I spoke with Kev about whether or not we want to do bug 758188. As part of that, he pointed out that having distribution/, extensions/, and mozilla.cfg excluded from the signature allows for behavioral modification of Firefox without invalidating the signature. For example, a bad guy could add malware or other such things, repack it, and distribute it. The signature would still be "Mozilla Corporation". We need to lock this down. Kev doesn't think it needs to block 13.0 since 10.8 hasn't shipped yet, but we should look at doing this soon. Doing this means that our partner repacks (the ones run with release automation) and BYOB builds will need to resign the .app as part of their process.

Concur, per comment #0.

wip in https://github.com/bhearsum/partner-repacks/compare/master...mac-signing

Let's let the security team weigh in on this topic. See my comment in https://bugzilla.mozilla.org/show_bug.cgi?id=758188#c8.

My initial patch doesn't seem to be working as I would expect....the CodeResources file I used no longer excludes distribution et. al, and the partner repack scripts do send a new thing to the signing server to be resigned, and CodeResources gets modified....but distribution/distribution.ini don't end up being in it. I wonder if codesign only re-checksums existing files in the CodeResources file when it resigns a file, rather than gathering a new set of files. I don't think this will make it for 13.0 final.

(In reply to Ben Hearsum [:bhearsum] from comment #5) > My initial patch doesn't seem to be working as I would expect....the > CodeResources file I used no longer excludes distribution et. al, and the > partner repack scripts do send a new thing to the signing server to be > resigned, and CodeResources gets modified....but > distribution/distribution.ini don't end up being in it. I wonder if codesign > only re-checksums existing files in the CodeResources file when it resigns a > file, rather than gathering a new set of files. Oops, turns out that I was comparing an en-US vanilla vs. a localized repack which explains why CodeResources differed. Found a quick fix for that.

We need to port this to Thunderbird too.

Comment on attachment 627942 [details] [diff] [review] stop excluding things that can modify behaviour Review of attachment 627942 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/app/macbuild/Contents/_CodeSignature/CodeResources @@ -22,5 @@ > - <key>omit</key> > - <true/> > - <key>weight</key> > - <real>10</real> > - </dict> Curious, is this going to break BYOB? Do we have to re-sign BYOB builds then?

(In reply to Ted Mielczarek [:ted] from comment #8) > Comment on attachment 627942 [details] [diff] [review] > stop excluding things that can modify behaviour > > Review of attachment 627942 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: browser/app/macbuild/Contents/_CodeSignature/CodeResources > @@ -22,5 @@ > > - <key>omit</key> > > - <true/> > > - <key>weight</key> > > - <real>10</real> > > - </dict> > > Curious, is this going to break BYOB? Do we have to re-sign BYOB builds then? Now that you mention it, it probably will. We do have a bug on file for getting mac signing machines for BYOB, but no progress there yet: bug 563798.

Comment on attachment 627942 [details] [diff] [review] stop excluding things that can modify behaviour http://hg.mozilla.org/mozilla-central/rev/708f3d693a84

Landed cleanly.

Comment on attachment 627942 [details] [diff] [review] stop excluding things that can modify behaviour This patch increases the number of files included in the signature of Firefox. I believe it's important to get on Aurora, Beta, and ESR so that we can make sure nobody can effect behaviour in these builds without breaking the signature.

Comment on attachment 627942 [details] [diff] [review] stop excluding things that can modify behaviour Approving for Aurora and Beta, but let's see if this is needed for the ESR.

Comment on attachment 627942 [details] [diff] [review] stop excluding things that can modify behaviour Landed on Aurora & Beta: https://hg.mozilla.org/releases/mozilla-aurora/rev/142acc2c3da4 https://hg.mozilla.org/releases/mozilla-beta/rev/1800e1e150ef https://tbpl.mozilla.org/?tree=Mozilla-Aurora&rev=b92a17096308 https://tbpl.mozilla.org/?tree=Mozilla-Beta&rev=6599b65306d2

We backed out the distribution/ part of the CodeResources patch in bug 770996, because it completely broken partial updates for partner builds.

Comment on attachment 627942 [details] [diff] [review] stop excluding things that can modify behaviour Waiting for ESR17 to roll this out.