From 7b4af809956697234546971a4eb2759721361bbf Mon Sep 17 00:00:00 2001 From: Andrew Swan Date: Fri, 9 Mar 2018 11:31:39 -0800 Subject: [PATCH] Bug 1444487 Add preference for langpack signing r=kmag MozReview-Commit-ID: FEPa2wlLBST --HG-- extra : rebase_source : c5e452dd62a3c913a096cfead60d5ee8eaf72489 --- modules/libpref/init/all.js | 1 + .../extensions/internal/AddonSettings.jsm | 4 ++ .../extensions/internal/XPIInstall.jsm | 21 +------ .../extensions/internal/XPIProvider.jsm | 10 ++++ .../data/signing_checks/langpack_signed.xpi | Bin 0 -> 4452 bytes .../data/signing_checks/langpack_unsigned.xpi | Bin 0 -> 413 bytes .../test/xpcshell/test_signed_langpack.js | 56 ++++++++++++++++++ .../extensions/test/xpcshell/xpcshell.ini | 2 + 8 files changed, 76 insertions(+), 18 deletions(-) create mode 100644 toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/langpack_signed.xpi create mode 100644 toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/langpack_unsigned.xpi create mode 100644 toolkit/mozapps/extensions/test/xpcshell/test_signed_langpack.js diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index b4be2188f459..65f94d04f937 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -5100,6 +5100,7 @@ pref("browser.meta_refresh_when_inactive.disabled", false); pref("xpinstall.whitelist.required", true); // Only Firefox requires add-on signatures pref("xpinstall.signatures.required", false); +pref("extensions.langpacks.signatures.required", false); pref("extensions.minCompatiblePlatformVersion", "2.0"); pref("extensions.webExtensionsMinPlatformVersion", "42.0a1"); pref("extensions.legacy.enabled", true); diff --git a/toolkit/mozapps/extensions/internal/AddonSettings.jsm b/toolkit/mozapps/extensions/internal/AddonSettings.jsm index 5d11d4e7f902..a3a162c4ff15 100644 --- a/toolkit/mozapps/extensions/internal/AddonSettings.jsm +++ b/toolkit/mozapps/extensions/internal/AddonSettings.jsm @@ -10,6 +10,7 @@ ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm"); ChromeUtils.import("resource://gre/modules/AppConstants.jsm"); const PREF_SIGNATURES_REQUIRED = "xpinstall.signatures.required"; +const PREF_LANGPACK_SIGNATURES = "extensions.langpacks.signatures.required"; const PREF_ALLOW_LEGACY = "extensions.legacy.enabled"; var AddonSettings = {}; @@ -34,6 +35,9 @@ if (AppConstants.MOZ_REQUIRE_SIGNING && !Cu.isInAutomation) { PREF_SIGNATURES_REQUIRED, false); } +XPCOMUtils.defineLazyPreferenceGetter(AddonSettings, "LANGPACKS_REQUIRE_SIGNING", + PREF_LANGPACK_SIGNATURES, false); + if (AppConstants.MOZ_ALLOW_LEGACY_EXTENSIONS || Cu.isInAutomation) { XPCOMUtils.defineLazyPreferenceGetter(AddonSettings, "ALLOW_LEGACY_EXTENSIONS", PREF_ALLOW_LEGACY, true); diff --git a/toolkit/mozapps/extensions/internal/XPIInstall.jsm b/toolkit/mozapps/extensions/internal/XPIInstall.jsm index 8eacc0ca6c56..2fc1d7edbe80 100644 --- a/toolkit/mozapps/extensions/internal/XPIInstall.jsm +++ b/toolkit/mozapps/extensions/internal/XPIInstall.jsm @@ -60,13 +60,14 @@ ChromeUtils.defineModuleGetter(this, "XPIInternal", ChromeUtils.defineModuleGetter(this, "XPIProvider", "resource://gre/modules/addons/XPIProvider.jsm"); -/* globals AddonInternal, BOOTSTRAP_REASONS, KEY_APP_SYSTEM_ADDONS, KEY_APP_SYSTEM_DEFAULTS, KEY_APP_TEMPORARY, TEMPORARY_ADDON_SUFFIX, TOOLKIT_ID, XPIDatabase, XPIStates, getExternalType, isTheme, isUsableAddon, isWebExtension, recordAddonTelemetry */ +/* globals AddonInternal, BOOTSTRAP_REASONS, KEY_APP_SYSTEM_ADDONS, KEY_APP_SYSTEM_DEFAULTS, KEY_APP_TEMPORARY, TEMPORARY_ADDON_SUFFIX, SIGNED_TYPES, TOOLKIT_ID, XPIDatabase, XPIStates, getExternalType, isTheme, isUsableAddon, isWebExtension, mustSign, recordAddonTelemetry */ const XPI_INTERNAL_SYMBOLS = [ "AddonInternal", "BOOTSTRAP_REASONS", "KEY_APP_SYSTEM_ADDONS", "KEY_APP_SYSTEM_DEFAULTS", "KEY_APP_TEMPORARY", + "SIGNED_TYPES", "TEMPORARY_ADDON_SUFFIX", "TOOLKIT_ID", "XPIDatabase", @@ -75,6 +76,7 @@ const XPI_INTERNAL_SYMBOLS = [ "isTheme", "isUsableAddon", "isWebExtension", + "mustSign", "recordAddonTelemetry", ]; @@ -156,15 +158,6 @@ const RESTARTLESS_TYPES = new Set([ "webextension-theme", ]); -const SIGNED_TYPES = new Set([ - "apiextension", - "extension", - "experiment", - "webextension", - "webextension-theme", -]); - - // This is a random number array that can be used as "salt" when generating // an automatic ID based on the directory path of an add-on. It will prevent // someone from creating an ID for a permanent add-on that could be replaced @@ -172,14 +165,6 @@ const SIGNED_TYPES = new Set([ const TEMP_INSTALL_ID_GEN_SESSION = new Uint8Array(Float64Array.of(Math.random()).buffer); -// Whether add-on signing is required. -function mustSign(aType) { - if (!SIGNED_TYPES.has(aType)) - return false; - - return