Open Bug 1886799 Opened 4 months ago Updated 4 months ago

Remove support for GMP manifest cert pinning checks

Categories: Core :: Audio/Video: GMP (task)

People: Reporter: jimm, Unassigned

Details

We switched to content signature checks when validating Balrog-generated XML manifests for GMP update and install information. However, when we shipped this, we added a pref that allows cert pinning to be re-enabled. We're not sure who flips this pref, but we see through telemetry that cert pinning is still occasionally in use [1].

Before we remove support, we might want to try and discover who flips 'media.gmp-manager.checkContentSignature' to false. There may be some valid use here we don't want to break. The presumption for this is that some users (distros, enterprise, ?) disable content signature, update the certificate information stored in prefs for the pinning operation, update the manifest URL, and as such can then control or maybe install their own GMP plugins. That's just a guess though.

Marking this S2 so I don't lose track of this.

[1] https://sql.telemetry.mozilla.org/queries/85893/source#212671

pref checking code -
https://searchfox.org/mozilla-central/rev/f63ca2952da98e0817bdae0ddf1314281a497106/toolkit/modules/GMPInstallManager.sys.mjs#303

It's worth noting that this style of pinning has caused us issues in the past, as we have almost no control over which intermediate roots our SSL certificates come from. https://bugzilla.mozilla.org/show_bug.cgi?id=1369143 is an example of where we've struggled with this. If there are use cases for disabling content signature verification that we want to accommodate, I strongly recommend we find a way to do that without issuer pinning.
