9 Commits

Author SHA1 Message Date
mr. m
98e18d5f60 no-bug: Fixed checking for workflow update manifests (gh-13384) 2026-04-24 12:17:13 +02:00
mr. m
3166d50412 no-bug: Sync upstream Firefox to version 150.0 (gh-13351) 2026-04-21 23:18:10 +02:00
mr. m
4e84352023 no-bug: Remove extra verification when signing mars (gh-13321) 2026-04-19 20:41:42 +02:00
mr. m
598c299e18 no-bug: Add Move to folder context menu item (gh-13315) 2026-04-19 16:14:25 +02:00
mr. m
7046d16956 gh-13149: Fixed WS marking tabs as inactive in certain cases (gh-13298) 2026-04-17 13:32:22 +02:00
mr. m
adc8c92816 gh-9836: Finish the MAR signing workflow (gh-13216) 2026-04-13 15:49:24 +02:00
mr. m
a4f0d01a88 no-bug: Sign mars after building them (gh-13213) 2026-04-11 16:45:24 +02:00
mr. m
97451e23c8 no-bug: Individually download each artifact on release (gh-13199) 2026-04-10 17:17:52 +02:00
JDX50S
270db6d671 Merge commit from fork
* security: enable MAR signature verification for updates

Remove `--enable-unverified-updates` from the common mozconfig. This flag
was disabling all MAR (Mozilla ARchive) signature verification in the
updater binary, meaning update packages were applied without any
cryptographic authenticity check.

With this flag removed, the Mozilla build system will:
- Link NSS and signmar into the updater binary
- Enable SecVerifyTransformCreate-based signature verification on macOS
- Require MAR files to contain valid signatures before applying

REQUIRED FOLLOW-UP (maintainer action):
1. Generate a Zen-specific MAR signing keypair (RSA-PKCS1-SHA384)
   See: https://firefox-source-docs.mozilla.org/build/buildsystem/mar.html
2. Place the public key DER file(s) in the source tree at
   toolkit/mozapps/update/updater/release_primary.der
3. Sign MAR files during the release build with the private key
4. Set ACCEPTED_MAR_CHANNEL_IDS in update-settings.ini to restrict
   which update channels the updater will accept

Ref: GHSA-qpj9-m8jc-mw6q

* no-bug: Added signature steps

* no-bug: Export browser/installer/package-manifest.in

---------

Co-authored-by: Maliq Barnard <maliqbarnard@Maliqs-MacBook-Air.local>
Co-authored-by: Mr. M <mr.m@tuta.com>
2026-04-09 19:28:31 +02:00