Closed
Bug 1951564
Opened 15 days ago
Closed 2 days ago
only use content signatures for gmp update verification
Categories
(Core :: Audio/Video: GMP, task)
RESOLVED DUPLICATE of bug 1886799
People
(Reporter: bhearsum, Unassigned)
Details
In https://bugzilla.mozilla.org/show_bug.cgi?id=1760527 and https://bugzilla.mozilla.org/show_bug.cgi?id=1714621 we switched from using certificate pinning to content signature verification as part of pulling updated GMP plugins from Balrog (aus5.mozilla.org). However, there is still code that can fall back to certificate pinning. This is unfortunate, because the intermediate certificate we pin to is from a root that expires in 2026. We need to renew the aus5.mozilla.org certificate in the next few months, and it is not yet clear if we can get a cert from the pinned root.
We should remove the certificate pinning fallback code, and always require content signature verification as our means of validating the updates.