Closed
Bug 906466
Opened 11 years ago
Closed 11 years ago
Updates not properly signed on the nightly-ux branch: Certificate did not match issuer or name.
Categories
(Release Engineering :: General, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: steffen.wilberg, Assigned: bhearsum)
References
Details
Attachments
(3 files)
2.27 KB,
patch
|
catlee
:
review+
nthomas
:
checked-in+
|
Details | Diff | Splinter Review |
13.86 KB,
patch
|
catlee
:
review+
nthomas
:
checked-in+
|
Details | Diff | Splinter Review |
880 bytes,
patch
|
robert.strong.bugs
:
review+
bhearsum
:
feedback+
bhearsum
:
checked-in+
|
Details | Diff | Splinter Review |
The UX nightly is not properly signed. It therefore can't use the Maintenance Service to prevent the Windows UAC prompt.
This is from my C:\ProgramData\Mozilla\logs\maintenanceservice.log:
Executing service command software-update, ID: bab8956f-0c60-4b2f-bcd4-0f4c592852fa
Passed in path: 'C:\Users\Steffen\AppData\Local\Mozilla\updates\253E8F7686B240C5\updates\0\updater.exe'; Using this path for updating: 'C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe'.
updater.exe was compared successfully to the installation directory updater.exe.
The updater.exe application contains the Mozilla updater identity.
*** Warning: Certificate did not match issuer or name. (1168)***
*** Warning: Error on certificate check. (1168)***
*** Warning: Could not start process due to certificate check error on updater.exe. Updating update.status. (0)***
Service command software-update complete.
service command MozillaMaintenance complete with result: Failure.
Comment 1•11 years ago
|
||
This is something releng would have to take care of.
You could alternately compile without enabling the maintenance service, then it wouldn't even attempt to use the service. Or set the pref app.update.service.enabled = false.
Updated•11 years ago
|
Assignee: nobody → nthomas
Priority: -- → P2
Comment 2•11 years ago
|
||
Attachment #791992 -
Flags: review?(catlee)
Comment 3•11 years ago
|
||
This is a bunch of other tidying related to signing servers. It fixes signing for elm, where the latest tenant has asked for nightlies (bug 900212), and for oak where mac builds were signed with the wrong cert. The rest is assorted cleanup (inbound and profiling don't do nightlies any more (which is the default), remove definitions for debug platforms, reset birch now that it's not b2g-inbound).
re Android, there's a bunch of places we're not setting the nightly server, eg x86 on m-c, all nightly builds on aurora/elm/fig. I'm not sure what the impact of this is, particularly to existing installs, but happy to add them to the patch if they should be set.
Attachment #791994 -
Flags: review?(catlee)
Updated•11 years ago
|
Attachment #791992 -
Flags: review?(catlee) → review+
Updated•11 years ago
|
Attachment #791994 -
Flags: review?(catlee) → review+
Comment 4•11 years ago
|
||
Comment on attachment 791992 [details] [diff] [review]
[buildbot-configs] Fix ux win32
http://hg.mozilla.org/build/buildbot-configs/rev/9bd33c91a3e5
Attachment #791992 -
Flags: checked-in+
Comment 5•11 years ago
|
||
Comment on attachment 791994 [details] [diff] [review]
[buildbot-configs] Fix other branches & cleanup
http://hg.mozilla.org/build/buildbot-configs/rev/7edb94db7b3a
Attachment #791994 -
Flags: checked-in+
Comment 6•11 years ago
|
||
These will go live in the next reconfig, ~ Thursday unless it's more urgent. The rest of the birch work I moved out to bug 906946.
Comment 7•11 years ago
|
||
Will this change the mar private key too? If it does we need to change the cert used to verify it. Also if it is, then people will have to download new nightly builds and install them manually to get updates moving forward.
If this only changes the signing on the exes, then ignore the above paragraph.
Comment 8•11 years ago
|
||
My understanding is that we're building in the nightly cert in the updater, but signing the mar with the cert from the dep builds. This change should change the signing of both the installer and mar file to the nightly cert.
Comment 9•11 years ago
|
||
Actually it looks like we're already using the nightly mar private key to sign the profiling branch:
http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/updater/Makefile.in#109
Otherwise I'm not sure how any updates are working right now for the profiling branch. Mar verification happens for both the updater and the service.
So we should be fine, and I think this change only signs updater.exe using the Nightly cert now.
Comment 10•11 years ago
|
||
Profiling has no nightlies any more, and hence no updates, but we're talking about ux here, right ?
