Allow apps to be installed from the Marketplace staging server

RESOLVED FIXED in mozilla34

4 years ago
3 years ago

People

(Reporter: keeler, Assigned: marco, NeedInfo)

Tracking

unspecified
mozilla34
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

The certificates in question are marketplace-dev-public.crt, marketplace-dev-reviewers.crt, marketplace-prod-public.crt, and marketplace-prod-reviewers.crt in https://mxr.mozilla.org/mozilla-central/source/security/apps/

Comment 1

4 years ago
Is it possible to include certs for stage as well? Certs should be at https://www.dropbox.com/s/agkljpkh8fia2em/marketplace-stage.cert.tar.gz
Flags: needinfo?(dkeeler)
Sure it is possible, but besides the cert we also need an origin for these services in order to change:
https://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#3192.

Also, do you know how the private keys for these certs are being managed?
Flags: needinfo?(dkeeler) → needinfo?(krupa.mozbugs)

Comment 3

4 years ago
(In reply to Camilo Viecco (:cviecco) from comment #2)
> Sure it is possible, but besides the cert we also need an origin for these
> services in order to change:
> https://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#3192.
> 
> Also, do you know how the private keys for these certs are being managed?

cc'ing jason since he generated most of the certs for marketplace.
Flags: needinfo?(krupa.mozbugs) → needinfo?(jthomas)
(Assignee)

Comment 4

4 years ago
Could you also provide the marketplace dev certs? I think the certs we have in the tree are just placeholders.
(Assignee)

Updated

4 years ago
Duplicate of this bug: 1039520
(Assignee)

Comment 6

4 years ago
To summarize, we need the certs for dev (both public and reviewers) and for stage (both public and reviewers). We also need an origin for stage (is it "marketplace.allizom.org"?).
(In reply to Marco Castelluccio [:marco] from comment #4)
> Could you also provide the marketplace dev certs? I think the certs we have
> in the tree are just placeholders.

are we sure that's the reason?

The marketplace-dev reviewer cert that we have to use on pre-2.0 versions of FxOS is:
https://github.com/mozilla/marketplace-certs/blob/master/marketplace-dev-reviewers-root.der
and the mxr file is identical:
https://mxr.mozilla.org/mozilla-central/source/security/apps/marketplace-dev-reviewers.crt
(Assignee)

Comment 8

4 years ago
You're right, the reviewers certificate is correct.
Is that certificate used on marketplace.allizom.org or on marketplace-dev.allizom.org?
Right now we're trusting the certificate only if the origin is "https://marketplace-dev.allizom.org".
Flags: needinfo?(awilliamson)
(In reply to Marco Castelluccio [:marco] from comment #8)
> You're right, the reviewers certificate is correct.
> Is that certificate used on marketplace.allizom.org or on
> marketplace-dev.allizom.org?
> Right now we're trusting the certificate only if the origin is
> "https://marketplace-dev.allizom.org".

the certificate is for marketplace-dev - I'm not sure about reviewers on marketplace stage, or if one even exists.

But I can't make the marketplace-dev one work either in Nightly or Aurora desktop.
Flags: needinfo?(awilliamson)
(Assignee)

Comment 10

4 years ago
I've just built a test to verify the installation of apps from marketplace-dev (see bug 1040179). It doesn't test reviewer certificates, but it does test the public ones.

To enable installing from https://marketplace-dev.allizom.org you need to:
1) Set dom.mozApps.use_reviewer_certs to true
2) Add the domain to dom.mozApps.signed_apps_installable_from

In production, you don't need step 2.
(In reply to Marco Castelluccio [:marco] from comment #10)
> I've just built a test to verify the installation of apps from
> marketplace-dev (see bug 1040179). It doesn't test reviewer certificates,
> but it does test the public ones.
> 
> To enable installing from https://marketplace-dev.allizom.org you need to:
> 1) Set dom.mozApps.use_reviewer_certs to true
> 2) Add the domain to dom.mozApps.signed_apps_installable_from
> 
> In production, you don't need step 2.

just to be clear: I can install from public pages on -dev; I can install from public and reviewer pages on production; I can't install from reviewer pages on -dev.  (I've not tested stage)
(Assignee)

Comment 12

4 years ago
OK, so the certificate in our tree and the certificate you pointed to on GitHub are the same, but they're both wrong.
Their issuer is "MarketplaceTest2 Corporation"; the issuer of the certificate used to sign unreviewed apps on marketplace-dev is "ExampllaReviewer Corporation".
hmm.  I wonder who is using the 'correct' certificates.  Jason might know.
All environment public root certificates for app signing should be on GitHub: https://github.com/mozilla/marketplace-certs/. I believe we used 'Examplla*' CommonName and 'MarketplaceTest*' Issuer to differentiate the dev certs from prod. Bug 793876 for the script we used for creation of -dev certs.

If we are having issues with -dev reviewer app signing certs due to the Issuer and CommonName I believe we can just recreate the certs with the correct Issuer and CommonName (please provide) and resign dev apps as needed.
Flags: needinfo?(jthomas)
(Assignee)

Comment 15

4 years ago
I think there's no need to resign all the apps, we just need the cert you're actually using (it isn't the cert on github).
So, once you've decided what you want to use, just attach the public certificate here and I'll test it and land it in mozilla-central.
I don't know the technical background around what certs were used and why, but wouldn't it be easier to swap out the certificate used on Marketplace-dev (and resign all the apps) than replace the one bundled in gecko?
(Assignee)

Comment 17

4 years ago
(In reply to Andrew Williamson [:eviljeff] from comment #16)
> I don't know the technical background around what certs were used and why,
> but wouldn't it be easier to swap out the certificate used on
> Marketplace-dev (and resign all the apps) than replace the one bundled in
> gecko?

Replacing is pretty easy (we just need to overwrite the old file), but it will only work for versions >= Nightly. Resigning all the apps means supporting all Firefox versions.
(In reply to Marco Castelluccio [:marco] from comment #17)
> (In reply to Andrew Williamson [:eviljeff] from comment #16)
> > I don't know the technical background around what certs were used and why,
> > but wouldn't it be easier to swap out the certificate used on
> > Marketplace-dev (and resign all the apps) than replace the one bundled in
> > gecko?
> 
> Replacing is pretty easy (we just need to overwrite the old file), but it
> will only work for versions >= Nightly. Resigning all the apps means
> supporting all Firefox versions.

I'd go for replacing and resigning on Marketplace then.
(Assignee)

Updated

4 years ago
See Also: → bug 1042006
(Assignee)

Comment 19

4 years ago
(In reply to Andrew Williamson [:eviljeff] from comment #18)
> (In reply to Marco Castelluccio [:marco] from comment #17)
> > (In reply to Andrew Williamson [:eviljeff] from comment #16)
> > > I don't know the technical background around what certs were used and why,
> > > but wouldn't it be easier to swap out the certificate used on
> > > Marketplace-dev (and resign all the apps) than replace the one bundled in
> > > gecko?
> > 
> > Replacing is pretty easy (we just need to overwrite the old file), but it
> > will only work for versions >= Nightly. Resigning all the apps means
> > supporting all Firefox versions.
> 
> I'd go for replacing and resigning on Marketplace then.

OK, I filed bug 1042006 to do so.

So this bug is just about adding the certificates for the staging server and adding the staging server domain to the admitted origins.
On GitHub there's only https://github.com/mozilla/marketplace-certs/blob/master/marketplace-stage-public-root.der and not the reviewer one. Who could provide it?
What is the domain of the staging server?
(Assignee)

Updated

4 years ago
Summary: ensure that we have the right dev, staging, and production certs for marketplace checked in to the tree → Allow apps to be installed from the Marketplace staging server
(In reply to Marco Castelluccio [:marco] from comment #19)
> (In reply to Andrew Williamson [:eviljeff] from comment #18)
> > (In reply to Marco Castelluccio [:marco] from comment #17)
> > > (In reply to Andrew Williamson [:eviljeff] from comment #16)
> > > > I don't know the technical background around what certs were used and why,
> > > > but wouldn't it be easier to swap out the certificate used on
> > > > Marketplace-dev (and resign all the apps) than replace the one bundled in
> > > > gecko?
> > > 
> > > Replacing is pretty easy (we just need to overwrite the old file), but it
> > > will only work for versions >= Nightly. Resigning all the apps means
> > > supporting all Firefox versions.
> > 
> > I'd go for replacing and resigning on Marketplace then.
> 
> OK, I filed bug 1042006 to do so.
> 
> So this bug is just about adding the certificates for the staging server and
> adding the staging server domain to the admitted origins.
> On GitHub there's only
> https://github.com/mozilla/marketplace-certs/blob/master/marketplace-stage-
> public-root.der and not the reviewer one. Who could provide it?

Jason?

> What is the domain of the staging server?

stage: marketplace.allizom.org
Flags: needinfo?(jthomas)
https://github.com/mozilla/marketplace-certs/blob/master/marketplace-stage-public-root.der is for both app and reviewer signing.
Flags: needinfo?(jthomas)
(Assignee)

Comment 22

4 years ago
Created attachment 8460353
Patch
Attachment #8460353 - Flags: review?(fabrice)
Comment on attachment 8460353
Patch

Review of attachment 8460353:
-----------------------------------------------------------------

r=me with nit fixed.

::: security/manager/ssl/public/nsIX509CertDB.idl
@@ +299,5 @@
>    const AppTrustedRoot AppMarketplaceProdReviewersRoot = 2;
>    const AppTrustedRoot AppMarketplaceDevPublicRoot = 3;
>    const AppTrustedRoot AppMarketplaceDevReviewersRoot = 4;
> +  const AppTrustedRoot AppMarketplaceStageRoot = 5;
> +  const AppTrustedRoot AppXPCShellRoot = 6;
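
Review bot: on the two added lines, AppXPCShellRoot is given the value 6 so that AppMarketplaceStageRoot can take 5; if AppXPCShellRoot was 5 before this change, any caller or test that passes the number instead of the constant name will select the stage root after the patch, so either append the new constant after AppXPCShellRoot with the next free value or confirm that every use goes through the name. Dev and prod each have separate Public and Reviewers roots in this list while stage gets a single root, so a one-line comment saying that the stage root covers both app and reviewer signing would keep the asymmetry from reading as an omission.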

please change the UUID of the interface.
Attachment #8460353 - Flags: review?(fabrice) → review+
https://hg.mozilla.org/mozilla-central/rev/8439b6d7bd2a
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Krupa, is this something you might want to (and be set up to) test? Thanks!
QA Whiteboard: [qa+]
Flags: needinfo?(krupa.mozbugs)

Comment 27

4 years ago
On 34.0a1, packaged app installs still fail on stage.

build identifier: 20140804040204
git commit info: 2014-08-01 5fd14b8b

8-04 19:46:55.852 E/GeckoConsole( 1108): Content JS LOG at https://marketplace.allizom.org/iframe-install.html/:129 in installPackage/installRequest.onsuccess: [iframe-install] App install request for Stage
08-04 19:46:55.862 E/GeckoConsole(  305): Content JS LOG at app://system.gaiamobile.org/js/app_usage_metrics.js:92 in debug: [AppUsage] https://marketplace.allizom.org/app/e6a59937-29e4-456a-b636-b69afa8693b4/manifest.webapp installed
08-04 19:46:56.012 I/Gecko   (  305): RemoteOpenFileParent: file '/data/local/webapps/{b9b415b9-3bd2-4f7f-a213-6696374117e4}/application.zip' was not found!
08-04 19:46:56.012 I/Gecko   ( 1070): IPDL protocol error: [PRemoteOpenFileChild] Received an invalid file descriptor!
08-04 19:46:56.062 E/GeckoConsole( 1070): Content JS ERROR at app://verticalhome.gaiamobile.org/gaia_build_defer_index.js:397 in GridItem.prototype.doRenderIcon/<: Error fetching icon Error: Error while HTTP GET: 
08-04 19:46:56.312 I/GeckoDump(  305): XXX FIXME : Got a mozContentEvent: inputmethod-update-layouts
08-04 19:46:57.182 E/GeckoConsole(  305): Content JS INFO at app://system.gaiamobile.org/js/app_install_manager.js:356 in ai_handleDownloadError: downloadError event, error code is INVALID_SIGNATURE
08-04 19:46:57.272 E/GeckoConsole( 1108): Content JS LOG at https://marketplace.allizom.org/iframe-install.html/:145 in installPackage/installRequest.onsuccess/installRequest.result.ondownloaderror: [iframe-install] App download error: INVALID_SIGNATURE
08-04 19:46:57.272 E/GeckoConsole( 1108): Content JS LOG at https://marketplace-stage.cdn.mozilla.net/media/fireplace/js/include.js?b=1406925514345:6 in s/<: [installer] Received message from iframe installer (install-package)
08-04 19:46:57.272 E/GeckoConsole( 1108): Content JS LOG at https://marketplace-stage.cdn.mozilla.net/media/fireplace/js/include.js?b=1406925514345:6 in s/<: [installer] iframe install failed: INVALID_SIGNATURE
Status: RESOLVED → REOPENED
Flags: needinfo?(krupa.mozbugs)
Resolution: FIXED → ---
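
One way to triage logs like the one in comment 27, as an added example that is not part of the original bug or of Mozilla's code: it parses logcat lines, keeps the GeckoConsole entries that end in an install error code, and counts them per reporting origin. The sample lines are constructed by shortening the log quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: logcat lines shortened from the log quoted in this bug.
SAMPLE = """\
8-04 19:46:55.852 E/GeckoConsole( 1108): Content JS LOG at https://marketplace.allizom.org/iframe-install.html/:129 in installPackage/installRequest.onsuccess: [iframe-install] App install request for Stage
08-04 19:46:56.012 I/Gecko   (  305): RemoteOpenFileParent: file '/data/local/webapps/x/application.zip' was not found!
08-04 19:46:57.182 E/GeckoConsole(  305): Content JS INFO at app://system.gaiamobile.org/js/app_install_manager.js:356 in ai_handleDownloadError: downloadError event, error code is INVALID_SIGNATURE
08-04 19:46:57.272 E/GeckoConsole( 1108): Content JS LOG at https://marketplace.allizom.org/iframe-install.html/:145 in installPackage/installRequest.onsuccess/installRequest.result.ondownloaderror: [iframe-install] App download error: INVALID_SIGNATURE
08-04 19:46:57.272 E/GeckoConsole( 1108): Content JS LOG at https://marketplace-stage.cdn.mozilla.net/media/fireplace/js/include.js?b=1406925514345:6 in s/<: [installer] iframe install failed: INVALID_SIGNATURE
"""

# "MM-DD HH:MM:SS.mmm L/Tag( PID): message"; the month may have lost its leading zero.
LINE = re.compile(r"^(?P<ts>\d{1,2}-\d{2} [\d:.]+) [VDIWEF]/(?P<tag>[^\s(]+)"
                  r"\s*\(\s*(?P<pid>\d+)\): (?P<msg>.*)$")
# Script location that Gecko prefixes to console messages.
SOURCE = re.compile(r"Content JS \w+ at (?P<url>\S+?):(?P<line>\d+) in ")
# An upper-case error code at the end of the message, e.g. INVALID_SIGNATURE.
CODE = re.compile(r"(?:error code is|error:|failed:)\s+(?P<code>[A-Z][A-Z_]+)\s*$")


def install_failures(log_text):
    """Return one dict per GeckoConsole line that reports an install error code."""
    found = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["tag"] != "GeckoConsole":
            continue  # other tags (e.g. Gecko IPC noise) are not install results
        src, code = SOURCE.search(m["msg"]), CODE.search(m["msg"])
        if not (src and code):
            continue  # console line without a script location or error code
        url = urlsplit(src["url"])
        found.append({"ts": m["ts"], "pid": int(m["pid"]),
                      "origin": f"{url.scheme}://{url.netloc}",
                      "line": int(src["line"]), "code": code["code"]})
    return found


def summarize(failures):
    """Count error codes per reporting origin to see where verification fails."""
    return Counter((f["origin"], f["code"]) for f in failures)


if __name__ == "__main__":
    for (origin, code), n in summarize(install_failures(SAMPLE)).items():
        print(f"{n} x {code} reported by {origin}")
```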
(Assignee)

Comment 28

4 years ago
Mmmh, we have a test using three apps downloaded from marketplace.allizom.org: http://mxr.mozilla.org/mozilla-central/source/dom/apps/tests/test_marketplace_pkg_install.html?force=1

Comment 29

4 years ago
(In reply to Marco Castelluccio [:marco] from comment #28)
> Mmmh, we have a test using three apps downloaded from
> marketplace.allizom.org:
> http://mxr.mozilla.org/mozilla-central/source/dom/apps/tests/
> test_marketplace_pkg_install.html?force=1

hrm, that's odd. I tried installing the same packaged apps after manually installing certs and the installs worked. I can try again tomorrow  with a fresh build.

Comment 30

4 years ago
I tried to install a hosted and a packaged app on my Android phone, and got the following error "App install error: 0-" http://screencast.com/t/sakLbNJDK and the apps were not installed, and tried on Android tablet, the apps were installed, but I got the following error "INVALID_SIGNATURE". Both devices have Android 4.2.1. 

I have also modified the browser.webapps.apkFactoryUrl to https://apk-controller.stage.mozaws.net/application.apk in about:config, and I have installed the latest Nightly. 

Is this the same issue or should I file a new bug?

Comment 31

4 years ago
I investigated the same scenario as in the comment above on my Android device (Galaxy S3, Android 4.3) and I was able to install both hosted and packaged apps, but I received the same error as Iulian (INVALID_SIGNATURE) only for packaged apps.
(In reply to Iulian Timis from comment #30)
> I tried to install a hosted and a packaged app on my Android phone, and got
> the following error "App install error: 0-"
> http://screencast.com/t/sakLbNJDK and the apps were not installed, and tried
> on Android tablet, the apps were installed, but I got the following error
> "INVALID_SIGNATURE". Both devices have Android 4.2.1. 
> 
> I have also modified the browser.webapps.apkFactoryUrl to
> https://apk-controller.stage.mozaws.net/application.apk in about:config, and
> I have installed the latest Nightly. 
> 
> Is this the same issue or should I file a new bug?

Austin, do you think this is the same issue or not?
Flags: needinfo?(ozten.bugs)

Comment 33

4 years ago
I am receiving the INVALID_SIGNATURE error on Flame (FFOS 2.1) for packaged apps and the apps are NOT installed.
(Assignee)

Comment 34

4 years ago
Are you sure you're both setting "dom.mozApps.use_reviewers_certs" to true and adding https://marketplace.allizom.org/ to the list in the "dom.mozApps.signed_apps_installable_from" pref?

Comment 35

4 years ago
(In reply to Marco Castelluccio [:marco] from comment #34)
> Are you sure you're both setting "dom.mozApps.use_reviewers_certs" to true
> and adding https://marketplace.allizom.org/ to the list in the
> "dom.mozApps.signed_apps_installable_from" pref?

Yes, I have done the above settings but I'm still getting the same behavior described in comment 30
(Assignee)

Comment 36

4 years ago
Krupa, can you test again?
Flags: needinfo?(krupa.mozbugs)

Comment 37

4 years ago
platform version:30.0 (20140820000202) 4f92950e

08-20 12:51:45.269 E/GeckoConsole(  135): Content JS INFO at app://system.gaiamobile.org/js/app_install_manager.js:355 in ai_handleDownloadError: downloadError event, error code is INVALID_SIGNATURE
08-20 12:51:45.389 E/GeckoConsole(  533): Content JS LOG at https://marketplace.allizom.org/iframe-install.html/:153 in installPackage/installRequest.onsuccess/installRequest.result.ondownloaderror: [iframe-install] App download error: INVALID_SIGNATURE
08-20 12:51:45.389 E/GeckoConsole(  533): Content JS LOG at app://packaged.marketplace.allizom.org/media/js/include.js:6 in s/<: [installer] Received message from iframe installer (install-package)
08-20 12:51:45.399 E/GeckoConsole(  533): Content JS LOG at app://packaged.marketplace.allizom.org/media/js/include.js:6 in s/<: [installer] Received message from iframe installer (install-package)
08-20 12:51:45.399 E/GeckoConsole(  533): Content JS LOG at app://packaged.marketplace.allizom.org/media/js/include.js:6 in s/<: [installer] iframe install failed: INVALID_SIGNATURE
08-20 12:51:45.399 E/GeckoConsole(  533): Content JS LOG at app://packaged.marketplace.allizom.org/media/js/include.js:6 in s/<: [buttons] App install deferred was rejected for  Whatsap Firefox OS Info
08-20 12:51:45.399 E/GeckoConsole(  533): Content JS LOG at app://packaged.marketplace.allizom.org/media/js/include.js:6 in s/<: [buttons] Unsuccessful install for Whatsap Firefox OS Info

iulian, can you try as well?
Flags: needinfo?(krupa.mozbugs) → needinfo?(iulian.timis)

Comment 38

4 years ago
I was able to install and launch a packaged app with no issues on my Android 4.2.1 device on FF34.
Flags: needinfo?(iulian.timis)

Comment 39

4 years ago
(In reply to Iulian Timis from comment #38)
> I was able to install and launch a packaged app with no issues on my Android
> 4.2.1 device on FF34.

Iulian, can you try the same on firefoxOS, please?
Flags: needinfo?(iulian.timis)

Comment 40

4 years ago
I was also able to install a packaged app on FF OS 1.3 (Inari) with no issues.
Flags: needinfo?(iulian.timis)
(Assignee)

Comment 41

4 years ago
I think it's worth opening a new bug for the issue krupa is seeing.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 42

4 years ago
Krupa, I can no longer reproduce this issue, could you please test again in your environment? Thank you!
Flags: needinfo?(krupa.mozbugs)

Updated

3 years ago
Flags: needinfo?(krupa.mozbugs)