Enable signature verification for addons/gfx/plugins collections

RESOLVED FIXED in Firefox 61

Status

enhancement
RESOLVED FIXED
a year ago
11 months ago

People

(Reporter: leplatrem, Assigned: leplatrem)

Tracking

57 Branch
mozilla61

Firefox Tracking Flags

(firefox61 fixed)

Attachments

(1 attachment)

(Assignee)

Description

a year ago
Currently, we only verify the signature of the certificates collection during remote settings synchronization.

Since the addons/plugins/gfx are properly on the server side, we should enable the client side verification for them too.

Note: As we can see here: https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons the certificate is also called *onecrl* so we should use this signer too.
(Assignee)

Updated

a year ago
Assignee: nobody → mathieu
(Assignee)

Updated

a year ago
See Also: → 1451027

Comment 2

a year ago
mozreview-review
Comment on attachment 8967372 [details]
Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists

https://reviewboard.mozilla.org/r/236064/#review241816

::: services/common/blocklist-clients.js:145
(Diff revision 1)
>    OneCRLBlocklistClient.on("change", updateCertBlocklist);
>  
>    AddonBlocklistClient = RemoteSettings(Services.prefs.getCharPref(PREF_BLOCKLIST_ADDONS_COLLECTION), {
>      bucketName: Services.prefs.getCharPref(PREF_BLOCKLIST_BUCKET),
>      lastCheckTimePref: PREF_BLOCKLIST_ADDONS_CHECKED_SECONDS,
> -    signerName: "",  // disabled
> +    signerName: BLOCKLISTS_SIGNER,
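
Review bot: The `signerName: BLOCKLISTS_SIGNER` line on AddonBlocklistClient depends on a constant whose definition is not visible in this hunk, so it deserves a comment at its definition naming the signer it holds and noting that, per the bug description, it is the onecrl signer reused for non-OneCRL collections. The removed line used an empty string to mean "disabled", so a test asserting that sync rejects an addons collection with a bad signature would guard against that value coming back unnoticed. Only the addons client is shown here; the plugins and gfx clients named in the bug title should receive the same `signerName` change.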

What generates the records for the (non-OneCRL) blocklists? What tooling is used? How is access controlled?
(Assignee)

Comment 3

a year ago
mozreview-review-reply
Comment on attachment 8967372 [details]
Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists

https://reviewboard.mozilla.org/r/236064/#review241816

> What generates the records for the (non-OneCRL) blocklists? What tooling is used? How is access controlled?

It works the exact same way as OneCRL (users write into kinto-admin, review-request/approve changes, signing happens, clients poll and perform diff-based sync...)

Comment 4

a year ago
mozreview-review
Comment on attachment 8967372 [details]
Bug 1450985 - Enable signature verification for addons/gfx/plugins blocklists

https://reviewboard.mozilla.org/r/236064/#review242256

I have a preference to keep the security state (certificate blocklist, pinning, intermediates) signing keys separate. Given that these other use-cases are all blocklists and that there are controls (including an approval step) in place for ensuring changes are reviewed, I think this is OK for now. My main remaining concern is that the naming is a bit weird (these are not all onecrl, after all); it's not a huge issue though.
Attachment #8967372 - Flags: review?(mgoodwin) → review+
(Assignee)

Comment 5

a year ago
Thanks for your review!

> My main remaining concern is that the naming is a bit weird (these are not all onecrl, after all)

Yes indeed, on the server side the whole blocklists bucket is configured to be signed with the same onecrl certificate.

If we want to rename it in the future, we can also put the signer name in a preference and leverage Normandy preference rollout (Bug 1440782) to switch to another one.

What do you think?
Flags: needinfo?(mgoodwin)
Comment hidden (mozreview-request)
(In reply to Mathieu Leplatre (:leplatrem) from comment #5)
> If we want to rename it in the future, we can also put the signer name in a
> preference and leverage Normandy preference rollout (Bug 1440782) to switch
> to another one.
> 
> What do you think?

That should work.

With regard to keeping security state signers separate, I wouldn't worry about this for now. We are doing some work on revocation that will move the vast majority of revocations from the certificate blocklist to another mechanism; once this work is complete, we can move the OneCRL blocklist (which should then be fairly small) to the security state bucket and do the signer name changes at that point.

Does that sound reasonable to you?
Flags: needinfo?(mgoodwin) → needinfo?(mathieu)
(Assignee)

Comment 8

a year ago
Yes OK, sounds good!

(I'll land this patch then)
Flags: needinfo?(mathieu)
(Assignee)

Updated

a year ago
Keywords: checkin-needed

Comment 9

a year ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/c6aaeb90c4b0
Enable signature verification for addons/gfx/plugins blocklists r=mgoodwin
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/c6aaeb90c4b0
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
(Assignee)

Updated

11 months ago
See Also: → 1461750