Closed Bug 1324507 Opened 7 years ago Closed 7 years ago

Generate SHA384 MAR keys

Categories

(Release Engineering :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rail, Assigned: rail)

Attachments

(1 file)

Per https://bugzilla.mozilla.org/show_bug.cgi?id=1105689#c39 we need to generate multiple certs/keys for the new MAR signing format.

* SHA384
* Key size of 4096

We probably need 3 different certs/keys, similar to keys in https://hg.mozilla.org/mozilla-central/file/default/toolkit/mozapps/update/updater/:

* dep
* nightly
* release

The keys should be safely generated and stored according to https://mana.mozilla.org/wiki/display/RelEng/Signing.
Assignee: nobody → rail
Blocks: 1324501
Attached file keys-export.tar.gz
Generated using:

# dep
# -N initialises an empty NSS cert/key database in the directory given by -d
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

# -S generates a key pair and a self-signed (-x) certificate under nickname -n;
# -Z SHA384 is the signature hash, -g 4096 the RSA key size in bits,
# -w -3 / -v 0 the validity start offset and length in months,
# -t ",,u" the trust flags and -s the subject DN
certutil -d secrets/mar-sha384 -S -n dep1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 1" -x
# -L -r exports the certificate (public part only) as DER
certutil -L -d secrets/mar-sha384 -n dep1 -r > dep1.der

certutil -d secrets/mar-sha384 -S -n dep2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=CI MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n dep2 -r > dep2.der

# nightly
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n nightly1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n nightly1 -r > nightly1.der

certutil -d secrets/mar-sha384 -S -n nightly2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Nightly MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n nightly2 -r > nightly2.der

# release
mkdir -p secrets/mar-sha384
certutil -d secrets/mar-sha384 -N

certutil -d secrets/mar-sha384 -S -n rel1 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 1" -x
certutil -L -d secrets/mar-sha384 -n rel1 -r > rel1.der

certutil -d secrets/mar-sha384 -S -n rel2 -w -3 -v 0 -t ",,u" -Z SHA384 -g 4096 -s "CN=Release MAR signing key 2" -x
certutil -L -d secrets/mar-sha384 -n rel2 -r > rel2.der
Robert, can you verify the attached keys?
Flags: needinfo?(robert.strong.bugs)
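The verification requested above can be scripted against the exported .der files. The script below is an added example, not part of this bug or of Mozilla's tooling; it assumes the openssl CLI is installed and checks the three properties the certutil invocations were meant to produce (sha384WithRSAEncryption signature, 4096-bit RSA key, self-signed) and prints the subject so the CN can be compared with the existing keys.

```sh
#!/bin/sh
# Check a DER certificate exported with "certutil -L ... -r" against the
# requirements of this bug. Assumes the openssl 1.1/3.x "-text" output format.
check_mar_cert() {
    cert="$1"
    text=$(openssl x509 -inform DER -in "$cert" -noout -text) || return 1

    # certutil -Z SHA384 yields the signature algorithm sha384WithRSAEncryption
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha384WithRSAEncryption' || {
        echo "$cert: signature algorithm is not sha384WithRSAEncryption" >&2
        return 1
    }

    # certutil -g 4096 yields a 4096-bit RSA modulus
    printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' || {
        echo "$cert: public key is not 4096-bit RSA" >&2
        return 1
    }

    # certutil -x makes the cert self-signed, so issuer must equal subject
    subj=$(openssl x509 -inform DER -in "$cert" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -inform DER -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] || {
        echo "$cert: issuer ($iss) does not match subject ($subj)" >&2
        return 1
    }

    # Report the subject so the CN can be compared with the current keys' CNs
    echo "$cert: OK ($subj)"
}

# Usage against an unpacked keys-export.tar.gz:
#   for f in *.der; do check_mar_cert "$f"; done
```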
The keys are all SHA384 so that is good. Only one of the keys has the same CN as the current keys, which should be fine... see below.

(In reply to Rail Aliiev [:rail] ⌚️ET from comment #1)
> Created attachment 8826276 [details]
> keys-export.tar.gz
> 
> Generated using:
> 
> # dep
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
> 
> certutil -d secrets/mar-sha384 -S -n dep1 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=CI MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n dep1 -r > dep1.der
dep1

> 
> certutil -d secrets/mar-sha384 -S -n dep2 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=CI MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n dep2 -r > dep2.der
dep2

> 
> # nightly
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
> 
> certutil -d secrets/mar-sha384 -S -n nightly1 -w -3 -v 0 -t ",,u" -Z SHA384
> -g 4096 -s "CN=Nightly MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n nightly1 -r > nightly1.der
nightly1

> 
> certutil -d secrets/mar-sha384 -S -n nightly2 -w -3 -v 0 -t ",,u" -Z SHA384
> -g 4096 -s "CN=Nightly MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n nightly2 -r > nightly2.der
nightly2

> 
> 
> # release
> mkdir -p secrets/mar-sha384
> certutil -d secrets/mar-sha384 -N
> 
> certutil -d secrets/mar-sha384 -S -n rel1 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=Release MAR signing key 1" -x
> certutil -L -d secrets/mar-sha384 -n rel1 -r > rel1.der
Release MAR signing key

> 
> certutil -d secrets/mar-sha384 -S -n rel2 -w -3 -v 0 -t ",,u" -Z SHA384 -g
> 4096 -s "CN=Release MAR signing key 2" -x
> certutil -L -d secrets/mar-sha384 -n rel2 -r > rel2.der
Release MAR signing key 2

Will the nicknames collide with the existing cert nicknames in your cert store?
Flags: needinfo?(robert.strong.bugs)
We are going to use a separate cert store for this one, so there will be no collisions. I'm going to resolve this and proceed with the current keys.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: General Automation → General