signer: add comment about verifyPKCS7SignatureRoundTrip verification

with an expired chain
mozilla-services · Aug 10, 2021 · 8874667 · 8874667
1 parent f719929
commit 8874667
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/signer/xpi/xpi.go b/signer/xpi/xpi.go
@@ -577,9 +577,13 @@ func (sig *Signature) String() string {
 //
 // 1) the signed XPI includes a PKCS7 signature and signature data
 // 2) the signature serializes and deserializes properly
-// 3) the PKCS7 signatures
+// 3) the PKCS7 EE signature is valid for the signature data
 // 4) the signature cert chain verifies when an optional non-nil truststore is provided
 //
+// Verifying an XPI signed with an expired EE cert will fail with a
+// 'pkcs7: signing time ... is outside of certificate validity' due to
+// https://github.com/mozilla-services/pkcs7/blob/725912489c62504be3ab0de6aec80bf3f4f66f56/verify.go#L148-L153,
+// but Fx will verify the install since it ignores the XPI EE cert.
 func verifyPKCS7SignatureRoundTrip(signedFile signer.SignedFile, truststore *x509.CertPool, verificationTime time.Time) error {
 	sigStrBytes, err := readFileFromZIP(signedFile, pkcs7SigPath)
 	if err != nil {