Bug 1724247 - Specify full publisher subject in MSIX repackages. r=bhearsum

Installing the Nightly MSIX packages, signed with Mozilla's Nightly
key, yields an error: "Error in parsing the app package."  Unpacking
with `makeappx.exe` yields:
```
MakeAppx : error: Error info: error 8007000B: The app manifest publisher name (CN=Mozilla Corporation) must match the subject name of the signing certificate (CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US).
```

Previously, we allowed just the `CN` to vary; in this patch we make
the publisher be the entire publisher subject, and we update the
publisher details in the task definitions.

Differential Revision: https://phabricator.services.mozilla.com/D121896
Nick Alexander 2021-08-05 17:21:50 +00:00
parent 62fe64a298
commit b71169f3ce
5 changed files with 10 additions and 10 deletions
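
A pre-signing check for the mismatch reported in the commit message, as an added example (not code from this patch or from the Mozilla tree): it reads the `Identity` element's `Publisher` attribute from a manifest and compares it, component by component, with the certificate subject. The sample manifest, the function names and the normalisation (attribute types compared case-insensitively, whitespace around components ignored) are assumptions of this sketch; the comparison Windows performs may be stricter.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
# Subject of the signing certificate, as quoted in the MakeAppx error above.
CERT_SUBJECT = ("CN=Mozilla Corporation, OU=Firefox Engineering Operations, "
                "O=Mozilla Corporation, L=Mountain View, S=California, C=US")
# Constructed sample manifest (Name, Version and architecture are placeholders).
SAMPLE_MANIFEST = (
    '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
    '<Identity Name="Example.App" Publisher="CN=Mozilla Corporation" '
    'Version="1.0.0.0" ProcessorArchitecture="x64" /></Package>')


def split_dn(dn):
    """Return the ordered (TYPE, value) pairs of a distinguished name string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            # Unquoted, unescaped comma: end of one component.
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError("not a key=value component: %r" % part)
        rdns.append((key.strip().upper(), value.strip()))
    return rdns


def manifest_publisher(manifest_xml):
    """Extract the Identity element's Publisher attribute from manifest text."""
    identity = ET.fromstring(manifest_xml).find("m:Identity", NS)
    if identity is None or "Publisher" not in identity.attrib:
        raise ValueError("manifest has no Identity Publisher attribute")
    return identity.attrib["Publisher"]


def publisher_matches(manifest_xml, cert_subject):
    """True only when every component matches, in the same order."""
    return split_dn(manifest_publisher(manifest_xml)) == split_dn(cert_subject)
```

With the constructed manifest above, `publisher_matches(SAMPLE_MANIFEST, CERT_SUBJECT)` is `False`, which is the CN-only case the error message describes.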

@ -4,7 +4,7 @@
- You can obtain one at http://mozilla.org/MPL/2.0/. -->
<!-- #filter substitution -->
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:com="http://schemas.microsoft.com/appx/manifest/com/windows10" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" xmlns:uap2="http://schemas.microsoft.com/appx/manifest/uap/windows10/2" xmlns:uap3="http://schemas.microsoft.com/appx/manifest/uap/windows10/3" xmlns:uap10="http://schemas.microsoft.com/appx/manifest/uap/windows10/10" xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities" IgnorableNamespaces="uap uap2 uap3 uap10 rescap">
<Identity Name="@APPX_IDENTITY@" Publisher="CN=@APPX_PUBLISHER@" Version="@APPX_VERSION@" ProcessorArchitecture="@APPX_ARCH@" />
<Identity Name="@APPX_IDENTITY@" Publisher="@APPX_PUBLISHER@" Version="@APPX_VERSION@" ProcessorArchitecture="@APPX_ARCH@" />
<Properties>
<DisplayName>@MOZ_APP_DISPLAYNAME@</DisplayName>
<PublisherDisplayName>@MOZ_APP_VENDOR@</PublisherDisplayName>
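
Review bot: On the `<Identity>` line, `Publisher="@APPX_PUBLISHER@"` now places the whole subject string inside an XML attribute with nothing in the template guaranteeing it is a distinguished name or that it is attribute-safe. The old `CN=` prefix at least forced a DN shape; with it gone, a bare name passed by an older caller yields a manifest that fails at install time rather than at build time, and a subject containing `"`, `&` or `<` would produce malformed XML. Consider validating the value (at minimum that it contains `=`) and XML-escaping it where the substitution is performed.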

@ -2177,10 +2177,10 @@ class Repackage(MachCommandBase):
type=str,
# This default is baked into enough places under `browser/` that we need
# not extract a constant.
default="Mozilla Corporation",
default="CN=Mozilla Corporation",
required=False,
help="The Publisher string to use in the App Manifest."
+ " It must match the CN on the certificate used for signing",
+ " It must match the subject on the certificate used for signing",
)
@CommandArgument(
"--makeappx",
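
Review bot: The new help text on the publisher argument says the value "must match the subject" but does not say that the argument's meaning changed from a bare common name to a full distinguished name including the `CN=` prefix. Anyone still passing `Mozilla Corporation` will get a manifest whose Publisher is not a DN, with no error from this command. Suggest adding a short example of the expected form to the help string and rejecting values without a `key=value` component at argument-parsing time.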

@ -442,8 +442,8 @@ def sign_msix(output, force=False, log=None, verbose=False):
# These are baked into enough places under `browser/` that we need not
# extract constants.
vendor = "Mozilla"
publisher = "Mozilla Corporation"
friendly_name = "{} MSIX Packaging Test Certificate".format(publisher)
publisher = "CN=Mozilla Corporation"
friendly_name = "Mozilla Corporation MSIX Packaging Test Certificate"
# The convention is $MOZBUILD_STATE_PATH/cache/$FEATURE.
crt_path = mozpath.join(
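
Review bot: In `sign_msix`, `friendly_name` is now a second hard-coded copy of "Mozilla Corporation" next to `publisher = "CN=Mozilla Corporation"`, so the two can drift if one is edited later. Deriving the friendly name from a single bare-name value and building `publisher` as `"CN=" + name` would keep them tied. It is also worth checking the remaining uses of `publisher` in this function, starting with the `crt_path` built just below, since the variable now carries a `CN=` prefix that it did not have before.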
@ -496,7 +496,7 @@ def sign_msix(output, force=False, log=None, verbose=False):
thumbprint = (
powershell(
(
'New-SelfSignedCertificate -Type Custom -Subject "CN={}" '
'New-SelfSignedCertificate -Type Custom -Subject "{}" '
'-KeyUsage DigitalSignature -FriendlyName "{}"'
" -CertStoreLocation Cert:\CurrentUser\My"
' -TextExtension @("2.5.29.37={{text}}1.3.6.1.5.5.7.3.3", '
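
Review bot: On the `-Subject "{}"` line, the full subject is now formatted into a double-quoted PowerShell string, so a subject containing `"`, `$` or a backtick would end the string early or be expanded by PowerShell. The value is a constant in this function today, but since the argument is now "whatever the subject is", single-quoting it (with embedded single quotes doubled) or passing it as a separate argument would be safer. Separately, the unchanged `" -CertStoreLocation Cert:\CurrentUser\My"` line relies on `\C` and `\M` being left alone in a non-raw Python string; a raw string or doubled backslashes would avoid the invalid-escape warning.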

@ -63,5 +63,5 @@ job-template:
default: nightly
publisher:
by-level:
"3": "Mozilla Corporation"
default: "Mozilla Fake SPC"
"3": "CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US"
default: "CN=Mozilla Fake SPC"
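
Review bot: The level `"3"` publisher is now the full certificate subject copied verbatim into the task definition, so any change to the signing certificate's subject (for example on renewal) will bring back the same install-time error with nothing in the build to catch it. A comment naming the certificate this string is taken from, plus a check in the signing task that compares the manifest publisher with the subject of the certificate actually used, would turn that into a build failure. Please also confirm that the `default` value `CN=Mozilla Fake SPC` is the complete subject of the non-production certificate and not just its CN, since that is exactly the assumption this patch corrects for level 3.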

@ -65,5 +65,5 @@ job-template:
default: nightly
publisher:
by-level:
"3": "Mozilla Corporation"
default: "Mozilla Fake SPC"
"3": "CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US"
default: "CN=Mozilla Fake SPC"
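
Review bot: The `publisher` block under `by-level` here is a byte-for-byte duplicate of the one in the previous file, so the two long subject strings must now be kept in sync by hand. Defining the level-3 and default subjects once and referencing them from both job templates would remove the chance of one file being updated without the other.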