
Comments (9)

diracdeltas commented on May 24, 2024 1

No issue with doubling the interval, and also I don't think we should do it every 6 months (just as needed which will probably be once every N years).

from brave-browser.

atuchin-m commented on May 24, 2024 1

Ok, I see it's just a one-time rotation.
I believe it's okay to stop using the current publisher proof key after 6 months (in favor of a new one).


atuchin-m commented on May 24, 2024

BTW, does it really help to improve the security? Because the public key is hardcoded, there is no way to quickly update it.

Also, Chrome hasn't changed the key since 2017: https://source.chromium.org/chromium/chromium/src/+/main:components/crx_file/crx_verifier.cc;l=36?q=crx%20publisher


atuchin-m commented on May 24, 2024

The agreed-upon transition period is 3 months.

It sounds like if you have an outdated browser (more than 2 update periods = 6 months), many Brave features just stop working (Adblock, Ads, Wallet).
Do we really want to do this? Or are we going to sign the components using all the previous keys?


mherrmann commented on May 24, 2024

Chrome hasn't changed the key since 2017

I actually asked them about this. They confirmed and said that it is hard for them to do because it requires re-signing all extensions on the Chrome Web Store. We have it easier in this regard.

BTW, does it really help to improve the security?

It seems to me that regularly rotating keys absolutely does help improve security. The original idea to do it came from @diracdeltas.

Because the public key is hardcoded, there is no way to quickly update it.

That's true. My original plan was to sign components with both keys for three months. Then, to release a new browser version that no longer accepts components signed with the old key.

It sounds like if you have an outdated browser (more than 2 update periods = 6 months), many Brave features just stop working (Adblock, Ads, Wallet).

Would they really stop working, or would they just stop receiving updates?

I guess it depends on whether we keep signing components with the old key. If we do, then old browsers will still receive updates. If not, then they won't.

@atuchin-m do you feel that the transition period should be longer?

Do we really want to do this? Or are we going to sign the components using all the previous keys?

@diracdeltas do you think we should keep signing components with all old keys, so outdated browsers can still receive new versions for them?

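The plan discussed in this thread (sign components with both the old and the new publisher key for a transition period, then ship a browser build that no longer accepts the old key) is modelled below as an added example. It is not Brave's or Chromium's code: the real CRX3 verifier checks an asymmetric publisher signature against a hardcoded public key, whereas this stand-in uses HMAC-SHA256 under a per-key secret so it runs offline, and the key ids, version numbers, dates and component bytes are all constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the publisher proof. A real verifier holds only the
# public half of each key; here the same secret signs and verifies. Hypothetical ids.
KEY_SECRETS: Dict[str, bytes] = {
    "publisher-old": b"constructed-secret-old",
    "publisher-new": b"constructed-secret-new",
}


def sign_component(payload: bytes, key_ids: Iterable[str]) -> Dict[str, bytes]:
    """One publisher proof per key id; dual-signing means passing both ids."""
    return {k: hmac.new(KEY_SECRETS[k], payload, hashlib.sha256).digest() for k in key_ids}


@dataclass(frozen=True)
class TrustedKey:
    key_id: str
    accept_until: Optional[date]  # None: no sunset date compiled into this build


@dataclass(frozen=True)
class BrowserBuild:
    """The publisher keys a given browser version accepts, with optional sunset dates."""
    version: str
    trusted: List[TrustedKey]

    def verify(self, payload: bytes, proofs: Dict[str, bytes], today: date) -> bool:
        # Accept if ANY still-valid trusted key has a matching proof on the package.
        for key in self.trusted:
            if key.accept_until is not None and today > key.accept_until:
                continue  # this key is past its sunset date in this build
            proof = proofs.get(key.key_id)
            if proof is None:
                continue  # component was not signed with this key at all
            expected = hmac.new(KEY_SECRETS[key.key_id], payload, hashlib.sha256).digest()
            if hmac.compare_digest(proof, expected):
                return True
        return False


# Constructed component bytes and three hypothetical browser generations:
#   1.60 predates the rotation and only knows the old key,
#   1.70 ships both keys with a three-month sunset for the old one,
#   1.80 ships only the new key.
PAYLOAD = b"constructed adblock component bytes"
OLD_BROWSER = BrowserBuild("1.60", [TrustedKey("publisher-old", None)])
TRANSITION_BROWSER = BrowserBuild(
    "1.70",
    [TrustedKey("publisher-old", date(2024, 8, 31)), TrustedKey("publisher-new", None)],
)
FINAL_BROWSER = BrowserBuild("1.80", [TrustedKey("publisher-new", None)])


def rollout_matrix(today: date) -> Dict[tuple, bool]:
    """Which (browser version, signing scheme) pairs still install on a given day."""
    components = {
        "old-only": sign_component(PAYLOAD, ["publisher-old"]),
        "dual": sign_component(PAYLOAD, ["publisher-old", "publisher-new"]),
        "new-only": sign_component(PAYLOAD, ["publisher-new"]),
    }
    return {
        (build.version, name): build.verify(PAYLOAD, proofs, today)
        for build in (OLD_BROWSER, TRANSITION_BROWSER, FINAL_BROWSER)
        for name, proofs in components.items()
    }


if __name__ == "__main__":
    for day in (date(2024, 7, 1), date(2024, 12, 1)):
        print(day)
        for (version, scheme), ok in sorted(rollout_matrix(day).items()):
            print(f"  browser {version:<5} component {scheme:<9} -> {'accepted' if ok else 'rejected'}")
```

The matrix makes the trade-off in the thread concrete: as long as components are dual-signed, the pre-rotation build 1.60 keeps receiving updates; the moment the old key is dropped from signing (the "new-only" row) that build is cut off, which is the "stop receiving updates" outcome rather than features breaking outright. A sunset date compiled into the transition build also shows why the date must be chosen with the update cadence in mind: after it passes, an "old-only" component is rejected even by a browser that still carries the old key.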

atuchin-m commented on May 24, 2024

@atuchin-m do you feel that the transition period should be longer?

Not 100% sure, but it feels like 6 months is a safer interval.
Frankly speaking, at some point a new component often becomes incompatible with very old browser versions.

Would they really stop working, or would they just stop receiving updates?

I believe they just stop receiving updates.
The bad thing is they could continuously try to update the outdated components. That will result in wasted traffic for both the client and the backend side.
I suggest checking that scenario to avoid any surprises.

Just to clarify, I'm not against the idea, but I want to be sure that we see the whole plan.


mherrmann commented on May 24, 2024

Just to clarify, I'm not against the idea, but I want to be sure that we see the whole plan.

I very much appreciate your input, thank you.

Not 100% sure, but it feels like 6 months is a safer interval.

So you feel that we can stop accepting components signed with the old key after 6 months?


atuchin-m commented on May 24, 2024

So you feel that we can stop accepting components signed with the old key after 6 months?

I mean doubling the interval.
A 6-month rotation interval means a 12-month support interval, assuming we always use 2 keys to sign .crx.


mherrmann commented on May 24, 2024

I'm not sure we're speaking of the same interval here. The way you have phrased it sounds like you expect us to rotate the key every 6 months. That is not the (current) plan. The current plan is only to rotate the key once now.