I checked the most recent nightly for ux on windows (https://tbpl.mozilla.org/php/getParsedLog.php?id=26719820&tree=UX&full=1). It talks to the dep signing server for both executables, mar, and installers (port 9110 on the signing servers, vs 9100 for nightly cert). But I'm worried now that nightly-ux isn't in that channel list at http://hg.mozilla.org/projects/ux/file/default/toolkit/mozapps/update/updater/Makefile.in#l109
Unfortunately the RC_FLAGS aren't echoed during the log, but perhaps attachment 791992 [details] [diff] [review] is not the right fix ?
Comment 11•11 years ago
|
||
(In reply to Nick Thomas [:nthomas] from comment #10)
> Profiling has no nightlies any more, and hence no updates, but we're talking
> about ux here, right ?
ugh sorry you're right on that.
> I checked the most recent nightly for ux on windows
> (https://tbpl.mozilla.org/php/getParsedLog.php?id=26719820&tree=UX&full=1).
> It talks to the dep signing server for both executables, mar, and installers
> (port 9110 on the signing servers, vs 9100 for nightly cert). But I'm
> worried now that nightly-ux isn't in that channel list at
> http://hg.mozilla.org/projects/ux/file/default/toolkit/mozapps/update/
> updater/Makefile.in#l109
>
Yes this is the point I was making before I got ux and profiling confused.
> Unfortunately the RC_FLAGS aren't echoed during the log, but perhaps
> attachment 791992 [details] [diff] [review] is not the right fix ?
Right, so what this bug is asking for is to have the windows binaries signed with the nightly cert. But the MAR private key used for signing should not change. I.e. it should still be dep.
A build before your change will be using the dep public key to verify the mar. If it tries to consume a MAR signed with a nightly key, then it will fail.
If you do want to change it though, then we need to update that code location I referenced, and you need to force users through a mandatory update which is signed with the dep cert, and which upgrades the user with the code change that I referenced. Or just accept that people will need to manually download and install a new build in order to update to the new MAR files.
Comment 12•11 years ago
|
||
Can you think of any reason it is broken now ? It seems to me that we're signing with the dep key, and also verifying against it, so I dunno why the update service is not working.
Also can't reproduce using WinXP. In the Browser Console there are messages indicating the service is being used:
[19:01:40.493] AUS:SVC Downloader:onStopRequest - setting state to: pending-service
[19:01:40.499] AUS:SVC getCanStageUpdates - able to stage updates because we'll use the service
[19:01:40.499] AUS:SVC Downloader:onStopRequest - attempting to stage update: UX 26.0a1
[19:01:44.362] AUS:SVC readStatusFile - status: applied, path: C:\Documents and Settings\mozilla\Local Settings\Application Data\Mozilla\Firefox\UX\updates\0\update.status
[19:01:44.374] AUS:SVC UpdateManager:refreshUpdateStatus - Notifying observers that the update was staged. state: applied-service, status: applied
The update works fine, but I can't find a maintenanceservice.log file to check on.
Perhaps I should be backing out my changes until we get to the bottom of this, and design a strategy to transfer existing users. There are about 1.5K users which the UX folks probably don't want to lose right now.
Comment 13•11 years ago
|
||
On Windows 8 I reproduce, seeing this in maintenanceservice.log:
Passed in path: 'C:\Users\mozilla\AppData\Local\Mozilla\updates\E880E39E569BDD82\updates\0\updater.exe'; Using this path for updating: 'C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe'.
updater.exe was compared successfully to the installation directory updater.exe.
The updater.exe application contains the Mozilla updater identity.
*** Warning: Certificate did not match issuer or name. (1168)***
*** Warning: Error on certificate check. (1168)***
*** Warning: Could not start process due to certificate check error on updater.exe. Updating update.status. (0)***
Service command software-update complete.
service command MozillaMaintenance complete with result: Failure.
Updated•11 years ago
|
Component: Release Automation → General Automation
QA Contact: bhearsum → catlee
Comment 14•11 years ago
|
||
(In reply to Nick Thomas [:nthomas] from comment #12)
> Can you think of any reason it is broken now ? It seems to me that we're
> signing with the dep key, and also verifying against it, so I dunno why the
> update service is not working.
The dep key for MARs is different and independent to the authenticode cert used for udpater.exe verification. The authenticode check that the service does on updater.exe ensures that it is signed and from a trusted issuer. For dep builds it is not from a trusted issuer.
Comment 15•11 years ago
|
||
Ok, if I'm following this correctly the current state is that windows builds can't use the maintenance service because updater.exe has the wrong authenticode cert (dep rather than nightly). The updater falls back to a UAC prompt, so people are still getting updated (confirmed this by looking at blocklist pings).
