MozillaWiki

AMO/SigningService

< AMO
Revision as of 21:06, 2 September 2014 by Clouserw (talk | contribs)
Draft-template-image.png THIS PAGE IS A WORKING DRAFT Pencil-emoji U270F-gray.png
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.
If you have any questions or ideas, please add them as a new topic on the discussion page.

Add-on Signature System

Hi. This project is the AMO piece of the larger Add-on Signature System. Please read that document so the rest of this wiki page makes sense.

We will need to modify several pieces of AMO and its libraries in order to accomodate this new system. Those changes are roughly laid out below.

Areas that need modifying

Signing / Trunion

Current Status Needs Review
Owners Wil Clouser, Ryan Tilder

Summary:

We currently don't sign add-ons at all on AMO, but we do sign apps on the Marketplace using trunion and could use the same system (with modifications). Review the diagrams below to see a rough plan of the changes:

 

Notes:

  • The flows are very similar. Apps load a certificate from disk and get signed. For add-ons we'll load a certificate from disk, but we'll generate a new certificate as well, use the loaded certificate to sign the new certificate, and then sign the add-on with the new certificate.
  • When we're done signing we discard the new certificate.
  • Any pre-existing signatures on the add-on are replaced. This includes developers who have signed the add-on with a valid AMO certificate already. The expected flow for self-hosting in addition to AMO hosting is to download the signed add-on from AMO, not do any manual signing.
  • We don't do any signing before the add-on is approved for the public. Reviewers are expected to use developer versions of Firefox so won't need to have the add-ons signed to test them.
  • Should not need any API changes since this is all after add-on review

In practical terms, this means:

  • Modifying the Validator to warn about pre-existing signatures which will be clobbered
  • Modifying the Reviewer Tools to send add-on data to Trunion and using the returned data to save a signed add-on to disk
  • Modifying AMO to add a storage area for signed add-ons and ensuring the front-end only serves add-ons coming from this area
  • Modifying AMO to add a signing script which will sign the latest versions of existing add-ons to bootstrap the system
  • Modifying MDN by adding any necessary documentation about this project
  • Modifying Trunion to accept meta-data about what it is signing (at least an add-on ID)
  • Modifying Trunion to send meta-data about what it signed (at least the certificate serial number)
  • Modifying Trunion to generate certs on-the-fly

Blocklist

This system expects to use the blocklist until a more official cert revocation system can be implemented. Blocklist administration will use the administrative scaffolding it currently uses. A new top level item will be added called <certificates>. An example entry is below: 

 <certificates>
   <certificate blockID="100">
     <issuer>mozilla.com</issuer>
     <serialnumber>00245EADBDE07F113DEE</serialnumber>
   </certificate>
 </certificates>


TBD

  • Payments
  • Scenario where user doesn't want to host on AMO but wants a certificate (needs UX)
Retrieved from "https://wiki.mozilla.org/index.php?title=AMO/SigningService&oldid=1011429"