In order to install privileged apps on FxAndroid, the production cert for privileged apps needs to be added to the certificate DB in FxAndroid. Without this, you won't be able to install privileged apps on FxAndroid, as the cert is required during install of a privileged app. There may be potentially be more work for getting privileged apps working on FxAndroid, but I know this is one implementation task needed. Putting needinfo on bsmith for input to find out on what's needed here and if any extra work is necessary.

For B2G, we replaced the meaning of the "code signing" bit of the NSS root certificate database to mean "can sign packaged apps" instead of "can sign extensions." For Firefox for Android, we can use the same mechanism *if* we are willing to forgo the installation of extensions from websites other than addons.mozilla.org and marketplace.firefox.com. This would give us an immediate solution with no new code required. Otherwise, if we need to support non-AMO/Marketplace addons in Firefox for Android, then we will need to rewrite the signature verification code. Right now I am rewriting the underlying code that such a rewrite would depend on. So, it would be about 2-3 weeks before I could even start on doing this.

(In reply to Brian Smith (:bsmith) from comment #1) > Otherwise, if we need to support non-AMO/Marketplace addons in Firefox for > Android We absolutely need to.

OK. What is the schedule for enabling privileged apps on Android?

(In reply to Brian Smith (:bsmith) from comment #3) > OK. What is the schedule for enabling privileged apps on Android? Brian, I am happy to say that jhugman's first patch for packaged apps has landed in Fennec last night (see bug 813736). I believe that among his next few tasks would be porting the permissions model and associated stuff to Fennec.

Brian - Are you best person to work on this?

We chatted a bit about this in email. We discovered a miscommunication and made some clarifications: In comment 1, Brian says: > For B2G, we replaced the meaning of the "code signing" bit of the NSS root certificate > database to mean "can sign packaged apps" instead of "can sign extensions." This is true, but it does not mean we need to give up non-AMO add-ons. It means we need to give up signed add-ons (AMO and non-AMO). We (Myself, Brian and Jorge) feel this might be something we could do, especially for Android. Jorge is going to take a look for the number of signed add-ons for Android, if any, to help make the decision. In fact, instead of just failing to install a code signed add-on, we think we could just skip the code signing check and act like the add-on is not code signed. Brian laid out a plan of action: > 1. Change confvars.sh to be MOZ_B2G_CERTDATA=1 for FxAndroid as is done for B2G. > 2. Tweak the automated tests for this are in security/manager/ssl/tests/unit/test_signed_apps-marketplace.js so they expect the signature verification to succeed for FxAndroid like is expected for B2G. > 3. Tweak the addon downloading and installing code to ignore signatures for FxAndroid. > 4. Ensure that the debugger protocol support on FxAndroid supports the privileged/packaged app testing mechanism (unsigned packaged app pushed from desktop onto the device) like B2G does. I think the Android team can get someone assigned, get some guidance from Brian and Blair McBride, and land some patches.

(In reply to Mark Finkle (:mfinkle) from comment #6) > > 3. Tweak the addon downloading and installing code to ignore signatures for FxAndroid. This will be pretty easy to do. Look for usage of verifyZipSigning in XPIProvider.jsm, and put it all behind a preference that FxAndroid sets (want to avoid having that code explicitly check for a specific product). We did have runtime checks for signed add-ons, but IIRC that was all removed by bug 726125.

(In reply to Blair McBride [:Unfocused] (Back from the dead. Mostly.) from comment #7) > (In reply to Mark Finkle (:mfinkle) from comment #6) > > > 3. Tweak the addon downloading and installing code to ignore signatures for FxAndroid. > > This will be pretty easy to do. Look for usage of verifyZipSigning in > XPIProvider.jsm, and put it all behind a preference that FxAndroid sets > (want to avoid having that code explicitly check for a specific product). > > We did have runtime checks for signed add-ons, but IIRC that was all removed > by bug 726125. Is this even necessary? If the XPI is signed by an untrusted cert then we still install the add-on, we just treat it as unsigned IIRC.

(In reply to Dave Townsend (:Mossop) from comment #8) > Is this even necessary? If the XPI is signed by an untrusted cert then we > still install the add-on, we just treat it as unsigned IIRC. Oh, huh - didn't realise that (tests/xpinstall/browser_signed_untrusted.js seems to confirm that).

