Include marketplace-dev app signing cert in B2G Eng builds

NEW
Unassigned

Status

Firefox OS
Gaia
5 years ago
2 years ago

People

(Reporter: briansmith, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

+++ This bug was initially created as a clone of Bug #855143 +++

AFAICT, the steps required are:

1. The B2G build system must pass a flag to the Gecko build process indicating that the Gecko build is an Eng build.
2. security/build/b2g-certdata.mk needs to be modified to add the marketplace-dev cert to the build if and only if that flag is set.
3. security/manager/ssl/tests/unit/test_signed_apps-marketplace.js needs to be modified to test that the marketplace-dev cert is trusted on Eng builds and to test that the marketplace-dev cert is NOT trusted on production builds.
4. There is some pref that I forget the name of that controls which domain names signed apps may be signed from. It needs to be modified to include both https://marketplace.firefox.com and https://marketplace-dev.allizom.org (.com?).
(In reply to Brian Smith (:bsmith) from comment #1)
> 4. There is some pref that I forget the name of that controls which domain
> names signed apps may be signed from. It needs to be modified to include
> both https://marketplace.firefox.com and https://marketplace-dev.allizom.org
> (.com?).

This is dom.mozApps.signed_apps_installable_from
Brian / Fabrice, 
  quick question here is that i have been able to generate self signed certificates, however the format is not the same as b2g-certdata.txt. 
  I have create private keys, pem files, but I think what i need to create is a certificate object file ? Could you provide some guidance as to hwo the cert was created. 
  My thought is we need to install one of these for testing, so for the test eng build will need to add to this list. 
  Also need to make sure it is the same public key hanging off of the mochi.test domain. I imagine this cert data is contained somewhere within gecko/build/pgo
(resubmitting) 

Brian / Fabrice, 
 
Quick question: I am trying to create signed packages and verify them against a cert. Similar to how the marketplace is delivering apps onto devices. I have been able to generate self signed certificates, however the format is not the same as b2g-certdata.txt. 

I have created private keys, pem files, but I think what i need to create
is a certificate object file ? Could you provide some guidance as to how the
cert was created. 

My thought is that we need one certificate for dev-marketplace, but we also need a second certificate which can be used for testing. 

Below should be a question: 

Do we ever verify the certificate installed on the b2g device is matched with a domain name.  Or is the assumption that the cert is considered valid by virtue of being in a read only location on the device.
Component: Builds → Gaia
(In reply to dclarke@mozilla.com  [:onecyrenus] from comment #4)
> Quick question: I am trying to create signed packages and verify them
> against a cert. Similar to how the marketplace is delivering apps onto
> devices. I have been able to generate self signed certificates, however the
> format is not the same as b2g-certdata.txt. 
> 
> I have created private keys, pem files, but I think what i need to create
> is a certificate object file ? Could you provide some guidance as to how the
> cert was created. 
> 
> My thought is that we need one certificate for dev-marketplace, but we also
> need a second certificate which can be used for testing. 
> 
> Below should be a question: 
> 
> Do we ever verify the certificate installed on the b2g device is matched
> with a domain name.  Or is the assumption that the cert is considered valid
> by virtue of being in a read only location on the device.

We assume that any/all certificates are valid for any/all marketplaces that are enabled for the device. We don't have a mapping between certificates and marketplace hostnames.

security/manager/ssl/tests/unit/test_signed_apps.js shows how to add a temporary cert. That only works for B2G and (kinda) Android. You need the cert in binary DER form, not PEM, IIRC.
Brian, 
  Sorry this was an old question i should have updated the bug. I think we just need to get the public cert for marketplace-dev.
Unless it turns into a huge time sink I'm hoping to add the dev cert in bug 855143
You need to log in before you can comment on or make changes to this bug.