{{SecReviewInfo
|SecReview name=Packaged Apps: Signing & Revocation
|SecReview target=<bugzilla>
{
"id":"772365,816282"
}
</bugzilla>
Spec document: https://wiki.mozilla.org/Apps/PrivilegedApplication/SigningService
}}
{{SecReview
|SecReview feature goal=* reuse XPI signing for apps in B2G
** the same bits we are using for signing receipts
Signing parts:
* Server side
** How do we control signing (access to the signing machine)?
** How do we deal with multiple signing (signing many apps)? Is it manual?
*** Marketplace
*** Client
Reviewers get/generate a test cert
* tool to install the cert into the phone
* tool to sign using that cert
* after review, the reviewer-signed app is sent to the marketplace
* marketplace verifies the reviewer's signature and logs who signed which app
* marketplace re-signs the app and puts it in the store
Install:
* download zip
* check signature
* if there is no signature, max privilege is "installed"
* if there is a valid signature, max privilege is "trusted"
* if the signature is invalid, the app is not installed
* process manifest: requested permissions are limited by max privilege
* the signature is never used again until we update that app
|SecReview threat brainstorming=* Receipt-signing certs were rotated to avoid people signing receipts forever. What happens if someone gets access to the certs? Do we have a plan for revocation?
** re-sign all the apps
** push a firmware update to revoke the cert
}}
{{SecReviewActionStatus
|SecReview action item status=In Progress
|SecReview action items=* Our app "revocation" seems to depend on the app coming from the marketplace (not simply being signed by the marketplace). Nothing at the moment seems to stop a web site from installing a copy of a marketplace-signed privileged app. (Is that a problem?)
* Marketplace team: add a link to the mini-manifest inside the package. (Merge into bug 814131?)
* Platform team (bsmith): require that mini-manifest link inside the signed JAR and make sure that the mini-manifest inside the JAR overrides the original (download) mini-manifest URI. (Merge into bug 814136?)
}}
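The following is an added worked example, not code from the wiki page, from B2G or from the Marketplace. It models the install rules listed under "Install" (no signature gives max privilege "installed", a valid signature gives "trusted", an invalid signature refuses the install, and the manifest's requested permissions are capped by that level), plus the two follow-ups from the threat brainstorming and the action items: a revoked signing key makes every signature it produced invalid, and for a trusted package the origin is taken from the mini-manifest bundled inside the signed zip rather than from the download URL. Everything here is an assumption made for the example: the entry names (`META-INF/SIGNATURE`, `mini-manifest.json`), the key id `mp-2012`, the permission table, the simplified `manifest.webapp` layout with a `permissions` list, and above all the signature itself, which is an HMAC over a canonical digest of the zip entries standing in for the real certificate-based signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Constructed names and values; none of these are B2G's or the Marketplace's real ones.
SIGNATURE_ENTRY = "META-INF/SIGNATURE"
MINI_MANIFEST_ENTRY = "mini-manifest.json"
KEYRING = {"mp-2012": b"constructed-marketplace-signing-key"}  # key id -> signing key
REVOKED = set()  # key ids withdrawn after a compromise; their signatures become invalid

# Constructed, illustrative permission table: the install level each permission needs.
PERMISSION_LEVEL = {
    "geolocation": "installed",
    "desktop-notification": "installed",
    "contacts": "trusted",
    "device-storage": "trusted",
    "systemXHR": "trusted",
}
LEVEL_RANK = {"installed": 1, "trusted": 2}


def content_digest(files):
    """SHA-256 over every entry except the signature itself, in canonical order."""
    h = hashlib.sha256()
    for name in sorted(files):
        if name == SIGNATURE_ENTRY:
            continue
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.digest()


def sign_package(files, key_id):
    """Return a copy of the entries with a signature entry added.
    The HMAC is a stand-in for the real certificate-based signature."""
    mac = hmac.new(KEYRING[key_id], content_digest(files), hashlib.sha256).hexdigest()
    signed = dict(files)
    signed[SIGNATURE_ENTRY] = f"{key_id}:{mac}".encode()
    return signed


def build_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_zip(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def revoke_key(key_id):
    """Model of 'push a firmware update to revoke the cert': the key stops verifying."""
    REVOKED.add(key_id)


def signature_status(files):
    """'none', 'valid' or 'invalid'. A signature by an unknown or revoked key is invalid."""
    if SIGNATURE_ENTRY not in files:
        return "none"
    key_id, _, mac = files[SIGNATURE_ENTRY].decode(errors="replace").partition(":")
    if key_id not in KEYRING or key_id in REVOKED:
        return "invalid"
    expected = hmac.new(KEYRING[key_id], content_digest(files), hashlib.sha256).hexdigest()
    return "valid" if hmac.compare_digest(expected, mac) else "invalid"


def install(blob, download_url):
    """Apply the install rules from the review notes to a downloaded package."""
    files = read_zip(blob)
    status = signature_status(files)
    if status == "invalid":
        return {"installed": False, "reason": "invalid signature"}
    level = "trusted" if status == "valid" else "installed"
    manifest = json.loads(files["manifest.webapp"])
    granted, denied = [], []
    for perm in manifest.get("permissions", []):
        need = PERMISSION_LEVEL.get(perm)  # unknown permissions are never granted
        (granted if need and LEVEL_RANK[need] <= LEVEL_RANK[level] else denied).append(perm)
    # Origin: only a trusted (signed) package may assert its own origin, and then it comes
    # from the mini-manifest inside the signed zip, not from wherever the zip was fetched.
    origin = download_url
    if level == "trusted" and MINI_MANIFEST_ENTRY in files:
        origin = json.loads(files[MINI_MANIFEST_ENTRY])["origin"]
    return {"installed": True, "level": level, "granted": granted, "denied": denied, "origin": origin}


def demo_package(permissions, key_id=None):
    """Constructed sample package: a simplified manifest.webapp plus a mini-manifest."""
    files = {
        "manifest.webapp": json.dumps({"name": "Demo", "permissions": permissions}).encode(),
        MINI_MANIFEST_ENTRY: json.dumps({"origin": "https://marketplace.example"}).encode(),
    }
    return sign_package(files, key_id) if key_id else files
```

`install(build_zip(demo_package(["geolocation", "contacts"])), url)` grants only `geolocation`; the same package signed with `mp-2012` is installed as "trusted" with both permissions and its origin read from the bundled mini-manifest, while a package whose manifest was edited after signing, one carrying a forged signature string, or one signed by a key that has since been revoked is refused outright rather than downgraded to "installed", which is the behaviour the review notes specify for an invalid signature.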