Have create an APK with the MOZ_B2G_CERTDATA=1 line added to the confvars.sh file. Could I get people with more knowledge than I to help test by installing signed and unsigned add-ons and generally see if anything else is broken in the relevant areas? https://www.dropbox.com/s/e2p49m89xq6en7s/fennec-23.0a1.en-US.android-arm.apk

Brian - We have builds that set MOZ_B2G_CERTDATA=1 but privileged webapps are still not installing in Firefox for Android. We get a failure here: http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#2433 The same app will install fine in b2g. Looking at: http://mxr.mozilla.org/mozilla-central/source/security/build/Makefile.in#281 I wonder if something special needs to happen during the build process inside b2g-certdata.mk that is not being done in a Firefox for Android build. Andy ideas? The app in question is https://marketplace.firefox.com/app/kitchensink

What is the exact value of aRv at the time of the failure? That is an nsresult and you may be able to use one of the nsresult -> error message tools to translate the error into something we can understand. cviecco: This is the thing I mentioned to you. The same kind of issue as before: they want to know why the packaged app signature verification fails. See comment 10 and comment 11. Can you help them out here if they have more trouble?

James - From the last Android/WebRT triage, I think we are no longer blocked by this issue. Is that right?

Yes, that's right. The patch suggested in comment 6 has worked, and will be part of the patch for bug 860782.

James, is the issue then solved?

The task is done, but not yet pushed. Can be closed when bug 860782 is closed.

Also pushed to try.

(In reply to James Hugman [:jhugman] [@jhugman] from comment #17) > Created attachment 762757 [details] [diff] [review] > Added entry to convars as suggested. > > Also pushed to try. Can you include a link to the try run?

(In reply to Jason Smith [:jsmith] from comment #18) > (In reply to James Hugman [:jhugman] [@jhugman] from comment #17) > > Created attachment 762757 [details] [diff] [review] > > Added entry to convars as suggested. > > > > Also pushed to try. > > Can you include a link to the try run? https://tbpl.mozilla.org/?tree=Try&rev=48d203914671

(In reply to Aaron Train [:aaronmt] from comment #19) > https://tbpl.mozilla.org/?tree=Try&rev=48d203914671 I looked at the xpcshell log, and neither security/manager/ssl/tests/unit/test_signed_apps.js nor test_signed_apps-marketplace.js seemed to have run. We should add the security/manager/ssl/tests/unit to xpcshell_b2g.ini and xpcshell_android.ini. If the patch for this bug is correct then test_signed_apps-marketplace.js will pass. Compare to this run on Ubuntu, for example: https://tbpl.mozilla.org/php/getParsedLog.php?id=24192960&tree=Try&full=1 07:01:32 INFO - TEST-INFO | /builds/slave/test/build/tests/xpcshell/tests/security/manager/ssl/tests/unit/test_signed_apps.js | running test ... 07:01:32 INFO - TEST-PASS | /builds/slave/test/build/tests/xpcshell/tests/security/manager/ssl/tests/unit/test_signed_apps.js | test passed (time: 598.535ms) 07:01:32 INFO - TEST-INFO | /builds/slave/test/build/tests/xpcshell/tests/security/manager/ssl/tests/unit/test_signed_apps-marketplace.js | running test ... 07:01:33 INFO - TEST-PASS | /builds/slave/test/build/tests/xpcshell/tests/security/manager/ssl/tests/unit/test_signed_apps-marketplace.js | test passed (time: 461.936ms)

Oops: I wrote "If the patch for this bug is correct then test_signed_apps-marketplace.js will pass," but the test has to be tweaked: (In reply to Mark Finkle (:mfinkle) from comment #6) > > 1. Change confvars.sh to be MOZ_B2G_CERTDATA=1 for > > FxAndroid as is done for B2G. > > 2. Tweak the automated tests for this are in > > security/manager/ssl/tests/unit/test_signed_apps-marketplace.js > > so they expect the signature verification to succeed for FxAndroid > > like is expected for B2G. For this step #2: We already have: const isB2G = ("@mozilla.org/b2g-keyboard;1" in Components.classes); in test_signed_apps-marketplace.js. It would be great if isB2G and the (new) isAndroid could be moved/added to head_psm.js in the same directory, and then the "isB2G" tests in the test itself can be replaced with "isB2G || isAndroid". > > 3. Tweak the addon downloading and installing code to ignore > > signatures for FxAndroid. > > 4. Ensure that the debugger protocol support on FxAndroid > > supports the privileged/packaged app testing mechanism > > (unsigned packaged app pushed from desktop onto the device) > > like B2G does.