disable chain verification for expired XPI signer

mozilla-services · Aug 26, 2021 · 2405148 · 2405148
1 parent 0018523
commit 2405148
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/tools/autograph-client/build_test_xpis.sh b/tools/autograph-client/build_test_xpis.sh
@@ -26,6 +26,11 @@ else
     COMMON_ARGS="-t $TARGET -f $INPUT_FILE -u $HAWK_USER -p $HAWK_SECRET -cn $CN -k $SIGNER_ID -r $TRUST_ROOTS -vt $VERIFICATION_TIME"
 fi
 
+VERIFY=${VERIFY:-"1"}
+if [ "$VERIFY" = "0" ]; then
+    COMMON_ARGS="$COMMON_ARGS -noverify"
+fi
+
 # only PKCS7 SHA1
 go run client.go $COMMON_ARGS -pk7digest sha1 -o ${OUTPUT_BASENAME}-SHA1.zip
 

diff --git a/tools/autograph-client/integration_test_xpis.sh b/tools/autograph-client/integration_test_xpis.sh
@@ -25,5 +25,5 @@ SIGNER_ID=${SIGNER_ID_PREFIX}extensions-ecdsa-expired-chain \
 	 TRUST_ROOTS=dev-ext-ecdsa-expired-root.pem \
 	 TARGET="$AUTOGRAPH_URL" \
 	 CONFIG=${SIGNER_ID_PREFIX}extensions-ecdsa-expired-chain \
-	 VERIFICATION_TIME="2020-01-01T01:01:01Z" \
+	 VERIFY=0 \
 	 ./build_test_xpis.sh /app/src/autograph/signer/xpi/test/fixtures/ublock_origin-1.33.2-an+fx.xpi