Closed
Bug 1324507
Opened 7 years ago
Closed 7 years ago
Generate SHA384 MAR keys
Categories
(Release Engineering :: General, defect)
Release Engineering
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rail, Assigned: rail)
References
Details
Attachments
(1 file)
6.65 KB,
application/gzip
Per https://bugzilla.mozilla.org/show_bug.cgi?id=1105689#c39 we need to generate multiple certs/keys for the new MAR signing format:

* SHA384
* Key size of 4096

We probably need 3 different certs/keys, similar to the keys in https://hg.mozilla.org/mozilla-central/file/default/toolkit/mozapps/update/updater/:

* dep
* nightly
* release

The keys should be safely generated and stored according to https://mana.mozilla.org/wiki/display/RelEng/Signing
Updated•7 years ago
Assignee: nobody → rail
Comment 1•7 years ago
Generated using:

# dep
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n dep1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n dep1 -r > dep1.der

certutil -d secrets/mar-sha384 -S -n dep2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n dep2 -r > dep2.der

# nightly
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n nightly1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n nightly1 -r > nightly1.der

certutil -d secrets/mar-sha384 -S -n nightly2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n nightly2 -r > nightly2.der

# release
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n rel1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n rel1 -r > rel1.der

certutil -d secrets/mar-sha384 -S -n rel2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n rel2 -r > rel2.der
Comment 2•7 years ago
Robert, can you verify the attached keys?
Flags: needinfo?(robert.strong.bugs)
Comment 3•7 years ago
The keys are all SHA384 so that is good. Only one of the keys has the same CN as the current keys which should be fine... see below.

(In reply to Rail Aliiev [:rail] ⌚️ET from comment #1)
> Created attachment 8826276 [details]
> keys-export.tar.gz
>
> Generated using:
>
> # dep
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
>
> certutil -d secrets/mar-sha384 -S -n dep1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n dep1 -r > dep1.der
dep1
>
> certutil -d secrets/mar-sha384 -S -n dep2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n dep2 -r > dep2.der
dep2
>
> # nightly
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
>
> certutil -d secrets/mar-sha384 -S -n nightly1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n nightly1 -r > nightly1.der
nightly1
>
> certutil -d secrets/mar-sha384 -S -n nightly2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n nightly2 -r > nightly2.der
nightly2
>
>
> # release
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
>
> certutil -d secrets/mar-sha384 -S -n rel1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n rel1 -r > rel1.der
Release MAR signing key
>
> certutil -d secrets/mar-sha384 -S -n rel2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n rel2 -r > rel2.der
Release MAR signing key 2

Will the nicknames collide with the existing cert nicknames in your cert store?
Flags: needinfo?(robert.strong.bugs)
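Added example, not code from the bug or from Mozilla's release tooling: a shell check a reviewer could run over the exported .der files to confirm what comment 1 set out to produce and comment 3 verified by hand, namely a sha384WithRSAEncryption signature, a 4096-bit RSA key, and exactly the intended CN (an exact match matters here, since "Release MAR signing key" is a prefix of "Release MAR signing key 2"). It assumes the openssl CLI is installed; the fixture certificate it generates is constructed for the demo and is not one of the real keys.

```shell
#!/bin/sh
# Added helper (not from the bug): check that an exported MAR signing cert
# (DER, as written by `certutil -L ... -r`) meets the bug's requirements:
# SHA-384 signature, 4096-bit RSA key, expected CN. Needs the openssl CLI.
check_mar_cert() {
    der="$1"; expected_cn="$2"
    text=$(openssl x509 -inform DER -in "$der" -noout -text 2>/dev/null) || {
        echo "FAIL $der: not a DER certificate"; return 1; }
    # certutil -Z SHA384 -> sha384WithRSAEncryption
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha384WithRSAEncryption' || {
        echo "FAIL $der: signature algorithm is not SHA384/RSA"; return 1; }
    # certutil -g 4096 -> 4096-bit modulus (pattern fits OpenSSL 1.1 and 3.x output)
    printf '%s\n' "$text" | grep -Eq 'Public-Key: \(4096 bit\)' || {
        echo "FAIL $der: RSA key is not 4096 bits"; return 1; }
    # Subject must be exactly the intended CN; a substring match would accept
    # "Release MAR signing key 2" when "Release MAR signing key" was expected.
    subj=$(openssl x509 -inform DER -in "$der" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}; subj=${subj# }
    [ "$subj" = "CN=$expected_cn" ] || {
        echo "FAIL $der: subject '$subj' is not CN=$expected_cn"; return 1; }
    echo "OK   $der: SHA384, RSA-4096, CN=$expected_cn"
}

# Constructed fixture, not one of the real keys: throwaway self-signed cert
# with digest $1, key size $2 and CN $3, written as DER to $4.
make_test_der() {
    key=$(mktemp); pem=$(mktemp)
    openssl req -x509 -newkey "rsa:$2" "-$1" -nodes -days 1 -subj "/CN=$3" \
        -keyout "$key" -out "$pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$pem" -outform DER -out "$4"
    rm -f "$key" "$pem"
}

# Demo: a compliant dep1-style cert passes, a SHA-256/2048-bit one is rejected.
run_demo() {
    work=$(mktemp -d)
    make_test_der sha384 4096 "CI MAR signing key 1" "$work/dep1.der"
    make_test_der sha256 2048 "CI MAR signing key 1" "$work/bad.der"
    check_mar_cert "$work/dep1.der" "CI MAR signing key 1"
    check_mar_cert "$work/bad.der" "CI MAR signing key 1" || true
    rm -rf "$work"
}
run_demo
```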
Comment 4•7 years ago
We are going to use a separate cert store for this one, so there will be no collisions. I'm going to resolve this and proceed with the current keys.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•6 years ago
Component: General Automation → General