Verified Commit 9a95e213 authored by Kathleen Brade's avatar Kathleen Brade Committed by Pier Angelo Vendrame
Browse files

Bug 13379: Allow using NSS to sign and verify MAR signatures 

Allow using NSS on all platforms for checking MAR signatures (instead
  of using OS-native APIs, the default on Mac OS and Windows).
  So that the NSS and NSPR libraries the updater depends on can be
  found at runtime, we add the firefox directory to the shared library
  search path on macOS.
  On Linux, rpath is used to solve that problem, but that approach
  won't work on macOS because the updater executable is copied during
  the update process to a location that can vary.
parent 9c1dd51f

modules/libmar/tool/mar.c

+3 −3
Original line number Diff line number Diff line
@@ -65,7 +65,7 @@ static void print_usage() { 
      "signed_input_archive.mar base_64_encoded_signature_file "

      "changed_signed_output.mar\n");

  printf("(i) is the index of the certificate to extract\n");

#  if defined(XP_MACOSX) || (defined(XP_WIN) && !defined(MAR_NSS))

#  if (defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS)

  printf("Verify a MAR file:\n");

  printf("  mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n");

  printf(
@@ -149,7 +149,7 @@ int main(int argc, char** argv) { 
  memset((void*)certBuffers, 0, sizeof(certBuffers));

#endif

#if !defined(NO_SIGN_VERIFY) && \

    ((!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX))

    (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))

  memset(DERFilePaths, 0, sizeof(DERFilePaths));

  memset(fileSizes, 0, sizeof(fileSizes));

#endif
@@ -181,7 +181,7 @@ int main(int argc, char** argv) { 
      argc -= 2;

    }

#if !defined(NO_SIGN_VERIFY)

#  if (!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX)

#  if (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))

    /* -D DERFilePath, also matches -D[index] DERFilePath

       We allow an index for verifying to be symmetric

       with the import and export command line arguments. */

modules/libmar/tool/moz.build

+9 −3
Original line number Diff line number Diff line
@@ -43,15 +43,21 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging": 
        "verifymar",

    ]



    if CONFIG["TOR_BROWSER_UPDATE"]:

        DEFINES["MAR_NSS"] = True



    if CONFIG["OS_ARCH"] == "WINNT":

        USE_STATIC_LIBS = True



        OS_LIBS += [

            "ws2_32",

        ]

        if not CONFIG["TOR_BROWSER_UPDATE"]:

            OS_LIBS += [

                "crypt32",

                "advapi32",

            ]

    elif CONFIG["OS_ARCH"] == "Darwin":

    elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["TOR_BROWSER_UPDATE"]:

        OS_LIBS += [

            "-framework CoreFoundation",

            "-framework Security",

modules/libmar/verify/moz.build

+7 −7
Original line number Diff line number Diff line
@@ -16,15 +16,12 @@ FORCE_STATIC_LIB = True 
if CONFIG["OS_ARCH"] == "WINNT":

    USE_STATIC_LIBS = True

elif CONFIG["OS_ARCH"] == "Darwin":

    UNIFIED_SOURCES += [

        "MacVerifyCrypto.cpp",

    ]

    OS_LIBS += [

        "-framework Security",

    USE_LIBS += [

        "nspr",

        "nss",

        "signmar",

    ]

else:

    DEFINES["MAR_NSS"] = True

    LOCAL_INCLUDES += ["../sign"]

    USE_LIBS += [

        "nspr",

        "nss",
@@ -38,6 +35,9 @@ else: 
        "-Wl,-rpath=\\$$ORIGIN",

    ]



DEFINES["MAR_NSS"] = True

LOCAL_INCLUDES += ["../sign"]



LOCAL_INCLUDES += [

    "../src",

]

toolkit/modules/AppConstants.jsm

+7 −0
Original line number Diff line number Diff line
@@ -212,6 +212,13 @@ this.AppConstants = Object.freeze({ 
  false,

#endif



  MOZ_VERIFY_MAR_SIGNATURE:

#ifdef MOZ_VERIFY_MAR_SIGNATURE

  true,

#else

  false,

#endif



  MOZ_MAINTENANCE_SERVICE:

#ifdef MOZ_MAINTENANCE_SERVICE

  true,

toolkit/mozapps/update/updater/updater-common.build

+21 −3
Original line number Diff line number Diff line
@@ -4,6 +4,10 @@ 
# License, v. 2.0. If a copy of the MPL was not distributed with this

# file, You can obtain one at http://mozilla.org/MPL/2.0/.



DEFINES["MAR_NSS"] = True



link_with_nss = DEFINES["MAR_NSS"] or (CONFIG["OS_ARCH"] == "Linux" and CONFIG["MOZ_VERIFY_MAR_SIGNATURE"])



srcs = [

    "archivereader.cpp",

    "updater.cpp",
@@ -36,14 +40,18 @@ if CONFIG["OS_ARCH"] == "WINNT": 
        "ws2_32",

        "shell32",

        "shlwapi",

        "crypt32",

        "advapi32",

        "gdi32",

        "user32",

        "userenv",

        "uuid",

    ]



    if not link_with_nss:

        OS_LIBS += [

            "crypt32",

            "advapi32",

        ]



USE_LIBS += [

    "bspatch",

    "mar",
@@ -51,6 +59,13 @@ USE_LIBS += [ 
    "xz-embedded",

]



if link_with_nss:

    USE_LIBS += [

        "nspr",

        "nss",

        "signmar",

    ]



if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":

    have_progressui = 1

    srcs += [
@@ -65,9 +80,12 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] == "cocoa": 
    ]

    OS_LIBS += [

        "-framework Cocoa",

        "-framework Security",

        "-framework SystemConfiguration",

    ]

    if not link_with_nss:

        OS_LIBS += [

            "-framework Security",

        ]

    UNIFIED_SOURCES += [

        "/toolkit/xre/updaterfileutils_osx.mm",

    ]