-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Correctly documentation of Firefox client behavior #859
base: main
Are you sure you want to change the base?
Conversation
References: - https://bugzilla.mozilla.org/show_bug.cgi?id=1846866 ignores pref - https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 ignores notAfter - https://bugzilla.mozilla.org/show_bug.cgi?id=1713628 ignores notBefore "Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): verified locally and also observed before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident.
1670d00
to
5b600a6
Compare
@hwine Could you review/merge this? I don't know who else to ask here. |
# In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the | ||
# chosen root is dependent on the app.normandy.api_url pref, see | ||
# https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/toolkit/components/normandy/lib/NormandyApi.sys.mjs#15-30 | ||
# |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hwine to do
- also needs to be copied to production configs
# In Firefox 103+ (bug 1769669), roots are hard-coded in Firefox and the | ||
# chosen root is dependent on multiple conditions, see | ||
# https://searchfox.org/mozilla-central/rev/2bf90dc51ce7e8274ce208fbb9d68b3ff535185e/services/settings/Utils.sys.mjs#53-76,97-101,110-124 | ||
# |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hwine to do
- also needs to be copied to production configs
@hwine the docs confused me last night when I was debugging staging content signature for remote settings, can we finalize this PR please? |
Thanks for nudge -- I'll cut a separate ticket for the live config updates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm - they're the SMEs here 😁
The current documentation of content signature verification and add-on certificate verification is inaccurate. This PR fixes a few inaccuracies.
References:
About the comment "Only end-entity certs can potentially end up here." (in ERROR_EXPIRED_CERTIFICATE / ERROR_NOT_YET_VALID_CERTIFICATE): I verified this locally and we have also observed before in the armagadd-on-2.0 incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1548973); if expired intermediates were accepted, then we would not have had the incident.