Bug 1580570 Comment 7 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

We've run into a blocker for automating this process in taskcluster: storing the CoT key in taskcluster secrets violates the independent second factor intent of chain of trust.

Per aki: "The CoT key is supposed to be a second factor, separate from Taskcluster scopes. If it's deployable with Taskcluster scopes, it's no longer an independent second factor."

There are changes to the chain of trust implementation in the works that would make automating this in the taskcluster platform more feasible in the future.

For now, any kind of automation can be used to trigger Jenkins - as long as there is a secure place to store secrets and run jobs that is independent of taskcluster, that should be sufficient.

We've run into a blocker for automating this process in taskcluster: storing the CoT key in taskcluster secrets violates the independent second factor intent of chain of trust.

Per aki: "The CoT key is supposed to be a second factor, separate from Taskcluster scopes. If it's deployable with Taskcluster scopes, it's no longer an independent second factor."

There are changes to the chain of trust implementation in the works that would make automating this in the taskcluster platform more feasible in the future.

For now, any kind of automation can be used to trigger monopacker - as long as there is a secure place to store secrets and run jobs that is independent of taskcluster, that should be sufficient.
