release/mar_certs/README
author Ben Hearsum <bhearsum@mozilla.com>
Thu, 13 Sep 2018 08:11:36 -0400
changeset 8454 b04a81e9c98c
permissions -rw-r--r--
bug 1490119: support mar cert replacement in update verify. r=nthomas

These certificates are imported from mozilla-central (https://hg.mozilla.org/mozilla-central/file/tip/toolkit/mozapps/update/updater)
and used to support staging update verify jobs. These jobs end up replacing the certificates within the binaries
(through a binary search and replace), and must all be the same length for this to work correctly. If we recreate
these certificates, and the resulting public certificates are not the same length anymore, the commonName may be
changed to line them up again. https://github.com/google/der-ascii is a useful tool for doing this. For example:

To convert the certificate to ascii:
der2ascii -i dep1.der -o dep1.ascii

Then use your favourite editor to change the commonName field. That block will look something like:
    SEQUENCE {
      SET {
        SEQUENCE {
          # commonName
          OBJECT_IDENTIFIER { 2.5.4.3 }
          PrintableString { "CI MAR signing key 1" }
        }
      }
    }

You can pad the PrintableString with spaces to increase the length of the cert (1 space = 1 byte).

Then, convert back to der:
ascii2der -i dep1.ascii -o newdep1.der