Signing system for FHR web v.next

NEW
Unassigned

Status

Firefox Health Report
Web: Health Report
P5
normal
4 years ago
3 years ago

People

(Reporter: Benjamin Smedberg, Unassigned)

Tracking

(Blocks: 1 bug)

31 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [measurement:client])

(Reporter)

Description

4 years ago
This bug tracks implement a deployment system to securely sign .jar files for FHR v.next with a Mozilla private key.

FHR web v.next is going to be secured by deploying as signed JAR files. Because the FHR website will be given extra privileges to read private data and take actions within Firefox, we want to verify this content with more security than simply a certificate pin. As a result these JARs will need to be signed by a Mozilla key using existing JAR signing tools.

After they are signed, the files will be deployed to the CDN as with to today's FHR.

We should treat the signing key system with at least the same level of security that we treat Firefox installer and update signing keys.
Priority: -- → P5
Whiteboard: [measurement:client]
You need to log in before you can comment on or make changes to this bug.