1374039 - Port bug 394984 to TB [Enable any admin user on OSX to update Firefox, front-end and updater changes]

Status: RESOLVED FIXED

(Thunderbird :: Installer, enhancement)

Description

[Richard Marti (:Paenglab)]

This is a bug I think we need to port.

Comment 1

[Richard Marti (:Paenglab)]

Attachment: OSXinstaller.patch

I ported all changes from browser except the ones in browser/base/content/browser.js. This, I think, are only for the update infos in their AppMenu.

Stefan, please can you check, if this patch should have all the needed changes?

Comment 2

[Stefan [:stefanh]]

Comment on attachment 8878867 [details] [diff] [review]
OSXinstaller.patch

Yes, from what I can see it ports all the relevant changes. Note that I'm not familiar with this code so I basically did the same comparison as you did.

Comment 3

[Philipp Kewisch [:Fallen] [:📆][:🧩]]

Comment on attachment 8878867 [details] [diff] [review]
OSXinstaller.patch

Review of attachment 8878867 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with this comment considered:

::: mail/app/macbuild/Contents/Info.plist.in
@@ +65,5 @@
>          <string>GeckoNSApplication</string>
> +	<key>SMPrivilegedExecutables</key>
> +	<dict>
> +		<key>org.mozilla.updater</key>
> +		<string>identifier "org.mozilla.updater" and ((anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9]) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "43AQ936H96"))</string>

Do we have the same certificate information? I suspect yes, but would be good to get confirmation on this.

Comment 4

[Richard Marti (:Paenglab)]

(In reply to Philipp Kewisch [:Fallen] from comment #3)
> Comment on attachment 8878867 [details] [diff] [review]
> OSXinstaller.patch
> 
> Review of attachment 8878867 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> r+ with this comment considered:
> 
> ::: mail/app/macbuild/Contents/Info.plist.in
> @@ +65,5 @@
> >          <string>GeckoNSApplication</string>
> > +	<key>SMPrivilegedExecutables</key>
> > +	<dict>
> > +		<key>org.mozilla.updater</key>
> > +		<string>identifier "org.mozilla.updater" and ((anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9]) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "43AQ936H96"))</string>
> 
> Do we have the same certificate information? I suspect yes, but would be
> good to get confirmation on this.

Stephen, please can you confirm this is true? I know too less of this things.

Comment 5

[Stephen A Pohl [:spohl]]

I don't know who's responsible for signing TB binaries and could verify this. Ben, do you know?

Comment 6

[bhearsum@mozilla.com (:bhearsum)]

(In reply to Stephen A Pohl [:spohl] from comment #5)
> I don't know who's responsible for signing TB binaries and could verify
> this. Ben, do you know?

Based on what I see in build logs (https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-release-l10n/release-mozilla-release_firefox_macosx64_l10n_repack-bm82-build1-build178.txt.gz and https://archive.mozilla.org/pub/thunderbird/candidates/52.2.1-candidates/build1/logs/release-comm-esr52-macosx64_build-bm84-build1-build7.txt.gz), it appears they are signed with the same certificate.

Comment 7

[Richard Marti (:Paenglab)]

Ben and Stephen, thank you for looking into this.

So I think, we are safe to land it as it is.

Comment 8

[Pulsebot]

Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/cc50be271afa
Port bug 394984 to TB [Enable any admin user on OSX to update Firefox, front-end and updater changes]. r=philipp