AddonSettings.REQUIRE_SIGNING; -} - const MSG_JAR_FLUSH = "AddonJarFlush"; const MSG_MESSAGE_MANAGER_CACHES_FLUSH = "AddonMessageManagerCachesFlush"; diff --git a/toolkit/mozapps/extensions/internal/XPIProvider.jsm b/toolkit/mozapps/extensions/internal/XPIProvider.jsm index 3b245b53c41f..fa0a6ec6ba11 100644 --- a/toolkit/mozapps/extensions/internal/XPIProvider.jsm +++ b/toolkit/mozapps/extensions/internal/XPIProvider.jsm @@ -80,6 +80,7 @@ const PREF_XPI_FILE_WHITELISTED = "xpinstall.whitelist.fileRequest"; // xpinstall.signatures.required only supported in dev builds const PREF_XPI_SIGNATURES_REQUIRED = "xpinstall.signatures.required"; const PREF_XPI_SIGNATURES_DEV_ROOT = "xpinstall.signatures.dev-root"; +const PREF_LANGPACK_SIGNATURES = "extensions.langpacks.signatures.required"; const PREF_XPI_PERMISSIONS_BRANCH = "xpinstall."; const PREF_INSTALL_REQUIRESECUREORIGIN = "extensions.install.requireSecureOrigin"; const PREF_INSTALL_DISTRO_ADDONS = "extensions.installDistroAddons"; @@ -218,6 +219,7 @@ const SIGNED_TYPES = new Set([ "extension", "experiment", "webextension", + "webextension-langpack", "webextension-theme", ]); @@ -240,6 +242,10 @@ function mustSign(aType) { if (!SIGNED_TYPES.has(aType)) return false; + if (aType == "webextension-langpack") { + return AddonSettings.LANGPACKS_REQUIRE_SIGNING; + } + return AddonSettings.REQUIRE_SIGNING; } @@ -2169,6 +2175,7 @@ var XPIProvider = { Services.prefs.addObserver(PREF_EM_MIN_COMPAT_PLATFORM_VERSION, this); if (!AppConstants.MOZ_REQUIRE_SIGNING || Cu.isInAutomation) Services.prefs.addObserver(PREF_XPI_SIGNATURES_REQUIRED, this); + Services.prefs.addObserver(PREF_LANGPACK_SIGNATURES, this); Services.prefs.addObserver(PREF_ALLOW_LEGACY, this); Services.prefs.addObserver(PREF_ALLOW_NON_MPC, this); Services.obs.addObserver(this, NOTIFICATION_FLUSH_PERMISSIONS); @@ -4029,6 +4036,7 @@ var XPIProvider = { this.updateAddonAppDisabledStates(); break; case PREF_XPI_SIGNATURES_REQUIRED: + case PREF_LANGPACK_SIGNATURES: case PREF_ALLOW_LEGACY: case PREF_ALLOW_NON_MPC: this.updateAddonAppDisabledStates(); @@ -6983,6 +6991,7 @@ var XPIInternal = { KEY_APP_SYSTEM_ADDONS, KEY_APP_SYSTEM_DEFAULTS, KEY_APP_TEMPORARY, + SIGNED_TYPES, TEMPORARY_ADDON_SUFFIX, TOOLKIT_ID, XPIStates, @@ -6990,6 +6999,7 @@ var XPIInternal = { isTheme, isUsableAddon, isWebExtension, + mustSign, recordAddonTelemetry, get