1549010 - prepare patches to verify add-ons at a specific time and ensure that signatures are re-verified

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Comment 1

[Dana Keeler (she/her) (use needinfo) (:keeler for reviews)]

Attachment: Bug 1549010 - verify add-on signing certificates at 2019-04-27T02:43:20.000Z r?jcj

Comment 2

[Kris Maglione [:kmag]]

Attachment: Bug 1549010: Part 2 - Bump DB schema version to force certificate reverification.

Users who are affected by the intermediate add-on signing certificate expiry
need their add-on signatures re-verified as soon as possible after updating to
a version containging the fix. A database rebuild includes signature
reverifications, so a schema version achieves this.

Comment 3

[Kris Maglione [:kmag]]

Attachment: Bug 1549010: Part 2 - Bump DB schema version to force certificate reverification. r=zombie

Users who are affected by the intermediate add-on signing certificate expiry
need their add-on signatures re-verified as soon as possible after updating to
a version containging the fix. A database rebuild includes signature
reverifications, so a schema version achieves this.

Comment 4

[Kris Maglione [:kmag]]

Attachment: Bug 1549010: Part 2 - Bump DB schema version to force certificate reverification. r=zombie

Users who are affected by the intermediate add-on signing certificate expiry
need their add-on signatures re-verified as soon as possible after updating to
a version containging the fix. A database rebuild includes signature
reverifications, so a schema version achieves this.

Comment 5

[Kris Maglione [:kmag]]

Schema bump patches are, in order of submission, for nightly/beta, release, and esr60 respectively.

Comment 6

[Kris Maglione [:kmag]]

https://hg.mozilla.org/releases/mozilla-release/rev/9cdb06fa51891f31c4371b3d06d8e46148b5237a
https://hg.mozilla.org/releases/mozilla-release/rev/d4f7f9eb9e7d95b021ab00e4d78a915bd657f5b9

https://hg.mozilla.org/releases/mozilla-esr60/rev/635f3d3ecab0b5d10a101624e774dd5785320e65
https://hg.mozilla.org/releases/mozilla-esr60/rev/18a1c7a770e6317535bd4bd29d5097feecb7559f

Comment 7

[Pulsebot]

Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/mozilla-central/rev/fa013d593d02
verify add-on signing certificates at 2019-04-27T02:43:20.000Z r=jcj a=lizzard
https://hg.mozilla.org/mozilla-central/rev/e9bfe907b847
Part 2 - Bump DB schema version to force certificate reverification. r=zombie a=lizzard CLOSED TREE

Comment 8

[Kris Maglione [:kmag]]

https://hg.mozilla.org/releases/mozilla-beta/rev/d716b75b8ac3f4588061e720074c093dae08e43e
https://hg.mozilla.org/releases/mozilla-beta/rev/f272348572e8160a73001b85013f35db51397064

Comment 9

[Pulsebot]

Backout by emilio@crisal.io:
https://hg.mozilla.org/mozilla-central/rev/9419be649eff
Back out changeset fa013d593d02e29d9062900f89a14fd40a9ba687 . a=sylvestre

Comment 10

[Emilio Cobos Álvarez (:emilio)]

https://hg.mozilla.org/releases/mozilla-release/rev/8f9d95206d3f2ed91b9cab4721350e4dbd775d9d is the back out from m-r.
https://hg.mozilla.org/releases/mozilla-esr60/rev/4f576e1e39a6 / https://hg.mozilla.org/releases/mozilla-esr60/rev/9d658c1c2fae from esr60

Comment 11

[Emilio Cobos Álvarez (:emilio)]

https://hg.mozilla.org/releases/mozilla-beta/rev/ebb01d9ac1c9 from beta, and I think that should be all.