Our current dep, nightly, and release mar configs all hit autograph-prod. This is by design: we don't want the availability or configuration of autograph-stage to cause tree closures. However, we'd like a way to test autograph config or code changes before they hit autograph-prod. Our current solution involves a lot of manual steps by Ben or me, or waiting until the changes hit prod and rerunning a nightly mar signing task.

Let's add an easy button: a task that exists for `add task`, but doesn't run without an explicit request. This will hit the depsigning scriptworkers with a special autograph-stage signing format. This task should also verify the signature matches the autograph-stage mar signing key.

- add the autograph-stage mar pubkey in-tree
- add the autograph-stage mar pubkey in mardor, to allow for signature verification (this PR)
- add the autograph-stage creds to the dep signing passwords file
- add the capability to verify mar signatures, via mardor, in signingscript. This could be optional or on by default.
- add a nightly task [that doesn't run by default] that signs a mar through depsigning scriptworkers->autograph-stage, and verifies it through mardor, and turns green if successful
- the plan is for anyone with the right scopes to be able to `add task` this task against the most recent nightly graph, and check its status.
Bug 1526419 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Our current dep, nightly, and release mar configs all hit autograph-prod. This is by design: we don't want the availability or configuration of autograph-stage to cause tree closures. However, we'd like a way to test autograph config or code changes before they hit autograph-prod. Our current solution involves a lot of manual steps by Ben or me, or waiting until the changes hit prod and rerunning a nightly mar signing task.

Let's add an easy button: a task that exists for `add task`, but doesn't run without an explicit request. This will hit the depsigning scriptworkers with a special autograph-stage signing format. This task should also verify the signature matches the autograph-stage mar signing key.

- add the autograph-stage mar pubkey in-tree
- add the autograph-stage mar pubkey in mardor, to allow for signature verification ([this PR](https://github.com/mozilla/build-mar/pull/49))
- add the autograph-stage creds to the dep signing passwords file
- add the capability to verify mar signatures, via mardor, in signingscript. This could be optional or on by default.
- add a nightly task [that doesn't run by default] that signs a mar through depsigning scriptworkers->autograph-stage, and verifies it through mardor, and turns green if successful
- the plan is for anyone with the right scopes to be able to `add task` this task against the most recent nightly graph, and check its status.
Our current dep, nightly, and release mar configs all hit autograph-prod. This is by design: we don't want the availability or configuration of autograph-stage to cause tree closures. However, we'd like a way to test autograph config or code changes before they hit autograph-prod. Our current solution involves a lot of manual steps by Ben or me, or waiting until the changes hit prod and rerunning a nightly mar signing task.

Let's add an easy button: a task that exists for `add task`, but doesn't run without an explicit request. This will hit the depsigning scriptworkers with a special autograph-stage signing format. This task should also verify the signature matches the autograph-stage mar signing key.

- [ ] add the autograph-stage mar pubkey in-tree
- [ ] add the autograph-stage mar pubkey in mardor, to allow for signature verification ([this PR](https://github.com/mozilla/build-mar/pull/49))
- [ ] add the autograph-stage creds to the dep signing passwords file
- [ ] add the capability to verify mar signatures, via mardor, in signingscript. This could be optional or on by default.
- [ ] add the scopes for the new nightly task in ci-configuration
- [ ] add a nightly task [that doesn't run by default] that signs a mar through depsigning scriptworkers->autograph-stage, and verifies it through mardor, and turns green if successful
- [ ] the plan is for anyone with the right scopes to be able to `add task` this task against the most recent nightly graph, and check its status.
Our current dep, nightly, and release mar configs all hit autograph-prod. This is by design: we don't want the availability or configuration of autograph-stage to cause tree closures. However, we'd like a way to test autograph config or code changes before they hit autograph-prod. Our current solution involves a lot of manual steps by Ben or me, or waiting until the changes hit prod and rerunning a nightly mar signing task.

Let's add an easy button: a task that exists for `add task`, but doesn't run without an explicit request. This will hit the depsigning scriptworkers with a special autograph-stage signing format. This task should also verify the signature matches the autograph-stage mar signing key.

- [ ] add the autograph-stage mar pubkey in-tree
- [ ] add the autograph-stage mar pubkey in mardor, to allow for signature verification ([this PR](https://github.com/mozilla/build-mar/pull/49))
- [X] add the autograph-stage creds to the dep signing passwords file
- [ ] add the capability to verify mar signatures, via mardor, in signingscript. This could be optional or on by default.
- [ ] add the scopes for the new nightly task in ci-configuration
- [ ] add a nightly task [that doesn't run by default] that signs a mar through depsigning scriptworkers->autograph-stage, and verifies it through mardor, and turns green if successful
- [ ] the plan is for anyone with the right scopes to be able to `add task` this task against the most recent nightly graph, and check its status.
Our current dep, nightly, and release mar configs all hit autograph-prod. This is by design: we don't want the availability or configuration of autograph-stage to cause tree closures. However, we'd like a way to test autograph config or code changes before they hit autograph-prod. Our current solution involves a lot of manual steps by Ben or me, or waiting until the changes hit prod and rerunning a nightly mar signing task.

Let's add an easy button: a task that exists for `add task`, but doesn't run without an explicit request. This will hit the depsigning scriptworkers with a special autograph-stage signing format. This task should also verify the signature matches the autograph-stage mar signing key.

- [X] add the autograph-stage mar pubkey in-tree
- [ ] add the autograph-stage mar pubkey in mardor, to allow for signature verification ([this PR](https://github.com/mozilla/build-mar/pull/49))
- [X] add the autograph-stage creds to the dep signing passwords file
- [ ] add the capability to verify mar signatures, via mardor, in signingscript. This could be optional or on by default.
- [ ] add the scopes for the new nightly task in ci-configuration
- [ ] add a nightly task [that doesn't run by default] that signs a mar through depsigning scriptworkers->autograph-stage, and verifies it through mardor, and turns green if successful
- [ ] the plan is for anyone with the right scopes to be able to `add task` this task against the most recent nightly graph, and check its status.