Closed Bug 1366570 Opened 7 years ago Closed 8 months ago

mozregression installers and executables for windows and mac are not signed

Categories

(Testing :: mozregression, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: 61.1p57, Assigned: zeid)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170518105722

Steps to reproduce:

1. Download mozregression-gui.exe from GitHub
2. Run as admin (per Bug 1192488)


Actual results:

UAC shows "Verified publisher: Mozilla"


Expected results:

UAC warns about unknown publisher
(In reply to 61.1p57 from comment #0)

> Actual results:
> 
> UAC shows "Verified publisher: Mozilla"
> 
> 
> Expected results:
> 
> UAC warns about unknown publisher

Ah, "actual results" and "expected results" are reversed... apologies
Thanks for the report. Our current infrastructure doesn't really make it easy to sign the windows builds (at least as far as I know), so I'm not sure when this will be fixed. No reason not to leave this open though, in case a solution presents itself...
(In reply to 61.1p57 from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0)
> Gecko/20100101 Firefox/54.0
> Build ID: 20170518105722
> 
> Steps to reproduce:
> 
> 1. Download mozregression-gui.exe from GitHub
> 2. Run as admin (per Bug 1192488)
> 
> 
> Actual results:
> 
> UAC shows "Verified publisher: Mozilla"
> 
> 
> Expected results:
> 
> UAC warns about unknown publisher

In my case, even a Windows Defender SmartScreen window pops up. If I remember correctly, I have never changed its settings.
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: connect

This now applies to the Mac as well.

Summary: mozregression installer for windows is not signed → mozregression installers for windows and mac are not signed

Hi Chris, please don't consider this an urgent request, but I'm wondering how possible it would be to produce signed versions of mozregression? It seems like mozregression is getting detected as a virus on Windows and is rather difficult to install on Mac due to this issue.

Currently mozregression is being built with travis/appveyor but moving it over to the taskcluster community instance should be possible.

Flags: needinfo?(catlee)

(In reply to William Lachance (:wlach) (use needinfo!) from comment #5)

> Hi Chris, please don't consider this an urgent request, but I'm wondering how possible it would be to produce signed versions of mozregression? It seems like mozregression is getting detected as a virus on Windows and is rather difficult to install on Mac due to this issue.
> 
> Currently mozregression is being built with travis/appveyor but moving it over to the taskcluster community instance should be possible.

Gotten a bunch more reports on this issue.

I did some more research, and it does appear signing is technically possible; for example, we do this for taskcluster builds of Firefox Reality on the community instance: https://github.com/mozilla/community-tc-config/blob/master/config/projects/firefoxreality.yml

So realistically this means something like:

  1. Set up a mozregression group on taskcluster's community instance (not very difficult: #taskcluster on Matrix can probably help)
  2. Port mozregression's ci to taskcluster (a day or two's worth of work? not sure how difficult tbh)
  3. Figure out how to sign pyinstaller-produced binaries on (at least) Mac and Windows (pretty easy, most likely)
  4. Figure out who at Mozilla can provide them, then add certificates and whatever artifacts necessary to do signing to taskcluster
  5. Actually sign builds produced from mozilla/mozregression (making sure that pull requests coming from forks are not signed)

So probably not a huge amount of work, but not trivial either; 4 in particular might require some help/favours from other parts of Mozilla.

Flags: needinfo?(catlee)
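A practical check for the symptom this bug describes (and for step 5 above, confirming that release builds actually came out signed and fork builds did not) is to look at the PE Certificate Table directly. The following is an added example written for this bug report, not code from mozregression or from Mozilla's release tooling. It parses the PE headers of a file such as mozregression-gui.exe and reports whether an Authenticode (WIN_CERTIFICATE, PKCS_SIGNED_DATA) block is present. The sample image produced by build_sample_pe() is constructed here for the demonstration: it is headers only, not an executable, and the certificate payload it embeds is placeholder bytes rather than real PKCS#7 data.

```python
"""
Check whether a Windows PE file (for example a downloaded mozregression-gui.exe)
carries an Authenticode signature block at all.

Added example for this bug, not code from mozregression or Mozilla's release
tooling. The sample PE built by build_sample_pe() is constructed here and is not
a runnable executable; its certificate payload is placeholder bytes, not PKCS#7.
"""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DIR_ENTRY_SECURITY = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISIONS = (0x0100, 0x0200)


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table data directory
    entry, or None if the PE has no (or an empty) security entry.
    Raises ValueError for input that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        raise ValueError("truncated headers")
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96                      # data directories start (PE32)
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                     # data directories start (PE32+)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = dirs + DIR_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return None                          # header too short to hold the entry
    # Unlike the other directories, this entry is a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, entry)
    if off == 0 or size == 0:
        return None
    return off, size


def has_authenticode(data: bytes) -> bool:
    """True if the file carries a WIN_CERTIFICATE of type PKCS_SIGNED_DATA.
    Presence check only: the signature itself is NOT validated here."""
    entry = certificate_table(data)
    if entry is None:
        return False
    off, size = entry
    if size < 8 or off + size > len(data):
        return False                         # entry points outside the file
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return (cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
            and revision in WIN_CERT_REVISIONS
            and 8 <= length <= size)


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (headers only, zero sections) for the demo."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    headers_len = e_lfanew + 4 + 20 + opt_size
    cert_blob, cert_off, cert_size = b"", 0, 0
    if signed:
        payload = b"\x30\x82" + b"\0" * 30   # placeholder bytes, not real PKCS#7
        cert_blob = struct.pack("<IHH", 8 + len(payload), 0x0200,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_off, cert_size = headers_len, len(cert_blob)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, 112 + DIR_ENTRY_SECURITY * 8, cert_off, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python check_sig.py mozregression-gui.exe
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print(sys.argv[1], "signature block present" if has_authenticode(blob)
              else "NOT signed (UAC would show an unknown publisher)")
    else:
        for label, sample in (("signed sample", build_sample_pe(True)),
                              ("unsigned sample", build_sample_pe(False))):
            print(label, has_authenticode(sample))
```

This answers only the question raised in this bug (was the binary signed at all), which is what UAC's "unknown publisher" and SmartScreen react to. It is not a trust check: the Authenticode hash excludes the Certificate Table, so a WIN_CERTIFICATE block copied from another binary would pass this test but fail validation. To confirm the signature and publisher chain, use `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa` on Windows, and `codesign --verify --deep --strict` plus `spctl --assess` for the Mac .dmg/.app.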

This is a little different, but similar enough that it's worth connecting some things: geckodriver does something like this over in https://bugzilla.mozilla.org/show_bug.cgi?id=1427849 and related tickets.

If you are making infrequent releases, you can ask RelEng to manually sign the releases.

e.g. bug 1588707 where I did that for the MozillaBuild NSIS installer.

(In reply to :glob 🎈 from comment #8)

> If you are making infrequent releases, you can ask RelEng to manually sign the releases.
> 
> e.g. bug 1588707 where I did that for the MozillaBuild NSIS installer.

Thanks :glob, that sounds like a good interim solution. Filed bug 1661025 about that, let's see where it goes.

(In reply to William Lachance (:wlach) (use needinfo!) from comment #9)

> (In reply to :glob 🎈 from comment #8)
> 
> > If you are making infrequent releases, you can ask RelEng to manually sign the releases.
> > 
> > e.g. bug 1588707 where I did that for the MozillaBuild NSIS installer.
> 
> Thanks :glob, that sounds like a good interim solution. Filed bug 1661025 about that, let's see where it goes.

Ok so that worked, at least for Windows. However I realized (too late) that the problem isn't in the installer, it's the actual mozregression executable that gets installed. :aki and I talked about this a bit, and I think the most viable way forward is to move this in-tree and (eventually) reuse Firefox's signing mechanisms. Not sure when we'll have time to do that, but I'll file a bug soon.

Summary: mozregression installers for windows and mac are not signed → mozregression installers and executables for windows and mac are not signed

As per discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1661025#c4 -- it seems like the "right way" to solve this issue is to move mozregression in-tree, where we can reuse the existing signing/trust infrastructure for Firefox.

It occurs to me that we could possibly just make the in-tree version a mirror if we want to continue development on GitHub.

Severity: normal → S3
Blocks: 1810744
No longer blocks: 1810744
Depends on: 1810744
Assignee: nobody → zeid
Depends on: 1839227
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED

Going forward, mozregression-gui.exe and mozregression-gui.dmg will be signed; however, they may not show up immediately on a new release and may take up to 1-2 hours to be available.
