partner repack scripts need to resign builds with OS X signature

RESOLVED FIXED

Status

Release Engineering
Release Automation
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: bhearsum, Assigned: bhearsum)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Assignee)

Description

3 years ago
For awhile we thought we'd be able to continue excluding partner repacks from the OS X signature. On Friday, we discovered that that is NOT the case - these files will have to move into Contents/Resources until such time that we have a way to do partner repacks without putting the files in the .app (eg, by using an installer). In order to make sure our partner builds run on 10.9.5 and higher, we'll need to sign them after doing the repackaging steps.

Stephen, I know the app changes required are low priority, but we can probably prepare our side of things in the meantime. Did I capture this correctly?
Flags: needinfo?(spohl.mozilla.bugs)
Yes, that seems right. Also, rstrong offered to handle the client side changes. If you have questions about the client side changes, he'll probably have the most up-to-date info.
Flags: needinfo?(spohl.mozilla.bugs)
(Assignee)

Comment 2

3 years ago
Created attachment 8493299 [details] [diff] [review]
do dmg signing for partner repacks

This patch is very simple, but landing it will be more complex. I intend to tag the current tip of the default branch of partner repacks with something like MAC_V1_SIGNING, and then land this patch. I'll change all of the release config templates to use MAC_V1_SIGNING as their partner repacks rev. When 34.0b1 goes to Beta, I'll change the Beta template back to use "default" as the partner repacks rev, because 34.0 requires v2 signatures.

I tested this on partner-repack1 and it appeared to work:
2014-09-22 12:33:12,269 - Executing python /Users/cltbld/bhearsum/partner-repacks/scripts/tools/release/signing/signtool.py -t /Users/cltbld/bhearsum/partner-repacks/scripts/token -n /Users/cltbld/bhearsum/partner-repacks/scripts/nonce -c /Users/cltbld/bhearsum/partner-repacks/scripts/tools/release/signing/host.cert -H dmgv2:mac-v2-signing3.srv.releng.scl3.mozilla.com:9110 -H gpg:signing4.srv.releng.scl3.mozilla.com:9110 --formats gpg --formats dmgv2 "Firefox 33.0b5.dmg"
2014-09-22 12:33:12,269 - in /Users/cltbld/bhearsum/partner-repacks/scripts/repacked_builds/33.0b5/build1/partner-repacks/bing/mac/en-US/working
2014-09-22 12:33:13,533 - 26749c2e2c2714f517181db02c392e5fb602565b: processing Firefox 33.0b5.dmg on https://signing4.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:13,545 - 26749c2e2c2714f517181db02c392e5fb602565b: uploading for signing
2014-09-22 12:33:19,151 - 26749c2e2c2714f517181db02c392e5fb602565b: processing Firefox 33.0b5.dmg on https://signing4.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:19,186 - 26749c2e2c2714f517181db02c392e5fb602565b: OK
2014-09-22 12:33:22,001 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: processing Firefox 33.0b5.dmg.tar.gz on https://mac-v2-signing3.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:22,025 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: uploading for signing
2014-09-22 12:33:30,557 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: processing Firefox 33.0b5.dmg.tar.gz on https://mac-v2-signing3.srv.releng.scl3.mozilla.com:9110
2014-09-22 12:33:39,868 - 914e97b70aa45ac8a51b5db36eb456bdfb049575: OK
2014-09-22 12:33:40,708 - Done repacking mac build Firefox 33.0b5.dmg
2014-09-22 12:33:40,722 - Found /Users/cltbld/bhearsum/partner-repacks/scripts/original_builds/33.0b5/build1/win32/en-US/Firefox Setup 33.0b5.exe o
Assignee: nobody → bhearsum
Status: NEW → ASSIGNED
Attachment #8493299 - Flags: review?(rail)
Attachment #8493299 - Flags: review?(rail) → review+
(Assignee)

Comment 3

3 years ago
Created attachment 8493709 [details] [diff] [review]
use MAC_V1_SIGNING tag for partner repacks

I also took the liberty of removing this repo from places we don't actually use it.
Attachment #8493709 - Flags: review?(rail)
Attachment #8493709 - Flags: review?(rail) → review+
(Assignee)

Updated

3 years ago
Attachment #8493709 - Flags: checked-in+
(Assignee)

Updated

3 years ago
Attachment #8493299 - Flags: checked-in+
(Assignee)

Comment 4

3 years ago
This is fixed. We'll revert the buildbot-configs patch for Beta when we build 34.0b1, in bug 1056839. We'll need to do the same for release, I don't see a bug for that yet though.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Something here landed in production today: https://wiki.mozilla.org/ReleaseEngineering/Maintenance#Reconfigs_.2F_Deployments

Comment 6

3 years ago
> do partner repacks without putting the files in the .app (eg, by using an installer)

Partner repacks should look like and install exactly like the official builds. That's the point of repacks. If we need an installer, then install rate will drop notably.
You need to log in before you can comment on or make changes to this bug.