mirror of
https://github.com/zen-browser/desktop.git
synced 2026-04-16 12:32:56 +00:00
270db6d671
* security: enable MAR signature verification for updates Remove `--enable-unverified-updates` from the common mozconfig. This flag was disabling all MAR (Mozilla ARchive) signature verification in the updater binary, meaning update packages were applied without any cryptographic authenticity check. With this flag removed, the Mozilla build system will: - Link NSS and signmar into the updater binary - Enable SecVerifyTransformCreate-based signature verification on macOS - Require MAR files to contain valid signatures before applying REQUIRED FOLLOW-UP (maintainer action): 1. Generate a Zen-specific MAR signing keypair (RSA-PKCS1-SHA384) See: https://firefox-source-docs.mozilla.org/build/buildsystem/mar.html 2. Place the public key DER file(s) in the source tree at toolkit/mozapps/update/updater/release_primary.der 3. Sign MAR files during the release build with the private key 4. Set ACCEPTED_MAR_CHANNEL_IDS in update-settings.ini to restrict which update channels the updater will accept Ref: GHSA-qpj9-m8jc-mw6q * no-bug: Added signature steps * no-bug: Export browser/installer/package-manifest.in --------- Co-authored-by: Maliq Barnard <maliqbarnard@Maliqs-MacBook-Air.local> Co-authored-by: Mr. M <mr.m@tuta.com>