Consider verifying contents of GMP zip files rather than the zip file itself
Categories
(Core :: Audio/Video: GMP, task, P3)
People
(Reporter: bryce, Unassigned)
References
(Blocks 1 open bug)
Details
We currently verify the GMP zip files we download by checking the hash of the downloaded zip against a hash we receive from balrog. However, this can lead to issues where the contents of the zips change. Specifically, we've encountered issues on multiple occasions where the files inside the zip have different timestamps. I.e. the files are the same, but have different timestamps for creation and/or modification.
In these cases, the updating of timestamps means the zip file changes, which changes its hash. This breaks GMP updates, even though the contents of the zip are binary equivalent to the zip we're expecting. See bug 1767953 for a recent case of this.
This could be prevented if we instead verified the hashes of the contents of these files.
So instead of checking the hash on some zip, e.g. 4.10.2449.0-win-x64.zip, we would instead check hashes for the contents, [LICENSE.txt, manifest.json, widevinecdm.dll, widevinecdm.dll.lib, widevinecdm.dll.sig]. Even in cases where we don't use all the files in a zip (the .dll.lib is not used for win IIRC), we should probably verify all contents are as expected for security.
This would mean us updating both toolkit and balrog code to do this. We would need to handle general GMPs, so that both Widevine and OpenH264 work -- we can't just target Widevine.
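The failure mode and the proposed check, as an added Python example (not Firefox toolkit or balrog code): two archives built from identical files with different member timestamps hash differently as zips but pass per-member verification, while extra, missing or altered members are reported. The file names, contents, the SHA-512 choice and the expected name-to-hash map are assumptions made for the illustration.

```python
import hashlib
import io
import zipfile

def build_zip(files, date_time):
    """Build an in-memory zip, stamping date_time on every member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

def whole_zip_hash(zip_bytes):
    """Current scheme: one hash over the archive bytes, metadata included."""
    return hashlib.sha512(zip_bytes).hexdigest()

def content_digests(zip_bytes):
    """Map member name -> SHA-512 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in digests:  # ambiguous archive, refuse it
                raise ValueError(f"duplicate member: {info.filename}")
            digests[info.filename] = hashlib.sha512(zf.read(info)).hexdigest()
    return digests

def verify_contents(zip_bytes, expected):
    """Return a list of problems; an empty list means every member matches."""
    actual = content_digests(zip_bytes)
    extra = sorted(actual.keys() - expected.keys())
    missing = sorted(expected.keys() - actual.keys())
    changed = sorted(n for n in actual.keys() & expected.keys() if actual[n] != expected[n])
    return ([f"unexpected member: {n}" for n in extra]
            + [f"missing member: {n}" for n in missing]
            + [f"hash mismatch: {n}" for n in changed])

# Constructed sample data (not real GMP files or hashes).
FILES = {"manifest.json": b'{"version": "0.0.0.0"}', "plugin.dll": b"constructed bytes"}
ZIP_A = build_zip(FILES, (2022, 1, 1, 0, 0, 0))
ZIP_B = build_zip(FILES, (2022, 6, 1, 12, 0, 0))   # same files, new timestamps
EXPECTED = content_digests(ZIP_A)  # assumed stand-in for server-published per-file hashes
TAMPERED = build_zip({**FILES, "plugin.dll": b"other bytes", "extra.bin": b"x"}, (2022, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    print("zip hashes equal:", whole_zip_hash(ZIP_A) == whole_zip_hash(ZIP_B))
    print("repacked zip:", verify_contents(ZIP_B, EXPECTED))
    print("tampered zip:", verify_contents(TAMPERED, EXPECTED))
```

The check fails closed on members that are not in the expected map, which matches the point above about verifying files even when they are not used.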
Comment 1•3 years ago
In the shorter term, maybe we can work with balrog people to get regular monitoring of these hashes for changes. Or maybe we could just host the files ourselves so they can't change? Our attitude toward the way we distribute may have changed since we originally set all this up.