Closed Bug 1476098 Opened 3 years ago Closed 3 years ago

Nightly ASAN builds are missing the Google and Mozilla API keys


(Firefox Build System :: General, defect)

Not set


(firefox63 fixed)

Tracking Status
firefox63 --- fixed


(Reporter: francois, Assigned: decoder)


(Blocks 1 open bug)


(Keywords: sec-low, Whiteboard: [adv-main63-])


(1 file)

The Nightly ASAN builds don't include the Google and Mozilla API keys (see "Application Basics" in about:support).

This means that those builds do not have working Safe Browsing (or location services).

You can confirm that Safe Browsing works by going into about:url-classifier and doing an update of the "google4" provider (it should say "success"). There is also a test page maintained by Google at
Group: firefox-build-security → firefox-core-security
Moving the security groups for this bug per bug 1476102, because the firefox-build-security group is going away.
Keywords: sec-low
Unhiding because this isn't as much an attack vector as a dangerous working condition that users of those builds might want to know about.
Group: firefox-core-security
From build log, we're getting the keys .. 

[task 2018-07-20T22:07:40.205Z] 22:07:40     INFO - [mozharness: 2018-07-20 22:07:40.205422Z] Running get-secrets step.
[task 2018-07-20T22:07:40.205Z] 22:07:40     INFO - Running main action method: get_secrets
[task 2018-07-20T22:07:40.205Z] 22:07:40     INFO - fetching secret project/releng/gecko/build/level-3/ from API
[task 2018-07-20T22:07:40.408Z] 22:07:40     INFO - fetching secret project/releng/gecko/build/level-3/mozilla-desktop-geoloc-api.key from API
[task 2018-07-20T22:07:40.513Z] 22:07:40     INFO - fetching secret project/releng/gecko/build/level-3/adjust-sdk.token from API
[task 2018-07-20T22:07:41.448Z] 22:07:41     INFO - fetching secret project/releng/gecko/build/level-3/adjust-sdk-beta.token from API
[task 2018-07-20T22:07:41.546Z] 22:07:41     INFO - [mozharness: 2018-07-20 22:07:41.546587Z] Finished get-secrets step (success)

And then looking deeper, official builds specify a key file (for this and other things) in files like:

We don't specify them in the asan mozconfigs: nor do we source the common files.

..I'm hoping glandium or christian can help sort this out (as in, should the asan builds source the common files, or should they specify the keys directly)
Flags: needinfo?(mh+mozilla)
Flags: needinfo?(choller)
Including the common file won't work for ASan in its current state. We might be able to refactor this to share more of the options, but for now, here is an easy patch to fix the missing keys in those builds.
Flags: needinfo?(mh+mozilla)
Flags: needinfo?(choller)
triaging, assigning to :decoder since he attached patches
Assignee: nobody → choller
Comment on attachment 8993895 [details]
Bug 1476098 - Add Google and Mozilla API keys to ASan Nightly.
Attachment #8993895 - Flags: review?(mh+mozilla) → review+
Pushed by
Add Google and Mozilla API keys to ASan Nightly. r=glandium
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Whiteboard: [adv-main63-]
You need to log in before you can comment on or make changes to this bug.