Closed
Bug 1225629
Opened 9 years ago
Closed 9 years ago
Always verify signatures for hotfixes and system add-on updates
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
RESOLVED
FIXED
mozilla45
People
(Reporter: mossop, Assigned: mossop)
References
Details
Attachments
(1 file)
|
40 bytes,
text/x-review-board-request
|
rhelmer
:
review+
lizzard
:
approval-mozilla-aurora+
lizzard
:
approval-mozilla-beta+
|
Details |
When signature verification is completely bypassed for regular add-ons (as in Thunderbird) we should still be verifying signatures for Mozilla shipped app updates like hotfixes and system add-ons.
|
Assignee | |
Comment 1•9 years ago
|
||
Bug 1225629: Always verify signatures for hotfixes and system add-on updates. r?rhelmer
Attachment #8688656 -
Flags: review?(rhelmer)
|
||
Updated•9 years ago
|
Attachment #8688656 -
Flags: review?(rhelmer) → review+
|
|
||
Comment 2•9 years ago
|
||
Comment on attachment 8688656 [details]
MozReview Request: Bug 1225629: Always verify signatures for hotfixes and system add-on updates. r?rhelmer
https://reviewboard.mozilla.org/r/25371/#review22959
|
||
Comment 4•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
|
||
Updated•9 years ago
|
status-firefox43:
--- → affected
status-firefox44:
--- → affected
|
|
||
Comment 5•9 years ago
|
||
Comment on attachment 8688656 [details]
MozReview Request: Bug 1225629: Always verify signatures for hotfixes and system add-on updates. r?rhelmer
Approval Request Comment
[User impact if declined]: dev edition can't be hotfixed, and verification issues with system add-ons when add-on signing isn't enabled
[Describe test coverage new/current, TreeHerder]: thunderbird (where add-on signing is disabled atm) tests became green after the fix.
[Risks and why]:
[String/UUID change made/needed]: none
Attachment #8688656 -
Flags: approval-mozilla-beta?
Attachment #8688656 -
Flags: approval-mozilla-aurora?
|
||
Comment 6•9 years ago
|
||
Comment on attachment 8688656 [details]
MozReview Request: Bug 1225629: Always verify signatures for hotfixes and system add-on updates. r?rhelmer
Adds test coverage, also, We want to be able to hotfix aurora.
Please uplift to aurora and beta.
Attachment #8688656 -
Flags: approval-mozilla-beta?
Attachment #8688656 -
Flags: approval-mozilla-beta+
Attachment #8688656 -
Flags: approval-mozilla-aurora?
Attachment #8688656 -
Flags: approval-mozilla-aurora+
|
||
Comment 7•9 years ago
|
||
| bugherder uplift | ||
I had to do some fudging in the test to uplift it to beta, but mossop says it was alright to do:
https://hg.mozilla.org/releases/mozilla-beta/rev/ca8e41ac5c2b
Less alright than I'd like, the test broke: https://treeherder.mozilla.org/logviewer.html#?job_id=654661&repo=mozilla-beta
Backed out in https://hg.mozilla.org/releases/mozilla-beta/rev/64f08f88a6ab
|
|
Assignee | |
Comment 10•9 years ago
|
||
I had to do some different fudging because bug 1212059 isn't fixed on beta so we always expect system add-ons to be signed regardless.
You need to log in
before you can comment on or make changes to this bug.
Description
•