663055 - Mozilla nightly builds are not code signed

Status: RESOLVED DUPLICATE of bug 509158

(Release Engineering :: General, defect, P3)

Description

[Anthony Penta]

User-Agent:       Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Build Identifier: 7.0a1

Mozilla products that offer nightly builds (firefox, thunderbird, etc) are not code signed. Code signing offers protection from tampering and make the nature of these nightly builds clear when the show up hosted on non-mozilla web properties.

Reproducible: Always

Steps to Reproduce:
1. Download nightly build
2. it's not code signed


Actual Results:  
downloaded file is not code signed

Expected Results:  
Mozilla ought to code sign all distributed installers/apps

Comment 1

[bhearsum@mozilla.com (:bhearsum)]

Yep. This is conscious decision. If you think this is really important, please start a discussion in the mozilla.dev.planning newsgroup, and re-open this bug if it results in consensus.

Comment 2

[Asa Dotzler [:asa]]

This is still being debated. You can follow along or join that conversation here: http://groups.google.com/group/mozilla.dev.planning/browse_thread/thread/16a26afbedf97637/#

Comment 3

[Brian R. Bondy [:bbondy]]

One possible use case for signing Nightly builds is for bug 481815 (Provide a Windows service to update applications).

The service currently runs udpater.exe to perform an actual update.  
It would be nice to check that updater.exe is signed by us before executing it.
 
This extra check is not currently being implemented because Nightly builds are not signed by us.
I don't think this is a security blocker as you need to be an elevated process to replace updater.exe in our Program Files directory.

Since silent updates will not have a UAC prompt soon, it would be nice to have this extra check on behalf of a user who normally clicks to elevate.

Comment 4

[Brian R. Bondy [:bbondy]]

It seems a core security part of bug 481815 (P1) will depend on using signed bins.
To ensure testing on Nightly and Aurora first this makes this bug very important.

Otherwise bug 481815 would check the signed bin and fail on that check and would not use the service for updates.  So the task would only be tested once it reached a build with a signed bin by us.  Since bug 481815  is directly related to the update process, this is something that should get testing on Aurora and Nightly. 

I was wondering if you guys knew who could work on this or how we could move it along faster?
It is fine by me if we used a different certificate for Aurora and Nightly but I'd like it if Beta used the same certificate as the Release so there are no surprises on release day (I think Beta/Release signing is already the case).

All of this only matters to me in Windows using authenticode certificates as bug 481815 is only for Windows.

Comment 5

[Chris AtLee [:catlee]]

We're hoping to have the signing-on-demand done by the end of Q4. That should allow us to have a separate nightly signing server where we can sign windows nightlies with a different cert.

Comment 6

[Lawrence Mandel [:lmandel] (use needinfo)]

Chris, given the focus on Firefox updates and the need to get the change for bug 481815 landed is there anything your team can do to move up this work to earlier in 4Q?

Comment 7

[Chris AtLee [:catlee]]

(In reply to Lawrence Mandel [:lmandel] from comment #6)
> Chris, given the focus on Firefox updates and the need to get the change for
> bug 481815 landed is there anything your team can do to move up this work to
> earlier in 4Q?

It's my priority right now, but realistically I don't see this happening before late November.

Comment 8

[bhearsum@mozilla.com (:bhearsum)]

We ended up doing this work in bug 509158.

Comment 9

[Steffen Wilberg]

Duping to the correct bug 509158 per comment 8.