Periodic update permafailures due to failure parsing Chrome certificate file during HPKP update
Categories
(Core :: Security: PSM, defect, P1)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr91 | --- | unaffected |
firefox100 | --- | unaffected |
firefox101 | + | verified |
firefox102 | + | verified |
People
(Reporter: RyanVM, Assigned: keeler)
Details
(Keywords: intermittent-failure, Whiteboard: [psm-assigned])
Attachments
(1 file)
Only seems to affect 101+. Didn't we change something around that recently?
https://firefoxci.taskcluster-artifacts.net/ZE8Bf5RBSvyxU4nCPsuntg/0/public/logs/live_backing.log
+ ./xpcshell /home/worker/scripts/genHPKPStaticPins.js /builds/worker/data/PreloadedHPKPins.json /builds/worker/data/StaticHPKPins.h.out
JavaScript error: /home/worker/scripts/genHPKPStaticPins.js, line 246: Error: ERROR: couldn't parse Chrome certificate file line: 1650844800
+ echo 'HPKP preload list generation failed'
HPKP preload list generation failed
+ exit 54
Comment 1 • 2 years ago (Reporter)
Bug 1764424 is what I was thinking of.
Comment 2 • 2 years ago (Reporter)
Looks like there was a recent upstream change:
https://chromium.googlesource.com/chromium/src/+/f12eac9342eb88971851d46e31c97af8c2c27c87
Comment 3 • 2 years ago (Reporter)
Yeah, looks related to the newly-added timestamp in that commit:
diff --git a/net/http/transport_security_state_static.pins b/net/http/transport_security_state_static.pins
index b7d22a05..a83b411 100644
--- a/net/http/transport_security_state_static.pins
+++ b/net/http/transport_security_state_static.pins
@@ -43,6 +43,10 @@
# hash function for preloaded entries again (we have already done so once).
#
+# Last updated: 2022-04-25 00:00 UTC
+PinsListTimestamp
+1650844800
+
TestSPKI
sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
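Review bot: The value line under the new PinsListTimestamp entry is a bare decimal number (1650844800), unlike the sha256/ value under TestSPKI, and nothing in the hunk says the entry is metadata rather than a pin or that the number is seconds since the Unix epoch. Please add a header comment describing this entry type and its value format so that consumers of the file know to special-case it. The "# Last updated:" comment and the number are also two copies of the same value, so the comment should say they must be changed together.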
Comment 4 • 2 years ago (Assignee)
Chrome's transport_security_state_static.pins (used by Gecko to glean static
pinning information) recently added a timestamp to note its creation time.
This patch updates genHPKPStaticPins.js to handle the timestamp's presence by
ignoring it.
This also removes the obsolete security/manager/tools/genHPKPStaticPins.js.
The canonical version of that file is
taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js.
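A minimal parser for the pins-file layout visible in the diff above (a name line followed by a sha256/ hash or, for PinsListTimestamp, a bare number), added here as an example and not the genHPKPStaticPins.js code. The names parsePinsFile and allowTimestamp, the PEM certificate form and the ExampleCA entry are assumptions; with allowTimestamp set to false the parser stops on 1650844800 in the same way as the failure in the log.

```javascript
// Added example, not Mozilla's genHPKPStaticPins.js; all names here are hypothetical.
const BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
const END_CERT = "-----END CERTIFICATE-----";

function parsePinsFile(text, { allowTimestamp = true } = {}) {
  const pins = new Map(); // entry name -> { kind, value }
  let timestamp = null;   // seconds since the Unix epoch, if present
  let name = null;        // entry name still waiting for its value
  let pem = null;         // base64 lines collected inside a PEM block
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (pem !== null) {
      if (line !== END_CERT) { pem.push(line); continue; }
      pins.set(name, { kind: "cert", value: pem.join("") });
      name = pem = null;
    } else if (line === "" || line.startsWith("#")) {
      continue; // blank lines and comments carry no data
    } else if (name === null) {
      name = line; // first data line of an entry is its name
    } else if (allowTimestamp && name === "PinsListTimestamp") {
      // Metadata entry: a bare decimal number, not a hash or certificate.
      if (!/^\d+$/.test(line)) throw new Error(`bad timestamp: ${line}`);
      timestamp = Number(line);
      name = null;
    } else if (line.startsWith("sha256/")) {
      pins.set(name, { kind: "sha256", value: line.slice("sha256/".length) });
      name = null;
    } else if (line === BEGIN_CERT) {
      pem = [];
    } else {
      throw new Error(`couldn't parse pins file line: ${line}`);
    }
  }
  if (name !== null) throw new Error(`entry ${name} has no value`);
  return { timestamp, pins };
}

// Constructed sample: first entries as in the diff; the PEM body is a placeholder.
const SAMPLE = `# Last updated: 2022-04-25 00:00 UTC
PinsListTimestamp
1650844800
TestSPKI
sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
ExampleCA
${BEGIN_CERT}
Q09OU1RSVUNURUQ=
${END_CERT}
`;
console.log(new Date(parsePinsFile(SAMPLE).timestamp * 1000).toISOString()); // 2022-04-25T00:00:00.000Z
```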
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3b050bb98ee0
handle PinsListTimestamp entry in Chrome's static pinning list r=jschanck DONTBUILD
Comment 6 • 2 years ago (Reporter)
bugherder uplift
Comment 9 • 2 years ago (Reporter)
Verified with today's runs, thanks!