m No edit summary
| Line 5: | Line 5: | ||
Hi. This project is the AMO piece of the larger [https://docs.google.com/a/mozilla.com/document/d/1KhpDteoHFmVRkzlrT8v0N3F-KrPxLoZFM3mWmEmOses/edit Add-on Signature System]. Please read that document so the rest of this wiki page makes sense. | Hi. This project is the AMO piece of the larger [https://docs.google.com/a/mozilla.com/document/d/1KhpDteoHFmVRkzlrT8v0N3F-KrPxLoZFM3mWmEmOses/edit Add-on Signature System]. Please read that document so the rest of this wiki page makes sense. | ||
We will need to modify several pieces of AMO and its libraries in order to accommodate this new system. Those changes are roughly laid out below and divided up into phases. | We will need to modify several pieces of AMO and its libraries in order to accommodate this new system. Those changes are roughly laid out below and divided up into phases. See the diagram below (which compares to Marketplace for a reference) for a high level view: | ||
[[File:Add-on_Signing_-_Main_Flow.png]] | |||
'''Notes:''' | |||
* The flows are very similar. Apps load a certificate from disk and get signed. For add-ons we'll load a certificate from disk, but we'll generate a new certificate as well, use the loaded certificate to sign the new certificate, and then sign the add-on with the new certificate. | |||
* When we're done signing we discard the new certificate. | |||
* Any pre-existing signatures on the add-on are replaced. This includes developers who have signed the add-on with a valid AMO certificate already. The expected flow for self-hosting in addition to AMO hosting is to download the signed add-on from AMO, not do any manual signing. | |||
* We don't do any signing before the add-on is approved for the public. Reviewers are expected to use developer versions or debug versions of Firefox so won't need to have the add-ons signed to test them. | |||
* Should not need any API changes since this is all after add-on review | |||
== Roadmap == | == Roadmap == | ||
=== Phase 1: Signing === | === Phase 1: Signing with Trunion=== | ||
{| | {| | ||
|- | |- | ||
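Review bot: the new note "When we're done signing we discard the new certificate" should say what is kept before the discard; the Phase 1 list later in this revision has Trunion return at least the certificate serial number, and the Blocklist phase needs that record, so state here that AMO persists the serial number (and the issued certificate) and that only the ephemeral private key is thrown away. Minor: the last bullet "Should not need any API changes since this is all after add-on review" is a fragment; suggest "No API changes should be needed, since all signing happens after add-on review."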
| Line 17: | Line 25: | ||
|- | |- | ||
! Owners | ! Owners | ||
| Wil Clouser | | Ryan Tilder, Wil Clouser | ||
|} | |} | ||
'''Summary:''' | '''Summary:''' | ||
We currently don't sign add-ons at all on AMO, but we do sign apps on the Marketplace using [https://github.com/mozilla/trunion/ trunion] and could use the same system (with modifications). A rough summary of | We currently don't sign add-ons at all on AMO, but we do sign apps on the Marketplace using [https://github.com/mozilla/trunion/ trunion] and could use the same system (with modifications). A rough summary of the Trunion overview is as follows: | ||
1. This CA will be entirely automated and self contained | 1. This CA will be entirely automated and self contained | ||
1. The CA's root certificate will be hard coded into Firefox/Fennec | 1. The CA's root certificate will be hard coded into Firefox/Fennec | ||
in a similar manner to the privileged | in a similar manner to the privileged FxOS apps | ||
2. For every request to sign an addon: | 2. For every request to sign an addon: | ||
o a brand new 2048 bit or stronger RSA key pair will be | o a brand new 2048 bit or stronger RSA key pair will be | ||
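Review bot: the renamed heading "=== Phase 1: Signing with Trunion===" is missing the space before the closing marker; the other headings in this diff ("== Roadmap ==", "=== Phase 2: Initial AMO Support ===") have it, so write "=== Phase 1: Signing with Trunion ===". The added sentence "A rough summary of the Trunion overview is as follows:" doubles up ("summary of the ... overview"); "In brief, the Trunion design is as follows:" reads cleaner.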
| Line 38: | Line 46: | ||
o the ephemeral private key and certificate are thrown away | o the ephemeral private key and certificate are thrown away | ||
In practical terms, this means: | |||
* Modifying Trunion to accept meta-data about what it is signing (at least an add-on ID) | |||
* Modifying Trunion to send meta-data about what it signed (at least the certificate serial number) | |||
* Modifying Trunion to generate certs on-the-fly | |||
=== Phase 2: Initial AMO Support === | |||
{| | |||
|- | |||
! Current Status | |||
| <span style="color:red; font-weight:bold">Needs Review</span> | |||
|} | |||
* Modifying the Validator to warn about pre-existing signatures which will be clobbered | * Modifying the Validator to warn about pre-existing signatures which will be clobbered | ||
* Modifying the Reviewer Tools to send add-on data to Trunion and using the returned data to save a signed add-on to disk | * Modifying the Reviewer Tools to send add-on data to Trunion and using the returned data to save a signed add-on to disk | ||
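Review bot: the new bullet "Modifying Trunion to generate certs on-the-fly" drops half of the requirement stated in the numbered summary just above, which calls for a brand new 2048 bit or stronger RSA key pair for every signing request; write "generate an ephemeral key pair and certificate on-the-fly" so the per-request key generation is not lost when the bullet becomes a work item. Also, the new Phase 2 status table carries only a "Current Status" row while the Phase 1 table above has an "Owners" row; add "! Owners" to Phase 2 so the phase has a named owner, and give the "Modifying the Validator ..." list a "'''Summary:'''" lead-in like Phase 1 has, since the inserted heading now leaves it starting directly under the table.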
| Line 55: | Line 65: | ||
* Modifying AMO to add a signing script which will sign the latest versions of existing add-ons to bootstrap the system | * Modifying AMO to add a signing script which will sign the latest versions of existing add-ons to bootstrap the system | ||
* Modifying MDN by adding any necessary documentation about this project | * Modifying MDN by adding any necessary documentation about this project | ||
=== Phase | === Phase 3: Blocklist === | ||
{| | {| | ||
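Review bot: the heading is renumbered to "=== Phase 3: Blocklist ===" because a new Phase 2 was inserted above; check that the status tables and any text elsewhere on the page that refer to phases by number are updated to match the new numbering.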
| Line 77: | Line 84: | ||
</certificates> | </certificates> | ||
=== Phase | === Phase 4: Non-AMO hosted add-ons === | ||
{| | {| | ||