Closed Bug 1593041 Opened 1 year ago Closed 1 year ago

Add com.apple.security.smartcard entitlement to Firefox

Categories

(Core :: Security: Process Sandboxing, defect)

Unspecified
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
relnote-firefox --- 70+
firefox-esr68 --- fixed
firefox70 + wontfix
firefox71 --- fixed
firefox72 --- fixed

People

(Reporter: mkaply, Assigned: haik)

Details

Attachments

(1 file)

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1497522#c11

We need this entitlement in order for Smartcards to work on Catalina.

I was looking for some more information about this. I couldn't find mention of the entitlement in Apple's online docs, but found the need for this is documented in the SmartCardServices(7) man page:

ENTITLEMENT
     Sandboxed PCSC clients require 'com.apple.security.smartcard=YES' entitlement.
     Non-sandboxed PCSC clients do not require such entitlement (in order to keep
     backward compatibility with macOS < 10.10). Users of TKSmartCard* API from
     CryptoTokenKit.framework always require that entitlement no matter whether
     they are sandboxed or not.

We can add this to the entitlements.

Assignee: nobody → haftandilian
OS: Unspecified → macOS
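The SmartCardServices(7) rule quoted above, applied to an entitlements property list. This is an added example, not part of the bug thread or of Mozilla's code. The helper names and sample plists are constructed for illustration, and it assumes "sandboxed" means `com.apple.security.app-sandbox` is true and that the smartcard entitlement is written as a plist boolean.

```python
import plistlib

SMARTCARD = "com.apple.security.smartcard"
APP_SANDBOX = "com.apple.security.app-sandbox"  # assumption: marks a "sandboxed" client


def parse_entitlements(xml_bytes: bytes) -> dict:
    """Parse an XML entitlements plist; empty input means no entitlements."""
    xml_bytes = xml_bytes.strip()
    if not xml_bytes:
        return {}
    data = plistlib.loads(xml_bytes, fmt=plistlib.FMT_XML)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return data


def smartcard_access_expected(ent: dict, uses_tksmartcard: bool) -> bool:
    """Return True if the man page's rule says smart card access should work."""
    granted = ent.get(SMARTCARD) is True  # assumption: stored as <true/>
    if uses_tksmartcard:
        # TKSmartCard* users always need the entitlement, sandboxed or not.
        return granted
    if ent.get(APP_SANDBOX) is True:
        # Sandboxed PCSC clients need it.
        return granted
    # Non-sandboxed PCSC clients are exempt for backward compatibility.
    return True


def sample(keys: str) -> bytes:
    """Build a constructed entitlements plist around the given key/value XML."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + keys + '</dict></plist>').encode()


# Constructed samples, not Firefox's real entitlement files.
WITHOUT = sample('<key>com.apple.security.cs.allow-jit</key><true/>')
WITH = sample('<key>com.apple.security.cs.allow-jit</key><true/>'
              '<key>' + SMARTCARD + '</key><true/>')
SANDBOXED_ONLY = sample('<key>' + APP_SANDBOX + '</key><true/>')

if __name__ == "__main__":
    for name, blob in (("without", WITHOUT), ("with", WITH)):
        ent = parse_entitlements(blob)
        print(name, "TKSmartCard client OK:", smartcard_access_expected(ent, True))
```

On macOS the input can come from `codesign -d --entitlements :- <path to app bundle>`, which prints the signed entitlements as XML.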

Add the com.apple.security.smartcard entitlement to Firefox's entitlements list.

Needed for clients of some CryptoTokenKit.framework APIs, per SmartCardServices(7).

Adding dkeeler as an FYI.

Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/12f20c87bf8d
Add com.apple.security.smartcard entitlement to Firefox r=spohl
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

Is this something we can uplift? As users upgrade to Catalina, they're going to need this change to be able to use client certificates on smart cards.

Flags: needinfo?(haftandilian)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #6)

> Is this something we can uplift? As users upgrade to Catalina, they're going to need this change to be able to use client certificates on smart cards.

Yes, this would be low risk and safe to uplift. Dana or Mike, are you in a position to validate that the fix works as expected on Nightly? It would be ideal if someone with a physical smart configuration could validate it in Nightly.

Flags: needinfo?(mozilla)
Flags: needinfo?(haftandilian)
Flags: needinfo?(dkeeler)

In https://github.com/mozkeeler/osclientcerts/issues/9 I've been talking with someone who indicated it didn't work before but now it does.

Flags: needinfo?(dkeeler)
Flags: needinfo?(mozilla)

Comment on attachment 9105596 [details]
Bug 1593041 - Add com.apple.security.smartcard entitlement to Firefox r?spohl!

Beta/Release Uplift Approval Request

  • User impact if declined: SmartCards can not be used from Firefox on macOS Catalina 10.15.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change only adds a macOS application entitlement to our entitlement list which is used to codesign the application bundle. The change doesn't include any other source code changes.
  • String changes made/needed: None

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: SmartCard support might be important in some enterprise or government environments. See bug 1497522 comment 4.
  • User impact if declined: SmartCards can not be used from Firefox on macOS Catalina 10.15.
  • Fix Landed on Version: 72
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change only adds a macOS application entitlement to our entitlement list which is used to codesign the application bundle. The change doesn't include any other source code changes.
  • String or UUID changes made by this patch: None
Attachment #9105596 - Flags: approval-mozilla-release?
Attachment #9105596 - Flags: approval-mozilla-esr68?
Attachment #9105596 - Flags: approval-mozilla-beta?

Comment on attachment 9105596 [details]
Bug 1593041 - Add com.apple.security.smartcard entitlement to Firefox r?spohl!

low risk, uplift approved for 71 beta 8, thanks.

Attachment #9105596 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

71 wasn't marked as affected so it didn't show on the sheriffs' radar for today's uplift. This patch will be in beta 9.

Comment on attachment 9105596 [details]
Bug 1593041 - Add com.apple.security.smartcard entitlement to Firefox r?spohl!

From comment 11, fix verified by a user.
OK for uplift to m-r for the 70.0.2 dot release.

Attachment #9105596 - Flags: approval-mozilla-release? → approval-mozilla-release+

Noting for 70.0.2 as "Smart cards now work correctly with macOS 10.15"

Comment on attachment 9105596 [details]
Bug 1593041 - Add com.apple.security.smartcard entitlement to Firefox r?spohl!

Setting the flag back to "?" until we have a definite need for a 70.0.2 dot release.

Attachment #9105596 - Flags: approval-mozilla-release+ → approval-mozilla-release?

Comment on attachment 9105596 [details]
Bug 1593041 - Add com.apple.security.smartcard entitlement to Firefox r?spohl!

OK for uplift for ESR 68.3.0.

Attachment #9105596 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+

Comment on attachment 9105596 [details]
Bug 1593041 - Add com.apple.security.smartcard entitlement to Firefox r?spohl!

No 70.0.2 dot release, we build 71RC today.

Attachment #9105596 - Flags: approval-mozilla-release? → approval-mozilla-release-