commit 1d2d420ff1c7231a60ec3ff497bd57815fc1d665 Author: Georg Koppen gk@torproject.org Date: Sun May 5 06:10:28 2019 +0000

Bug 30388: Disable nocertdb pref for armagadd-on 2.0 cert inclusion if needed

For Tor Browser added a fix to temporarily disable `security.nocertdb` so the new cert can be inserted, and revert to original once the cert is inserted.

Patch by pospeselr. --- toolkit/mozapps/extensions/internal/XPIProvider.jsm | 12 ++++++++++++ 1 file changed, 12 insertions(+)

diff --git a/toolkit/mozapps/extensions/internal/XPIProvider.jsm b/toolkit/mozapps/extensions/internal/XPIProvider.jsm index 6cffc02d90ba..3aa0e41b625f 100644 --- a/toolkit/mozapps/extensions/internal/XPIProvider.jsm +++ b/toolkit/mozapps/extensions/internal/XPIProvider.jsm @@ -1824,6 +1824,13 @@ function addMissingIntermediateCertificate() { } logger.debug("hotfix for addon signing cert has not been applied; applying");

+ // temporarily disable nocertb so we can write cert + const PREF_NOCERTDB = "security.nocertdb"; + let userNocertdb = Services.prefs.getBoolPref(PREF_NOCERTDB, true); + if (userNocertdb) { + Services.prefs.setBoolPref(PREF_NOCERTDB, false); + } + try { let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); certDB.addCertFromBase64(MISSING_INTERMEDIATE_CERTIFICATE, ",,"); @@ -1831,6 +1838,11 @@ function addMissingIntermediateCertificate() { } catch (e) { logger.error("failed to add new intermediate certificate:", e); return; + } finally { + // revert nocertdb pref to original value (even if exception thrown) + if (userNocertdb) { + Services.prefs.setBoolPref(PREF_NOCERTDB, true); + } }

Services.prefs.setBoolPref(PREF_SIGNER_HOTFIXED, true);