Closed Bug 1647360 Opened 4 years ago Closed 4 years ago

cleanup require builtin cert logic for install/update

Categories

(Toolkit :: Add-ons Manager, enhancement, P1)


Tracking


RESOLVED FIXED
mozilla80
Tracking Status
firefox80 --- fixed

People

(Reporter: mixedpuppy, Assigned: mixedpuppy)


Attachments

(1 file)

As a followup to bug 1308251, clean up the repetitive code for determining the default require cert values.

It is common in secure environments for users of Firefox to be very limited in what they are allowed to do.
Forcing a configuration which is insecure by default risks Firefox being banned in these environments. This is in no one's best interests.
These environments typically either ban addons altogether or require addon security updates to accept private CA(s) configured in the Mozilla trust store.
I'm unclear on this code. It seems to be bringing back behavior which was fixed in 1308251 which 100% prevented all addon updates including security updates. We cannot assume users in secure environments are limited to ESR. Please don't cause addon updates to fail again due to built-in certificate pinning or equivalent behavior.

> It seems to be bringing back behavior which was fixed in 1308251

It's not. If you see a logic error in the patch, please point it out.

It was specifically the quotes section below of this patch that I was talking about:
diff --git a/toolkit/mozapps/extensions/internal/AddonSettings.jsm b/toolkit/mozapps/extensions/internal/AddonSettings.jsm
"/**

  • Require the use of certs shipped with Firefox for
  • addon install and update, if the distribution does
  • not require addon signing and is not ESR.
    */"
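Review bot: the doc comment quoted from AddonSettings.jsm gives the default only as a double-negative condition ("if the distribution does not require addon signing and is not ESR") and never states the outcome for builds that do require signing, which is the case a reader most needs. Suggest adding a sentence saying that builtin certs are not required when signing is required or the build is ESR, and using the term "builtin certs" rather than "certs shipped with Firefox" so the comment matches the wording used in the bug title.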

I may not be understanding the details of the code. The comment in that patch suggests it still enables the built in cert checks if browser isn't ESR and signing is off. I would not expect to be using ESR. I've seen networks that have to turn off signing in offline or partially offline networks as it can cause applications to stall as they attempt and fail to validate signing and either the CRL or OCSP traffic isn't allowed.
This should still work for my use case as signing is on but it might not for all affected users.

(In reply to rhardy from comment #4)

> It was specifically the quotes section below of this patch that I was talking about:
diff --git a/toolkit/mozapps/extensions/internal/AddonSettings.jsm b/toolkit/mozapps/extensions/internal/AddonSettings.jsm
"/**

  • Require the use of certs shipped with Firefox for
  • addon install and update, if the distribution does
  • not require addon signing and is not ESR.
    */"

> I may not be understanding the details of the code. The comment in that patch suggests it still enables the built in cert checks if browser isn't ESR and signing is off. I would not expect to be using ESR. I've seen networks that have to turn off signing in offline or partially offline networks as it can cause applications to stall as they attempt and fail to validate signing and either the CRL or OCSP traffic isn't allowed.
> This should still work for my use case as signing is on but it might not for all affected users.

This is not a change from bug 1308251. The builtin cert requirement is enabled "if the distribution does not require addon signing and is not esr". Thus, builtin certs are not required by default in Firefox ESR, Beta or Release.

The builtin cert requirement was added due to the lack of signing in legacy extensions. Now that webextensions exist, and in releases are required to be signed, we can relax the builtin cert requirement. That was done in 1308251; this just consolidates the settings.

If you need something that both disables addon signing requirements and builtin cert requirements, you'll have to change some prefs to make it work.

Pushed by scaraveo@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ef2824384b3d consolidate logic for requiring builtin certs for addon install/update r=rpl
Pushed by scaraveo@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8da9f55c54cd consolidate logic for requiring builtin certs for addon install/update r=rpl
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Flags: needinfo?(mixedpuppy)