Closed Bug 1771523 Opened 2 years ago Closed 2 years ago

Add Telemetry Probe for the signatures present on addons

Categories

(Core :: Security: PSM, enhancement, P3)

Tracking

RESOLVED FIXED
103 Branch
Tracking Status
firefox-esr91 --- fixed
firefox102 --- fixed
firefox103 --- fixed

People

(Reporter: djackson, Assigned: djackson)

Details

Attachments

(2 files)

Mozilla has signed addons with both PKCS#7 signatures and COSE signatures since 2019. This probe records the outcome of this verification and which signatures were present. This lets us know whether we can deprecate the PKCS#7 signature entirely.

Attachment #9278795 - Flags: data-review?(chutten)

Comment on attachment 9278795 [details]
data-review-addon-signature.md

DATA COLLECTION REVIEW RESPONSE:

Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?

Yes.

Is there a control mechanism that allows the user to turn the data collection on and off?

Yes. This collection is Telemetry so can be controlled through Firefox's Preferences.

If the request is for permanent data collection, is there someone who will monitor the data over time?

Yes, Dennis Jackson is responsible.

Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?

Category 1, Technical.

Is the data collection request for default-on or default-off?

Default on for all channels.

Does the instrumentation include the addition of any new identifiers?

No.

Is the data collection covered by the existing Firefox privacy notice?

Yes.

Does the data collection use a third-party collection tool?

No.


Result: datareview+

Attachment #9278795 - Flags: data-review?(chutten) → data-review+

Pushed by djackson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d6e40ddd6505
Add telemetry probe for app signature verification outcomes. r=keeler

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

Comment on attachment 9278510 [details]
Bug 1771523 - Add telemetry probe for app signature verification outcomes. r=keeler

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This patch adds telemetry which is needed to support decision making about changes to addon signing. It has been approved for release channels by Data.
  • User impact if declined: Without this information, we can't make a decision about deprecating RSA PKCS#7 addon signatures.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch adds telemetry only and has been running in Nightly.
Attachment #9278510 - Flags: approval-mozilla-esr91?
Attachment #9278510 - Flags: approval-mozilla-esr102?
Attachment #9278510 - Flags: approval-mozilla-esr102? → approval-mozilla-beta?

Comment on attachment 9278510 [details]
Bug 1771523 - Add telemetry probe for app signature verification outcomes. r=keeler

Approved for 102 beta 7, thanks.

Attachment #9278510 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9278510 [details]
Bug 1771523 - Add telemetry probe for app signature verification outcomes. r=keeler

Approved for 91.11esr.

Attachment #9278510 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+