Closed Bug 1072977 Opened 10 years ago Closed 8 years ago

New non prod environment packaged app signing certificate not working in v2.0 and v2.2

Component: Firefox OS Graveyard :: General
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked

RESOLVED WONTFIX

Reporter: jason
Assignee: Unassigned

Marketplace team uses https://github.com/mozilla/marketplace-certs/ to generate custom certificate trust databases which contain root certificates to test packaged apps from non production environments on Firefox OS devices.

We recently configured packaged app signing on a new test environment https://payments-alt.allizom.org/ however we are unable to install packaged apps from this marketplace on Firefox OS devices with v2.0 and v2.2, install error INVALID_SIGNATURE.

Our other non production environment packaged apps (marketplace-dev.allizom.org and marketplace.allizom.org) install on v2.0+ even without pushing custom certificate trust database.

Do we need to add our new test root certificate to mozilla-central/source/security/apps/ ?
See Also: → 1069045
Blocks: 1007956
I talked to Fabrice a little about this on IRC.  He said this had changed when the codebase started to use pkix and keeler would be able to give us more details.  Keeler, bsmith used to help us with certs (he wrote the instructions at the github link in comment 0).  Can you answer the following questions now that he is gone?

Can you point us to some docs or explain where the OS gets app signing certs now?

Are the instructions at that github link no longer applicable?  If not, how do we load custom certs onto the device?

There is a new option in the Developer Tools called "Use Marketplace Reviewer Certs" that seems to enable more than just reviewer certs (perhaps also dev/stage certs?).  Where do those certs live in Gaia so we can see what it enables?

Thanks!
Flags: needinfo?(dkeeler)
Blocks: 897156
No longer blocks: 1007956
(In reply to Wil Clouser [:clouserw] from comment #1)
> Can you point us to some docs or explain where the OS gets app signing certs
> now?

Unfortunately, I can't seem to find any documentation on this specifically at the moment. I can write some or do some more digging to locate it.

> Are the instructions at that github link no longer applicable?

Anything talking about 'certdb' is no longer applicable for any Firefox OS based on Firefox 31 or later. When we switched to mozilla::pkix for certificate verification, we changed the way this happens.

>  If not, how do we load custom certs onto the device?

The .crt files in security/apps/ are basically the public keys that are trusted to sign for apps. As the names suggest, they correspond to different modes of operation: production, reviewers, development, etc. If the private key is available for (for example) marketplace-dev-public.crt, it would be easiest to just use that to sign apps. If not, you could generate a new public/private key pair and drop in the public key (as a DER-encoded file - use `openssl x509 -outform der`) in place of marketplace-dev-public.crt. Then, you would have to recompile gecko and flash your device.
Since it looks like you're working on a new domain, I imagine you'll have to modify the pref "dom.mozApps.signed_apps_installable_from" to include it.
I would also have a look at this: http://hg.mozilla.org/mozilla-central/annotate/4534f97c4633/dom/apps/Webapps.jsm#l3436

> There is a new option in the Developer Tools called "Use Marketplace
> Reviewer Certs" that seems to enable more than just reviewer certs (perhaps
> also dev/stage certs?).  Where do those certs live in Gaia so we can see
> what it enables?

Those are the certificates in security/apps, I believe.

Let me know if I can further clarify anything.
Flags: needinfo?(dkeeler)
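As an added example (not from this bug or the marketplace-certs repository), the PEM-to-DER conversion that comment 2 describes via `openssl x509 -outform der`, done in stdlib Python, plus a sanity check that the output is one DER SEQUENCE spanning the whole file, which is the shape a `.crt` in security/apps/ needs; a PEM file left in place fails that check. The sample PEM wraps a constructed five-byte DER value, not a real certificate.

```python
import base64
import re

# Constructed sample: PEM armour around a tiny DER SEQUENCE { INTEGER 1 }.
# It is not a real certificate; it only exercises the conversion offline.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """What `openssl x509 -outform der` does to a PEM cert: strip the armour
    lines and base64-decode the body."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_length(data: bytes, offset: int) -> tuple:
    """Decode a DER length field at `offset`; returns (length, bytes consumed)."""
    first = data[offset]
    if first < 0x80:                      # short form
        return first, 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not DER")
    return int.from_bytes(data[offset + 1:offset + 1 + n], "big"), 1 + n


def looks_like_der_certificate(data: bytes) -> bool:
    """True if `data` is a single DER SEQUENCE whose declared length covers
    exactly the rest of the file. A PEM file starts with '-' and fails."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    try:
        length, consumed = der_length(data, 1)
    except (ValueError, IndexError):
        return False
    return 1 + consumed + length == len(data)
```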
Thanks for the info, keeler - that's very helpful.  I didn't realize stage used the same cert for public and review apps.  Weird.


Krupa/Jason - Is comment 2 enough info for you?  If payments-alt needs to work, it sounds like we'll need a mozilla-central patch.  Are there other domains that need to work?
I can work on a patch for payments-alt and attach it to this bug for review. If the other sites are working (-dev and stage) I think payments-alt is the only one we need to work on for now.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX