Closed
Bug 1350859
Opened 8 years ago
Closed 8 years ago
March 2017 batch of root CA changes
Categories
(NSS :: CA Certificates Code, task)
Tracking
(Not tracked)
RESOLVED
FIXED
3.30.2
People
(Reporter: KaiE, Assigned: KaiE)
References
Details
Attachments
(2 files, 1 obsolete file)
|
56.71 KB,
patch
|
kathleen.a.wilson
:
review+
|
Details | Diff | Splinter Review |
|
2.69 KB,
patch
|
Details | Diff | Splinter Review |
April 2017 batch of root CA changes
|
Assignee | |
Updated•8 years ago
|
|
|
Assignee | |
Updated•8 years ago
|
Summary: April 2017 batch of root CA changes → March 2017 batch of root CA changes
|
||
Comment 1•8 years ago
|
||
Kai,
How about if we proceed with all of these except for bug #1349727?
Let's take some time to consider bug #1349727 more, and handle it separately if we still decide to go that route.
Thanks,
Kathleen
|
|
Assignee | |
Comment 2•8 years ago
|
||
This patch excludes bug 1349705 and excludes bug 1349727.
|
|
Assignee | |
Comment 3•8 years ago
|
||
Based on recent discussion in bug 1349727 and in bug 1349762, I'm removing bug 1349727 from the dependency list.
No longer blocks: 1349727
|
|
Assignee | |
Comment 4•8 years ago
|
||
Patch v2 adds the requested addition from bug 1349705.
We should get the code constraints patch from bug 1349705 included into the same release.
Attachment #8851948 -
Attachment is obsolete: true
Attachment #8852938 -
Flags: review?(kwilson)
|
|
Assignee | |
Comment 5•8 years ago
|
||
A test build, that includes the patches from this bug and from bug 1349705, is running here:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=331b1a3ecff20c883f4f5b135332cb1869243439
Once completed, test binaries should appear here:
https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-331b1a3ecff20c883f4f5b135332cb1869243439/
|
|
Assignee | |
Comment 6•8 years ago
|
||
I forgot to increase the version number in file nssckbi.h, this is done in this separate patch.
Then I remembered that I should update the outdated documentation for the version numbering (bug 1342085).
I've included updated rules as comments in this header file, which should work for us.
|
|
||
Comment 7•8 years ago
|
||
Comment on attachment 8852938 [details] [diff] [review]
1350859-v2.patch
I have reviewed the patch, and confirm that the requested root certs have been removed, and the requested root certs have been added and their trust bits set correctly.
Attachment #8852938 -
Flags: review?(kwilson) → review+
|
|
||
Comment 8•8 years ago
|
||
I'm running macOS Sierra version 10.12.3, and I haven't been able to figure out how to test this patch.
https://it.uoregon.edu/fix-security-settings doesn't work anymore, because the "Anywhere" option is gone.
https://support.apple.com/kb/PH25088 doesn't work for me either.
Anyone know how to do this?
|
|
||
Comment 9•8 years ago
|
||
Here's the error I get: “Nightly.app” is damaged and can’t be opened. You should move it to the Trash.
So maybe the test build is broken?
|
|
Assignee | |
Comment 10•8 years ago
|
||
Kathleen, I doubt that the very small recipient list from this bug has someone knowledgeable to help you. I don't use Mac.
If you suspect that only this very specific build might be broken, you can easily test if it's a general problem that applies to all builds, or just this one build.
I looked at other recent try builds, and I found one that looks to have been successfully built:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=062194d9d3bbffacd59b0cb5bc07f30b497af2ff
The download directory for that build is:
https://archive.mozilla.org/pub/firefox/try-builds/btseng@mozilla.com-062194d9d3bbffacd59b0cb5bc07f30b497af2ff/
If this also fails, please try a regular nightly build (not from try):
e.g.
https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-28-03-02-07-mozilla-central/
or
https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-29-03-02-40-mozilla-central/
Please let me know if oly the try builds are failing for you, or the latest nightly ones, too.
If it's really only the one build that I made that's failing, let me know, and I'll resubmit that build.
However, if all of the above are failing for you, then I cannot help. In that case I'd recommend that you try to reach out to experienced Mac people at Mozilla, or maybe you help some internal helpdesk?
|
|
||
Comment 11•8 years ago
|
||
(In reply to Kai Engert (:kaie) from comment #10)
> Kathleen, I doubt that the very small recipient list from this bug has
> someone knowledgeable to help you. I don't use Mac.
>
> If you suspect that only this very specific build might be broken, you can
> easily test if it's a general problem that applies to all builds, or just
> this one build.
