Open Bug 1792954 Opened 2 years ago Updated 2 years ago

Change signature verification order for MV2, drop RSA for MV3+

Categories

(Toolkit :: Add-ons Manager, enhancement, P2)

People

(Reporter: TheOne, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [addons-jira])

Add-ons have been (co-)signed using RSA and COSE for a long time.

For MV2 add-ons, we want to change the order of signature verification to the following:

  1. Check COSE
    a) If it succeeds, DONE
    b) If it is invalid, FAIL
    c) If it is non-existent, go to 2
  2. Check RSA
    a) If it succeeds, DONE
    b) If it is invalid, FAIL
    c) If it is non-existent, FAIL
    d) If SHA1 is disabled, FAIL

For MV3 add-ons, we will use a simplified process that no longer uses RSA:

  1. Check COSE
    a) If it succeeds, DONE
    b) If it is invalid or non-existent, FAIL

See Also: → 1471186
Blocks: 1682613
See Also: → 1772152

We don't need to tie this to MV3. This can be done as:

1) Check COSE first
    a) If it succeeds, DONE
    b) If it is invalid, FAIL
    c) If it is non-existent, go to 2
2) Check RSA
    a) If RSA is disabled in Firefox, FAIL
    b) If it succeeds, DONE
    c) If it is invalid, FAIL
    d) If it is non-existent, FAIL

We will need to make this change in Firefox, then send the email[1] with a target version where RSA is disabled. After that, stop adding that signature in AMO.

[1] https://github.com/mozilla/addons-server/blob/f73f923058200520d135d8915f87c4d4478e1c26/src/olympia/lib/crypto/tasks.py#L25

Severity: -- → N/A
Priority: -- → P2

(In reply to Shane Caraveo (:mixedpuppy) from comment #1)

> We don't need to tie this to MV3. This can be done as:
>
> 1) Check COSE first
>     a) If it succeeds, DONE
>     b) If it is invalid, FAIL
>     c) If it is non-existent, go to 2
> 2) Check RSA
>     a) If RSA is disabled in Firefox, FAIL
>     b) If it succeeds, DONE
>     c) If it is invalid, FAIL
>     d) If it is non-existent, FAIL
>
> We will need to make this change in Firefox, then send the email[1] with a target version where RSA is disabled. After that, stop adding that signature in AMO.
>
> [1] https://github.com/mozilla/addons-server/blob/f73f923058200520d135d8915f87c4d4478e1c26/src/olympia/lib/crypto/tasks.py#L25

The reason to tie this to MV3 is that we can safely remove RSA as soon as we remove MV2. John expressed the desire to remove RSA sooner rather than later. Alternatively, we could not sign MV3 add-ons with RSA from the start, so that this condition isn't needed in Firefox.
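Added example, not part of the bug thread and not Firefox's Add-ons Manager code: the verification orders proposed in the description and in comment #1, modelled as one decision function and run over every combination of COSE and RSA outcomes. All names (`verify`, `policyByManifest`, `policyBySwitch`, `rsaAllowed`) are hypothetical, and the SHA1 and RSA switches are assumed to be plain booleans.

```javascript
"use strict";
// Added illustration; all names are hypothetical, not Firefox's code.
// Each signature check is modelled as one of three outcomes.
const VALID = "valid", INVALID = "invalid", ABSENT = "absent";
const STATES = [VALID, INVALID, ABSENT];

// Description's proposal: MV2 may fall back to RSA (unless SHA1 is disabled),
// MV3+ is COSE-only.
function policyByManifest(manifestVersion, sha1Enabled) {
  return { rsaAllowed: manifestVersion < 3 && sha1Enabled };
}

// Comment #1's proposal: one flow for every add-on, gated by a single switch
// (assumed here to be a boolean).
function policyBySwitch(rsaEnabled) {
  return { rsaAllowed: rsaEnabled };
}

function verify(sig, policy) {
  for (const s of [sig.cose, sig.rsa]) {
    if (!STATES.includes(s)) throw new TypeError(`unknown state: ${s}`);
  }
  if (sig.cose === VALID) return { ok: true, via: "COSE" };
  // A present-but-invalid COSE signature is terminal: falling through to RSA
  // here would let a valid RSA signature override a failed COSE check.
  if (sig.cose === INVALID) return { ok: false, reason: "COSE invalid" };
  if (!policy.rsaAllowed) return { ok: false, reason: "no COSE, RSA not accepted" };
  if (sig.rsa === VALID) return { ok: true, via: "RSA" };
  return { ok: false, reason: `RSA ${sig.rsa}` };
}

// Enumerate all nine (cose, rsa) combinations and list the accepted ones.
function accepted(policy) {
  const out = [];
  for (const cose of STATES) {
    for (const rsa of STATES) {
      const r = verify({ cose, rsa }, policy);
      if (r.ok) out.push(`${cose}/${rsa}:${r.via}`);
    }
  }
  return out;
}

console.log("MV2, SHA1 on:", accepted(policyByManifest(2, true)));
console.log("MV3:", accepted(policyByManifest(3, true)));
console.log("RSA switched off:", accepted(policyBySwitch(false)));
```

Under every policy the only RSA-accepted combination is "COSE absent, RSA valid", and with RSA switched off the comment #1 flow accepts exactly the same set as the MV3 flow in the description.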
