1769058 - Periodic update permafailures due to failure parsing Chrome certificate file during HPKP update

Status: VERIFIED FIXED

(Core :: Security: PSM, defect, P1)

Description

[Ryan VanderMeulen [:RyanVM]]

Only seems to affect 101+. Didn't we change something around that recently?
https://firefoxci.taskcluster-artifacts.net/ZE8Bf5RBSvyxU4nCPsuntg/0/public/logs/live_backing.log

+ ./xpcshell /home/worker/scripts/genHPKPStaticPins.js /builds/worker/data/PreloadedHPKPins.json /builds/worker/data/StaticHPKPins.h.out
JavaScript error: /home/worker/scripts/genHPKPStaticPins.js, line 246: Error: ERROR: couldn't parse Chrome certificate file line: 1650844800
+ echo 'HPKP preload list generation failed'
HPKP preload list generation failed
+ exit 54

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Bug 1764424 is what I was thinking of.

Comment 2

[Ryan VanderMeulen [:RyanVM]]

Looks like there was a recent upstream change:
https://chromium.googlesource.com/chromium/src/+/f12eac9342eb88971851d46e31c97af8c2c27c87

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Yeah, looks related to the newly-added timestamp in that commit:

diff --git a/net/http/transport_security_state_static.pins b/net/http/transport_security_state_static.pins
index b7d22a05..a83b411 100644
--- a/net/http/transport_security_state_static.pins
+++ b/net/http/transport_security_state_static.pins

@@ -43,6 +43,10 @@
 #   hash function for preloaded entries again (we have already done so once).
 #
 
+# Last updated: 2022-04-25 00:00 UTC
+PinsListTimestamp
+1650844800
+
 TestSPKI
 sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Attachment: Bug 1769058 - handle PinsListTimestamp entry in Chrome's static pinning list r?jschanck

Chrome's transport_security_state_static.pins (used by Gecko to glean static
pinning information) recently added a timestamp to note its creation time.
This patch updates genHPKPStaticPins.js to handle the timestamp's presence by
ignoring it.
This also removes the obsolete security/manager/tools/genHPKPStaticPins.js.
The canonical version of that file is
taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js.

Comment 5

[Pulsebot]

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3b050bb98ee0
handle PinsListTimestamp entry in Chrome's static pinning list r=jschanck DONTBUILD

Comment 6

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/2368bd4ab5e1

Comment 7

[bszekely]

https://hg.mozilla.org/mozilla-central/rev/3b050bb98ee0

Comment 8

[Intermittent Failures Robot]

2 failures in 3317 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-beta: 1
• mozilla-central: 1

Platform and build breakdown:

• linux64: 2
  • opt: 2

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1769058&startday=2022-05-09&endday=2022-05-15&tree=all

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Verified with today's runs, thanks!