security/build/b2g-certdata.mk@7e26c7da4463 (annotated)
security/build/b2g-certdata.mk
Wed, 31 Dec 2014 06:55:50 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:55:50 +0100
- changeset 2
- 7e26c7da4463
- permissions
- -rw-r--r--
Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2
| michael@0 | 1 | # This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | # License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | # file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| michael@0 | 4 | |
| michael@0 | 5 | # On B2G, we need to remove the trust bits for code signing from all the |
| michael@0 | 6 | # built-in CAs, because we are redefining the code signing bit to mean |
| michael@0 | 7 | # "is trusted to issue certs that are trusted for signing apps," which none |
| michael@0 | 8 | # of the normal built-in CAs are. This is a temporary hack until we can use |
| michael@0 | 9 | # libpkix to verify the certificates. (libpkix gives the flexibility we need |
| michael@0 | 10 | # to verify certificates using different sets of trust anchors per validation.) |
| michael@0 | 11 | # |
| michael@0 | 12 | # Whenever we change the B2G app signing trust anchor, we need to manually |
| michael@0 | 13 | # update certdata-b2g.txt. To do so: |
| michael@0 | 14 | # |
| michael@0 | 15 | # 1. replace ./b2g-app-root-cert.der with the new DER-encoded root cert |
| michael@0 | 16 | # |
| michael@0 | 17 | # 2. In this directory run: |
| michael@0 | 18 | # |
| michael@0 | 19 | # PATH=$NSS/bin:$NSS/lib addbuiltin -n "b2g-app-root-cert" -t ",,Cu" \ |
| michael@0 | 20 | # < b2g-app-root-cert.der > b2g-certdata.txt |
| michael@0 | 21 | # |
| michael@0 | 22 | # Then, commit the changes. We don't do this step as part of the build because |
| michael@0 | 23 | # we do not build addbuiltin as part of a Gecko build. |
| michael@0 | 24 | |
| michael@0 | 25 | # Distrust all existing builtin CAs for code-signing |
| michael@0 | 26 | hacked-certdata.txt : $(srcdir)/../nss/lib/ckfw/builtins/certdata.txt |
| michael@0 | 27 | sed -e "s/^CKA_TRUST_CODE_SIGNING.*CKT_NSS_TRUSTED_DELEGATOR.*/CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST/" \ |
| michael@0 | 28 | $< > $@ |
| michael@0 | 29 | |
| michael@0 | 30 | combined-certdata.txt : hacked-certdata.txt $(srcdir)/b2g-certdata.txt |
| michael@0 | 31 | cat $^ > $@ |
| michael@0 | 32 | |
| michael@0 | 33 | libs-nss/lib libs-nss/lib/ckfw: combined-certdata.txt |
| michael@0 | 34 | |
| michael@0 | 35 | DEFAULT_GMAKE_FLAGS += NSS_CERTDATA_TXT='$(CURDIR)/combined-certdata.txt' |
