(Added an implementation section) |
No edit summary |
||
| Line 32: | Line 32: | ||
==Multiple Signatures and signing from multiple parties== | ==Multiple Signatures and signing from multiple parties== | ||
A MAR file can be signed by at most 8 different parties. The actual limit is defined in `modules/libmar/src/mar.h` with MAX_SIGNATURES. | A MAR file can be signed by at most 8 different parties. The actual limit is defined in `modules/libmar/src/mar.h` with `MAX_SIGNATURES`. | ||
To support multiple parties signing a MAR file, one party can export their MAR file's signature and send it to the 2nd party to import it into that party's already signed MAR file. | To support multiple parties signing a MAR file, one party can export their MAR file's signature and send it to the 2nd party to import it into that party's already signed MAR file. | ||
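Review bot: In the changed sentence at Line 32, the literal "at most 8" sits beside a pointer to `MAX_SIGNATURES` as "the actual limit", so the prose goes stale if the constant in `modules/libmar/src/mar.h` ever changes. Consider wording it as "currently 8" or letting the constant be the only stated source. The backticks now match the formatting of the path in the same sentence, which is fine.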
| Line 86: | Line 86: | ||
This model of not using NSS everywhere was decided early on because it wasn't wanted for an NSS bug to stop updates from working. | This model of not using NSS everywhere was decided early on because it wasn't wanted for an NSS bug to stop updates from working. | ||
Technically there's also a problem with us not building NSS as a static library as well making updates using NSS harder. | Technically there's also a problem with us not building NSS as a static library as well making updates using NSS harder. | ||
==Where MAR verification happens== | |||
MAR verification is always done for Firefox updates in Windows. It happens in the updater binary, even if the Mozilla Maintenance service is used. | |||
As of Firefox 40, MAR verification is enabled on OS X too. | |||
MAR verification is currently disabled by default on Linux due to some shared library errors because of the dynamic link to NSS. | |||
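Review bot: The section "==Where MAR verification happens==" and its three sentences have an empty right-hand column, and the revision header on that side reads "No edit summary", so the per-platform verification status (Windows always, in the updater binary; OS X as of Firefox 40; Linux disabled by default) leaves the page with no recorded reason. If the text was moved, say where in the edit summary; if it is being dropped as outdated, replace it with the current status rather than removing it, since readers rely on it to know which platforms actually check MAR signatures. If the section is kept, the Linux sentence says "currently" without a version, unlike the OS X sentence, and would benefit from one.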