Closed Bug 1552221 Opened 6 years ago Closed 6 years ago

ship system add-ons to remediate armagadd-on 2.0 - 57-60

Categories

(Firefox :: System Add-ons: Off-train Deployment, task)

task
Not set
normal

RESOLVED FIXED

People

(Reporter: shell, Assigned: rehandalal+mozilla)

Attachments

(1 file)

This bug is tracking work to ship the add-on fix listed on AMO[1] for 57-60, with a GUID of hotfix-bug-1548973-mozextou@mozilla.org

We cannot filter to avoid pushing to people who have this already.

[1] https://addons.mozilla.org/en-US/firefox/addon/disabled-add-on-fix-57-60/

Type: defect → task
Component: General → System Add-ons: Off-train Deployment
Summary: ship legacy system add-ons to remediate armagadd-on 2.0 - 57-60 → ship system add-ons to remediate armagadd-on 2.0 - 57-60

potential issue: we are investigating if we should expect to hit bug 1454820 on the 57-60 push - where the balrog system add-on update mechanism expects a certain cert and fails otherwise.

rhelmer: gguthe and I tried a bunch of combinations but couldn't find the combo that worked.

mythmon: We know that Normandy has shipped bootstrap, mozilla-signed add-ons to 57-60, but we don't know much about balrog handling in that range.

This has been staged on the test channel (release-sysaddon) and is ready for QA testing

@Dana: Selena asked me to tag you in for your opinion about an issue with this addon.

To install it via Balrog it needs to be signed with the systemaddon key; however, in order to pass the isPrivileged() check to allow use of an experimental API, it must be signed with the mozextension key.

In all likelihood there is no solution that both allows use of an experimental API as well as Balrog compatibility but maybe you have some ideas?

From Selena (on Slack):

selenamarie [8:19 PM]
Can we just mash them together, I wonder aloud

Flags: needinfo?(dkeeler)

We have completed our testing which targeted Firefox 57.0.4.

The hotfix-bug-1548973-mozextou@mozilla.org is not successfully installed.

For further information regarding our test results please access this link.

Assuming the isPrivileged() implementation is here: https://searchfox.org/mozilla-central/rev/0078b9e7d42c366b102d7aec918caf64fed1d574/toolkit/components/extensions/Extension.jsm#1594
I think those values come from: https://searchfox.org/mozilla-central/rev/0078b9e7d42c366b102d7aec918caf64fed1d574/toolkit/mozapps/extensions/internal/XPIInstall.jsm#710-715
Meaning we have to sign the add-on with a certificate with a subject organizational unit of "Mozilla Components" or "Mozilla Extensions".

What is the systemaddon key? Presumably it's in a certificate? It might work if we re-issue that certificate with the right subject OU. Then again, there may be a very good reason why such a certificate doesn't exist.

Flags: needinfo?(dkeeler)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #6)

> Assuming the isPrivileged() implementation is here: https://searchfox.org/mozilla-central/rev/0078b9e7d42c366b102d7aec918caf64fed1d574/toolkit/components/extensions/Extension.jsm#1594
> I think those values come from: https://searchfox.org/mozilla-central/rev/0078b9e7d42c366b102d7aec918caf64fed1d574/toolkit/mozapps/extensions/internal/XPIInstall.jsm#710-715
> Meaning we have to sign the add-on with a certificate with a subject organizational unit of "Mozilla Components" or "Mozilla Extensions".
>
> What is the systemaddon key? Presumably it's in a certificate? It might work if we re-issue that certificate with the right subject OU. Then again, there may be a very good reason why such a certificate doesn't exist.

Note that

this.addonData.signedState === AddonManager.SIGNEDSTATE_SYSTEM ||

was added in bug 1454820 which was landed since Firefox 61. So 57-60 won't accept WebExtensions Experiments if they have a certificate with a subject OU of "Mozilla Components" that is the systemaddon key.

Rehan, do comment 6 and comment 7 give you enough information to proceed?

Flags: needinfo?(rdalal)

> What is the systemaddon key?

This is a certificate with the subject "Mozilla Components".

> Rehan, do comment 6 and comment 7 give you enough information to proceed?

Yeah, I think this is an unsolvable issue for 57-60 where "Mozilla Components" is required by Balrog but "Mozilla Extensions" is required for the addon to be marked as privileged. I think we will end up shipping this with Normandy instead of Balrog. Thanks for the input!

Flags: needinfo?(rdalal)
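
The signing constraint worked out in the comments above, as an added JavaScript model (not part of the bug thread and not Firefox source). The function names and string state labels are illustrative, and two things are assumptions: that Balrog's certificate requirement is the same in 61, and that Normandy delivery imposes no OU requirement of its own.

```javascript
// Simplified model of the constraint discussed in this bug; not Firefox source.
// OU strings and the Firefox 61 cut-over come from the comments above.
const OU_SYSTEM = "Mozilla Components";     // the "systemaddon key"
const OU_PRIVILEGED = "Mozilla Extensions"; // the "mozextension key"

// Map the signing certificate's subject OU to a signed state. String labels
// are used here for readability; they stand in for AddonManager constants.
function signedStateFor(ou) {
  if (ou === OU_SYSTEM) return "SIGNEDSTATE_SYSTEM";
  if (ou === OU_PRIVILEGED) return "SIGNEDSTATE_PRIVILEGED";
  return "SIGNEDSTATE_SIGNED";
}

// isPrivileged() as described in the thread: SIGNEDSTATE_SYSTEM is accepted
// only once bug 1454820 has landed (Firefox 61 and later).
function isPrivileged(signedState, firefoxMajor) {
  if (signedState === "SIGNEDSTATE_PRIVILEGED") return true;
  return signedState === "SIGNEDSTATE_SYSTEM" && firefoxMajor >= 61;
}

// Balrog system add-on updates accept only the system add-on certificate.
// Assumption: true for every version modelled (the page states it for 57-60).
function balrogAccepts(ou) {
  return ou === OU_SYSTEM;
}

// For one Firefox version, evaluate each candidate OU against both gates.
function evaluate(firefoxMajor, ous = [OU_SYSTEM, OU_PRIVILEGED]) {
  return ous.map((ou) => {
    const privileged = isPrivileged(signedStateFor(ou), firefoxMajor);
    return {
      ou,
      privileged,
      viaBalrog: balrogAccepts(ou) && privileged,
      viaNormandy: privileged, // assumption: Normandy has no OU requirement
    };
  });
}

// True when some OU both installs through Balrog and ends up privileged.
function balrogShippable(firefoxMajor) {
  return evaluate(firefoxMajor).some((r) => r.viaBalrog);
}

for (const v of [57, 60, 61]) console.log(v, evaluate(v));
```

For 57 through 60 no OU satisfies both gates, which is why the thread turns to Normandy with a "Mozilla Extensions" signature.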

After talking about this with Rehan and Mythmon - we will try a Normandy push for the 57-60 version add-on only.

Reasoning: 57-60 balrog can only handle add-ons signed with system add-on key (mozilla components) - but during the legacy>webextension transition, system add-ons were briefly signed differently.

CAVEAT: If you install an add-on via Normandy and that also exists on AMO… that add-on will get updates from AMO. We want to make sure the add-on shipping via Normandy has a different add-on ID - and just doesn't install if the AMO add-on ID is present.

Filing another bug to change add-on ID. Work with rhelmer and gguthe to get the 57-60 resigned with MOZILLA EXTENSION (because in that time period there was some transition with bootstrap and system add-ons privilege keys).

Assignee: nobody → mcooper
Component: System Add-ons: Off-train Deployment → General
Product: Firefox → Shield

Back to balrog

Assignee: mcooper → rdalal
Component: General → System Add-ons: Off-train Deployment
Product: Shield → Firefox

This is now on the release channel and pending relman sign off

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED