Bug 783638 - (b2g-multi-signatures) [tracking] B2G Updates: Enable MAR security (signing / verification)
: feature
Product: Firefox OS
Classification: Client Software
Component: General
: unspecified
: x86 Mac OS X
P1 normal
Assigned To: Nobody; OK to take it and work on it
Depends on: 792452 793709 795921 797477 798413 798415
Blocks: b2g-v-next b2g-gecko-updates b2g-fota-updates
Reported: 2012-08-17 11:53 PDT by Marshall Culpepper [:marshall_law]
Modified: 2015-04-15 10:41 PDT


Description Marshall Culpepper [:marshall_law] 2012-08-17 11:53:41 PDT
This is a security requirement for Gecko updates in B2G:

There are a number of requirements for this:
1. Build-time MAR verification enablement
2. Custom code and build changes for packaging and reading the signing cert(s). We can probably just package cert(s) directly in /system/b2g, but I'm open to alternatives (right now they are embedded into the updater.exe, but only for Windows).
3. Define MOZ_VERIFY_MAR_SIGNATURE for the various talos configs in b2g/config/mozconfigs
4. Package update-settings.ini into /system/b2g (we will need some more clarification about the proper settings for this file)
Comment 1 Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2012-08-17 12:03:42 PDT
This feels more like a tracking bug but we can at least start the client-side work here.
Comment 2 Marshall Culpepper [:marshall_law] 2012-08-21 17:32:02 PDT
We will need the new B2G update channel IDs to update the various mozconfigs.
Comment 3 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-10-15 13:29:40 PDT
Should we remove bug 799652 and bug 799655 from the depends-on list? I don't think we're going to do either of them soon.
Comment 4 Alex Keybl [:akeybl] 2012-11-07 15:12:58 PST
We're marking this bug with the C1 milestone since it follows the criteria of "unfinished feature work" (see

If this work is not finished by Nov 19, this bug will need an exception and will be called out at the upcoming Exec Review.
Comment 5 Dietrich Ayala (:dietrich) 2012-11-08 15:15:37 PST
Is this a meta-bug, or will any work actually happen in this bug?
Comment 6 Brian R. Bondy [:bbondy] 2012-11-08 15:20:21 PST
Nothing to do here, it's just for tracking.
Comment 7 Dietrich Ayala (:dietrich) 2012-11-09 16:29:26 PST
Thanks. Cleared blocking flag, and confirmed that the bugs that block this one are themselves blockers.
Comment 8 Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2013-02-26 00:08:44 PST
Technology we thought we needed, but until then it's an important tool in our technical tool box.
Comment 9 Brian R. Bondy [:bbondy] 2015-04-15 10:41:44 PDT
Resolving since we have support for this now, but we don't use it. No dependent bugs left.
