Closed Bug 1450985 Opened 6 years ago Closed 6 years ago

Enable signature verification for addons/gfx/plugins collections

Categories

(Toolkit :: Blocklist Policy Requests, enhancement)

57 Branch
enhancement
Not set
normal

RESOLVED FIXED
mozilla61
Tracking Status
firefox61 --- fixed

People

(Reporter: leplatrem, Assigned: leplatrem)

Attachments

(1 file)

Currently, we only verify the signature of the certificates collection during remote settings synchronization.

Since the addons/plugins/gfx are properly signed on the server side, we should enable the client side verification for them too.

Note: As we can see here: https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons the certificate is also called *onecrl* so we should use this signer too.
Assignee: nobody → mathieu
Comment on attachment 8967372 [details]
Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists

https://reviewboard.mozilla.org/r/236064/#review241816

::: services/common/blocklist-clients.js:145
(Diff revision 1)
>    OneCRLBlocklistClient.on("change", updateCertBlocklist);
>  
>    AddonBlocklistClient = RemoteSettings(Services.prefs.getCharPref(PREF_BLOCKLIST_ADDONS_COLLECTION), {
>      bucketName: Services.prefs.getCharPref(PREF_BLOCKLIST_BUCKET),
>      lastCheckTimePref: PREF_BLOCKLIST_ADDONS_CHECKED_SECONDS,
> -    signerName: "",  // disabled
> +    signerName: BLOCKLISTS_SIGNER,
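
Review bot: On the added `signerName: BLOCKLISTS_SIGNER,` line, the removed `""  // disabled` value made the verification state obvious at the call site, while the new constant is defined outside this hunk. A one-line comment saying that the addons collection is verified with the signer shared by the blocklists bucket would keep that clarity. Only `AddonBlocklistClient` is visible here, so it is also worth confirming that the gfx and plugins clients named in the commit title receive the same `signerName` change, and that a test covers a sync being rejected when the signature does not validate.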

What generates the records for the (non-OneCRL) blocklists? What tooling is used? How is access controlled?
Comment on attachment 8967372 [details]
Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists

https://reviewboard.mozilla.org/r/236064/#review241816

> What generates the records for the (non-OneCRL) blocklists? What tooling is used? How is access controlled?

It works the exact same way as OneCRL (users write into kinto-admin, review-request/approve changes, signing happens, clients poll and perform diff-based sync...)
Comment on attachment 8967372 [details]
Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists

https://reviewboard.mozilla.org/r/236064/#review242256

I have a preference to keep the security state (certificate blocklist, pinning, intermediates) signing keys separate. Given that these other use-cases are all blocklists and that there are controls (including an approval step) in place for ensuring changes are reviewed, I think this is OK for now. My main remaining concern is that the naming is a bit weird (these are not all onecrl, after all); it's not a huge issue though.
Attachment #8967372 - Flags: review?(mgoodwin) → review+
Thanks for your review!

> My main remaining concern is that the naming is a bit weird (these are not all onecrl, after all)

Yes indeed, on the server side the whole blocklists bucket is configured to be signed with the same onecrl certificate.

If we want to rename it in the future, we can also put the signer name in a preference and leverage Normandy preference rollout (Bug 1440782) to switch to another one.

What do you think?
Flags: needinfo?(mgoodwin)
(In reply to Mathieu Leplatre (:leplatrem) from comment #5)
> If we want to rename it in the future, we can also put the signer name in a
> preference and leverage Normandy preference rollout (Bug 1440782) to switch
> to another one.
> 
> What do you think?

That should work.

With regard to keeping security state signers separate, I wouldn't worry about this for now. We are doing some work on revocation that will move the vast majority of revocations from the certificate blocklist to another mechanism; once this work is complete, we can move the OneCRL blocklist (which should then be fairly small) to the security state bucket and do the signer name changes at that point.

Does that sound reasonable to you?
Flags: needinfo?(mgoodwin) → needinfo?(mathieu)
Yes OK, sounds good!

(I'll land this patch then)
Flags: needinfo?(mathieu)
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/c6aaeb90c4b0
Enable signature verification for addons/gfx/plugins blocklists r=mgoodwin
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/c6aaeb90c4b0
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
See Also: → 1461750