Closed Bug 1168577 Opened 9 years ago Closed 5 years ago

Create a new hotfix signing certificate for Android that chains to the AMO root.

Categories

(Firefox for Android Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mossop, Unassigned)

When add-on signing is turned on there will need to be a new hotfix certificate that meets the signing requirements. So we need to create a cert, keep it somewhere and add its fingerprint to the prefs. Bug 1155762 and bug 1151537 did this for Firefox.
What do we need to do here? Do we just need to add a fingerprint pref in mobile.js similar to what was done in bug 1151537?
Flags: needinfo?(dtownsend)
(In reply to :Margaret Leibovic from comment #1)
> What do we need to do here? Do we just need to add a fingerprint pref in
> mobile.js similar to what was done in bug 1151537?

If you have the certificate already (or if the plan is to use the same certificate as Firefox) then yes.
Flags: needinfo?(dtownsend)
(In reply to Dave Townsend [:mossop] from comment #2)
> (In reply to :Margaret Leibovic from comment #1)
> > What do we need to do here? Do we just need to add a fingerprint pref in
> > mobile.js similar to what was done in bug 1151537?
> 
> If you have the certificate already (or if the plan is to use the same
> certificate as Firefox) then yes.

Andy, can Android use the same certificate as desktop here? If so, I can write a simple patch to update mobile.js.

I don't think we've ever shipped a hotfix add-on on Android, so I'm worried this is not well tested, but we might as well try to maintain the same level of support.
Flags: needinfo?(amckay)
(In reply to :Margaret Leibovic from comment #3)
> (In reply to Dave Townsend [:mossop] from comment #2)
> > (In reply to :Margaret Leibovic from comment #1)
> > > What do we need to do here? Do we just need to add a fingerprint pref in
> > > mobile.js similar to what was done in bug 1151537?
> > 
> > If you have the certificate already (or if the plan is to use the same
> > certificate as Firefox) then yes.
> 
> Andy, can Android use the same certificate as desktop here? If so, I can
> write a simple patch to update mobile.js.
> 
> I don't think we've ever shipped a hotfix add-on on Android, so I'm worried
> this is not well tested, but we might as well try to maintain the same level
> of support.

I would presume so, but there's probably a reason Mossop filed it so just checking with him.
Flags: needinfo?(amckay) → needinfo?(dtownsend)
I assume that using different certificates means we don't have to update both apps in the event we need to revoke, but I'm going to defer to Dan as someone who knows more than me about such things.
Flags: needinfo?(dtownsend) → needinfo?(dveditz)
It's probably simpler to use the same certificate for both -- there may even be future hotfixes where we could release a single one for both applications (pref changes to disable some platform feature?) but only if there's a single certificate. Why would we have to revoke? If someone can get our key out of HSM, or get into our build subnet to issue "sign me" commands they could compromise both certs anyway--or at least we'd have to assume they did even if we didn't have proof. I don't think two certs buys us much benefit.

Unless the Android hotfix already has a separate ID -- then they need a separate certificate anyway. ... and of course it does:
https://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js#67
https://mxr.mozilla.org/mozilla-central/source/mobile/android/app/mobile.js#211

You need to either
* rename the Android hotfix, or
* get a separate Android cert

I don't think either way is meaningfully more secure so do whichever fits our other needs better.

Probably should ask RelEng which works better for them. Lawrence?
Flags: needinfo?(dveditz) → needinfo?(lmandel)
Chris - Can you answer Dan's question ^ above?
Flags: needinfo?(lmandel) → needinfo?(catlee)
My understanding is that we want to use the new addon signing infrastructure for signing the hotfix addons as well? If that's the case, then RelEng will have no direct involvement with the hotfix signing, so I don't have a preference which option you choose.

If we're going to continue to use the RelEng signing infra for signing hotfixes, then it's simpler if we can use the same cert for both Firefox and Android.
Flags: needinfo?(catlee)

Closing this since the hotfix add-on was discontinued, and there are other conversations going on for how to quickly patch up Firefox.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Product: Firefox for Android → Firefox for Android Graveyard