adjust or remove updater cert pinning
The updater uses a couple of hidden prefs. to do its own form of cert pinning. But changes are afoot on the server side; see https://bugzilla.mozilla.org/show_bug.cgi?id=1219185
Here are the hidden prefs we currently use inside Tor Browser:
pref("app.update.certs.1.issuerName", "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US"); pref("app.update.certs.1.commonName", "*.torproject.org");
These prefs are consulted when the update code connects to https://www.torproject.org
I am not an expert in this area, but it seems like it might be better to just disable the updater-specific checks that use the above prefs. and instead rely on the more general pinning that is defined inside security/manager/boot/src/StaticHPKPins.h (when we added these updater prefs, we did not yet have the more general form of pinning in place).