Manually Test Dep Signed Mar Files#

Usually, mar files are created and tested in automation. Occasionally, we need to create special-purpose mar files, typically for channel-switching purposes (e.g. OS de-support).

In those cases it’s preferable to test the mar file before it gets signed for production, so we have to essentially replicate what update-verify does for staging releases: patch the updater to accept a “dep” certificate, run it against the dep-signed mar file and an existing firefox release, and check that it has the expected outcome.

The following example assumes we’re on Linux and want to test a mar file applied to a windows install:

cd $(mktemp -d)
tar xf firefox-114.0.tar.bz2
mkdir update
python3 "${GECKO}/tools/update-verify/release/" \
  "${CERT_DIR}" \
  firefox/updater update/updater \
  release_primary.der dep1.der \
  release_secondary.der dep2.der
chmod +x update/updater

If the source install is a nightly build rather than beta or release, use nightly_aurora_level3_{primary,secondary}.der instead of release_{primary,secondary}.der.

Copy your dep-signed mar to update/update.mar, e.g.:

cp public%2Fbuild%2Fswitch-to-esr115.0-eol-win.mar update/update.mar

Next, run the patched updater against the target binary:

mkdir target
7z x -otarget "Firefox Setup 114.0.exe"
LD_LIBRARY_PATH=$PWD/firefox $PWD/update/updater $PWD/update $PWD/target/core/ $PWD/target/core/ 0
cat update/update.log
if [ $res -ne 0 ]; then echo UPDATE FAILED (updater exited $res) >&2; fi

Finally check that the target directory looks as expected.

The wiki has more info on running the updater manually on the various platforms.