Closed Bug 1350859 Opened 3 years ago Closed 3 years ago

March 2017 batch of root CA changes

Categories: NSS :: CA Certificates Code, task
Version: 3.30.2
Type: task
Priority: Not set
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: 3.30.2
People: Reporter: KaiE, Assigned: KaiE
References: Blocks 1 open bug
Attachments: 2 files, 1 obsolete file

April 2017 batch of root CA changes
Assignee: nobody → kaie
Summary: April 2017 batch of root CA changes → March 2017 batch of root CA changes
Kai, 

How about if we proceed with all of these except for bug #1349727?

Let's take some time to consider bug #1349727 more, and handle it separately if we still decide to go that route.

Thanks,
Kathleen
Attached patch 1350859-v1.patch (obsolete)
This patch excludes bug 1349705 and excludes bug 1349727.
Based on recent discussion in bug 1349727 and in bug 1349762, I'm removing bug 1349727 from the dependency list.
No longer blocks: 1349727
Attached patch 1350859-v2.patch
Patch v2 adds the requested addition from bug 1349705.

We should get the code constraints patch from bug 1349705 included into the same release.
Attachment #8851948 - Attachment is obsolete: true
Attachment #8852938 - Flags: review?(kwilson)
I forgot to increase the version number in file nssckbi.h, this is done in this separate patch.

Then I remembered that I should update the outdated documentation for the version numbering (bug 1342085).

I've included updated rules as comments in this header file, which should work for us.
Blocks: 1342085
Comment on attachment 8852938
1350859-v2.patch

I have reviewed the patch, and confirm that the requested root certs have been removed, and the requested root certs have been added and their trust bits set correctly.
Attachment #8852938 - Flags: review?(kwilson) → review+
I'm running macOS Sierra version 10.12.3, and I haven't been able to figure out how to test this patch.
https://it.uoregon.edu/fix-security-settings doesn't work anymore, because the "Anywhere" option is gone.
https://support.apple.com/kb/PH25088 doesn't work for me either.
Anyone know how to do this?
Here's the error I get: “Nightly.app” is damaged and can’t be opened. You should move it to the Trash.

So maybe the test build is broken?
Kathleen, I doubt that the very small recipient list from this bug has someone knowledgeable to help you. I don't use Mac.

If you suspect that only this very specific build might be broken, you can easily test if it's a general problem that applies to all builds, or just this one build.

I looked at other recent try builds, and I found one that looks to have been successfully built:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=062194d9d3bbffacd59b0cb5bc07f30b497af2ff

The download directory for that build is:
https://archive.mozilla.org/pub/firefox/try-builds/btseng@mozilla.com-062194d9d3bbffacd59b0cb5bc07f30b497af2ff/

If this also fails, please try a regular nightly build (not from try):
e.g. 
https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-28-03-02-07-mozilla-central/
or
https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-29-03-02-40-mozilla-central/

Please let me know if only the try builds are failing for you, or the latest nightly ones, too.

If it's really only the one build that I made that's failing, let me know, and I'll resubmit that build.

However, if all of the above are failing for you, then I cannot help. In that case I'd recommend that you try to reach out to experienced Mac people at Mozilla, or maybe some internal helpdesk could help you?
(In reply to Kai Engert (:kaie) from comment #10)
> Kathleen, I doubt that the very small recipient list from this bug has
> someone knowledgeable to help you. I don't use Mac.
> 
> If you suspect that only this very specific build might be broken, you can
> easily test if it's a general problem that applies to all builds, or just
> this one build.
> 
> I looked at other recent try builds, and I found one that looks to have been
> successfully built:
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=062194d9d3bbffacd59b0cb5bc07f30b497af2ff
> 
> The download directory for that build is:
> https://archive.mozilla.org/pub/firefox/try-builds/btseng@mozilla.com-062194d9d3bbffacd59b0cb5bc07f30b497af2ff/

Tried and failed.

> 
> If this also fails, please try a regular nightly build (not from try):
> e.g. 
> https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-28-03-02-07-mozilla-central/

This works.
I don't know why try builds are failing for you. My only theory is, maybe Mac nowadays requires some programs to contain some kind of digital signature, and official nightly builds contain it? But that is pure speculation. Could you reach out to Mac experts at Mozilla?
(In reply to Kai Engert (:kaie) from comment #12)
> I don't know why try builds are failing for you. My only theory is, maybe
> Mac nowadays requires some programs to contain some kind of digital
> signature, and official nightly builds contain it? But that is pure
> speculation. Could you reach out to Mac experts at Mozilla?

Will do.
If your Mac indeed restricts you from running our experimental "try" builds, then you'd probably need to find a computer that runs a different operating system.

Or possibly you could set up an empty USB stick to act as a live linux system, which you could boot with your Mac hardware. Such live linux distributions are designed to not modify the data on your computer (unless you select some install option, and of course, no guarantees given at all, that this is safe).

For example, a quick search gave me this:
http://www.makeuseof.com/tag/how-to-boot-a-linux-live-usb-stick-on-your-mac/
JC provided the solution for running try builds on Mac Sierra in Bug #1352203.
This works for me, so I'll do the testing now.
(In reply to Kai Engert (:kaie) from comment #5)
> A test build, that includes the patches from this bug and from bug 1349705,
> is running here:
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=331b1a3ecff20c883f4f5b135332cb1869243439
> 
> Once completed, test binaries should appear here:
> https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-331b1a3ecff20c883f4f5b135332cb1869243439/

Tested. Looks good.

I will ask the CAs to test.
(In reply to Kathleen Wilson from comment #16)
> (In reply to Kai Engert (:kaie) from comment #5)
> > A test build, that includes the patches from this bug and from bug 1349705,
> > is running here:
> > https://treeherder.mozilla.org/#/jobs?repo=try&revision=331b1a3ecff20c883f4f5b135332cb1869243439
> > 
> > Once completed, test binaries should appear here:
> > https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-331b1a3ecff20c883f4f5b135332cb1869243439/
> 
> Tested. Looks good.
> 
> I will ask the CAs to test.

The CAs have tested, and confirmed their correct root additions/changes.

So, this patch is ready.

(The name constraints of Kamu SM's root are being handled via Bug #1349705.)

Thanks!
Kathleen
Both patches (data and version) checked in:
  https://hg.mozilla.org/projects/nss/rev/dc97a49304791b6738f667da8b1646b26ea9e7c8
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.31
(In reply to Kathleen Wilson from comment #17)
> 
> (The name constraints of Kamu SM's root are being handled via Bug #1349705.)

Those have been checked in, too.
CA changes checked in to NSS 3.30 branch for NSS 3.30.2, because Kathleen has requested to include these fixes with Firefox 54.
https://hg.mozilla.org/projects/nss/rev/5fc62adc06b9
Depends on: 1358162
CA changes checked in to NSS 3.28 branch for NSS 3.28.5, because Kathleen has requested to include these fixes with Firefox 52.2.
https://hg.mozilla.org/projects/nss/rev/e3fec265eb55
Target Milestone: 3.31 → 3.30.2
Version: 3.31 → 3.30.2