Remove marketplace test cert

RESOLVED FIXED in mozilla22

Status

P1
normal
RESOLVED FIXED
6 years ago
10 months ago

People

(Reporter: briansmith, Assigned: briansmith)

Tracking

unspecified
mozilla22
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking-b2g:tef+, b2g18 fixed, b2g18-v1.0.0 affected, b2g18-v1.0.1 fixed)

Details

(Whiteboard: [target:3/8/2013][qa-])

Attachments

(1 attachment)

+++ This bug was initially created as a clone of Bug #822944 +++
+++ This bug was initially created as a clone of Bug #772365 +++

In bug 822944, we will add the marketplace production cert. In this bug, we will remove the test cert. There will be a short period of time when both certificates are trusted, to maximize the flexibility in doing the migration on the server side.
Assignee: nobody → bsmith

Updated

6 years ago
No longer depends on: 819053
Whiteboard: [target 28/2]
Same rationale as - https://bugzilla.mozilla.org/show_bug.cgi?id=822944#c14. We aren't getting this done by 2/28.
Whiteboard: [target 28/2]
(In reply to Jason Smith [:jsmith] from comment #1)
> Same rationale as - https://bugzilla.mozilla.org/show_bug.cgi?id=822944#c14.
> We aren't getting this done by 2/28.

Making tef? so that we can either decide this is not a blocker, or know we missed the deadline.
blocking-b2g: tef+ → tef?
(In reply to Milan Sreckovic [:milan] from comment #2)
> (In reply to Jason Smith [:jsmith] from comment #1)
> > Same rationale as - https://bugzilla.mozilla.org/show_bug.cgi?id=822944#c14.
> > We aren't getting this done by 2/28.
> 
> Making tef? so that we can either decide this is not a blocker, or know we
> missed the deadline.

We basically have to do this. Leaving this in creates a problem where we can allow privileged apps with the test cert, which is a security problem.
Then I'm confused - the comment 3 says "we aren't getting this done by 2/28", and the comment 5 says "we basically have to do this".  Which one is it?
(In reply to Milan Sreckovic [:milan] from comment #4)
> Then I'm confused - the comment 3 says "we aren't getting this done by
> 2/28", and the comment 5 says "we basically have to do this".  Which one is
> it?

Both. We can't do it by 2/28 because of MWC demos using marketplace signed packaged apps. We have to do this for the reasons mentioned in comment 3.
OK, you're assuming that we can miss the 2/28 deadline and still have the code show up in the build.  That may very well end up happening, but it's dangerous to get used to that. When would it get done?
(In reply to Milan Sreckovic [:milan] from comment #6)
> OK, you're assuming that we can miss the 2/28 deadline and still have the
> code show up in the build.  That may very well end up happening, but it's
> dangerous to get used to that. When would it get done?

This was already discussed on b2g-release-drivers. I agree it is bad but it is a special case. I suggest we keep discussing it in b2g-release-drivers if we are worried about it.

Comment 8

6 years ago
(In reply to Jason Smith [:jsmith] from comment #5)
> (In reply to Milan Sreckovic [:milan] from comment #4)
> > Then I'm confused - the comment 3 says "we aren't getting this done by
> > 2/28", and the comment 5 says "we basically have to do this".  Which one is
> > it?
> 
> Both. We can't do it by 2/28 because of MWC demos using marketplace signed
> packaged apps. We have to do this for the reasons mentioned in comment 3.

Jason called out this risk ahead of 2/28. We'll leave this on tef+ and call out the fact that this work isn't yet complete in our rollup to partners.
blocking-b2g: tef? → tef+
Wil mentions he'll be targeting getting the resigning of packaged apps done with the production cert by this Thursday. If all goes to plan and nothing blows up, we should target a fix for this on Friday - 3/8/2013.

Updated

6 years ago
Whiteboard: [target:3/8/2013]
(In reply to Jason Smith [:jsmith] from comment #9)
> Wil mentions he'll be targeting getting the resigning of packaged apps done
> with the production cert by this Thursday. If all goes to plan and nothing
> blows up, we should target a fix for this on Friday - 3/8/2013.

Did things go as planned?
(In reply to Andrew Overholt [:overholt] from comment #10)
> (In reply to Jason Smith [:jsmith] from comment #9)
> > Wil mentions he'll be targeting getting the resigning of packaged apps done
> > with the production cert by this Thursday. If all goes to plan and nothing
> > blows up, we should target a fix for this on Friday - 3/8/2013.
> 
> Did things go as planned?

Yessir, packaged apps were resigned with the new cert and installed successfully on the device.
Awesome, sounds like we're ready to remove the test cert now?
thumbs up from me
Brian, are you still the best assignee here?
Flags: needinfo?(bsmith)
Created attachment 724773
Remove trust from the Firefox Marketplace test cert

Honza, in another bug I added the production cert and left the test cert, to facilitate the transition from the test cert to the production cert. This bug is about removing the test cert so that we only trust the production cert.
Attachment #724773 - Flags: review?(honzab.moz)
Flags: needinfo?(bsmith)
Attachment #724773 - Flags: review?(honzab.moz) → review+
https://hg.mozilla.org/mozilla-central/rev/34ca09eff02d
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22

Updated

6 years ago
Whiteboard: [target:3/8/2013] → [target:3/8/2013][qa-]
Blocks: 957451

Updated

10 months ago
Product: Core → Core Graveyard