Bug 1190966: Ensure that the signature verification scan disables existing add-ons if the pref has been flipped in the meantime. r=rhelmer

toolkit/mozapps/extensions/internal/XPIProvider.jsm

@@ -2513,13 +2513,13 @@ this.XPIProvider = {
             continue;
 
           let signedState = yield verifyBundleSignedState(addon._sourceBundle, addon);
-          if (signedState == addon.signedState)
-            continue;
 
-          addon.signedState = signedState;
-          AddonManagerPrivate.callAddonListeners("onPropertyChanged",
-                                                 createWrapper(addon),
-                                                 ["signedState"]);
+          if (signedState != addon.signedState) {
+            addon.signedState = signedState;
+            AddonManagerPrivate.callAddonListeners("onPropertyChanged",
+                                                   createWrapper(addon),
+                                                   ["signedState"]);
+          }
 
           let disabled = XPIProvider.updateAddonDisabledState(addon);
           if (disabled !== undefined)

toolkit/mozapps/extensions/internal/XPIProviderUtils.js

@@ -342,6 +342,8 @@ function DBAddonInternalPrototype()
 {
   this.applyCompatibilityUpdate =
     function(aUpdate, aSyncCompatibility) {
+      let wasCompatible = this.isCompatible;
+
       this.targetApplications.forEach(function(aTargetApp) {
         aUpdate.targetApplications.forEach(function(aUpdateTarget) {
           if (aTargetApp.id == aUpdateTarget.id && (aSyncCompatibility ||
@@ -357,7 +359,9 @@ function DBAddonInternalPrototype()
         this.multiprocessCompatible = aUpdate.multiprocessCompatible;
         XPIDatabase.saveChanges();
       }
-      XPIProvider.updateAddonDisabledState(this);
+
+      if (wasCompatible != this.isCompatible)
+        XPIProvider.updateAddonDisabledState(this);
     };
 
   this.toJSON =

toolkit/mozapps/extensions/test/xpcshell/test_signed_updatepref.js

@@ -0,0 +1,134 @@
+// Disable update security
+Services.prefs.setBoolPref(PREF_EM_CHECK_UPDATE_SECURITY, false);
+
+const DATA = "data/signing_checks/";
+const ID = "test@tests.mozilla.org";
+
+Components.utils.import("resource://testing-common/httpd.js");
+var gServer = new HttpServer();
+gServer.start();
+
+gServer.registerPathHandler("/update.rdf", function(request, response) {
+  let updateData = {};
+  updateData[ID] = [{
+    version: "2.0",
+    targetApplications: [{
+      id: "xpcshell@tests.mozilla.org",
+      minVersion: "4",
+      maxVersion: "6"
+    }]
+  }];
+
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.write(createUpdateRDF(updateData));
+});
+
+const SERVER = "127.0.0.1:" + gServer.identity.primaryPort;
+Services.prefs.setCharPref("extensions.update.background.url", "http://" + SERVER + "/update.rdf");
+
+function verifySignatures() {
+  return new Promise(resolve => {
+    let observer = (subject, topic, data) => {
+      Services.obs.removeObserver(observer, "xpi-signature-changed");
+      resolve(JSON.parse(data));
+    }
+    Services.obs.addObserver(observer, "xpi-signature-changed", false);
+
+    do_print("Verifying signatures");
+    let XPIscope = Components.utils.import("resource://gre/modules/addons/XPIProvider.jsm");
+    XPIscope.XPIProvider.verifySignatures();
+  });
+}
+
+function run_test() {
+  createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "4", "4");
+
+  // Start and stop the manager to initialise everything in the profile before
+  // actual testing
+  startupManager();
+  shutdownManager();
+
+  run_next_test();
+}
+
+// Updating the pref without changing the app version won't disable add-ons
+// immediately but will after a signing check
+add_task(function*() {
+  startupManager();
+
+  // Install the signed add-on
+  yield promiseInstallAllFiles([do_get_file(DATA + "unsigned_bootstrap_2.xpi")]);
+
+  let addon = yield promiseAddonByID(ID);
+  do_check_neq(addon, null);
+  do_check_false(addon.appDisabled);
+  do_check_true(addon.isActive);
+  do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_MISSING);
+
+  yield promiseShutdownManager();
+
+  Services.prefs.setBoolPref(PREF_XPI_SIGNATURES_REQUIRED, true);
+
+  startupManager();
+
+  addon = yield promiseAddonByID(ID);
+  do_check_neq(addon, null);
+  do_check_false(addon.appDisabled);
+  do_check_true(addon.isActive);
+  do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_MISSING);
+
+  // Update checks shouldn't affect the add-on
+  yield AddonManagerInternal.backgroundUpdateCheck();
+  addon = yield promiseAddonByID(ID);
+  do_check_neq(addon, null);
+  do_check_false(addon.appDisabled);
+  do_check_true(addon.isActive);
+  do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_MISSING);
+
+  let changes = yield verifySignatures();
+
+  do_check_eq(changes.disabled.length, 1);
+  do_check_eq(changes.disabled[0], ID);
+
+  addon = yield promiseAddonByID(ID);
+  do_check_neq(addon, null);
+  do_check_true(addon.appDisabled);
+  do_check_false(addon.isActive);
+  do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_MISSING);
+
+  addon.uninstall();
+
+  yield promiseShutdownManager();
+});
+
+// Updating the pref with changing the app version will disable add-ons
+// immediately
+add_task(function*() {
+  Services.prefs.setBoolPref(PREF_XPI_SIGNATURES_REQUIRED, false);
+  startupManager();
+
+  // Install the signed add-on
+  yield promiseInstallAllFiles([do_get_file(DATA + "unsigned_bootstrap_2.xpi")]);
+
+  let addon = yield promiseAddonByID(ID);
+  do_check_neq(addon, null);
+  do_check_false(addon.appDisabled);
+  do_check_true(addon.isActive);
+  do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_MISSING);
+
+  yield promiseShutdownManager();
+
+  Services.prefs.setBoolPref(PREF_XPI_SIGNATURES_REQUIRED, true);
+  gAppInfo.version = 5.0
+  startupManager(true);
+
+  addon = yield promiseAddonByID(ID);
+  do_check_neq(addon, null);
+  do_check_true(addon.appDisabled);
+  do_check_false(addon.isActive);
+  do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_MISSING);
+
+  addon.uninstall();
+
+  yield promiseShutdownManager();
+});

toolkit/mozapps/extensions/test/xpcshell/xpcshell-shared.ini

@@ -237,6 +237,7 @@ fail-if = buildapp == "mulet" || os == "android"
 [test_pref_properties.js]
 [test_registry.js]
 [test_safemode.js]
+[test_signed_updatepref.js]
 [test_signed_verify.js]
 [test_signed_inject.js]
 [test_signed_install.js]

toolkit/mozapps/extensions/test/xpcshell/xpcshell.ini

@@ -26,5 +26,4 @@ skip-if = appname != "firefox"
 [test_XPIcancel.js]
 [test_XPIStates.js]
 
-
 [include:xpcshell-shared.ini]