Support signed updates in Thunderbird

RESOLVED FIXED in Thunderbird 17.0

Status

Thunderbird
Preferences
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: standard8, Assigned: standard8)

Tracking

Trunk
Thunderbird 17.0

Thunderbird Tracking Flags

(thunderbird15+ fixed, thunderbird16+ fixed, thunderbird-esr1015+ fixed)

Attachments

(1 attachment)

(Assignee)

Description

7 years ago
Bug 583408 added a few default prefs, see that bug and bug 593135 for some of the things we need to pull across.
Hi Mark, I moved this over to preferences since that is all that needs to be added to implement this and it has nothing to do with the installer code.
Component: Installer → Preferences
QA Contact: installer → preferences
(Assignee)

Updated

5 years ago
Depends on: 745536
(Assignee)

Updated

5 years ago
Assignee: nobody → mbanner
(Assignee)

Comment 2

5 years ago
Created attachment 648795 [details] [diff] [review]
The fix

This ports the necessary work of the dependent bugs to Thunderbird. Now we're on aus3, this is much easier, as it is just a matter of matching Firefox's prefs.

I've been running with these set manually for a month or so now (and Ludovic also ran for a bit) and it's been fine, so I think we should just get on and do this and make our updates even more secure.

In the patch I also moved a couple of prefs just to match closer the diffs to the ones in the firefox.js file.

I'll be looking to get this into the beta on Tuesday, so that we've a couple of cycles to test it.
Attachment #648795 - Flags: review?(irving)
(Assignee)

Updated

5 years ago
tracking-thunderbird15: --- → +
tracking-thunderbird16: --- → +
tracking-thunderbird-esr10: --- → 15+
Comment on attachment 648795 [details] [diff] [review]
The fix

Review of attachment 648795 [details] [diff] [review]:
-----------------------------------------------------------------

The preferences look fine, and my trunk Thunderbird loads without complaint with this patch applied, but there's not much more I can say about it without testing against an update server (beyond just clicking "check for updates" and having it reply "none found", which I did try).

Do you know if the Firefox team has a test harness for this including servers with bad certificates, incorrectly signed updates, etc?
Attachment #648795 - Flags: review?(irving) → review+
These changes are only for the cert attribute check when checking for an update and there are toolkit tests under
http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/test/chrome/

Specifically:
test_0121_check_requireBuiltinCert.xul
test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
test_0123_check_allowNonBuiltinCert_noCertAttrsCheck.xul
test_0131_check_invalidCertAttrs_noUpdate.xul
test_0132_check_invalidCertAttrs_hasUpdate.xul
test_0141_notify_invalidCertAttrs_noUpdate.xul
test_0142_notify_invalidCertAttrs_hasUpdate.xul
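
The outcomes those test names refer to (built-in root required, non-built-in allowed with valid attributes, attribute check disabled, invalid attributes), as an added JavaScript sketch that is not part of this bug thread and not Mozilla's code. The function, field names and certificate data are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Mozilla's code. Names are hypothetical and echo the
// test file names listed above; all certificate data is constructed.

// Decide whether the TLS certificate seen on an update check is acceptable.
function checkUpdateCert(cert, policy) {
  // requireBuiltinCert: the chain must end at a root shipped with the app.
  if (policy.requireBuiltIn && !cert.rootIsBuiltIn) {
    return { ok: false, reason: "root-not-builtin" };
  }
  // noCertAttrsCheck: attribute pinning is switched off.
  if (!policy.checkAttributes) {
    return { ok: true, reason: "attrs-not-checked" };
  }
  // validCertAttrs / invalidCertAttrs: every attribute of at least one pinned
  // entry must equal the certificate's value. Empty entries never match, so a
  // misconfigured pin list fails closed.
  const matches = policy.pinned.some((entry) => {
    const attrs = Object.keys(entry);
    return attrs.length > 0 && attrs.every((a) => cert[a] === entry[a]);
  });
  return matches
    ? { ok: true, reason: "attrs-match" }
    : { ok: false, reason: "attrs-mismatch" };
}

// Constructed policy: built-in root required, one pinned issuer/name pair.
const shippedPolicy = {
  requireBuiltIn: true,
  checkAttributes: true,
  pinned: [{ issuerName: "CN=Example Public CA,C=US", commonName: "updates.example.org" }],
};

// Constructed certificates as the client would see them.
const sampleCerts = {
  official: { issuerName: "CN=Example Public CA,C=US", commonName: "updates.example.org", rootIsBuiltIn: true },
  otherPublicCa: { issuerName: "CN=Another Public CA,C=US", commonName: "updates.example.org", rootIsBuiltIn: true },
  selfHosted: { issuerName: "CN=Corp Internal CA", commonName: "updates.corp.example", rootIsBuiltIn: false },
};

// Evaluate every sample certificate under a policy; returns name -> reason.
function evaluateSamples(policy) {
  const out = {};
  for (const [name, cert] of Object.entries(sampleCerts)) {
    out[name] = checkUpdateCert(cert, policy).reason;
  }
  return out;
}

console.log(evaluateSamples(shippedPolicy));
```

In this model a certificate for the right host name issued by a different public CA is rejected, which is what the attribute check adds on top of ordinary TLS validation. A server with an internally issued certificate is rejected as well until the policy is changed to allow a non-built-in root and pin that server's attributes.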
(Assignee)

Comment 5

5 years ago
Checked in: https://hg.mozilla.org/comm-central/rev/8c305d4656a7
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Target Milestone: --- → Thunderbird 17.0
(Assignee)

Comment 6

5 years ago
Comment on attachment 648795 [details] [diff] [review]
The fix

[Triage Comment]
I want to deploy this everywhere as an additional security layer for updates.
Attachment #648795 - Flags: approval-comm-esr10+
Attachment #648795 - Flags: approval-comm-beta+
Attachment #648795 - Flags: approval-comm-aurora+
(Assignee)

Comment 7

5 years ago
Checked in:

https://hg.mozilla.org/releases/comm-aurora/rev/f64150ef70df
https://hg.mozilla.org/releases/comm-beta/rev/e1a2535b2646
https://hg.mozilla.org/releases/comm-esr10/rev/1d4617eeb9bd
status-thunderbird15: --- → fixed
status-thunderbird16: --- → fixed
status-thunderbird-esr10: --- → fixed

Comment 8

5 years ago
Unfortunately, this patch broke updates through our locally hosted Thunderbird ESR update server. See bug 800307.