[tor-commits] [tor-browser/tor-browser-38.4.0esr-5.5-1] Bug 1151485 - Disable app update xml certificate checks on Linux now that there is mar signing on Linux. r=bbondy
gk at torproject.org
gk at torproject.org
Fri Nov 13 13:25:35 UTC 2015
commit c429e391927b9f6462274c5a7b51cf66cd253ddf
Author: Robert Strong <robert.bugzilla at gmail.com>
Date: Wed Jul 29 12:39:56 2015 -0700
Bug 1151485 - Disable app update xml certificate checks on Linux now that there is mar signing on Linux. r=bbondy
---
browser/app/profile/firefox.js | 47 ++++------------------------------------
1 file changed, 4 insertions(+), 43 deletions(-)
diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
index 9944a82..a827f52 100644
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -100,51 +100,12 @@ pref("app.update.log", false);
pref("app.update.backgroundMaxErrors", 10);
// The aus update xml certificate checks for application update are disabled on
-// Windows and Mac OS X since the mar signature check are implemented on these
-// platforms and is sufficient to prevent us from applying a mar that is not
-// valid.
-#if defined(XP_WIN) || defined(XP_MACOSX)
+// Windows, Mac OS X, and Linux since the mar signature check are implemented on
+// these platforms and is sufficient to prevent us from applying a mar that is
+// not valid. Bug 1182352 will remove the update xml certificate checks and the
+// following two preferences.
pref("app.update.cert.requireBuiltIn", false);
pref("app.update.cert.checkAttributes", false);
-#else
-// When |app.update.cert.requireBuiltIn| is true or not specified the
-// final certificate and all certificates the connection is redirected to before
-// the final certificate for the url specified in the |app.update.url|
-// preference must be built-in.
-pref("app.update.cert.requireBuiltIn", true);
-
-// When |app.update.cert.checkAttributes| is true or not specified the
-// certificate attributes specified in the |app.update.certs.| preference branch
-// are checked against the certificate for the url specified by the
-// |app.update.url| preference.
-pref("app.update.cert.checkAttributes", true);
-
-// The number of certificate attribute check failures to allow for background
-// update checks before notifying the user of the failure. User initiated update
-// checks always notify the user of the certificate attribute check failure.
-pref("app.update.cert.maxErrors", 5);
-
-// The |app.update.certs.| preference branch contains branches that are
-// sequentially numbered starting at 1 that contain attribute name / value
-// pairs for the certificate used by the server that hosts the update xml file
-// as specified in the |app.update.url| preference. When these preferences are
-// present the following conditions apply for a successful update check:
-// 1. the uri scheme must be https
-// 2. the preference name must exist as an attribute name on the certificate and
-// the value for the name must be the same as the value for the attribute name
-// on the certificate.
-// If these conditions aren't met it will be treated the same as when there is
-// no update available. This validation will not be performed when the
-// |app.update.url.override| user preference has been set for testing updates or
-// when the |app.update.cert.checkAttributes| preference is set to false. Also,
-// the |app.update.url.override| preference should ONLY be used for testing.
-// IMPORTANT! metro.js should also be updated for updates to certs.X.issuerName
-// IMPORTANT! media.gmp-manager.certs.* prefs should also be updated if these
-// are updated.
-
-pref("app.update.certs.1.issuerName", "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US");
-pref("app.update.certs.1.commonName", "*.torproject.org");
-#endif
// Whether or not app updates are enabled
pref("app.update.enabled", true);
More information about the tor-commits
mailing list