FirefoxOS/New security model/Getting Started with Signed Packages: Difference between revisions

Getting Started with Signed Packages

Signed Packages are web packages that been signed with a signing key. In production, these are signed by MarketPlace, but for testing purposes, developers can configure their device to accept a test signing key, so they can sign their own packages for one specific device.

The steps in the process are:

• Create a manifest for your Signed Package
• Use the developer signing tool to sign your package
• Upload the modified package to a server

Before you test for the first time, you must also do the following steps (only the first time):

• Configure a number of developer preferences
• Upload your signing certificate to your test device

These steps are covered in detail below.

Creating/Modifying a Signed Package

Signed Packages are similar to existing web apps packaged apps - i.e. they consist of HTML, JavaScript, CSS files and other resources, and are packed into a package with a manifest.webapp file. Note that Signed Packages use a very different manifest.webapp format to open web apps.

1. Creating a Signed Package Manifest

The manifest must contain the following two fields:

• moz-permissions  : same format as Open Web App permission section
• moz-package-origin: specifies the origin where the package will be hosted

For further details see: https://wiki.mozilla.org/FirefoxOS/New_security_model/Packaging
Example manifest:

{ 
  "moz-permissions": [
    {
      "systemXHR": {
        "description": "Needed to download stuff"
      },
      "devicestorage:pictures": {
        "description": "Need to load pictures"
      }
    }
  ],
  "moz-package-origin": "https://example.com"
}

After signing, several additional fields will be added (package-identifier & moz-resources)

2. Signing Your Package

• Install a signing tool (either https://github.com/johnathan79717/fxos-package-signing-tool or https://github.com/pauljt/fxos-sign-tool).
• Follow the tool instructions to sign the package

3. Upload Your Package

• Signed Packages are hosted as a file on a web server. The only requirements are:
  • The package is served with the MIME type of “application/package”
  • The package is served from the location specified in the manifest (moz-package-location)

Preparing a Device to Load Signed Packages

In order to test Signed Packages on a device, you must upload your developer certificate to the device, and configure a number of preferences to both enable Signed Packages, and also to switch to trusting the developer certificate.

Configuring your device

If you have not already done so, you will need to enable remote debugging via DevTools, and grant additional access. (Enable remote debugging in the developer menu of the device. Use WebIDE to request higher privileges, and then access the preferences section. For information on how to do this, see here.)

• Upload the develop certificate created during signing to an accessible location:

 adb push developercert.der /data/local/developercert.der 

• Configure a number of preferences as follows:
  • Enables web packages network: http.enable-packaged-apps = true
  • Enables Signed Packages: network.http.signed-packages.enabled = true
  • Create a signed-packages.developer-root preference using the path you created in the previous step: network.http.signed-packages.developer-root = /data/local/developercert.der
• Restart b2g (ie either):

 restart your device
 “adb shell stop b2g” then “adb shell start b2g” 

Limitations

System Messages is not supported yet. Any function related to System Message cannot be used for now.