This attachment would fix the signing of updater.exe, but also change the signing of the mar file. This breaks updates on windows completely, which I simulated by taking a beta build and changing the channel to nightly.
--> backout: https://hg.mozilla.org/build/buildbot-configs/rev/92dac386a813
Need to figure out how to implement the last part of comment #11.
Comment 16•11 years ago
|
||
Comment on attachment 791992 [details] [diff] [review]
[buildbot-configs] Fix ux win32
Meant to make that comment on this attachment.
Attachment #791992 -
Flags: checked-in+ → checked-in-
Comment 17•11 years ago
|
||
(In reply to Nick Thomas [:nthomas] from comment #15)
> Ok, if I'm following this correctly the current state is that windows builds
> can't use the maintenance service because updater.exe has the wrong
> authenticode cert (dep rather than nightly).
Yep, more specifically it is probably signed by something issued from Mozilla Fake CA and not a trusted authority, so that's why the maintenance service won't accept it.
> The updater falls back to a UAC
> prompt, so people are still getting updated (confirmed this by looking at
> blocklist pings).
Right when there is a signature error on updater.exe we still allow the update without the service, because that way the user of the system can confirm if they trust the UAC prompt or not.
> This attachment would fix the signing of updater.exe, but also change the
> signing of the mar file. This breaks updates on windows completely, which I
> simulated by taking a beta build and changing the channel to nightly.
Yep that's what I mentioned would happen in the previous comment. Thanks for confirming :)
> --> backout: https://hg.mozilla.org/build/buildbot-configs/rev/92dac386a813
>
> Need to figure out how to implement the last part of comment #11.
The easiest way to fix without breaking updates is to not change how the MAR file is signed, but do nightly authenticode signing.
Comment 18•11 years ago
|
||
Live in production.
Assignee | ||
Comment 20•11 years ago
|
||
Nick and I talked about this the other day. I'm pretty sure that this is happening because "nightly-ux" isn't in the list of branches defined here:
https://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/updater/moz.build#79
Comment 21•11 years ago
|
||
Will this work? This bug is really nagging me...(the workaround in comment 1 doesn't work for me).
Attachment #8402755 -
Flags: review?(robert.strong.bugs)
Attachment #8402755 -
Flags: feedback?(bhearsum)
Assignee | ||
Comment 22•11 years ago
|
||
Comment on attachment 8402755 [details] [diff] [review]
patch.diff
Review of attachment 8402755 [details] [diff] [review]:
-----------------------------------------------------------------
I'm pretty sure this will do it.
Attachment #8402755 -
Flags: feedback?(bhearsum) → feedback+
Comment 23•11 years ago
|
||
Comment on attachment 8402755 [details] [diff] [review]
patch.diff
I checked the cert on nightly-ux and that should do it
Attachment #8402755 -
Flags: review?(robert.strong.bugs) → review+
Updated•11 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 24•11 years ago
|
||
So, looks like I was wrong about the in-tree patch being the only thing that's needed. Nick pointed out to me that if we just do that, we'll embed the right fingerprints, but things will be signed wrong, because Buildbot will still use the self signed certs. I believe that's what Brian is talking about in comment #17, too.
Please don't land the latest patch yet - I'm going to look into this some more and see what the options are.
Assignee: nthomas → bhearsum
Updated•11 years ago
|
Keywords: checkin-needed
Comment 25•11 years ago
|
||
For reference, this is what I have for the firefox.exe cert on today's ux
CN = DigiCert Assured ID Code Signing CA-1
OU = www.digicert.com
O = DigiCert Inc
C = US
Assignee | ||
Comment 26•11 years ago
|
||
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #25)
> For reference, this is what I have for the firefox.exe cert on today's ux
> CN = DigiCert Assured ID Code Signing CA-1
> OU = www.digicert.com
> O = DigiCert Inc
> C = US
Which should be OK. I _think_ we're more concerned about the MAR certs here. Can you see what the current MARs are using, or tell me how to? I couldn't get mar or signmar to give me anything beyond a base64 dump of the signature...
Flags: needinfo?(robert.strong.bugs)
Comment 27•11 years ago
|
||
Verify a MAR file:
mar [-C workingDir] -D DERFilePath -v signed_archive.mar
At most 8 signature certificate DER files are specified by -D0 DERFilePath1 -D1 DERFilePath2, ...
At most 8 verification certificate names are specified by -n0 certName -n1 certName2, ...
