Security/Reviews/Packaged Apps
From MozillaWiki
Item Reviewed
Packaged Apps: Signing & Revocation

Target

ID | Summary | Priority | Status
---|---|---|---
772365 | Implement signing mechanism for packaged apps | P1 | VERIFIED
816282 | SecReview: Implement signing mechanism for packaged apps | P1 | RESOLVED

2 Total; 0 Open (0%); 1 Resolved (50%); 1 Verified (50%)
Spec document: https://wiki.mozilla.org/Apps/PrivilegedApplication/SigningService

Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- reuse XPI signing for apps in B2G
- same bits we are using for signing receipts

Signing parts:
- Server side
  - How do we control signing (access to the signing machine)?
  - How do we deal with signing many apps? Is it manual?
- Marketplace
- Client

- Reviewers get/generate a test cert
  - tool to install the cert into the phone
  - tool to sign using that cert
- after review, the reviewer-signed app is sent to the marketplace
- the marketplace verifies the reviewer's signature and logs who signed which app
- the marketplace re-signs the app and puts it in the store

Install:
- download the zip
- check the signature
  - if there is no signature, the maximum privilege is "installed"
  - if there is a valid signature, the maximum privilege is "trusted"
  - if the signature is invalid, the app is not installed
- process the permissions requested in the manifest, limited by the maximum privilege
- the signature is never used again until that app is updated
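The install-time decision above, as an added JavaScript example (not Gecko's Webapps code): the signature state is assumed to come from a separate verifier, the two privilege levels and the "invalid means not installed" rule are taken from the notes, and the permission table and sample manifest are constructed for illustration.

```javascript
// Privilege levels from the install notes, ordered so they can be compared.
const LEVEL_RANK = { installed: 1, trusted: 2 };

// Constructed illustrative table: minimum privilege level each permission
// needs. This is NOT the real Firefox OS permission table.
const PERMISSION_MIN_LEVEL = {
  geolocation: "installed",
  "desktop-notification": "installed",
  contacts: "trusted",
  systemXHR: "trusted",
};

// Map the signature check result to the maximum privilege, or null to refuse
// the install. The caller is assumed to have already run the signature check.
function maxPrivilege(sigState) {
  switch (sigState) {
    case "none":    return "installed";
    case "valid":   return "trusted";
    case "invalid": return null;
    default: throw new Error("unknown signature state: " + sigState);
  }
}

// Grant only the requested permissions that fit under the privilege cap;
// everything else (including permissions not in the table) is denied.
function decideInstall(sigState, manifest) {
  const maxPriv = maxPrivilege(sigState);
  if (maxPriv === null) {
    return { installed: false, reason: "invalid signature", granted: [], denied: [] };
  }
  const granted = [];
  const denied = [];
  for (const perm of Object.keys(manifest.permissions || {})) {
    const required = PERMISSION_MIN_LEVEL[perm];
    if (required !== undefined && LEVEL_RANK[required] <= LEVEL_RANK[maxPriv]) {
      granted.push(perm);
    } else {
      denied.push(perm);
    }
  }
  return { installed: true, maxPriv, granted, denied };
}

// Constructed sample manifest requesting one "installed" and one "trusted" permission.
const SAMPLE_MANIFEST = {
  name: "Example App",
  permissions: { geolocation: {}, contacts: { access: "readonly" } },
};
```

An unsigned copy of the sample app is installed with `contacts` denied, the same zip with a valid signature gets both permissions, and an invalid signature refuses the install outright.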
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
Any security threats already considered in the design and why?
Threat Brainstorming
- Receipt signing certs were rotated to avoid people signing receipts forever. What happens if someone gets access to the certs? Do we have a plan for revocation?
  - re-sign all the apps
  - push a firmware update to revoke the cert
Action Items
Action Item Status: In Progress
Release Target: (none given)
Action Items:
- Our app "revocation" seems to depend on the app coming from the marketplace (not simply being signed by the marketplace). Nothing at the moment seems to stop a web-site from installing a copy of a marketplace-signed privileged app. (Is that a problem?)