Correct documentation of Firefox client behavior #859
Open
Rob--W wants to merge 2 commits into mozilla-services:main from
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1846866 ignores pref
- https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 ignores notAfter
- https://bugzilla.mozilla.org/show_bug.cgi?id=1713628 ignores notBefore

"Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): verified locally and also observed before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident.
1670d00 to 5b600a6
Author
@hwine Could you review/merge this? I don't know who else to ask here.
hwine
reviewed
Aug 3, 2023
| # In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the | ||
| # chosen root is dependent on the app.normandy.api_url pref, see | ||
| # https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/toolkit/components/normandy/lib/NormandyApi.sys.mjs#15-30 | ||
| # |
Contributor
@hwine to do
- also needs to be copied to production configs
hwine
reviewed
Aug 3, 2023
| # In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the | ||
| # chosen root is dependent on multiple conditions, see | ||
| # https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/services/settings/Utils.sys.mjs#53-76,97-101,110-124 | ||
| # |
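Review bot: "dependent on multiple conditions" in the second comment line is too vague for someone reading this config, who has to open three separate line ranges of Utils.sys.mjs (#53-76,97-101,110-124) to find out what those conditions are. Name the conditions in a line or two here and keep the pinned searchfox link as the reference, the way the Normandy comment names app.normandy.api_url.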
Contributor
@hwine to do
- also needs to be copied to production configs
Member
@hwine the docs confused me last night when I was debugging staging content signature for remote settings, can we finalize this PR please?
Contributor
Thanks for nudge -- I'll cut a separate ticket for the live config updates
hwine
approved these changes
Mar 22, 2024
Contributor
hwine
left a comment
lgtm - they're the SMEs here 😁
The current documentation of content signature verification and add-on certificate verification is inaccurate. This PR fixes a few inaccuracies.
References:
About the comment "Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): I verified this locally and we have also observed this before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident.