FirefoxOS/New security model/Getting Started with Signed Packages: Difference between revisions
Jump to navigation
Jump to search
(→1. Creating a Signed Package Manifest: change location to origin) |
|||
| (11 intermediate revisions by 2 users not shown) | |||
| Line 4: | Line 4: | ||
The steps in the process are: | The steps in the process are: | ||
* Create a manifest | * Create a regular gaia app | ||
* Use the developer signing tool to sign your package | * Add additional required attributes to the manifest file | ||
* | * Use the developer signing tool to create and sign your package | ||
* Host the package in where you specify in the manifest file | |||
Since the signed package support (i.e. new security model) is pref'ed out at the moment, you have to | |||
* Configure a number of developer preferences | * Configure a number of developer preferences | ||
* Upload your signing certificate to your test device | * Upload your signing certificate to your test device | ||
before testing this feature. | |||
The configuring steps will be covered in detail below. | |||
<br><br> | <br><br> | ||
== Creating/Modifying a Signed Package == | == Creating/Modifying a Signed Package == | ||
Signed Packages are similar to existing web apps packaged apps - i.e. they consist of HTML, JavaScript, CSS files and other resources, and are packed into a package with a manifest.webapp file. | Signed Packages are similar to existing web apps packaged apps - i.e. they consist of HTML, JavaScript, CSS files and other resources, and are packed into a package with a manifest.webapp file. However, you don't need to create the package on your own. What you need to do is: | ||
<br> | <br> | ||
=== 1. | === 1. Write a Regular Gaia App === | ||
The | The first step to create and host your signed package is to create a normal gaia app. Claim the permissions/system message/web activity as usual in the manifest even though system message and web activity is still not supported at the moment. | ||
=== 2. Add Additional Required Attributes to the Manifest File === | |||
Beside the well-known attributes in the gaia manifest, there are two additional attributes required by signed package and you have to manually add to the manifest: | |||
# '''package-identifer''': A UUID string to uniquely identify this package. The identifier will be considered as a part of the origin. So please be careful to change this value across versions. | |||
# '''moz-package-origin''': The origin where the package is going to be hosted. This prevents the package from being downloaded and hosted by other people. | |||
Note that the packaging/signing tool would automatically add additional attributes to the manifest like "moz-resources". | |||
For example, your manifest file may look like the following: | |||
<pre> | |||
{ | |||
// Regular manifest attributes. | |||
..., | |||
..., | |||
..., | |||
// New attributes introduced by NSec. | |||
"package-identifier": "3bd9a32f-8fd6-404f-bfbe-b883d2e93646", | |||
"moz-package-origin": "http://people.mozilla.org" | |||
} | |||
</pre> | |||
After packaging and signing, it becomes: | |||
<pre> | |||
{ | |||
// Regular manifest attributes. | |||
..., | |||
..., | |||
..., | |||
// New attributes introduced by NSec. | |||
"package-identifier": "3bd9a32f-8fd6-404f-bfbe-b883d2e93646", | |||
"moz-package-origin": "http://people.mozilla.org", | |||
// | |||
// Auto-generated part. | |||
"moz-resources": [...], | |||
} | |||
</pre> | |||
=== | === 3. Create and Sign Your Package === | ||
* Install a | * Install a [https://github.com/johnathan79717/fxos-package-signing-tool signing tool] | ||
* Follow the tool instructions to sign the package | * Follow the tool instructions to sign the package | ||
=== | === 4. Host Your Package === | ||
* Signed Packages are hosted as a file on a web server. The only requirements are: | * Signed Packages are hosted as a file on a web server. The only requirements are: | ||
** The package is served with the MIME type of “application/package” | ** The package is served with the MIME type of “application/package” | ||
** The package is served from the location specified in the manifest (moz-package- | ** The package is served from the location specified in the manifest (moz-package-origin) | ||
Now you can use [URL-of-the-package]!//[resource-path-relative-to-the-package] to access the packaged web content via browser. For example, if you host your package in http://foo.com/app.pak, the path to "index.html" inside the package would be http://foo.com/app.pak!//index.html. | |||
<br> | <br> | ||
| Line 56: | Line 81: | ||
<br> | <br> | ||
=== | === Configure your device === | ||
If you have not already done so, you will need to enable remote debugging via DevTools, and grant additional access. (Enable remote debugging in the developer menu of the device. Use WebIDE to request higher privileges, and then access the preferences section. For information on how to do this, see here.) | If you have not already done so, you will need to enable remote debugging via DevTools, and grant additional access. (Enable remote debugging in the developer menu of the device. Use WebIDE to request higher privileges, and then access the preferences section. For information on how to do this, see here.) | ||
| Line 62: | Line 87: | ||
adb push developercert.der /data/local/developercert.der | adb push developercert.der /data/local/developercert.der | ||
* Configure a number of preferences as follows: | * Configure a number of preferences as follows: | ||
** Enables web packages network | ** Enables web packages support: '''network.http.enable-packaged-apps''' = true | ||
** Enables Signed | ** Enables Signed Package support: '''network.http.signed-packages.enabled''' = true | ||
** Create a signed-packages.developer-root preference using the path you created in the previous step: network.http.signed-packages.developer-root = /data/local/developercert.der | ** Create a '''network.http.signed-packages.developer-root''' preference using the path you created in the previous step: network.http.signed-packages.developer-root = /data/local/developercert.der | ||
* Restart b2g | * Restart b2g or restart the device. | ||
=== Limitations === | === Limitations === | ||
System Messages is not supported yet. Any function related to System Message cannot be used for now. | System Messages is not supported yet. Any function related to System Message cannot be used for now. | ||
Latest revision as of 08:58, 17 November 2015
Getting Started with Signed Packages
Signed Packages are web packages that been signed with a signing key. In production, these are signed by MarketPlace, but for testing purposes, developers can configure their device to accept a test signing key, so they can sign their own packages for one specific device.
The steps in the process are:
- Create a regular gaia app
- Add additional required attributes to the manifest file
- Use the developer signing tool to create and sign your package
- Host the package in where you specify in the manifest file
Since the signed package support (i.e. new security model) is pref'ed out at the moment, you have to
- Configure a number of developer preferences
- Upload your signing certificate to your test device
before testing this feature.
The configuring steps will be covered in detail below.
Creating/Modifying a Signed Package
Signed Packages are similar to existing web apps packaged apps - i.e. they consist of HTML, JavaScript, CSS files and other resources, and are packed into a package with a manifest.webapp file. However, you don't need to create the package on your own. What you need to do is:
1. Write a Regular Gaia App
The first step to create and host your signed package is to create a normal gaia app. Claim the permissions/system message/web activity as usual in the manifest even though system message and web activity is still not supported at the moment.
2. Add Additional Required Attributes to the Manifest File
Beside the well-known attributes in the gaia manifest, there are two additional attributes required by signed package and you have to manually add to the manifest:
- package-identifer: A UUID string to uniquely identify this package. The identifier will be considered as a part of the origin. So please be careful to change this value across versions.
- moz-package-origin: The origin where the package is going to be hosted. This prevents the package from being downloaded and hosted by other people.
Note that the packaging/signing tool would automatically add additional attributes to the manifest like "moz-resources".
For example, your manifest file may look like the following:
{
// Regular manifest attributes.
...,
...,
...,
// New attributes introduced by NSec.
"package-identifier": "3bd9a32f-8fd6-404f-bfbe-b883d2e93646",
"moz-package-origin": "http://people.mozilla.org"
}
After packaging and signing, it becomes:
{
// Regular manifest attributes.
...,
...,
...,
// New attributes introduced by NSec.
"package-identifier": "3bd9a32f-8fd6-404f-bfbe-b883d2e93646",
"moz-package-origin": "http://people.mozilla.org",
//
// Auto-generated part.
"moz-resources": [...],
}
3. Create and Sign Your Package
- Install a signing tool
- Follow the tool instructions to sign the package
4. Host Your Package
- Signed Packages are hosted as a file on a web server. The only requirements are:
- The package is served with the MIME type of “application/package”
- The package is served from the location specified in the manifest (moz-package-origin)
Now you can use [URL-of-the-package]!//[resource-path-relative-to-the-package] to access the packaged web content via browser. For example, if you host your package in http://foo.com/app.pak, the path to "index.html" inside the package would be http://foo.com/app.pak!//index.html.
Preparing a Device to Load Signed Packages
In order to test Signed Packages on a device, you must upload your developer certificate to the device, and configure a number of preferences to both enable Signed Packages, and also to switch to trusting the developer certificate.
Configure your device
If you have not already done so, you will need to enable remote debugging via DevTools, and grant additional access. (Enable remote debugging in the developer menu of the device. Use WebIDE to request higher privileges, and then access the preferences section. For information on how to do this, see here.)
- Upload the develop certificate created during signing to an accessible location:
adb push developercert.der /data/local/developercert.der
- Configure a number of preferences as follows:
- Enables web packages support: network.http.enable-packaged-apps = true
- Enables Signed Package support: network.http.signed-packages.enabled = true
- Create a network.http.signed-packages.developer-root preference using the path you created in the previous step: network.http.signed-packages.developer-root = /data/local/developercert.der
- Restart b2g or restart the device.
Limitations
System Messages is not supported yet. Any function related to System Message cannot be used for now.