Closed Bug 1190289 Opened 9 years ago Closed 6 years ago

Enable mar signing for all platforms and remove app.update.certs.* preferences

Categories

(Instantbird Graveyard :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: Fallen, Unassigned)

Details

Not sure you have a bug filed for this, I only saw them for Thunderbird and Seamonkey.

+++ This bug was initially created as a clone of Bug #1189843 +++

The custom cert check used by app update will be removed during the 43 cycle. Instead, mar signing should be used since it provides much better security. This is already implemented on Firefox.

Configs For Firefox mar signing for reference
http://mxr.mozilla.org/mozilla-central/source/browser/confvars.sh#26

http://mxr.mozilla.org/mozilla-central/search?string=ac_add_options%20--enable-verify-mar

Bug 1182352 will remove the custom cert check code from app update. If this is not completed before the code is removed then Thunderbird will not have the security mitigation provided by the cert check.

If this bug is fixed before bug 1182352 then you should set the following prefs to false. If this is done afterwards then these prefs can be removed.
app.update.cert.checkAttributes
app.update.cert.requireBuiltIn

I'm not sure what this means for us. I don't think we are signing mar files at the moment. Is this now becoming required?

afaict yes. Since "the custom cert check" is being removed, you will likely run into the same situation as Thunderbird would if we don't patch it. In the worst case, this could mean that an attacker could hijack the .mar file and update users to a rogue version of Instantbird. The patch itself is fairly simple, see bug 1189843 for a WiP version for Thunderbird.

On behalf of Florian:
Closing bugs related to the Instantbird UI as WONTFIX, as the development of the standalone chat client Instantbird has stopped. Instantbird users are encouraged to migrate to Thunderbird. The user interface of instant messaging in Thunderbird will feel familiar, as the Thunderbird IM support started as a fork of Instantbird.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
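
An added example, not part of the bug thread or of Mozilla's code: a Python check that applies the ordering described in the first comment (MAR verification versus the `app.update.cert.*` prefs, before and after the cert check code is removed) to a tree's build files and prefs. The `MOZ_VERIFY_MAR_SIGNATURE` variable name for confvars.sh, the status strings, the `cert_check_code_present` flag and the sample inputs are assumptions made for illustration.

```python
import re

# Pref names quoted in the bug; the confvars.sh variable name is an assumption.
CERT_PREFS = ("app.update.cert.checkAttributes", "app.update.cert.requireBuiltIn")

# Constructed sample inputs, not copied from any real source tree.
SAMPLE_CONFVARS = "MOZ_APP_NAME=instantbird\n# MOZ_VERIFY_MAR_SIGNATURE=1\n"
SAMPLE_MOZCONFIG = "ac_add_options --enable-application=im\n"
SAMPLE_PREFS = (
    'pref("app.update.cert.checkAttributes", true);\n'
    'pref("app.update.cert.requireBuiltIn", true);\n'
)


def mar_verification_enabled(confvars, mozconfig):
    """True if either build file switches on MAR signature verification."""
    in_confvars = re.search(r"^\s*MOZ_VERIFY_MAR_SIGNATURE=1\s*$", confvars, re.M)
    in_mozconfig = re.search(
        r"^\s*ac_add_options\s+--enable-verify-mar\s*$", mozconfig, re.M)
    return bool(in_confvars or in_mozconfig)


def cert_prefs(prefs_js):
    """Map each cert pref to True, False, or None when it is not defined."""
    found = dict.fromkeys(CERT_PREFS)
    pattern = r'^\s*pref\("([^"]+)",\s*(true|false)\s*\);'
    for name, value in re.findall(pattern, prefs_js, re.M):
        if name in found:
            found[name] = value == "true"
    return found


def audit(confvars, mozconfig, prefs_js, cert_check_code_present):
    """Return (status, prefs needing a change) for one application tree."""
    signed = mar_verification_enabled(confvars, mozconfig)
    prefs = cert_prefs(prefs_js)
    if not signed:
        # Without MAR verification, the cert check (while its code still
        # exists) is the only update mitigation the bug names.
        return ("cert-check-only" if cert_check_code_present else "no-mitigation", [])
    if cert_check_code_present:
        still_on = [name for name, value in prefs.items() if value]
        return ("set-prefs-false" if still_on else "ok", still_on)
    stale = [name for name, value in prefs.items() if value is not None]
    return ("remove-prefs" if stale else "ok", stale)


if __name__ == "__main__":
    for present in (True, False):
        print(present, audit(SAMPLE_CONFVARS, SAMPLE_MOZCONFIG, SAMPLE_PREFS, present))
```

The constructed sample has the verification line commented out, so it reports `cert-check-only` while the cert check code exists and `no-mitigation` once it is gone.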