XPIDatabase() { return gGlobalScope.XPIDatabase; }, diff --git a/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/langpack_signed.xpi b/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/langpack_signed.xpi new file mode 100644 index 0000000000000000000000000000000000000000..f60d00348eb41058cc3e49680029083954ba05e9 GIT binary patch literal 4452 zcma)AcQhQ{wjM-ugD9g$?=walq9jTXohV^+q8mi-L`yZ^_Sxr;@6%DoyG0EE00;qJ37s?~W*8o^k^umL z6ac`VQ%xm(d9bRMvJk>8z|qCU3gY2uHTA?_COL2^XPA_OgG})l#EJZXNd&*@H+(9j zJ_oWHemyiJV8`?tRjl7=^J@EHgrHvZ9rmJ+`QMXMJRcJBy!9(P$qL9hIcwXq*jvAp zxn7vQyu8{S-8&BsnZ}}p!WzU$A@u@_{8tf#Ae?@C1Qy@O1kGv*l_!+z#23@ic`3&F z8;zeeN+pjg_`DQA@-+n*6~;y(PvqEf5E5n571p;D{0)rD8s?wGN=n$34}nTDEH6Kd z$1jq=p+YtmE1hTG*L=)55gy^t#Tk7Usn&_tJX`^VV{0nPtFjA%p~C`^ZL@hBKh_no zh3C9dy5WkKebnLnVGE`JrNQwIgFeo1?*7487iKd6{Q;HZ>;PB zeHqTjn0c8%+8NG!={IDFLy?S6iH~SgQ81!_Zupz|49yJmm$D~0y&1vA2?UN*?pEVyi{-fxuDB!u?WRhSp-8`p-subLv{<{Rb?_ zY!&W+c{|SixPk3P8Q2r~Xg?cQ&rhCRgO?%P&^fnEMsK9FBh79>f#W=jh0b zHHoA^s>nNl{shs__z|Z1Mnc#*G$E#c_ zvfe?y(Oq#;=3mA^1VH~|`oZxf?g9T{!kKK06fLT>{l4X}D>PTWuuyV| zCJ28>Z-jhPuX_IA_*^fWi}=h8F+#Zj>)7B~9JQw84^F2J(D23^Dr0-yO_PCP^Vw;2Sv+0A*wa<%k&9YH7P7h(-~GavtJ~qO z4|9WVO%uu>m-Z>sUEdhE)WrpJ#}|o#3_M~&uI#gUL$O4M)WmLO zRJqBP*HQwVkHn%|!e282`!FIRT16K`z}-8pXz=%8*u0uC9eozOE*q}a;?*?bk!N8f z!&|9J?vd@#^(_y@msT#s@mn~e$;fnv?x(hRNIH;iWb{jtkJId0JAOlIt^)G%6>OZht!L^*%qw*q6Ja*o7v@;0ZtjsVMEB&(ZcPsR^?mMW;;H@G{N?dkTdSifMrlz+CkeqBGDoRjF;#(ev( zOc_-g|F&?-uA}6nW_v7IG>oxm7TF=396zeS1XUe%?@+$$1=9GeRX>ncJ?YpR3sHyz zODBDOS@G*Lo$Qe)b+5Mww_vw<(5$m1h$mrTO_obP?knx)1WUla|@N;|bn!{WQq*;LV(4JQv8s!F!cV_#LVk! z7u!=CxLYPTB@=v_6$?tUzl5)+ii)Zi)_Y$L7GWH86c>)ea! zF8|e>9h==MWnS{)O)?j?al*yUFFMdub1UcZ7>14pHi4&<2U4$>a)`Eq+{#g&DMdeBNzT0UP1183UBMH2yZpnlA92=;L#56DHa%pLIll>uy@ z7C=Nd85V(mi$Z7PiEw|uC1|GOE?{WFjUzlA2=%n--ZCjQqo)}y|K9qO-y?Zdy}z{v zMhi`sD7em58pVykK{St*`w6)Jj-dzL*6Xnhrhm<M#(^Sfri z0aU%SEsT)2?uUezimgr=>3oTw>g#yRfd`jxzIQ*a)}up3p-B4{@)I4>#3m*CehYH~ z3qxO_va$uR69c_W0ugP3|A^znT`0?jC`9WcRxa?nRL$Dn4>G2YRuwxX4%M0xl+yhM zE-oKced@m9wHued869%|U6?t}M$~RU(ojbe|0$~Fv!(&@EA)fxJ;*(mJdWK$=SN+V zZP;YL_|Q4W{Wqcok5+4eRVY)Eh4ojl!53ocZmVM3BcX%}mc2!jJ;9YM`Myoon$X0*4_UBc zN7aAsHtiyqMh32FG7)`i*zr^IWN(xB@LsI=sCJmENk#*AHU!ERlxM7cY8WL`T5Hcm z7pT;u?kdNjuE?29OfKSx3PD~$#nHs%Y+eh6B`*zpEfP$}w157@l>_d?;GYl@Oe(L< z-xX~3xHba{h`=*tPmBo#>Rx0fItTg7*F*GNrjg7?;TroqwTE#(oFN4;GxyRHah+MJ zpjA99kJN$g0(0mu_JM|$^BVD6U#7QAx+*2l$$`XQx?TBi?^ZdlugbZ&8=ttMs%nG= zHh9})j!|`5*Yu`lii13G{>O>_2IaCpJF|I^uY`udaTM(LY9>nrzvOhGzBYQ=1Z(7u z?ty(Cm6M|0BW)M+Cf>pFHGC&)TNq^(`{=-h70o<%Iw*~F&`8cAG-VoKZRa{`|4`B4 zLSS|EEi!~Nen>#2vc8FxkJtyTJw>R(e=}&EREp<54l8*fKCVSk$Ene zF4+~^!*F~{LBhVS%Se(Z%3IXj49n(Y6dGx&_$-f|wcB0koAi(&08W04g~V44)XXPi;& z{~&vEZlZ$a>dcR-BC`gttbZZqypNwHUqWDSXs~;-lDJ!KlX@hdy1m=%f85R2^vsXs zoItOY^n~FKa$i1%sJf0%_Zjto^VL*R^HHAg^loijm2FsJMiN6KXfZ@zRdk>YY2nSk z$%*#v=v$b!b!$6*p>E;E93tu*GUPJlF9lxy!I)ninGEsiu1p~OwhLF`w|E-k$xQhi z{*pewLn(B5CE#2@L%aQn0DH!>g#Hxii`Pz-_ptZ{L8zfP!a!Y8wRa=?B^se)rINb6 z#SLDGjl;V~uA48K(DfC}%Nw$Rp6`_CHpJ6r#Ad7R+hanckn;9umYJ(AE*HwZlq+MI)R*SA2PJqmh$Cr-Q}J=7w^1`}iwN5;c=^WbULpK6 z=O9@tiV4G!5|k@yP5HAdSe(Z8t1t54Gp}80^#vnK!gph#4P*1M`%SS?S(ar+X=DO} zuJ^V+#J&oo==82t<%-@?1FOo&Ql(Xm3Xia_=hZof{=}h64bQ0YCtRm8+wjt)~~n$_A_x2+J z;M~IA-1)m0L+HqBeS%W7aqJTeu2T`KXk|6)u!T?{7LYbQ{qRP`=lr3VI0-~d0Nl~e z$If2+#8=@FNd$|$O}x-@azdo{7t)Mql0@iKz|Y!aki$_$Ur+tLLyL`wbl)F(4R7&t z57J=PTDa>dU5X?p<`P|RFB)6&S+2Wla^Aq8VP_i|*pV6b$QczC)7DP&etW9NZu8@I zhbTRB9)=W6S39$>*KIEXe<({@(nYZqixJhU%yq9sm)gjMPB{Z{oC#`&bp`#}&dP-w zlYLiP1d<3y2N>x-^qfu38;kwuF*!>*g|;A%?R%Szh}Gpo|JkoU3iN9?(`Lg>zrNnY zzbnxHZXCi+c4&}197=s_EV!c}un>n-N!3VyEDyJU8#Mcz7L@{POFqZOFi1$G52bJM zWZ4zDMpKqM@i!AqCE&`%Q+G%9)G(PjcRg1;WU)?(je(^W!1DJt-1n>-9%RIIN&`EF zB1sK)xUrLOO$#g;3*r&2v!CkZ9-LObvpMR;Nb?~lx%L?@65KNs+n{TA&#um!iUp;& zS^7<5_1h&qFRKHeFQi;0&&_VWN`H!H8_|}XW&~&h{5#G3{;jL58;b2Wapxxfm(cdK zBN@>cRTty~t4)!qgZW2>M&Cb%PKtgz@D`r(?$^);L&mY1LxUQ4A}Hz!yvLWKv1*#( zOo|%wLkn4+0x_gVcnHLYa9JiY;kPf6o1+bj)6+SXjL$!;XS|I{;R=vcIi-&Zd>hdK zO3$!z;y->5orZW0^-T%=^7i6$ukdOToFeD-5+2nehw(#wz50cL9-`jlLcGKctIN1I zWN>h)@&0e$;D*uPSJ=%&{|9n6F2WxKmVY4pr+@M%?@w~k^T#)S#Q*Ep{I#gRj?y2< zKPwC;ocv#l`sZN%72&V1^k4aZ5FCO3itrC}#M4ek9sl;9OSf(|=%#$wjgJBV{0({> B6Au6Y literal 0 HcmV?d00001 diff --git a/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/langpack_unsigned.xpi b/toolkit/mozapps/extensions/test/xpcshell/data/signing_checks/langpack_unsigned.xpi new file mode 100644 index 0000000000000000000000000000000000000000..89de7f4409521ecb1f33fa3975ac3b7f5f8a6f59 GIT binary patch literal 413 zcmWIWW@Zs#U|`^2*jt+E!&kaC=`E1=laYaemqCUhH!&|WEw#8rFRM5|FEoUcfq5z4 z;;3anTw1}+z{v6ys1B?>H^9;Fuz|oH<&W&Ap9^uh`_0)Apjao6d$%|F=*g&U&W&32 z$NS84yQ-ox)5_A){lAwxd2lz&IVMlge>7!cOX)S9S#8{t46ata+W1W(p@?(0wCQx85VleWIJ+Ts@lh^3a?8#*(rNj`Qpl-+1F=@R4+*C>L9vWd{XbcON$nUOm5H_1@*l z4)s^F`5Cj>H=YgDso3*#rQx