Closed Bug 821207 Opened 12 years ago Closed 12 years ago

Install signed apps only from the Firefox Marketplace and require all Firefox Marketplace apps to be signed

Categories: Core Graveyard :: DOM: Apps, defect, P1

Tracking: blocking-basecamp +, firefox19 wontfix, firefox20 wontfix, firefox21 fixed, b2g18 fixed

Status: VERIFIED FIXED
Target Milestone: B2G C4 (2jan on)

People: Reporter: briansmith, Assigned: briansmith

Attachments: 2 files, 1 obsolete file

The Marketplace team wants the client to require all marketplace apps be signed, even unprivileged. Presumably, this is to minimize risk of using the CDN and to have a consistent and predictable app update and versioning story for apps they distribute. Also, to enforce the requirement that only the Mozilla Marketplace is allowed to install privileged apps, we're also going to limit the installation of signed apps only from the Mozilla Marketplace.
Okay, a tad confused - so...what's trying to be solved here? The client-side equivalent of this is usually doing validation. Is that what this bug is about? We'd probably need a separate bug for having marketplace making sure every packaged app is signed.
(In reply to Jason Smith [:jsmith] from comment #1)
> We'd probably need a separate bug for having marketplace making sure every
> packaged app is signed.

We're already doing that by default.
Let's do this.
Assignee: nobody → bsmith
blocking-basecamp: ? → +
If Brian and the rest of the Packaged Apps team believe that we need this for v1, then I'm OK with doing this for v1. At the risk of restating the very obvious: the whole point of our program is to create an open Ecosystem, not a walled garden. We must enable other app stores to be able to do everything our Marketplace can do. As soon as possible, but no sooner :)
(In reply to Bill Walker [:bwalker] [@wfwalker] from comment #4)
> If Brian and the rest of the Packaged Apps team believe that we need this
> for v1, then I'm OK with doing this for v1.
>
> At the risk of restating the very obvious: the whole point of our program is
> to create an open Ecosystem, not a walled garden. We must enable other app
> stores to be able to do everything our Marketplace can do. As soon as
> possible, but no sooner :)

Right. Everybody agrees with that 100%. This is just a quick hack to get things done.
(In reply to Brian Smith (:bsmith) from comment #5)
> > At the risk of restating the very obvious: the whole point of our program is
> > to create an open Ecosystem, not a walled garden. We must enable other app
> > stores to be able to do everything our Marketplace can do. As soon as
> > possible, but no sooner :)
>
> Right. Everybody agrees with that 100%. This is just a quick hack to get
> things done.

Right on. Keep on rockin'.
Target Milestone: --- → B2G C3 (12dec-1jan)
Summary: Require all apps from the Mozilla Marketplace to be signed, and only signed apps only from the Mozilla Marketplace → Require all apps from the Mozilla Marketplace to be signed, and only install signed apps only from the Mozilla Marketplace
In order to allow for marketplace-dev to continue functioning, I will add a pref, dom.mozApps.privileged_apps_installable_from that currently will default to "https://marketplace.mozilla.org,https://marketplace-dev.allizom.org" but which will need to be changed to just "https://marketplace.mozilla.org" before we ship.
(In reply to Brian Smith (:bsmith) from comment #7)
> In order to allow for marketplace-dev to continue functioning, I will add a
> pref, dom.mozApps.privileged_apps_installable_from that currently will
> default to
> "https://marketplace.mozilla.org,https://marketplace-dev.allizom.org" but
> which will need to be changed to just "https://marketplace.mozilla.org"
> before we ship.

I think you mean to say https://marketplace.firefox.com instead of https://marketplace.mozilla.org. We changed the URL recently.
(In reply to Brian Smith (:bsmith) from comment #5)
> (In reply to Bill Walker [:bwalker] [@wfwalker] from comment #4)
> > If Brian and the rest of the Packaged Apps team believe that we need this
> > for v1, then I'm OK with doing this for v1.
> >
> > At the risk of restating the very obvious: the whole point of our program is
> > to create an open Ecosystem, not a walled garden. We must enable other app
> > stores to be able to do everything our Marketplace can do. As soon as
> > possible, but no sooner :)
>
> Right. Everybody agrees with that 100%. This is just a quick hack to get
> things done.

Understood the pressure for having things done, but how are we going to enable other players to have a similar market? I am a bit worried about the following statement in the bug description "we're also going to limit the installation of signed apps only from the Mozilla Marketplace"
This sounds like a good defense in depth but I have to question whether this is really blocking. I'd be comfortable shipping the phone without this.
(In reply to Lucas Adamski from comment #10)
> This sounds like a good defense in depth but I have to question whether this
> is really blocking. I'd be comfortable shipping the phone without this.

Back into triage it goes!
blocking-basecamp: + → ?
blocking-basecamp: ? → +
(In reply to Daniel Coloma:dcoloma from comment #9)
> Understood the pressure for having things done, but how are we going to
> enable other players to have a similar market? I am a bit worried about the
> following statement in the bug description "we're also going to limit the
> installation of signed apps only from the Mozilla Marketplace"

Right now we don't have a plan for that which is why we're doing this. To be clear, we definitely *want* to allow that; we just haven't worked out how yet. I think a lot of the people involved (including Jonas, Lucas, and I) all have ideas about how to move forward, but that is a large conversation that would significantly slow down development on v1 if we try to have it now.
The "require signatures from marketplace apps" is a nice-to-have technically. The second part of only allowing the Mozilla marketplace to install signed apps is however a blocker. Adjusting the summary to reflect which part we are blocking on. However feel free to also fix the "require signatures from marketplace apps" here too if it's easy (which I strongly suspect it is).

(In reply to Daniel Coloma:dcoloma from comment #9)
> Understood the pressure for having things done, but how are we going to
> enable other players to have a similar market? I am a bit worried about the
> following statement in the bug description "we're also going to limit the
> installation of signed apps only from the Mozilla Marketplace"

Please note that this (basically) only affects marketplaces that want to host privileged apps. We already support anyone setting up a marketplace which hosts only non-privileged packaged and hosted apps. That will continue to work no matter what.

Allowing 3rd party stores to install privileged apps is mostly a non-coding problem. What we need to do is to develop code-review guidelines for each privileged API. I.e. for each API we need to define what reviewers should look for, what actions are required (always ask the user before deleting all of his/her pictures), and which actions are forbidden (don't use the TCPSocket API to search for servers behind corporate firewalls). Note that these reviews have to be code-level reviews. There is no way you can simply use the app and make sure that it doesn't take malicious actions.

Part of developing these guidelines is to also verify that they are working. I.e. that stores don't end up filled with malware and other bad software. So this is why we're starting "small" by only allowing the Mozilla marketplace to do privileged apps for now. And thus only requiring that marketplace to do reviews of the application code.

But our goal is definitely to start allowing 3rd party stores to do the same, as soon as we have gotten confidence in that these reviews work.
Summary: Require all apps from the Mozilla Marketplace to be signed, and only install signed apps only from the Mozilla Marketplace → Only install signed apps only from the Mozilla Marketplace
Summary: Only install signed apps only from the Mozilla Marketplace → Install signed apps only from the Mozilla Marketplace
FYI - To the person who writes this patch and anyone wanting to know how to test this easily:

1. Go to http://people.mozilla.com/~fdesre/openwebapps/test.html
2. Select signed app

If the installation fails with an appropriate error, then this patch was implemented correctly. If it successfully installs (which it does right now), then the patch doesn't work.
Attached patch WIP (obsolete) (deleted) — Splinter Review
This requires the WIP Gaia patch to work correctly: https://github.com/briansmith/gaia/commit/551b551545492e6ef05cff8361fd3cd7950cc052 I manually verified that this only allows installation from the listed domains by removing marketplace-dev and/or marketplace-prod from the pref's value and verifying that this caused the respective store to lose the ability to install signed apps. I have not verified the other aspect (whether it forbids unsigned packaged apps from being installed from those origins). I am not sure what the correct way of doing "same origin" checks is in JS. I will learn when I read Jonas's feedback on January 2. Jonas, Lucas, let me know if these are the (exact) semantics you think we're supposed to be implementing for v1.
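The install rule the thread converges on (signed packaged apps may only be installed from the origins listed in the pref, and those origins may only install signed packages), written out as an added example. This is not the WIP patch attached to this bug and not Gecko's Webapps.jsm code: it takes the pref value as a plain string instead of reading it through Services.prefs, uses the URL origin (scheme, host, port) as the same-origin test the comment above says it was unsure about, and the function names, the result codes and the default list (marketplace.firefox.com per comment 8, plus the dev store) are assumptions made here.

```javascript
// Added example, not the patch from bug 821207. Models the origin allowlist
// that the dom.mozApps.*_installable_from pref describes in this thread.

// Constructed default, mirroring the pref value discussed in comments 7 and 8.
// Comment 7 says the dev entry must be removed before shipping.
const DEFAULT_SIGNED_APP_ORIGINS =
  "https://marketplace.firefox.com,https://marketplace-dev.allizom.org";

// Reduce a URL string to its origin (scheme://host[:port]). Returns null for
// anything that is not a parseable http(s) URL, so a bad entry cannot match.
function toOrigin(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // default ports are dropped, path and query are ignored
  } catch (e) {
    return null;
  }
}

// Parse the comma-separated pref value into a Set of origins. Entries that
// are not valid http(s) URLs are silently skipped rather than treated as "*".
function parseAllowedOrigins(prefValue) {
  const origins = new Set();
  for (const part of String(prefValue || "").split(",")) {
    const origin = toOrigin(part.trim());
    if (origin !== null) origins.add(origin);
  }
  return origins;
}

// Decide whether a packaged-app install may proceed.
//   installOrigin: URL/origin of the page that called installPackage()
//   isSigned:      whether the package carries a signature
//   prefValue:     the allowlist pref value (defaults to the constructed list)
// Rules from the bug summary: signed apps only from listed origins, and listed
// origins must only ship signed apps. Returns { ok, reason } (names assumed).
function checkPackagedInstall(installOrigin, isSigned,
                              prefValue = DEFAULT_SIGNED_APP_ORIGINS) {
  const allowed = parseAllowedOrigins(prefValue);
  const origin = toOrigin(installOrigin);
  if (origin === null) {
    return { ok: false, reason: "INVALID_INSTALL_ORIGIN" };
  }
  const listed = allowed.has(origin);
  if (isSigned && !listed) {
    // Signed app offered by a store that is not allowed to install signed apps.
    return { ok: false, reason: "INSTALL_FROM_DENIED" };
  }
  if (!isSigned && listed) {
    // The marketplace itself must sign everything it distributes.
    return { ok: false, reason: "UNSIGNED_FROM_SIGNED_ORIGIN" };
  }
  return { ok: true, reason: "OK" };
}

// Stand-alone demo: a signed install from the prod store, from the dev store
// after the pref has been narrowed as comment 7 requires, and from a lookalike.
if (typeof require !== "undefined" && require.main === module) {
  console.log(checkPackagedInstall("https://marketplace.firefox.com/app/x", true));
  console.log(checkPackagedInstall("https://marketplace-dev.allizom.org", true,
                                   "https://marketplace.firefox.com"));
  console.log(checkPackagedInstall("https://marketplace.firefox.com.example", true));
}
```

The origin comparison is deliberately exact: a different scheme (http instead of https), a different port, or a host that merely starts with the marketplace name is not the same origin and is refused, which is the behaviour the manual test in the comment above (removing a store from the pref and watching it lose the ability to install signed apps) is checking for.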
Attachment #695160 - Attachment is obsolete: true
Attachment #695161 - Flags: feedback?(jonas)
Comment on attachment 695161 [details] [diff] [review]
WIP: Install signed apps only from the Mozilla Marketplace, and require all Mozilla Marketplace packaged apps to be signed

Hmm...so you are doing this via a pref against the installing origin. I recall a past argument that Chris Jones and Antonio brought up where we considered using a pref for the dev mode in which some people got quite uncomfortable that we had the power to flip a security check simply by changing a pref. I'm adding Antonio onto the feedback list to see what he thinks about this situation.
Attachment #695161 - Flags: feedback?(amac)
ccing Chris as well in case he has any thoughts on comment 17
IIRC the argument wasn't so much against using preferences to govern something that impacts security as because dev_mode as it was was too dangerous as defined. And it was controllable from the UI on top of that. For this use case, and assuming it's really something temporary I'm ok with it.
Comment on attachment 695161 [details] [diff] [review] WIP: Install signed apps only from the Mozilla Marketplace, and require all Mozilla Marketplace packaged apps to be signed Review of attachment 695161 [details] [diff] [review]: ----------------------------------------------------------------- looks good, but please add a pref with the default value to at least the B2G prefs.js file. Along with an explanation of why modifying the pref is a bad idea, see comment below. ::: dom/apps/src/Webapps.jsm @@ +1859,5 @@ > + // and vice-versa, even though logically that should not be > + // allowed. > + let signedAppOriginsStr = > + Services.prefs.getCharPref( > + "dom.mozApps.signed_apps_installable_from"); I'm a little bit worried that distributors will tweak this preference hoping that it will let them support signed apps from their store, and then forget to tweak it back once they realize that their cert doesn't work. This does add additional risk to the ecosystem since it means that if those stores get hacked, an attacker could install old exploitable versions of apps onto users machines. I don't really have a great solution for this though, other than adding a big warning above the pref and explain that changing it doesn't actually provide any benefit.
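Review bot: the `Services.prefs.getCharPref("dom.mozApps.signed_apps_installable_from")` read in the Webapps.jsm hunk has no fallback, so if the pref is not defined getCharPref throws and the install path fails with an exception instead of a clean refusal; defining the default in the prefs file this review asks for closes that, and the read should still be guarded so an absent pref behaves as an empty allowlist. The name also differs from `dom.mozApps.privileged_apps_installable_from` announced in comment 7, so whichever is final, the comment above the pref should say plainly what this review says in prose: adding a store's origin does not make that store's signed apps installable, because its packages still will not validate against the built-in certificate.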
Attachment #695161 - Flags: feedback?(jonas) → feedback+
Attachment #695161 - Flags: feedback?(amac)
Target Milestone: B2G C3 (12dec-1jan) → B2G C4 (2jan on)
Priority: -- → P1
Comment on attachment 695161 [details] [diff] [review] WIP: Install signed apps only from the Mozilla Marketplace, and require all Mozilla Marketplace packaged apps to be signed r=me if you also provide a fix to add this pref to gaia with a warning about why changing the pref is bad/useless.
Attachment #695161 - Flags: review+
Depends on: 824199
Whiteboard: [waiting for bug 824199 to make marketplace prod work]
I decided to add the default value to Gecko instead of Gaia, because:

1) OEMs and Carriers expect to customize Gaia, but there is less expectation that they can customize Gaia. This should help them avoid footgunning themselves.
2) We will need the same restriction on desktop Firefox if/when we support privileged packaged apps on desktop.
3) None of the functionality of this depends on Gaia anyway.
4) Gaia can override the pref value anyway.
Attachment #698745 - Flags: review?(jonas)
Summary: Install signed apps only from the Mozilla Marketplace → Install signed apps only from the Firefox Marketplace and require all Firefox Marketplace apps to be signed
Whiteboard: [waiting for bug 824199 to make marketplace prod work]
Closing per checkin policy for the work week - lands on inbound + b2g18 = resolved fixed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: verifyme
QA Contact: jsmith
Verified that we are allowing privileged apps to be installed from marketplace prod and that marketplace dev privileged apps can't be installed by default.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Blocks: privileged-apps
No longer blocks: market-packaged-apps
(In reply to Brian Smith (:bsmith) from comment #5)
> (In reply to Bill Walker [:bwalker] [@wfwalker] from comment #4)
> > If Brian and the rest of the Packaged Apps team believe that we need this
> > for v1, then I'm OK with doing this for v1.
> >
> > At the risk of restating the very obvious: the whole point of our program is
> > to create an open Ecosystem, not a walled garden. We must enable other app
> > stores to be able to do everything our Marketplace can do. As soon as
> > possible, but no sooner :)
>
> Right. Everybody agrees with that 100%. This is just a quick hack to get
> things done.

Brian,

Here's what I now wish I had asked you back then -- how do you imagine a developer of a privileged app would do a real end-to-end test of installing their app and seeing it run on a real device after this patch lands? So far, we have offered developers _no_ way to do this. We let them simulate it with the Firefox OS Simulator, but that's not the same.

-Bill
They can push their privileged app on device with the sideloading support. I think the simulator supports that.
(In reply to Fabrice Desré [:fabrice] from comment #28)
> They can push their privileged app on device with the sideloading support. I
> think the simulator supports that.

I agree that the Simulator does support that, and does a good job. That's what I recommend to folks. However -- I had the understanding that sideloading is not the same as actually invoking mozApps.installPackaged() on the device and verifying the package signature. If that's true, then probably some developers won't see sideloading as a sufficiently realistic test.
Indeed we don't verify signatures, since the goal of sideloading is to not need signatures.
(In reply to Bill Walker [:bwalker] [@wfwalker] from comment #27)
> Here's what I now wish I had asked you back then -- how do you imagine a
> developer of a privileged app would do a real end-to-end test of installing
> their app and seeing it run on a real device after this patch lands?

AFAICT, supporting such testing has never been given as a product requirement. We could build a very realistic way of doing that but it would require a clear statement of what the precise requirements are, because the requirements for supporting that are somewhat in conflict with other (security) requirements. (That should be done outside this bug.)
(In reply to Brian Smith (:bsmith) from comment #31)
> (In reply to Bill Walker [:bwalker] [@wfwalker] from comment #27)
> > Here's what I now wish I had asked you back then -- how do you imagine a
> > developer of a privileged app would do a real end-to-end test of installing
> > their app and seeing it run on a real device after this patch lands?
>
> AFAICT, supporting such testing has never been given as a product
> requirement. We could build a very realistic way of doing that but it would
> require a clear statement of what the precise requirements are, because the
> requirements for supporting that are somewhat in conflict with other
> (security) requirements. (That should be done outside this bug.)

We can definitely provide some requirements on that, since developers really do need to test the whole end to end process for packaged apps. Sideloading using Simulator is a workaround, but not a substitute for a professional app developer who needs to see how the process works. Do you want some user stories in a separate bug as suggested or should we provide them to FFOS product managers for them to incorporate?

BTW, all our BD people and execs are presenting to operator and OEM partners the ability to have their own stores, and those stores will be filled with games and other apps that are packaged and use privileged APIs. So it is something we will have to support on the platform reasonably soon (I suspect 1.2 time frame).
Not to be the buzzkill on this conversation, but can we take this discussion out of the bug into an email thread? The bug is already fixed and verified, so there isn't value continuing the discussion here.
Product: Core → Core Graveyard