Closed Bug 991993 Opened 9 years ago Closed 8 years ago

Disable NSS for updater in OSX and enable native APIs


(Toolkit :: Application Update, defect)

Not set





(Reporter: bbondy, Assigned: bbondy)




(1 file, 2 obsolete files)

This is different from bug 978596 and bug 978597 in that it's to use the work in those bugs for updater.

Currently updater in OSX is i) initializing NSS, ii) linking to NSS, iii) Using NSS when the following patches are applied:
(apply last) Bug 903135 - Link updater to NSS and enable MAR verification on Linux and OSX
Bug 903126 - Replace DER file with XPCShell cert. r=rstrong
Bug 903126 - Don't use an xpcshell cert for verification. r=rstrong
Bug 903135 - Multi platform MAR verification updater support. r=rstrong
Bug 903135 - Multi platform MAR verification build config. r=rstrong
Bug 903135 - Updates to libmar needed to support B2G MAR signature verification. r=bbondy
Bug 902761 - Stop storing certs used for MAR verification in EXE resource files. r=rstrong
(apply first) Bug 902761 - Build configuration for turning .der files into .h files. r=rstrong

This bug should be applied after the last patch in that series and it should use and link to the native APIs and not NSS.
Depends on: 978596, 978597
Here is my current understanding of what we need to do in this bug:
1. With all dependent patches applied, the "aCertData" that is being passed to CryptoMac_LoadPublicKey is now the content of the cert file (rather than the path to the cert file). This simplifies this function quite a bit and I've confirmed locally that this is working fine. This will also bring the behavior of the Mac function in line with the behavior of other platforms.
2. Set MOZ_VERIFY_MAR_SIGNATURE=1 for Mac (and presumably Linux) in [1].
3. Change the logic in [2] to allow signature verification on Linux and Mac.

Try appears to be clogged up at the moment, but I'll test this as soon as pushes go through again.

Attached patch Patch (obsolete) — Splinter Review
This appears to (finally) pass on try, including B2G emulators:
Assignee: nobody → spohl.mozilla.bugs
Attachment #8421873 - Flags: review?(smichaud)
Attachment #8421873 - Flags: review?(robert.strong.bugs)
Attachment #8421873 - Flags: review?(robert.strong.bugs) → review+
Comment on attachment 8421873 [details] [diff] [review]

Looks fine to me.
Attachment #8421873 - Flags: review?(smichaud) → review+
Unless I hear otherwise, I'll prepare all the patches from the dependent bugs as well as this one here for checkin tomorrow morning. I will have to push all of them at the same time to avoid compilation and/or test failures on inbound.
Before landing check in with bbondy since there are a lot of moving parts here and a second "everything is ready to go" check would be a good thing. Thanks!
Brian, do you think this (and dependent bugs) are ready to go? FWIW, the try build in comment 2 had all the latest patches from the dependent bugs applied.
Flags: needinfo?(netzen)
Do you mean everything in bug 973933? I think we should test it on oak first and also test to make sure all tests pass with dep, pgo, and nightly work via the self serve api page.
Flags: needinfo?(netzen)
Attached patch Patch. rev2 (obsolete) — Splinter Review
Attachment #8421873 - Attachment is obsolete: true
Attachment #8509994 - Flags: review+
Attached patch Patch. rev3.Splinter Review
Fix linking problem from last patch.
Attachment #8509994 - Attachment is obsolete: true
Attachment #8510002 - Flags: review+
Brian, I think you were going to land this once it's ready, so assigning to you. Let me know if that's not the case. Thanks!
Assignee: spohl.mozilla.bugs → netzen
Yep that's the right call, thanks. I'm working on some test failure stuff relating to multi platform mar signing and when that's resolved I'll be landing this.
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.