>
> I looked at other recent try builds, and I found one that looks to have been
> successfully built:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=062194d9d3bbffacd59b0cb5bc07f30b497af2ff
>
> The download directory for that build is:
> https://archive.mozilla.org/pub/firefox/try-builds/btseng@mozilla.com-
> 062194d9d3bbffacd59b0cb5bc07f30b497af2ff/
Tried and failed.
>
> If this also fails, please try a regular nightly build (not from try):
> e.g.
> https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-28-03-02-07-
> mozilla-central/
This works.
|
|
Assignee | |
Comment 12•8 years ago
|
||
I don't know why try builds are failing for you. My only theory is, maybe Mac nowadays requires some programs to contain some kind of digital signature, and official nightly builds contain it? But that is pure speculation. Could you reach out to Mac experts at Mozilla?
|
|
||
Comment 13•8 years ago
|
||
(In reply to Kai Engert (:kaie) from comment #12)
> I don't know why try builds are failing for you. My only theory is, maybe
> Mac nowadays requires some programs to contain some kind of digital
> signature, and official nightly builds contain it? But that is pure
> speculation. Could you reach out to Mac experts at Mozilla?
Will do.
|
|
Assignee | |
Comment 14•8 years ago
|
||
If your Mac indeed restricts you from running our experimental "try" builds, then you'd probably need to find a computer that runs a different operating system.
Or possibly you could setup an empty USB stick to act as a live linux system, which you could boot with you Mac hardware. Such live linux distributions are designed to not modify the data on your computer (unless you select some install option, and of course, no guarantees given at all, that this is safe).
For example, a quick search gave me this:
http://www.makeuseof.com/tag/how-to-boot-a-linux-live-usb-stick-on-your-mac/
|
|
||
Comment 15•8 years ago
|
||
JC provided the solution for running try builds on Mac Sierra in Bug #1352203.
This works for me, so I'll do the testing now.
|
|
||
Comment 16•8 years ago
|
||
(In reply to Kai Engert (:kaie) from comment #5)
> A test build, that includes the patches from this bug and from bug 1349705,
> is running here:
> https://treeherder.mozilla.org/#/
> jobs?repo=try&revision=331b1a3ecff20c883f4f5b135332cb1869243439
>
> Once completed, test binaries should appear here:
> https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-
> 331b1a3ecff20c883f4f5b135332cb1869243439/
Tested. Looks good.
I will ask the CAs to test.
|
|
||
Comment 17•8 years ago
|
||
(In reply to Kathleen Wilson from comment #16)
> (In reply to Kai Engert (:kaie) from comment #5)
> > A test build, that includes the patches from this bug and from bug 1349705,
> > is running here:
> > https://treeherder.mozilla.org/#/
> > jobs?repo=try&revision=331b1a3ecff20c883f4f5b135332cb1869243439
> >
> > Once completed, test binaries should appear here:
> > https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-
> > 331b1a3ecff20c883f4f5b135332cb1869243439/
>
> Tested. Looks good.
>
> I will ask the CAs to test.
The CAs have tested, and confirmed their correct root additions/changes.
So, this patch is ready.
(The name constraints of Kamu SM's root is being handled via Bug #1349705.)
Thanks!
Kathleen
|
|
Assignee | |
Comment 18•8 years ago
|
||
Both patches (data and version) checked in:
https://hg.mozilla.org/projects/nss/rev/dc97a49304791b6738f667da8b1646b26ea9e7c8
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.31
|
|
Assignee | |
Comment 19•8 years ago
|
||
(In reply to Kathleen Wilson from comment #17)
>
> (The name constraints of Kamu SM's root is being handled via Bug #1349705.)
Those have been checked in, too.
|
|
Assignee | |
Comment 20•8 years ago
|
||
CA changes checked in to NSS 3.30 branch for NSS 3.30.2, because Kathleen has requested to include these fixes with Firefox 54.
https://hg.mozilla.org/projects/nss/rev/5fc62adc06b9
|
|
Assignee | |
Comment 21•8 years ago
|
||
CA changes checked in to NSS 3.28 branch for NSS 3.28.5, because Kathleen has requested to include these fixes with Firefox 52.2.
https://hg.mozilla.org/projects/nss/rev/e3fec265eb55
|
|
Assignee | |
Updated•8 years ago
|
Target Milestone: 3.31 → 3.30.2
Version: 3.31 → 3.30.2
|
||
Comment 22•6 years ago
|
||
(In reply to Kai Engert (:kaie:) from comment #6)
> Created attachment 8852994 [details] [diff] [review]
> 1350859-version-v1.patch
>
> I forgot to increase the version number in file nssckbi.h, this is done in
> this separate patch.
>
> Then I remembered that I should update the outdated documentation for the
> version numbering https://oxfordtricks.com/worldfree4u-best-300mb-movie-download/(bug 1342085).
>
> I've included updated rules as comments in this header file, which should
> work for us.
You need to log in
before you can comment on or make changes to this bug.
Description
•