You can also see a usage of it in the following test
http://mxr.mozilla.org/mozilla-central/source/modules/libmar/tests/unit/test_sign_verify.js#132
Flags: needinfo?(robert.strong.bugs)
Comment 28•11 years ago
|
||
that is using signmar btw
Assignee | ||
Comment 29•11 years ago
|
||
Thanks Rob. I guess I have an older version, but I managed to make it work:
[cltsign@signing4.srv.releng.scl3.mozilla.com ~]$ /tools/signmar/bin/signmar -d /builds/signing/nightly-key-signing-server/secrets/mar/ -n nightly1 -v firefox-31.0a1.en-US.win32.complete.mar
[cltsign@signing4.srv.releng.scl3.mozilla.com ~]$ echo $?
0
[cltsign@signing4.srv.releng.scl3.mozilla.com ~]$ /tools/signmar/bin/signmar -d /builds/signing/dep-key-signing-server/secrets/mar -n dep1 -v firefox-31.0a1.en-US.win32.complete.mar
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
[cltsign@signing4.srv.releng.scl3.mozilla.com ~]$ echo $?
255
So, AFAICT our current state is that all new UX nightlies' installers/exes/mars are being signed by the nightly certs, but embedding dep certs. This means that no updates for these users are working. Just landing Nochum's patch will fix this for new installs, but it won't help existing users. If we want to help them get up-to-date we can do the following:
1) Revert back to dep signing
2) Ship an update that embeds dep+nightly mar certs (ux only, _NOT_ mozilla-central)
3) wait some period of time for people to get the update
4) Switch back to nightly certs and revert to only embedding nightly certs
Or we can just land Nochum's patch and live the fact that people will need to re-install.
Comment 30•11 years ago
|
||
I'd leave that decision up to the maintainers of the ux branch who should have knowledge of the number of users, etc.
Assignee | ||
Comment 31•11 years ago
|
||
OK, so the UX branch averages about 1,500 users per day (over the last week). That seems low enough to just suck it up and live with stranding those users. It's a Nightly channel, anyways.
Gavin, can you make this call, or tell me who can?
Flags: needinfo?(gavin.sharp)
Assignee | ||
Comment 32•11 years ago
|
||
Metrics are here, for those who have access: https://metrics.mozilla.com/pentaho/content/pentaho-cdf/RenderHTML?solution=metrics&path=blocklist/blocklist_0&dashboard=template.html&template=new-metrics&title=Firefox%20Usage
Comment 33•11 years ago
|
||
Can the fix here get checked in and later decide whether to fix old users automatically?
Assignee | ||
Comment 34•11 years ago
|
||
Comment on attachment 8402755 [details] [diff] [review]
patch.diff
(In reply to Nochum Sossonko [:Natch] from comment #33)
> Can the fix here get checked in and later decide whether to fix old users
> automatically?
Good idea. Now that you mention it, there's no downside to doing that. I landed this on inbound and ux. Anyone who installed after the buildbot-configs patches landed (roughly august last year) should get an update tomorrow.
https://hg.mozilla.org/integration/mozilla-inbound/rev/82187deb2938
https://hg.mozilla.org/projects/ux/rev/4cd1722578eb
Attachment #8402755 -
Flags: checked-in+
Comment 35•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 36•11 years ago
|
||
Re-opening because we may do something with older users still.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 37•11 years ago
|
||
Comment on attachment 791992 [details] [diff] [review]
[buildbot-configs] Fix ux win32
I was confused, until I noticed that this got relanded in another bug
http://hg.mozilla.org/build/buildbot-configs/rev/44dfa7abc482
March 17 2014.
Attachment #791992 -
Flags: checked-in- → checked-in+
Comment 38•11 years ago
|
||
I assume that "Windows users that installed in the affected window" are a further subset of those 1500.
Sounds like we probably shouldn't do anything here.
Flags: needinfo?(gavin.sharp)
Assignee | ||
Comment 39•11 years ago
|
||
(In reply to :Gavin Sharp (email gavin@gavinsharp.com) from comment #38)
> I assume that "Windows users that installed in the affected window" are a
> further subset of those 1500.
>
> Sounds like we probably shouldn't do anything here.
Yeah, looks about 80% are Windows.
Thanks Gavin, we're all done here now.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Comment 40•11 years ago
|
||
Been getting updates for some time now. Yay!
Thank you very much.
Status: RESOLVED → VERIFIED
Updated•7 years ago
|
Component: General Automation → General
You need to log in
before you can comment on or make changes to this bug.
Description
•