Closed Bug 1170851 Opened 9 years ago Closed 9 years ago

Warn about add-ons detected as no longer signed during the periodic check

Categories

(Firefox for Android Graveyard :: Add-on Manager, defect)

Product:
Firefox for Android Graveyard
Component:
Add-on Manager
Version:
35 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox41 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 41
Tracking Flags:
Tracking Status
firefox41 --- fixed

People

(Reporter: Margaret, Assigned: Margaret)

References

Details

Attachments

(2 files)

MozReview Request: Bug 1170851 - Warn about add-ons detected as no longer signed. r=mfinkle,Mossop
40 bytes, text/x-review-board-request
mossop
: review+
mfinkle
: review+
Details
screenshot
182.64 KB, image/png
Details
Android version of bug 1151509.
Blocks: 1170043
No longer blocks: 1151509
Mossop, what's a good way to test this? Could I write a test that installs an unsigned add-on, then does something to change the fact that we require signed add-ons and force a check? One tricky thing with our robocop test harness is that we can't restart the browser, so this would all need to happen during a single running instance. I tried testing this manually by installing an unsigned add-on, applying a patch that requires add-on signing, and then rebuilding/reinstalling. The first time I installed my new build, nothing looked different, but then after killing it and restarting, I found the add-on was disabled. I also tried adding an "xpi-signature-changed" observer, but that never fired, so I think I just ran into the startup case that I'll need to address in bug 1170846.
Flags: needinfo?(dtownsend)
(In reply to :Margaret Leibovic from comment #1) > Mossop, what's a good way to test this? Could I write a test that installs > an unsigned add-on, then does something to change the fact that we require > signed add-ons and force a check? > > One tricky thing with our robocop test harness is that we can't restart the > browser, so this would all need to happen during a single running instance. What you want to do is turn on signing requirements then install a signed add-on. Then break the add-on in some way, add a file to its XPI or something. Then trigger the background check and you should get the notification. > I tried testing this manually by installing an unsigned add-on, applying a > patch that requires add-on signing, and then rebuilding/reinstalling. The > first time I installed my new build, nothing looked different, but then > after killing it and restarting, I found the add-on was disabled. > > I also tried adding an "xpi-signature-changed" observer, but that never > fired, so I think I just ran into the startup case that I'll need to address > in bug 1170846. Yeah that sounds likely.
Flags: needinfo?(dtownsend)
Bug 1170851 - Warn about add-ons detected as no longer signed. r=mfinkle,Mossop
Attachment #8621322 - Flags: review?(mark.finkle)
Attachment #8621322 - Flags: review?(dtownsend)
I decided to just add the startup check needed for bug 1170851 while I'm here, although I had trouble figuring out how to test that code path... To test the xpi-signature changed path, I did the following: 1) Set add-on signing required 2) Installed a signed add-on (ABP) 3) Ran this script to copy a modified version of the XPI from the sdcard to the extensions directory in the profile (and also force the signature check): https://gist.github.com/leibovic/4f30e00461304886d41b
Attached image screenshot
(antlam and I talked about this on IRC, and I got the thumbs up there)
Attachment #8621322 - Flags: review?(mark.finkle)
Comment on attachment 8621322 [details] MozReview Request: Bug 1170851 - Warn about add-ons detected as no longer signed. r=mfinkle,Mossop https://reviewboard.mozilla.org/r/10947/#review9579 ::: mobile/android/chrome/content/browser.js:6302 (Diff revision 1) > + // TODO: Open about:addons to show only unsigned add-ons? Do you want to file a bug on adding this functionality to about:addons ?
Comment on attachment 8621322 [details] MozReview Request: Bug 1170851 - Warn about add-ons detected as no longer signed. r=mfinkle,Mossop https://reviewboard.mozilla.org/r/10947/#review9581 Ship It!
Attachment #8621322 - Flags: review+
(In reply to Mark Finkle (:mfinkle) from comment #7) > Comment on attachment 8621322 [details] > MozReview Request: Bug 1170851 - Warn about add-ons detected as no longer > signed. r=mfinkle,Mossop > > https://reviewboard.mozilla.org/r/10947/#review9579 > > ::: mobile/android/chrome/content/browser.js:6302 > (Diff revision 1) > > + // TODO: Open about:addons to show only unsigned add-ons? > > Do you want to file a bug on adding this functionality to about:addons ? Yeah, I can file a bug. Right now about:addons 1) doesn't know about signed/unsigned add-ons (bug 1170841) and 2) doesn't have a way to handle URL parameters (bug 1173893).
Comment on attachment 8621322 [details] MozReview Request: Bug 1170851 - Warn about add-ons detected as no longer signed. r=mfinkle,Mossop https://reviewboard.mozilla.org/r/10947/#review9621 Ship It!
Attachment #8621322 - Flags: review?(dtownsend) → review+
https://hg.mozilla.org/mozilla-central/rev/e2566fef5f24
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox41: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 41
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: