fixup! Bug 13379: Allow using NSS to sign and verify MAR signatures

Bug 41668: Port some updater patches to Base Browser Use a configure-time flag to force using NSS for MARs signatures.

fixup! Bug 13379: Allow using NSS to sign and verify MAR signatures
16f42e30 · Pier Angelo Vendrame · eb16c8cc · 16f42e30 · 16f42e30 · 16f42e30
Verified Commit 16f42e30 authored 2 years ago by Pier Angelo Vendrame
--- a/build/moz.configure/update-programs.configure
+++ b/build/moz.configure/update-programs.configure
@@ -32,6 +32,14 @@ set_config(
    "MOZ_VERIFY_MAR_SIGNATURE", depends_if("--enable-verify-mar")(lambda _: True)
 )

+# Use NSS for MAR signatures even on platforms where system libraries are
+# supported (currently Windows and macOS).
+# ==============================================================
+
+option("--enable-nss-mar", help="Always use NSS for MAR signatures")
+
+set_config("MOZ_USE_NSS_FOR_MAR", True, when="--enable-nss-mar")
+
 # Maintenance service (Windows only)
 # ==============================================================


--- a/modules/libmar/tool/moz.build
+++ b/modules/libmar/tool/moz.build
@@ -43,7 +43,7 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging":
        "verifymar",
    ]

-    if CONFIG["TOR_BROWSER_UPDATE"]:
+    if CONFIG["MOZ_USE_NSS_FOR_MAR"]:
        DEFINES["MAR_NSS"] = True

    if CONFIG["OS_ARCH"] == "WINNT":
@@ -52,12 +52,12 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging":
        OS_LIBS += [
            "ws2_32",
        ]
-        if not CONFIG["TOR_BROWSER_UPDATE"]:
+        if not CONFIG["MOZ_USE_NSS_FOR_MAR"]:
            OS_LIBS += [
                "crypt32",
                "advapi32",
            ]
-    elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["TOR_BROWSER_UPDATE"]:
+    elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]:
        OS_LIBS += [
            "-framework CoreFoundation",
            "-framework Security",

--- a/modules/libmar/verify/moz.build
+++ b/modules/libmar/verify/moz.build
@@ -15,12 +15,15 @@ FORCE_STATIC_LIB = True

 if CONFIG["OS_ARCH"] == "WINNT":
    USE_STATIC_LIBS = True
-elif CONFIG["OS_ARCH"] == "Darwin":
-    USE_LIBS += [
-        "nspr",
-        "nss",
-        "signmar",
+    use_nss = CONFIG["MOZ_USE_NSS_FOR_MAR"]
+elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]:
+    UNIFIED_SOURCES += [
+        "MacVerifyCrypto.cpp",
    ]
+    OS_LIBS += [
+        "-framework Security",
+    ]
+    use_nss = False
 else:
    USE_LIBS += [
        "nspr",
@@ -34,14 +37,16 @@ else:
    OS_LIBS += [
        "-Wl,-rpath=\\$$ORIGIN",
    ]
-
-DEFINES["MAR_NSS"] = True
-LOCAL_INCLUDES += ["../sign"]
+    use_nss = True

 LOCAL_INCLUDES += [
    "../src",
 ]

+if use_nss:
+    LOCAL_INCLUDES += ["../sign"]
+    DEFINES["MAR_NSS"] = True
+
 # C11 for static_assert
 c11_flags = ["-std=gnu11"]
 if CONFIG["CC_TYPE"] == "clang-cl":

--- a/toolkit/mozapps/update/updater/updater-common.build
+++ b/toolkit/mozapps/update/updater/updater-common.build
@@ -4,9 +4,11 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

-DEFINES["MAR_NSS"] = True
-
-link_with_nss = DEFINES["MAR_NSS"] or (CONFIG["OS_ARCH"] == "Linux" and CONFIG["MOZ_VERIFY_MAR_SIGNATURE"])
+link_with_nss = CONFIG["MOZ_USE_NSS_FOR_MAR"] or (
+    CONFIG["OS_ARCH"] == "Linux" and CONFIG["MOZ_VERIFY_MAR_SIGNATURE"]
+)
+if link_with_nss:
+    DEFINES["MAR_NSS"] = True

 srcs = [
    "archivereader.cpp",

--- a/toolkit/xre/moz.build
+++ b/toolkit/xre/moz.build
@@ -232,8 +232,8 @@ for var in ("APP_VERSION", "APP_ID"):
 if CONFIG["MOZ_BUILD_APP"] == "browser":
    DEFINES["MOZ_BUILD_APP_IS_BROWSER"] = True

-if CONFIG['TOR_BROWSER_UPDATE']:
-    DEFINES['MAR_NSS'] = True
+if CONFIG["MOZ_USE_NSS_FOR_MAR"]:
+    DEFINES["MAR_NSS"] = True

 LOCAL_INCLUDES += [
    "../../other-licenses/nsis/Contrib/CityHash/cityhash",

--- a/toolkit/xre/nsUpdateDriver.cpp
+++ b/toolkit/xre/nsUpdateDriver.cpp
@@ -293,8 +293,7 @@ static bool IsOlderVersion(nsIFile* versionFile, const char* appVersion) {
  return mozilla::Version(appVersion) > buf;
 }

-#if defined(TOR_BROWSER_UPDATE) && defined(MOZ_VERIFY_MAR_SIGNATURE) && \
-    defined(MAR_NSS) && defined(XP_MACOSX)
+#if defined(MOZ_VERIFY_MAR_SIGNATURE) && defined(MAR_NSS) && defined(XP_MACOSX)
 /**
 * Ideally we would save and restore the original library path value after
 * the updater finishes its work (and before firefox is re-launched).
@@ -605,8 +604,7 @@ static void ApplyUpdate(nsIFile* greDir, nsIFile* updateDir, nsIFile* appDir,
    PR_SetEnv("MOZ_SAFE_MODE_RESTART=1");
  }

-#if defined(TOR_BROWSER_UPDATE) && defined(MOZ_VERIFY_MAR_SIGNATURE) && \
-    defined(MAR_NSS) && defined(XP_MACOSX)
+#if defined(MOZ_VERIFY_MAR_SIGNATURE) && defined(MAR_NSS) && defined(XP_MACOSX)
  // On macOS, append the app directory to the shared library search path
  // so the system can locate the shared libraries that are needed by the
  // updater, e.g., libnss3.dylib).