From 739b015dae4fc1eb15be98fa595e9e3f4d2fca6b Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Fri, 3 May 2024 05:10:14 +0000 Subject: [PATCH] Bug 1894689 - update pinned cert issuers in windows maintenance service. r=bhearsum,application-update-reviewers,bytesized Differential Revision: https://phabricator.services.mozilla.com/D209245 --- browser/installer/windows/nsis/defines.nsi.in | 4 ++-- .../installer/windows/nsis/maintenanceservice_installer.nsi | 2 +- .../bootstrapinstaller/maintenanceservice_installer.nsi | 2 +- toolkit/mozapps/update/docs/MaintenanceServiceTests.rst | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/browser/installer/windows/nsis/defines.nsi.in b/browser/installer/windows/nsis/defines.nsi.in index cbcb2e9be0c9..ae17ff4d17d0 100644 --- a/browser/installer/windows/nsis/defines.nsi.in +++ b/browser/installer/windows/nsis/defines.nsi.in @@ -54,11 +54,11 @@ !define IDI_PBICON_PB_EXE_ZERO_BASED "0" !define CERTIFICATE_NAME "Mozilla Corporation" -!define CERTIFICATE_ISSUER "DigiCert SHA2 Assured ID Code Signing CA" +!define CERTIFICATE_ISSUER "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ; Changing the name or issuer requires us to have both the old and the new ; in the registry at the same time, temporarily. !define CERTIFICATE_NAME_PREVIOUS "Mozilla Corporation" -!define CERTIFICATE_ISSUER_PREVIOUS "DigiCert Assured ID Code Signing CA-1" +!define CERTIFICATE_ISSUER_PREVIOUS "DigiCert SHA2 Assured ID Code Signing CA" # LSP_CATEGORIES is the permitted LSP categories for the application. Each LSP # category value is ANDed together to set multiple permitted categories. diff --git a/browser/installer/windows/nsis/maintenanceservice_installer.nsi b/browser/installer/windows/nsis/maintenanceservice_installer.nsi index c285e45bbdad..5d50ee9e6c4b 100644 --- a/browser/installer/windows/nsis/maintenanceservice_installer.nsi +++ b/browser/installer/windows/nsis/maintenanceservice_installer.nsi 
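Review bot: In the defines.nsi.in hunk, moving `DigiCert SHA2 Assured ID Code Signing CA` into `CERTIFICATE_ISSUER_PREVIOUS` drops `DigiCert Assured ID Code Signing CA-1` from the pinned pair, and nothing in the change records that no binary still in use is signed under that issuer. Assuming these defines are what the installer writes to the maintenance service's registry allowlist, the service would then refuse such a binary. The existing comment says the overlap is temporary but not when it ends; I would extend it, e.g. `; Bug 1894689: G4 RSA4096 SHA384 2021 CA1 is current; keep the SHA2 Assured ID issuer until no shipped build is signed under it.` Because the pin appears to be a plain name string, it is also worth confirming the new value character for character against the issuer name of an actually signed build.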
@@ -217,7 +217,7 @@ Section "MaintenanceService"
 ; These keys are used to bypass the installation dir is a valid installation
 ; check from the service so that tests can be run.
 ; WriteRegStr HKLM "${FallbackKey}\0" "name" "Mozilla Corporation"
- ; WriteRegStr HKLM "${FallbackKey}\0" "issuer" "DigiCert SHA2 Assured ID Code Signing CA"
+ ; WriteRegStr HKLM "${FallbackKey}\0" "issuer" "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
 ${If} ${RunningX64}
 ${OrIf} ${IsNativeARM64}
 SetRegView lastused
diff --git a/toolkit/components/maintenanceservice/bootstrapinstaller/maintenanceservice_installer.nsi b/toolkit/components/maintenanceservice/bootstrapinstaller/maintenanceservice_installer.nsi
index 685458db0e2d..88e994b3bd29 100644
--- a/toolkit/components/maintenanceservice/bootstrapinstaller/maintenanceservice_installer.nsi
+++ b/toolkit/components/maintenanceservice/bootstrapinstaller/maintenanceservice_installer.nsi
@@ -205,7 +205,7 @@ Section "MaintenanceService"
 ; These keys are used to bypass the installation dir is a valid installation
 ; check from the service so that tests can be run.
 WriteRegStr HKLM "${FallbackKey}\0" "name" "Mozilla Corporation"
- WriteRegStr HKLM "${FallbackKey}\0" "issuer" "DigiCert SHA2 Assured ID Code Signing CA"
+ WriteRegStr HKLM "${FallbackKey}\0" "issuer" "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
 WriteRegStr HKLM "${FallbackKey}\1" "name" "Mozilla Fake SPC"
 WriteRegStr HKLM "${FallbackKey}\1" "issuer" "Mozilla Fake CA"
 ${If} ${RunningX64}
diff --git a/toolkit/mozapps/update/docs/MaintenanceServiceTests.rst b/toolkit/mozapps/update/docs/MaintenanceServiceTests.rst
index b954b572f877..65259c94d955 100644
--- a/toolkit/mozapps/update/docs/MaintenanceServiceTests.rst
+++ b/toolkit/mozapps/update/docs/MaintenanceServiceTests.rst
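Review bot: In the bootstrap installer hunk (`@@ -205,7 +205,7 @@`), `${FallbackKey}\0` is overwritten with the new issuer and the outgoing one is kept nowhere, whereas defines.nsi.in in the same commit retains it as `CERTIFICATE_ISSUER_PREVIOUS`. If test runs still exercise binaries signed under `DigiCert SHA2 Assured ID Code Signing CA`, the service's certificate check would presumably fail for them; if that is intended, a one-line comment saying so would help. Otherwise consider a further pair, `WriteRegStr HKLM "${FallbackKey}\2" "name" "Mozilla Corporation"` and `WriteRegStr HKLM "${FallbackKey}\2" "issuer" "DigiCert SHA2 Assured ID Code Signing CA"`, assuming the service reads numbered subkeys beyond `\1`. The Section body starts and ends outside the hunk.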
@@ -47,11 +47,11 @@ into the registry. [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService\3932ecacee736d366d6436db0f55bce4] [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService\3932ecacee736d366d6436db0f55bce4\0] - "issuer"="DigiCert SHA2 Assured ID Code Signing CA" + "issuer"="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" "name"="Mozilla Corporation" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService\3932ecacee736d366d6436db0f55bce4\1] - "issuer"="DigiCert Assured ID Code Signing CA-1" + "issuer"="DigiCert SHA2 Assured ID Code Signing CA" "name"="Mozilla Corporation" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService\3932ecacee736d366d6436db0f55bce4\2]