cleanup require builtin cert logic for install/update
Categories
(Toolkit :: Add-ons Manager, enhancement, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox80 | --- | fixed |
People
(Reporter: mixedpuppy, Assigned: mixedpuppy)
Attachments
(1 file)
As a follow-up to bug 1308251, clean up the repetitive code for determining the default require cert values.
Assignee
Comment 1•4 years ago
It is common in secure environments for users of Firefox to be very limited in what they are allowed to do.
Forcing a configuration which is insecure by default risks Firefox being banned in these environments. This is in no one's best interests.
These environments typically either ban addons altogether or require addon security updates to accept private CA(s) configured in the Mozilla trust store.
I'm unclear on this code. It seems to be bringing back behavior which was fixed in 1308251 which 100% prevented all addon updates including security updates. We cannot assume users in secure environments are limited to ESR. Please don't cause addon updates to fail again due to built-in certificate pinning or equivalent behavior.
Assignee
Comment 3•4 years ago
> It seems to be bringing back behavior which was fixed in 1308251
It's not. If you see a logic error in the patch, please point it out.
It was specifically the quotes section below of this patch that I was talking about:
diff --git a/toolkit/mozapps/extensions/internal/AddonSettings.jsm b/toolkit/mozapps/extensions/internal/AddonSettings.jsm
"/**
- Require the use of certs shipped with Firefox for
- addon install and update, if the distribution does
- not require addon signing and is not ESR.
*/"
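Review bot: the condition in this doc comment ("if the distribution does not require addon signing and is not ESR") only states when builtin certs are required, so it is easy to read as applying to every non-ESR build. Suggest spelling out the other case as well, that builtin certs are not required when the distribution requires addon signing or is ESR, and saying that this is only the default value.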
I may not be understanding the details of the code. The comment in that patch suggests it still enables the built in cert checks if browser isn't ESR and signing is off. I would not expect to be using ESR. I've seen networks that have to turn off signing in offline or partially offline networks as it can cause applications to stall as they attempt and fail to validate signing and either the CRL or OCSP traffic isn't allowed.
This should still work for my use case as signing is on but it might not for all affected users.
Assignee
Comment 5•4 years ago
(In reply to rhardy from comment #4)
> It was specifically the quotes section below of this patch that I was talking about:
diff --git a/toolkit/mozapps/extensions/internal/AddonSettings.jsm b/toolkit/mozapps/extensions/internal/AddonSettings.jsm
"/**
- Require the use of certs shipped with Firefox for
- addon install and update, if the distribution does
- not require addon signing and is not ESR.
*/"
> I may not be understanding the details of the code. The comment in that patch suggests it still enables the built in cert checks if browser isn't ESR and signing is off. I would not expect to be using ESR. I've seen networks that have to turn off signing in offline or partially offline networks as it can cause applications to stall as they attempt and fail to validate signing and either the CRL or OCSP traffic isn't allowed.
> This should still work for my use case as signing is on but it might not for all affected users.
This is not a change from bug 1308251. The builtin cert requirement is enabled "if the distribution does not require addon signing and is not esr". Thus, builtin certs are not required by default in Firefox ESR, Beta or Release.
The builtin cert requirement was added due to the lack of signing in legacy extensions. Now that webextensions exist, and in releases are required to be signed, we can relax the builtin cert requirement. That was done in 1308251; this just consolidates the settings.
If you need something that both disables addon signing requirements and builtin cert requirements, you'll have to change some prefs to make it work.
Comment 7•4 years ago
Backed out for perma failures.
Logs:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307684783&repo=autoland&lineNumber=13490
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307687583&repo=autoland&lineNumber=5531
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307685919&repo=autoland&lineNumber=2540
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307686508&repo=autoland&lineNumber=5290
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307688416&repo=autoland&lineNumber=5110
Backout: https://hg.mozilla.org/integration/autoland/rev/5ffc7bb2e09f931de4fd1e767c52635452cc3ebf
Comment 9•4 years ago
bugherder