Closed Bug 1213919 Opened 4 years ago Closed 4 years ago
Need to use a 'permitted-list' for handling certificates when opening signed packages for reviewers
In https://mxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3726, the reviewer certs are associated with the root "/reviewers/" which is true for webapps, but not for add-ons (those are using /content/addon/review/). Fabrice suggested a permitted list instead of additional hard-coding. This is currently blocking reviewer approval of submitted add-ons for 2.5.
David, can you test this patch locally to verify?
Assignee: nobody → fabrice
Attachment #8672775 - Flags: review?(ferjmoreno)
(In reply to [:fabrice] Fabrice Desré from comment #1) > Created attachment 8672775 [details] [diff] [review] > reviewer-cert-paths.patch It needs to apply to production as well as a dev - the patch is only changing dev.
Comment on attachment 8672775 [details] [diff] [review] reviewer-cert-paths.patch Review of attachment 8672775 [details] [diff] [review]: ----------------------------------------------------------------- LGTM
Attachment #8672775 - Flags: review?(ferjmoreno) → review+
can you fix this to apply to production marketplace too?
Bustage follow up: https://hg.mozilla.org/integration/b2g-inbound/rev/2bd66074e01a (In reply to Andrew Williamson [:eviljeff] from comment #5) > can you fix this to apply to production marketplace too? I did in the followup.
Reopening based on https://bugzilla.mozilla.org/show_bug.cgi?id=1213860#c6
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Pasting here from bug 1213860 to save you a crosslink) https://marketplace.firefox.com/extension/1ee2f3ed13e842fab67afed75492333b/manifest.json is 404 because it's the public mini-manifest URL. The reviewer mini-manifest URL is different, it's per version and the prefix is /extension/reviewers/. I'm not sure what's causing your issue, but in any case the whitelist to pick reviewer certs in Gecko seems wrong to me: https://dxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#1068 https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3746 Instead of whitelisting "/reviewers/,/content/addon/review/" it should whitelist "/reviewers/,/extension/reviewers/", since it's the manifest that needs to be whitelisted, not the install origin.
Priority: P2 → P1
Status: REOPENED → RESOLVED
Closed: 4 years ago → 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.