Closed Bug 824198 Opened 12 years ago Closed 11 years ago

Create a way to add the marketplace-dev and marketplace reviewer certs to the user profile certificate database

Categories

(Marketplace Graveyard :: General, defect, P5)

Product:
Marketplace Graveyard
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: briansmith, Assigned: briansmith)

References

Details

Note that it is important that bug 822943 undoes this before we ship!

I will attach a patch to this bug that adds a pre-generated NSS user database to the Gaia profile so that apps signed by marketplace-dev and apps signed for reviewers will work without any manual configuration by the user.

Again, this needs to be undone before we ship.

The alternative to adding these certs to the default user profile is to have people that need to test marketplace-dev and/or reviewer functionality use the scripts I will attach to this bug to manually modify the user profile's certificate database manually. Krupa is familiar with the older version of this script and I recommend asking her for help if you have trouble doing this.
Why couldn't we just add these prerequisite certs to be enabled in engineering builds only? Basically, enable them only in a debug environment, not a production environment that others testing can still get access to. That way, we can generate custom builds with these certs built in automatically.
(In reply to Jason Smith [:jsmith] from comment #1)
> Why couldn't we just add these prerequisite certs to be enabled in
> engineering builds only? Basically, enable them only in a debug environment,
> not a production environment that others testing can still get access to.
> That way, we can generate custom builds with these certs built in
> automatically.

IMO, that is part of bug 822943, as I think the same argument applies to the marketplace-dev and -staging apps themselves; they should only be present in engineering builds.

I suggest that we land the patch I am about to attach for this now, and then make things conditional based on build flags (engineering vs. prod, or whatever) later.
Moving to the marketplace component. It is better for the Marketplace to hold these certs and scripts since Gecko proper doesn't have any use for them. That way, Marketplace team can update them without being blocked on the Platform or Gaia teams.
Product: Boot2Gecko → Marketplace
Summary: Add the marketplace-dev and marketplace reviewer certs to the user profile certificate database → Create a way to add the marketplace-dev and marketplace reviewer certs to the user profile certificate database
Version: unspecified → 1.0
https://github.com/briansmith/marketplace-certs/commit/c0b4ba9488cc46afaef951c3ac27fa455a3fe7f0

The documentation is in README.txt as an example set of commands to execute which will result in the device trusting the dev public cert and the dev reviewer cert for privileged apps installed from marketplace-dev, along with the normal support for https://marketplace.firefox.com.

I wrote this scripts as building blocks from which I expect that you guys will want to write easier-to-use scripts. Or, maybe you guys will want to hack them apart and do this a completely different way.

Which repository should I integrate this into, and which subdirectory of that repository would you like it in?

rtilder: Any feedback on the details of the implementation?

krupa, jsmith? Were you able to get the scripts to work?
Flags: needinfo?(rtilder)
Flags: needinfo?(krupa.mozbugs)
Flags: needinfo?(jsmith)
(In reply to Antonio Manuel Amaya Calvo from bug 829679 comment 16)
> (In reply to Brian Smith (:bsmith) from bug 829679 comment 15)
> > (In reply to Antonio Manuel Amaya Calvo from bug 829679 comment 14)
> > > Do the change_trusted_servers.sh work for you? Besides not stopping b2g
> > > before modifying the prefs file... I could never get a change in that file
> > > to stick. Whenever I change it it changes back when the process restart.
> > > That's why I ended modifying the /system/b2g/defaults/pref/user.js file
> > > instead.
> > 
> > I did test it out and it worked. But I only tried a couple of times; it is
> > possible I just got lucky in winning some race. I do see how why it is at
> > best unreliable. AFAICT, it would be better to modify my scripts to kill b2g
> > before the modifications are done and then restart it after the
> > modifications are done.
> 
> Strange. I was stopping the process and even so when the process started
> again the changes on that file were sent to the changes heaven. I'll have to
> check that again, thanks.

krupa, rtilder, jsmith, have you tried the scripts yet? If so, did they work or not?
An email from Krupa contained this:

> I tried to install privileged apps from marketplace-dev after installing
> the certs you linked to without much luck. I do not know if I am doing
> anything foolish or if there is a bug here.
>
> Instructions I used:
> ./push_certdb.sh full_unagi marketplace-dev-public-root.der
> * daemon not running. starting it now on port 5037 *
> * daemon started successfully *
> 
> Error message:
> 01-09 22:42:54.554 E/GeckoConsole(  108): Content JS INFO at 
> app://system.gaiamobile.org/js/app_install_manager.js:187 in
> ai_handleDownloadError: downloadError event, error code is INVALID_SIGNATURE
Sorry for taking way too long to get back to you on this.

On Ubuntu, I am successfully installing privileged apps as a reviewer with your scripts. But I was unsuccessful in being able to install a privileged app off of marketplace dev with your scripts.
Flags: needinfo?(jsmith)
Dev certs work fine on the device.
Flags: needinfo?(krupa.mozbugs)
This is months old - is there still work to be done here?  What's next?
Priority: -- → P5
we still need certs for stage but that is being tracked at bug 877531. So, I'm closing this bug as fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Flags: needinfo?(rtilder)
You need to log in before you can comment on or make changes to this bug.