Bug 593571 - Support signed updates in Thunderbird
Status: RESOLVED FIXED
Product: Thunderbird
Classification: Client Software
Component: Preferences
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: Thunderbird 17.0
Assigned To: Mark Banner (:standard8)
Depends on: 544442 583408 745536
Reported: 2010-09-04 04:22 PDT by Mark Banner (:standard8)
Modified: 2012-10-11 04:49 PDT


Attachments
The fix (3.17 KB, patch)
2012-08-03 11:56 PDT, Mark Banner (:standard8)
irving: review+
standard8: approval-comm-aurora+
standard8: approval-comm-beta+
standard8: approval-comm-esr10+

Description Mark Banner (:standard8) 2010-09-04 04:22:56 PDT
Bug 583408 added a few default prefs, see that bug and bug 593135 for some of the things we need to pull across.
Comment 1 Robert Strong [:rstrong] (use needinfo to contact me) 2010-09-04 04:28:03 PDT
Hi Mark, I moved this over to preferences since that is all that needs to be added to implement this and it has nothing to do with the installer code.
Comment 2 Mark Banner (:standard8) 2012-08-03 11:56:53 PDT
Created attachment 648795
The fix

This ports the necessary work of the dependent bugs to Thunderbird. Now we're on aus3, this is much easier, as it is just a matter of matching Firefox's prefs.

I've been running with these set manually for a month or so now (and Ludovic also ran for a bit) and it's been fine, so I think we should just get on and do this and make our updates even more secure.

In the patch I also moved a couple of prefs just to match closer the diffs to the ones in the firefox.js file.

I'll be looking to get this into the beta on Tuesday, so that we've a couple of cycles to test it.
Comment 3 :Irving Reid (No longer working on Firefox) 2012-08-03 13:50:40 PDT
Comment on attachment 648795
The fix

Review of attachment 648795:
-----------------------------------------------------------------

The preferences look fine, and my trunk Thunderbird loads without complaint with this patch applied, but there's not much more I can say about it without testing against an update server (beyond just clicking "check for updates" and having it reply "none found", which I did try).

Do you know if the Firefox team has a test harness for this, including servers with bad certificates, incorrectly signed updates, etc.?
Comment 4 Robert Strong [:rstrong] (use needinfo to contact me) 2012-08-03 14:31:50 PDT
These changes are only for the cert attribute check when checking for an update and there are toolkit tests under
http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/test/chrome/

Specifically:
test_0121_check_requireBuiltinCert.xul
test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
test_0123_check_allowNonBuiltinCert_noCertAttrsCheck.xul
test_0131_check_invalidCertAttrs_noUpdate.xul
test_0132_check_invalidCertAttrs_hasUpdate.xul
test_0141_notify_invalidCertAttrs_noUpdate.xul
test_0142_notify_invalidCertAttrs_hasUpdate.xul
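
Added example (not part of this bug, its patch, or Mozilla's code): a simplified model of the kind of certificate attribute check that the test names above exercise. The function name, option names, sample attribute values, and the order of the two checks are assumptions made for illustration.

```javascript
// Added example: a simplified model of an update-server certificate check.
// All names and sample values are hypothetical/constructed, not Mozilla's.

// Constructed pinned attribute sets; a cert must match one entry exactly.
const PINNED_CERTS = [
  { issuerName: 'CN=Example Issuing CA,O=Example CA Inc,C=US',
    commonName: 'updates.example.org' },
  { issuerName: 'CN=Example Backup CA,O=Example Backup Inc,C=US',
    commonName: 'updates.example.org' },
];

// cert: { issuerName, commonName, rootIsBuiltIn } as presented by the server.
// opts.checkAttributes: compare the cert against the pinned attribute sets.
// opts.requireBuiltIn: the chain must end in a root shipped with the app.
function checkUpdateCert(cert, opts, pinned = PINNED_CERTS) {
  if (!cert) return { ok: false, reason: 'no-cert' };
  if (opts.checkAttributes) {
    // Fail closed: an empty pin list or an empty pin entry never matches.
    const matched = pinned.some((pin) => {
      const keys = Object.keys(pin);
      return keys.length > 0 && keys.every((k) => cert[k] === pin[k]);
    });
    if (!matched) return { ok: false, reason: 'invalid-cert-attrs' };
  }
  if (opts.requireBuiltIn && !cert.rootIsBuiltIn) {
    return { ok: false, reason: 'non-builtin-root' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed certs: one matching a pin, one issued by a private CA.
const official = { issuerName: PINNED_CERTS[0].issuerName,
                   commonName: 'updates.example.org', rootIsBuiltIn: true };
const privateCa = { issuerName: 'CN=Corp Internal CA,O=Example Corp',
                    commonName: 'updates.corp.example', rootIsBuiltIn: false };

// Cases mirroring the scenarios named in the test files listed above.
function demo() {
  const run = (cert, checkAttributes, requireBuiltIn) =>
    checkUpdateCert(cert, { checkAttributes, requireBuiltIn });
  return {
    requireBuiltinCert: run(privateCa, false, true),
    allowNonBuiltinValidAttrs: run({ ...official, rootIsBuiltIn: false }, true, false),
    allowNonBuiltinNoAttrsCheck: run(privateCa, false, false),
    invalidCertAttrs: run(privateCa, true, false),
  };
}
console.log(demo());
```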
Comment 5 Mark Banner (:standard8) 2012-08-08 11:46:35 PDT
Checked in: https://hg.mozilla.org/comm-central/rev/8c305d4656a7
Comment 6 Mark Banner (:standard8) 2012-08-08 11:47:53 PDT
Comment on attachment 648795
The fix

[Triage Comment]
I want to deploy this everywhere as an additional security layer for updates.
Comment 8 gabriel 2012-10-11 04:49:54 PDT
Unfortunately, this patch broke updates through our locally hosted Thunderbird ESR update server. See bug 800307.