Bug 1646989 - Replace --disable-verify-mar with --enable-unverified-u…

…pdates, make it imply DISABLE_UPDATER_AUTHENTICODE_CHECK r=firefox-build-system-reviewers,nalexander The common usecase for disabling MAR verification is to do some sort of local update testing. When doing this, the updater binary will also typically be unsigned. This patch allows both of those changes to be made at build time with the same flag. Differential Revision: https://phabricator.services.mozilla.com/D81279
dothq · Jun 15, 2022 · f6c1746 · f6c1746
1 parent 6f8ed3f
commit f6c1746
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/build/moz.configure/update-programs.configure b/build/moz.configure/update-programs.configure
@@ -20,16 +20,38 @@ option(
 set_config("MOZ_UPDATER", True, when="--enable-updater")
 set_define("MOZ_UPDATER", True, when="--enable-updater")
 
-# Verify MAR signatures
+# Updates that do not verify signatures
 # ==============================================================
 
-option("--disable-verify-mar", help="Disable verifying MAR signatures")
+option(
+    "--enable-unverified-updates",
+    default=False,
+    help="Enable application update without verifying MAR or updater binary signatures",
+)
+
+
+@depends("--enable-unverified-updates", "--enable-compile-environment")
+def disable_unverified_updates(unverified_updates, compile_environment):
+    if unverified_updates:
+        if not compile_environment:
+            die("--enable-unverified-updates requires --enable-compile-environment")
+    return not unverified_updates
+
 
 set_define(
-    "MOZ_VERIFY_MAR_SIGNATURE", depends_if("--enable-verify-mar")(lambda _: True)
+    "MOZ_VERIFY_MAR_SIGNATURE",
+    depends_if(disable_unverified_updates)(lambda _: True),
+)
+set_config(
+    "MOZ_VERIFY_MAR_SIGNATURE",
+    True,
+    depends_if(disable_unverified_updates)(lambda _: True),
 )
+
 set_config(
-    "MOZ_VERIFY_MAR_SIGNATURE", depends_if("--enable-verify-mar")(lambda _: True)
+    "DISABLE_UPDATER_AUTHENTICODE_CHECK",
+    True,
+    depends_if("--enable-unverified-updates")(lambda _: True),
 )
 
 # Maintenance service (Windows only)

diff --git a/toolkit/components/maintenanceservice/moz.build b/toolkit/components/maintenanceservice/moz.build
@@ -17,8 +17,8 @@ USE_LIBS += [
     "updatecommon",
 ]
 
-# For debugging purposes only
-# DEFINES['DISABLE_UPDATER_AUTHENTICODE_CHECK'] = True
+if CONFIG["DISABLE_UPDATER_AUTHENTICODE_CHECK"]:
+    DEFINES["DISABLE_UPDATER_AUTHENTICODE_CHECK"] = True
 
 DEFINES["UNICODE"] = True
 DEFINES["_UNICODE"] = True

diff --git a/toolkit/mozapps/update/tests/moz.build b/toolkit/mozapps/update/tests/moz.build
@@ -58,8 +58,8 @@ DisableStlWrapping()
 if CONFIG["MOZ_MAINTENANCE_SERVICE"]:
     DEFINES["MOZ_MAINTENANCE_SERVICE"] = CONFIG["MOZ_MAINTENANCE_SERVICE"]
 
-# For debugging purposes only
-# DEFINES['DISABLE_UPDATER_AUTHENTICODE_CHECK'] = True
+if CONFIG["DISABLE_UPDATER_AUTHENTICODE_CHECK"]:
+    DEFINES["DISABLE_UPDATER_AUTHENTICODE_CHECK"] = True
 
 if CONFIG["CC_TYPE"] == "clang-cl":
     WIN32_EXE_LDFLAGS += ["-ENTRY:wmainCRTStartup"]