eliott/desktop
1
0
Fork 0
mirror of https://github.com/zen-browser/desktop synced 2026-04-25 17:15:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
* security: enable MAR signature verification for updates

Remove `--enable-unverified-updates` from the common mozconfig. This flag
was disabling all MAR (Mozilla ARchive) signature verification in the
updater binary, meaning update packages were applied without any
cryptographic authenticity check.

With this flag removed, the Mozilla build system will:
- Link NSS and signmar into the updater binary
- Enable SecVerifyTransformCreate-based signature verification on macOS
- Require MAR files to contain valid signatures before applying

REQUIRED FOLLOW-UP (maintainer action):
1. Generate a Zen-specific MAR signing keypair (RSA-PKCS1-SHA384)
   See: https://firefox-source-docs.mozilla.org/build/buildsystem/mar.html
2. Place the public key DER file(s) in the source tree at
   toolkit/mozapps/update/updater/release_primary.der
3. Sign MAR files during the release build with the private key
4. Set ACCEPTED_MAR_CHANNEL_IDS in update-settings.ini to restrict
   which update channels the updater will accept

Ref: GHSA-qpj9-m8jc-mw6q

* no-bug: Added signature steps

* no-bug: Export browser/installer/package-manifest.in

---------

Co-authored-by: Maliq Barnard <maliqbarnard@Maliqs-MacBook-Air.local>
Co-authored-by: Mr. M <mr.m@tuta.com>
This commit is contained in:
JDX50S
2026-04-09 14:28:31 -03:00
committed by GitHub
parent 8b9f449f95
commit 270db6d671
9 changed files with 201 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.github/workflows/build.yml vendored
View File

@@ -505,6 +505,20 @@ jobs:
run: |
git clone https://github.com/zen-browser/windows-binaries.git .github/workflows/object --depth 1
- name: Download signmar-linux-x86_64 from artifacts
uses: actions/download-artifact@v4
with:
name: signmar-linux-x86_64
- name: Sign MAR files
env:
SIGNMAR: ${{ github.workspace }}/signmar-linux-x86_64
ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
run: |
bash scripts/mar_sign.sh -s
- name: Copy update manifests
env:
RELEASE_BRANCH: ${{ inputs.update_branch }}