991993 - Disable NSS for updater in OSX and enable native APIs

Status: RESOLVED FIXED

(Toolkit :: Application Update, defect)

Description

[Brian R. Bondy [:bbondy]]

This is different from bug 978596 and bug 978597 in that it's to use the work in those bugs for updater.

Currently updater in OSX is i) initializing NSS, ii) linking to NSS, iii) Using NSS when the following patches are applied:
(apply last) Bug 903135 - Link updater to NSS and enable MAR verification on Linux and OSX
Bug 903126 - Replace DER file with XPCShell cert. r=rstrong
Bug 903126 - Don't use an xpcshell cert for verification. r=rstrong
Bug 903135 - Multi platform MAR verification updater support. r=rstrong
Bug 903135 - Multi platform MAR verification build config. r=rstrong
Bug 903135 - Updates to libmar needed to support B2G MAR signature verification. r=bbondy
Bug 902761 - Stop storing certs used for MAR verification in EXE resource files. r=rstrong
(apply first) Bug 902761 - Build configuration for turning .der files into .h files. r=rstrong

This bug should be applied after the last patch in that series and it should use and link to the native APIs and not NSS.

Comment 1

[Stephen A Pohl [:spohl]]

Here is my current understanding of what we need to do in this bug:
1. With all dependent patches applied, the "aCertData" that is being passed to CryptoMac_LoadPublicKey is now the content of the cert file (rather than the path to the cert file). This simplifies this function quite a bit and I've confirmed locally that this is working fine. This will also bring the behavior of the Mac function in line with the behavior of other platforms.
2. Set MOZ_VERIFY_MAR_SIGNATURE=1 for Mac (and presumably Linux) in confvars.sh [1].
3. Change the logic in configure.in [2] to allow signature verification on Linux and Mac.

Try appears to be clogged up at the moment, but I'll test this as soon as pushes go through again.

[1] http://mxr.mozilla.org/mozilla-central/source/browser/confvars.sh#12
[2] http://mxr.mozilla.org/mozilla-central/source/configure.in#6365

Comment 2

[Stephen A Pohl [:spohl]]

Attachment: Patch

This appears to (finally) pass on try, including B2G emulators:
https://tbpl.mozilla.org/?tree=Try&rev=3edee85e9a93

Comment 3

[Steven Michaud [:smichaud] (Retired)]

Comment on attachment 8421873 [details] [diff] [review]
Patch

Looks fine to me.

Comment 4

[Stephen A Pohl [:spohl]]

Unless I hear otherwise, I'll prepare all the patches from the dependent bugs as well as this one here for checkin tomorrow morning. I will have to push all of them at the same time to avoid compilation and/or test failures on inbound.

Comment 5

[Robert Strong (they/them - no direct email)]

Before landing check in with bbondy since there are a lot of moving parts here and a second "everything is ready to go" check would be a good thing. Thanks!

Comment 6

[Stephen A Pohl [:spohl]]

Brian, do you think this (and dependent bugs) are ready to go? FWIW, the try build in comment 2 had all the latest patches from the dependent bugs applied.

Comment 7

[Brian R. Bondy [:bbondy]]

Do you mean everything in bug 973933? I think we should test it on oak first and also test to make sure all tests pass with dep, pgo, and nightly work via the self serve api page.

Comment 8

[Brian R. Bondy [:bbondy]]

Attachment: Patch. rev2

Rebased

Comment 9

[Brian R. Bondy [:bbondy]]

Attachment: Patch. rev3.

Fix linking problem from last patch.

Comment 10

[Stephen A Pohl [:spohl]]

Brian, I think you were going to land this once it's ready, so assigning to you. Let me know if that's not the case. Thanks!

Comment 11

[Brian R. Bondy [:bbondy]]

Yep that's the right call, thanks. I'm working on some test failure stuff relating to multi platform mar signing and when that's resolved I'll be landing this.

Comment 12

[Brian R. Bondy [:bbondy]]

https://hg.mozilla.org/mozilla-central/pushloghtml?changeset=883e17fc475f