Closed Bug 1341922 Opened 7 years ago Closed 11 months ago

non-privileged, non-secret dep signing on taskcluster

Categories

(Release Engineering :: General, defect, P2)

Product:
Release Engineering
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: mozilla, Unassigned)

References

Details

We want to turn on signing for dep builds, but these don't need to go through scriptworker or the signing servers.

Ideally we'd have a script or set of scripts that can sign in the various formats (signtool? signingscript? another script?), and some non-privileged non-secret keys for dep signing.

The keys can be auto-generated, or distributed through taskcluster level-1 secrets or a non-secret-keys-as-a-service service, so signing can happen on Try.

We can run signing through this script on docker-worker.
Priority: -- → P2
- docker container
- secrets service keys
- python module with signing logic, factor out of the signing server; then we can share logic
- tasks parallel to the current scriptworker build-signing in the graph. tests depend on the dep signing task. we can then build-sign during promotion.
  - this gives us both task types, so we can test the build-signing on try if wanted
  - this allows us to dep-sign on push and nightly/release sign on promotion, which defers nightly/release signing, which was a stretch goal we've been talking about for a while.
Component: General Automation → General
Not entirely sure if we still want this, or if we'll just be pointing at autograph dep keys.

(In reply to Aki Sasaki (not active) from comment #2)

Not entirely sure if we still want this, or if we'll just be pointing at
autograph dep keys.

We ended up doing the latter, which has the added benefit of making sure we test scriptworker, autograph, and other code.

Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.