Closed Bug 1460321 Opened Last year Closed Last year

Migrate addons/plugins/gfx content-signature certificate to the main one

Categories

(Toolkit :: Blocklist Implementation, enhancement)

61 Branch
enhancement
Not set

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox62 --- fixed

People

(Reporter: leplatrem, Assigned: leplatrem)

References

Details

Attachments

(1 file)

In Bug 1450985 we enabled signature verification of addons/plugins/gfx.

But it uses the same certificate as onecrl. 

As discussed in Bug 1438820 and Bug 1460311, we want those 3 collections to use the same certificate as default remote settings.

We should take advantage of the fact that verification was enabled in 61 (and thus does not affect stable yet)
During the period of time between the landing of the patch and the next beta is released, either Nightly or Beta will have failing signatures:

- If we change the server configuration just when this patch lands, then signature validation will be successful in Nightly but will fail on Beta until a new release containing the fix is issued.
- If we land this patch but change the server configuration only when a new Beta release containing the fix is issued, then signature validation will fail in Nightly for the whole interval

Signature validation failing means that users won't receive addons/plugins/gfx updates. And their browser console will show error messages.

:ulfr, do you have any particular advice on how to proceed? Would this be worth releasing a "security fix" beta release to minimize the period of time between the patch landing and the release to be issued?
BTW, I never pushed anything to Beta and will probably need help.

Also if that helps to decide: the frequency of updates in the blocklists is really low (more or less one change every two weeks in average)

Thanks!
Flags: needinfo?(jvehent)
Blocks: 1460311
No longer depends on: 1460311
I don't have a strong opinion. I think this falls more on the preference of the platform team, so needinfo mark.
Ideally, we add code that handles both cases and prevents any release from breaking, and remove that code later on. Failing that, I think breaking nightly is better than breaking beta, but I don't know if that's at all acceptable.
Flags: needinfo?(jvehent) → needinfo?(mgoodwin)
See Also: → 1461750
After having talked to mythmon and mostlygeek, we realized there were other options:

- Plan A: Back out the changes made in Bug 1450985 to disable signature verification, so that we could change the certificate signature on the server without any impact. I created Bug 1461750 for that
- Plan B: Rely on the new pref rollout feature from Normandy to remotely change the certificate name on client just after we change the server config and refresh its signatures
Depends on: 1461750
Bug 1461750 was merged, once 61.0b6 is released and a significant uptake is reached, I will migrate the signature on the server. Then, I will land this patch just after.

I would need it to be r+ though ;)
Depends on: 1462171
(In reply to Mathieu Leplatre (:leplatrem) from comment #4)
> After having talked to mythmon and mostlygeek, we realized there were other
> options:

Solutions which prevent breakage seem advantageous to me.
Flags: needinfo?(mgoodwin)
Comment on attachment 8974540 [details]
Bug 1460321 - Change addons/plugins/gfx blocklist content-signature certificate

https://reviewboard.mozilla.org/r/242878/#review252472

Do we still want this change, given the other options?
Comment on attachment 8974540 [details]
Bug 1460321 - Change addons/plugins/gfx blocklist content-signature certificate

https://reviewboard.mozilla.org/r/242878/#review252480
Attachment #8974540 - Flags: review?(mgoodwin) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/3f64d5a8174e
Change addons/plugins/gfx blocklist content-signature certificate r=mgoodwin
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/3f64d5a8174e
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Component: Blocklist Policy Requests → Blocklist Implementation
You need to log in before you can comment on or make changes to this bug.