Open Bug 1341397 Opened 3 years ago Updated 10 months ago

Distribute binary transparency information with releases

Categories

(Firefox :: Security, defect, P3)

defect

Tracking

()

People

(Reporter: rbarnes, Unassigned)

References

(Blocks 1 open bug)

Details

For each release, need to provide:

* Certificate including a Merkle tree head for the release
* Proof that the certificate has been publicly logged (Inclusion proof / SCT)

For each file in the release, need to provide:

* Inclusion proof to the Merkle tree head
Priority: -- → P3
Is the intention that these things need to be in the releases directory, like https://archive.mozilla.org/pub/firefox/releases/59.0.1/ ? The inclusion proofs are present in SHA256SUMMARY.
I think it would be great if we could include the x509 cert (the full chain, just one file). That would be really convenient.

But the rest, no we don't need to put those in the release directory. I think the intent for this bug was to document what we needed to include in the update.xml file.
You need to log in before you can comment on or make changes to this bug.