1058119 - partner repack scripts need to resign builds with OS X signature

Status: RESOLVED FIXED

(Release Engineering :: Release Automation: Other, defect)

Description

[bhearsum@mozilla.com (:bhearsum)]

For awhile we thought we'd be able to continue excluding partner repacks from the OS X signature. On Friday, we discovered that that is NOT the case - these files will have to move into Contents/Resources until such time that we have a way to do partner repacks without putting the files in the .app (eg, by using an installer). In order to make sure our partner builds run on 10.9.5 and higher, we'll need to sign them after doing the repackaging steps.

Stephen, I know the app changes required are low priority, but we can probably prepare our side of things in the meantime. Did I capture this correctly?

Comment 1

[Stephen A Pohl [:spohl]]

Yes, that seems right. Also, rstrong offered to handle the client side changes. If you have questions about the client side changes, he'll probably have the most up-to-date info.

Comment 2

[bhearsum@mozilla.com (:bhearsum)]

Attachment: do dmg signing for partner repacks

This patch is very simple, but landing it will be more complex. I intend to tag the current tip of the default branch of partner repacks with something like MAC_V1_SIGNING, and then land this patch. I'll change all of the release config templates to use MAC_V1_SIGNING as their partner repacks rev. When 34.0b1 goes to Beta, I'll change the Beta template back to use "default" as the partner repacks rev, because 34.0 requires v2 signatures.

I tested this on partner-repack1 and it appeared to work:
2014-09-22 12:33:12,269 - Executing python /Users/cltbld/bhearsum/partner-repacks/scripts/tools/release/signing/signtool.py -t /Users/cltbld/bhearsum/partner-repacks/scripts/token -n /Users/cltbld/bhearsum/partner-repacks/scripts/nonce -c /Users/cltbld/bhearsum/partner-repacks/scripts/tools/release/signing/host.cert -H dmgv2:mac-v2-signing3.srv.releng.scl3.mozilla.com:9110 -H gpg:signing4.srv.releng.scl3.mozilla.com:9110 --formats gpg --formats dmgv2 "Firefox 33.0b5.dmg"
2014-09-22 12:33:12,269 - in /Users/cltbld/bhearsum/partner-repacks/scripts/repacked_builds/33.0b5/build1/partner-repacks/bing/mac/en-US/working
2014-09-22 12:33:13,533 - 26749c2e2c2714f517181db02c392e5fb602565b: processing Firefox 33.0b5.dmg on https://signing4.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:13,545 - 26749c2e2c2714f517181db02c392e5fb602565b: uploading for signing
2014-09-22 12:33:19,151 - 26749c2e2c2714f517181db02c392e5fb602565b: processing Firefox 33.0b5.dmg on https://signing4.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:19,186 - 26749c2e2c2714f517181db02c392e5fb602565b: OK
2014-09-22 12:33:22,001 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: processing Firefox 33.0b5.dmg.tar.gz on https://mac-v2-signing3.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:22,025 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: uploading for signing
2014-09-22 12:33:30,557 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: processing Firefox 33.0b5.dmg.tar.gz on https://mac-v2-signing3.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:39,868 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: OK
2014-09-22 12:33:40,708 - Done repacking mac build Firefox 33.0b5.dmg
2014-09-22 12:33:40,722 - Found /Users/cltbld/bhearsum/partner-repacks/scripts/original_builds/33.0b5/build1/win32/en-US/Firefox Setup 33.0b5.exe o

Comment 3

[bhearsum@mozilla.com (:bhearsum)]

Attachment: use MAC_V1_SIGNING tag for partner repacks

I also took the liberty of removing this repo from places we don't actually use it.

Comment 4

[bhearsum@mozilla.com (:bhearsum)]

This is fixed. We'll revert the buildbot-configs patch for Beta when we build 34.0b1, in bug 1056839. We'll need to do the same for release, I don't see a bug for that yet though.

Comment 5

[Pete Moore [:pmoore][:pete]]

Something here landed in production today: https://wiki.mozilla.org/ReleaseEngineering/Maintenance#Reconfigs_.2F_Deployments

Comment 6

[Ben Bucksch (:BenB)]

> do partner repacks without putting the files in the .app (eg, by using an installer)

Partner repacks should look like and install exactly like the official builds. That's the point of repacks. If we need an installer, then install rate will drop notably.