[Task]: Update Autograph config to use SHA-256

[willdurand]

Description

With the deprecation of SHA-1, we can probably switch AMO to SHA-256 for the PKCS#7 digest algorithm: https://github.com/mozilla/addons-server/blob/0656f0f1c525b34947fef8439d2022ce0b472ab5/src/olympia/lib/crypto/signing.py#L125

We're already using PKCS#7+SHA-256 for all privileged/system add-ons so we know it works.

We should do this for new submissions only, no need to re-sign anything. All add-ons are dual-signed at this point anyway.

For QA: please verify that we can sign and install extensions, langpacks, and themes with SHA-256. You can use https://williamdurand.fr/xpidump/ to verify the PKCS#7 digest algorithm. Updating an existing extension to a version signed with SHA-256 should also work flawlessly.

The minimum Firefox version for both desktop and mobile has been bumped to 58. You should not be able to sign an extension (or any add-on type) which is targeting a minimum version lower than 58. We need to test various combinations of manifests to verify this behaviour is solid.

Acceptance Criteria

### Acceptance Criteria
- [x] AMO signs add-ons with SHA-256
- [x] we update the min fireefox version to Fx 58

Checks

• [X] If the issue is ready to work on, I have removed the "needs:info" label.

┆Issue is synchronized with this Jira Task

[ioanarusiczki]

@alexandruschek has done extension and theme uploads and says he didn't encounter problems.

I've tested on dev and stage some uploads:

• A large addon with 2 versions, first version manually approved, second version auto-approved -> can be installed, can be updated. No strict_min_version set in bss.gecko -> strict_min is automatically set to 58.0 in dev hub

https://addons-dev.allizom.org/en-US/firefox/addon/yomikiri_on_dev/ https://addons.allizom.org/en-US/firefox/addon/yomikiri_on-stage/

• from old to new algorithm -> extensions, and theme has been updated https://addons-dev.allizom.org/en-US/firefox/addon/emoji_34mb/versions/ https://addons.allizom.org/en-US/firefox/addon/ublock_origin_test/versions/ https://addons.allizom.org/en-US/firefox/addon/synthwave-84/

• lang pack: could install and update to new version with Nightly for strict_min 129.0a1 and strict_max 129.* https://addons.allizom.org/en-US/firefox/addon/fran%C3%A7ais-french-_new-signature/versions/

• checked with https://williamdurand.fr/xpidump/ on automatic and manual approvals that pkcs7 is signed with SHA-256

  • when strict_min in bss.gecko is lower than 58.0 I get an error at uploads: "Lowest supported "strict_min_version" is 58.0."

• I've still to check for bss.gecko_android too, this I didn't cover today, I'll update again when I'll complete the testing

[ioanarusiczki]

mv3 testing around strict_min_version set with bss.gecko and/or bss.gecko_android

• when strict min is not specified in manifest.json for any platform, strict_min is 109.0a1 and for Android it's 120.0 https://reviewers.addons.allizom.org/en-US/reviewers/review/1028094

• strict_min is set only for Android and it is 57.0: no error at upload, the min is set automatically to 120.0

• bss.gecko.strict_min is 57.0 bss.gecko_android.strict_minis 57.0an error at upload

• bss.gecko.strict_min is 58.0 bss.gecko_android.strict_min is 57.0no error at upload strict_min set to 109.0a1 and strict_min_gecko to 120.0

• bss.gecko.strict_min is 58.0, bss.gecko_android it's specified like this: "gecko_android": {  }no error at upload strict_min set to 109.0a1 and strict_min_gecko to 120.0 

some more mv2 scenarios

• "gecko": { } and "gecko_android": { } sets firefox to 58.0 and Android to 120.0
• "strict_min_version": 129.0a1 for both platforms -> 129.0a1 is set
• "strict_min_version":113.0 for both platforms, Firefox is 113.0 , Android is set to 120.0 (and locked in dev hub)

Other uploads:

• Ublock origin lite https://addons.allizom.org/en-US/firefox/addon/ublock-origin-lite_mv3_sha/, installed and updated
• A recommended addon, new version submitted https://addons.allizom.org/en-US/firefox/addon/search_by_image/, installed
• Recommended theme, installed and updated https://addons.allizom.org/en-US/firefox/addon/cas-new-theme-1/versions/
• crx file listed and unlisted https://addons.allizom.org/en-US/firefox/addon/%EC%9B%83crx_listed/
• a dict https://addons.allizom.org/en-US/firefox/addon/difazier-an-drouizig/ and update from old version to new https://addons.allizom.org/en-US/firefox/addon/release-dictionary/
• a lang pack for Nightly 129.0a1, version is auto-approved and can be installed https://addons.allizom.org/en-US/firefox/addon/st_language-%E6%97%A5%E6%9C%AC%E8%AA%9E-japanese/

[ioanarusiczki]

I think all the above is expected so I'll mark it verified.

Installs and updates have been verified on FF Nightly - 129.0a1 (Win10)