[Austin King [:ozten]]

There is a proposal for FxOS 2.x in bug#1023499#c1

Feedback there for this work would be great.

Comment 18

[Austin King [:ozten]]

Renaming project from BetaFox to BetaChannel.

Comment 19

[Alexandre Poirot [:ochameau]]

Given that last update on transitioning gaia/fxos to no longer use certified/privileged permissions,
I imagine this project is going to be cancelled?

Also, in the meantime we provided a way to root your phone via settings app and be able to push certified apps via webide.

Please reopen if it isn't.