Closed Bug 1213919 Opened 4 years ago Closed 4 years ago

Need to use a 'permitted-list' for handling certificates when opening signed packages for reviewers

Categories

(Core Graveyard :: DOM: Apps, defect, P1)

Tracking

(blocking-b2g:2.5+, firefox44 fixed)

RESOLVED FIXED
mozilla44
blocking-b2g 2.5+
Tracking Status
firefox44 --- fixed

People

(Reporter: ddurst, Assigned: fabrice)

Attachments

(1 file)

In https://mxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3726, the reviewer certs are associated with the root "/reviewers/" which is true for webapps, but not for add-ons (those are using /content/addon/review/).

Fabrice suggested a permitted list instead of additional hard-coding.

This is currently blocking reviewer approval of submitted add-ons for 2.5.
David, can you test this patch locally to verify?
Assignee: nobody → fabrice
Attachment #8672775 - Flags: review?(ferjmoreno)
(In reply to [:fabrice] Fabrice Desré from comment #1)
> Created attachment 8672775 [details] [diff] [review]
> reviewer-cert-paths.patch

It needs to apply to production as well as dev - the patch is only changing dev.
Comment on attachment 8672775 [details] [diff] [review]
reviewer-cert-paths.patch

Review of attachment 8672775 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM
Attachment #8672775 - Flags: review?(ferjmoreno) → review+
can you fix this to apply to production marketplace too?
Flags: needinfo?(fabrice)
Bustage follow up:

https://hg.mozilla.org/integration/b2g-inbound/rev/2bd66074e01a

(In reply to Andrew Williamson [:eviljeff] from comment #5)
> can you fix this to apply to production marketplace too?

I did in the followup.
Flags: needinfo?(fabrice)
https://hg.mozilla.org/mozilla-central/rev/c80eaf2d0f22
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Reopening based on https://bugzilla.mozilla.org/show_bug.cgi?id=1213860#c6
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
blocking-b2g: --- → 2.5+
(Pasting here from bug 1213860 to save you a crosslink)

https://marketplace.firefox.com/extension/1ee2f3ed13e842fab67afed75492333b/manifest.json is 404 because it's the public mini-manifest URL. The reviewer mini-manifest URL is different, it's per version and the prefix is /extension/reviewers/. 

I'm not sure what's causing your issue, but in any case the whitelist to pick reviewer certs in Gecko seems wrong to me:
https://dxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#1068
https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3746

Instead of whitelisting "/reviewers/,/content/addon/review/" it should whitelist "/reviewers/,/extension/reviewers/", since it's the manifest that needs to be whitelisted, not the install origin.
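The check the comment above describes, as an added illustration and not Gecko's own Webapps.jsm code: the permitted prefixes are matched against the path of the manifest URL, never against the install origin. The two prefix lists are the ones quoted in this bug; the comma-separated pref format, the helper names and the manifest URLs are assumptions constructed for the example.

```javascript
// Prefix lists as quoted in this bug (old, wrong one and corrected one).
const OLD_PREFIXES_PREF = "/reviewers/,/content/addon/review/";
const NEW_PREFIXES_PREF = "/reviewers/,/extension/reviewers/";

// Assumed pref format: comma-separated path prefixes. Empty entries are
// dropped so a stray comma cannot turn into an empty prefix that matches
// every path.
function parsePrefixPref(prefValue) {
  return prefValue
    .split(",")
    .map((p) => p.trim())
    .filter((p) => p.length > 0 && p.startsWith("/"));
}

// True when the manifest URL's path starts with a permitted prefix.
// Parsing with URL first normalizes dot segments, so a path such as
// "/reviewers/../x/manifest.json" resolves to "/x/manifest.json" and
// does not match; a raw startsWith on the string would have let it through.
function isReviewerManifest(manifestUrl, prefixes) {
  let url;
  try {
    url = new URL(manifestUrl);
  } catch (e) {
    return false; // unparsable URL: treat as a normal (non-reviewer) package
  }
  if (url.protocol !== "https:") {
    return false; // reviewer certs are only selected for TLS-served manifests
  }
  return prefixes.some((prefix) => url.pathname.startsWith(prefix));
}

// Constructed sample URLs (not real marketplace paths).
const PUBLIC_MANIFEST =
  "https://marketplace.firefox.com/extension/EXAMPLEID/manifest.json";
const REVIEWER_MANIFEST =
  "https://marketplace.firefox.com/extension/reviewers/EXAMPLEID/1.0/manifest.json";
const TRAVERSAL_MANIFEST =
  "https://marketplace.firefox.com/reviewers/../extension/EXAMPLEID/manifest.json";

function demo() {
  const oldList = parsePrefixPref(OLD_PREFIXES_PREF);
  const newList = parsePrefixPref(NEW_PREFIXES_PREF);
  return {
    publicOld: isReviewerManifest(PUBLIC_MANIFEST, oldList), // false
    reviewerOld: isReviewerManifest(REVIEWER_MANIFEST, oldList), // false: the bug
    reviewerNew: isReviewerManifest(REVIEWER_MANIFEST, newList), // true
    traversalNew: isReviewerManifest(TRAVERSAL_MANIFEST, newList), // false
  };
}
```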
Priority: P2 → P1
Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard