This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch tor-browser-91.11.0esr-11.5-1 in repository tor-browser.
commit 3d507046bdfe1d6132a567c1d47e500f3845c51b Author: Dennis Jackson djackson@mozilla.com AuthorDate: Mon Jun 6 13:08:01 2022 +0000
Bug 1771523 - Add telemetry probe for app signature verification outcomes. r=keeler a=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D147530 --- security/apps/AppSignatureVerification.cpp | 16 ++++++++++++++++ toolkit/components/telemetry/Histograms.json | 11 +++++++++++ 2 files changed, 27 insertions(+)
diff --git a/security/apps/AppSignatureVerification.cpp b/security/apps/AppSignatureVerification.cpp
index 0674887a2c148..8100d4d38cce8 100644
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -1307,6 +1307,22 @@ nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
 }
 }
+ // Bits 1 and 2
+ // 00 = Didn't Process PKCS#7 signatures
+ // 01 = Processed but no valid cert or signature
+ // 10 = Processed and valid cert found, but addon didn't match manifest
+ // 11 = Processed and valid.
+ // Bits 3 and 4 are the same but for COSE.
+ uint32_t bucket = 0;
+ bucket += aPolicy.ProcessCOSE();
+ bucket += !coseCertDER.IsEmpty();
+ bucket += coseVerified;
+ bucket <<= 2;
+ bucket += aPolicy.ProcessPK7();
+ bucket += !pkcs7CertDER.IsEmpty();
+ bucket += pk7Verified;
+ Telemetry::Accumulate(Telemetry::ADDON_SIGNATURE_VERIFICATION_STATUS, bucket);
+
 if ((aPolicy.PK7Required() && !pk7Verified) ||
 (aPolicy.COSERequired() && !coseVerified)) {
 return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE;
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index dbce789c65c4a..f8656555514b9 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -188,6 +188,17 @@
 "bug_numbers": [1172689, 1531034],
 "description": "Recorded when application reputation remote lookup is performed, `true` is recorded if the lookup times out."
 },
+ "ADDON_SIGNATURE_VERIFICATION_STATUS": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox", "fennec"],
+ "alert_emails": ["seceng-telemetry@mozilla.com"],
+ "expires_in_version": "never",
+ "releaseChannelCollection": "opt-out",
+ "kind": "enumerated",
+ "n_values": 32,
+ "bug_numbers": [1771523],
+ "description": "Records the result of App Signature Verification. See the comments in OpenSignedAppFile. "
+ },
 "BACKGROUNDFILESAVER_THREAD_COUNT": {
 "record_in_processes": ["main", "content"],
 "products": ["firefox", "fennec"],
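Review bot: In the AppSignatureVerification.cpp hunk, the two-bit codes in the comment are produced by adding three booleans per signature type, so a field matches the documented table only if the flags are nested (verified implies a non-empty cert DER, which implies the policy processed that type). Nothing visible in the hunk enforces that nesting; if, for example, `coseCertDER` were ever populated while `aPolicy.ProcessCOSE()` is false, the sum would report a state that did not occur. I would state the invariant in the comment, e.g. `// Each 2-bit field is a count: processed -> cert found -> verified, each implying the previous.`, or assert it with `MOZ_ASSERT(!pk7Verified || !pkcs7CertDER.IsEmpty());` and the COSE equivalent. The probe is also only accumulated on paths that fall through to this point, so any early error return above the hunk would go uncounted; OpenSignedAppFile starts and ends outside the hunk, so that cannot be confirmed from here.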
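Review bot: In the Histograms.json hunk, the `description` of ADDON_SIGNATURE_VERIFICATION_STATUS defers to source comments and ends with a stray space, so someone reading the probe definition cannot decode a bucket without opening the C++ file. Spelling the layout out would make the data usable on its own, e.g. `"description": "Result of app signature verification. Bits 1-2: PKCS#7, bits 3-4: COSE; per field 0 = not processed, 1 = processed but no valid cert or signature, 2 = valid cert but manifest mismatch, 3 = valid."`. The code in this commit only produces values 0 to 15 (two 2-bit fields), while `n_values` is 32; if the headroom is deliberate, it is worth saying so in the description.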