Closed
Bug 917551
Opened 11 years ago
Closed 11 years ago
Test installation of apps from multiple domains
Categories
(Marketplace Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: cgalimidi, Assigned: fabrice)
References
Details
Steps to Test install of apps from multiple domains (supporting China Marketplace)
get builds ready with both marketplaces installed (fabrice)
dev = marketplace-dev.allizom.org
stage = marketplace.allizom.org
change two preferences: (fabrice)
1) The marketplace domain whitelist to verify the signatures
(https://mxr.mozilla.org/mozilla-central/source/modules/libpref/src/init/all.js#4329).
2) The url of the marketplace manifest that we use to track ADU pings
(https://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#742).
(?) add both domains in this pref: dom.mozApps.signed_apps_installable_from
a packaged app for testing
https://marketplace.firefox.com/app/loqui
Comment 1•11 years ago
|
||
This seems like something that shouldn't be in the Marketplace component
Assignee | ||
Comment 2•11 years ago
|
||
To clarify: from a platform point of view, doing 1) and 2) should be enough to install apps from any of the marketplaces if they use the same certificate for signing. Doing some testing as soon as we have the mirror site set up would be even better of course.
Comment 3•11 years ago
|
||
[Brian, feel free to call me a liar on this.]
I don't think app signing is likely to be an problem as we ship the root signing certificate with builds.
Receipt signing is a different story since it relies on DNS and HTTPS to provide a valid root certificate. As a result, the certificate used to verify every receipt would be unreachable if its origin gets stricken from DNS in China. This should not result in a complete DoS since the receipt verification doesn't require the receipt be available each time it's run. The situation that would result would be suboptimal.
Flags: needinfo?(brian)
Comment 4•11 years ago
|
||
You can test out https://marketplace-cn.allizom.org/
The changes are pretty basic, just a CNAME and an additional supported "server name" in our nginx config.
Assignee | ||
Comment 5•11 years ago
|
||
I'm closing this bug since we confirmed that we could install apps from 2 different marketplaces using the same signing key.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(brian)
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•