Closed Bug 917551 Opened 11 years ago Closed 11 years ago

Test installation of apps from multiple domains

Categories

(Marketplace Graveyard :: General, defect)

Product:
Marketplace Graveyard
Component:
General
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: cgalimidi, Assigned: fabrice)

References

Details

Steps to Test install of apps from multiple domains (supporting China Marketplace) get builds ready with both marketplaces installed (fabrice) dev = marketplace-dev.allizom.org stage = marketplace.allizom.org change two preferences: (fabrice) 1) The marketplace domain whitelist to verify the signatures (https://mxr.mozilla.org/mozilla-central/source/modules/libpref/src/init/all.js#4329). 2) The url of the marketplace manifest that we use to track ADU pings (https://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#742). (?) add both domains in this pref: dom.mozApps.signed_apps_installable_from a packaged app for testing https://marketplace.firefox.com/app/loqui
Assignee: nobody → fabrice
Blocks: 909557
This seems like something that shouldn't be in the Marketplace component
To clarify: from a platform point of view, doing 1) and 2) should be enough to install apps from any of the marketplaces if they use the same certificate for signing. Doing some testing as soon as we have the mirror site set up would be even better of course.
[Brian, feel free to call me a liar on this.] I don't think app signing is likely to be an problem as we ship the root signing certificate with builds. Receipt signing is a different story since it relies on DNS and HTTPS to provide a valid root certificate. As a result, the certificate used to verify every receipt would be unreachable if its origin gets stricken from DNS in China. This should not result in a complete DoS since the receipt verification doesn't require the receipt be available each time it's run. The situation that would result would be suboptimal.
Flags: needinfo?(brian)
You can test out https://marketplace-cn.allizom.org/ The changes are pretty basic, just a CNAME and an additional supported "server name" in our nginx config.
I'm closing this bug since we confirmed that we could install apps from 2 different marketplaces using the same signing key.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(brian)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.