Closed Bug 1476098 Opened 3 years ago Closed 3 years ago

Nightly ASAN builds are missing the Google and Mozilla API keys

Categories: Firefox Build System :: General, defect
Priority: Not set, Severity: normal
Tracking: firefox63 fixed
Status: RESOLVED FIXED, mozilla63
People: Reporter: francois, Assigned: decoder
References: Blocks 1 open bug
Details: Keywords: sec-low, Whiteboard: [adv-main63-]
Attachments: 1 file

The Nightly ASAN builds don't include the Google and Mozilla API keys (see "Application Basics" in about:support).

This means that those builds do not have working Safe Browsing (or location services).

You can confirm that Safe Browsing works by going into about:url-classifier and doing an update of the "google4" provider (it should say "success"). There is also a test page maintained by Google at https://testsafebrowsing.appspot.com/.
Group: firefox-build-security → firefox-core-security
Moving the security groups for this bug per bug 1476102, because the firefox-build-security group is going away.
Keywords: sec-low
Unhiding because this isn't as much an attack vector as a dangerous working condition that users of those builds might want to know about.
Group: firefox-core-security
From the build log, we're getting the keys:

[task 2018-07-20T22:07:40.205Z] 22:07:40     INFO - [mozharness: 2018-07-20 22:07:40.205422Z] Running get-secrets step.
[task 2018-07-20T22:07:40.205Z] 22:07:40     INFO - Running main action method: get_secrets
[task 2018-07-20T22:07:40.205Z] 22:07:40     INFO - fetching secret project/releng/gecko/build/level-3/gapi.data from API
[task 2018-07-20T22:07:40.408Z] 22:07:40     INFO - fetching secret project/releng/gecko/build/level-3/mozilla-desktop-geoloc-api.key from API
[task 2018-07-20T22:07:40.513Z] 22:07:40     INFO - fetching secret project/releng/gecko/build/level-3/adjust-sdk.token from API
[task 2018-07-20T22:07:41.448Z] 22:07:41     INFO - fetching secret project/releng/gecko/build/level-3/adjust-sdk-beta.token from API
[task 2018-07-20T22:07:41.546Z] 22:07:41     INFO - [mozharness: 2018-07-20 22:07:41.546587Z] Finished get-secrets step (success)

And then looking deeper, official builds specify a key file (for this and other things) in files like: https://dxr.mozilla.org/mozilla-central/source/browser/config/mozconfigs/linux32/common-opt

We don't specify them in the asan mozconfigs: https://dxr.mozilla.org/mozilla-central/source/browser/config/mozconfigs/linux64/nightly-asan-reporter nor do we source the common files.

I'm hoping glandium or christian can help sort this out (as in, should the asan builds source the common files, or should they specify the keys directly?).
Flags: needinfo?(mh+mozilla)
Flags: needinfo?(choller)
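The gap described in the comment above (secrets fetched successfully, but a mozconfig that neither sets the key-file options nor sources the common file) can be caught by linting the mozconfigs themselves. The following is an added example, not code from this bug or from mozilla-central; the option names in `REQUIRED`, the file paths and the sample mozconfig contents are assumptions constructed for illustration.

```python
import re

# Assumed option names: the page says official builds "specify a key file"
# but never quotes the options, so adjust these to your tree.
REQUIRED = ("--with-google-api-keyfile", "--with-mozilla-api-keyfile")

# Constructed sample mozconfigs (path -> contents), not copied from mozilla-central.
SAMPLE_TREE = {
    "mozconfigs/common-opt": "ac_add_options --with-google-api-keyfile=/builds/gapi.data\n"
                             "ac_add_options --with-mozilla-api-keyfile=/builds/geoloc.key\n",
    "mozconfigs/nightly": '. "$topsrcdir/mozconfigs/common-opt"\n'
                          "ac_add_options --enable-optimize\n",
    "mozconfigs/nightly-asan": "ac_add_options --enable-address-sanitizer\n"
                               "# ac_add_options --with-google-api-keyfile=/builds/gapi.data\n",
}

SOURCE_RE = re.compile(r'^\s*(?:\.|source)\s+"?\$\{?topsrcdir\}?/([^"\s]+)"?')
OPTION_RE = re.compile(r"^\s*ac_add_options\s+(--[\w-]+)(?:=(\S*))?")


def effective_options(path, tree, seen=None):
    """Return {option: value} for a mozconfig, following files it sources."""
    seen = set() if seen is None else seen
    if path in seen:  # include cycle: stop instead of recursing forever
        return {}
    seen.add(path)
    options = {}
    for line in tree.get(path, "").splitlines():
        line = line.split("#", 1)[0]  # commented-out options must not count
        if m := SOURCE_RE.match(line):
            options.update(effective_options(m.group(1), tree, seen))
        elif m := OPTION_RE.match(line):
            options[m.group(1)] = m.group(2) or ""
    return options


def audit(tree, required=REQUIRED):
    """Map each mozconfig to the required key-file options it never sets."""
    report = {}
    for path in sorted(tree):
        opts = effective_options(path, tree)
        # An option given with an empty value is treated as missing too.
        if missing := [name for name in required if not opts.get(name)]:
            report[path] = missing
    return report


if __name__ == "__main__":
    for path, missing in audit(SAMPLE_TREE).items():
        print(f"{path}: missing {', '.join(missing)}")
```

Run against a real tree by loading each mozconfig into the `tree` dict keyed by its path relative to the source root.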
Including the common file won't work for ASan in its current state. We might be able to refactor this to share more of the options, but for now, here is an easy patch to fix the missing keys in those builds.
Flags: needinfo?(mh+mozilla)
Flags: needinfo?(choller)
Triaging, assigning to :decoder since he attached patches.
Assignee: nobody → choller
Comment on attachment 8993895 [details]
Bug 1476098 - Add Google and Mozilla API keys to ASan Nightly.

https://reviewboard.mozilla.org/r/258546/#review265904
Attachment #8993895 - Flags: review?(mh+mozilla) → review+
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3d633edc1c27
Add Google and Mozilla API keys to ASan Nightly. r=glandium
https://hg.mozilla.org/mozilla-central/rev/3d633edc1c27
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Whiteboard: [adv-main63-]