Closed Bug 841135 Opened 9 years ago Closed 9 years ago

Remove marketplace test cert

Categories

(Core Graveyard :: DOM: Apps, defect, P1)

defect

Tracking

(blocking-b2g:tef+, b2g18 fixed, b2g18-v1.0.0 affected, b2g18-v1.0.1 fixed)

RESOLVED FIXED
mozilla22
blocking-b2g tef+
Tracking Status
b2g18 --- fixed
b2g18-v1.0.0 --- affected
b2g18-v1.0.1 --- fixed

People

(Reporter: briansmith, Assigned: briansmith)

References

Details

(Whiteboard: [target:3/8/2013][qa-])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #822944 +++
+++ This bug was initially created as a clone of Bug #772365 +++

In bug 822944, we will add the marketplace production cert. In this bug, we will remove the test cert. There will be a short period of time when both certificates are trusted, to maximize the flexibility in doing the migration on the server side.
Assignee: nobody → bsmith
No longer depends on: 819053
Whiteboard: [target 28/2]
Same rationale as - https://bugzilla.mozilla.org/show_bug.cgi?id=822944#c14. We aren't getting this done by 2/28.
Whiteboard: [target 28/2]
(In reply to Jason Smith [:jsmith] from comment #1)
> Same rationale as - https://bugzilla.mozilla.org/show_bug.cgi?id=822944#c14.
> We aren't getting this done by 2/28.

Making tef? so that we can either decide this is not a blocker, or know we missed the deadline.
blocking-b2g: tef+ → tef?
(In reply to Milan Sreckovic [:milan] from comment #2)
> (In reply to Jason Smith [:jsmith] from comment #1)
> > Same rationale as - https://bugzilla.mozilla.org/show_bug.cgi?id=822944#c14.
> > We aren't getting this done by 2/28.
> 
> Making tef? so that we can either decide this is not a blocker, or know we
> missed the deadline.

We basically have to do this. Leaving this in creates a problem where we can allow privileged apps with the test cert, which is a security problem.
Then I'm confused - the comment 3 says "we aren't getting this done by 2/28", and the comment 5 says "we basically have to do this".  Which one is it?
(In reply to Milan Sreckovic [:milan] from comment #4)
> Then I'm confused - the comment 3 says "we aren't getting this done by
> 2/28", and the comment 5 says "we basically have to do this".  Which one is
> it?

Both. We can't do it by 2/28 because of MWC demos using marketplace signed packaged apps. We have do this for the reasons mentioned in comment 3.
OK, you're assuming that we can miss the 2/28 deadline and still have the code show up in the build.  That may very well end up happening, but it's dangerous to get used to that. When would it get done?
(In reply to Milan Sreckovic [:milan] from comment #6)
> OK, you're assuming that we can miss the 2/28 deadline and still have the
> code show up in the build.  That may very well end up happening, but it's
> dangerous to get used to that. When would it get done?

This was already discussed on b2g-release-drivers. I agree it is bad but it is a special case. I suggest we keep discussing it in b2g-release-drivers if we are worried about it.
(In reply to Jason Smith [:jsmith] from comment #5)
> (In reply to Milan Sreckovic [:milan] from comment #4)
> > Then I'm confused - the comment 3 says "we aren't getting this done by
> > 2/28", and the comment 5 says "we basically have to do this".  Which one is
> > it?
> 
> Both. We can't do it by 2/28 because of MWC demos using marketplace signed
> packaged apps. We have do this for the reasons mentioned in comment 3.

Jason called out this risk ahead of 2/28. We'll leave this on tef+ and call out the fact that this work isn't yet complete in our rollup to partners.
blocking-b2g: tef? → tef+
Wil mentions he'll be targeting getting the resigning of packaged apps done with the production cert by this Thursday. If all goes to plan and nothing blows up, we should target a fix for this on Friday - 3/8/2013.
Whiteboard: [target:3/8/2013]
(In reply to Jason Smith [:jsmith] from comment #9)
> Wil mentions he'll be targeting getting the resigning of packaged apps done
> with the production cert by this Thursday. If all goes to plan and nothing
> blows up, we should target a fix for this on Friday - 3/8/2013.

Did things go as planned?
(In reply to Andrew Overholt [:overholt] from comment #10)
> (In reply to Jason Smith [:jsmith] from comment #9)
> > Wil mentions he'll be targeting getting the resigning of packaged apps done
> > with the production cert by this Thursday. If all goes to plan and nothing
> > blows up, we should target a fix for this on Friday - 3/8/2013.
> 
> Did things go as planned?

Yessir, packaged apps were resigned with the new cert and installed successfully on the device.
Awesome, sounds like we're ready to remove the test cert now?
thumbs up from me
Brian, are you still the best assignee here?
Flags: needinfo?(bsmith)
Honza, in another bug I added the production cert and left the test cert, to facilitate the transition from the test cert to the production cert. This bug is about removing the test cert so that we only trust the production cert.
Attachment #724773 - Flags: review?(honzab.moz)
Flags: needinfo?(bsmith)
Attachment #724773 - Flags: review?(honzab.moz) → review+
https://hg.mozilla.org/mozilla-central/rev/34ca09eff02d
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Whiteboard: [target:3/8/2013] → [target:3/8/2013][qa-]
Blocks: 957451
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.