Closed Bug 1094551 Opened 5 years ago Closed 5 years ago
Support EME voucher signing on signing server
+++ This bug was initially created as a clone of Bug #1091668 +++ To support EME, we need to generate a voucher file using a script provided to us by Adobe, and then have this voucher signed. I'm not sure if the script should be incorporated into the build system directly, or if the signing server should take care of the voucher generation and signing.
For my notes, creating a new signing format was done on the hanging-off-bits of Bug 711210, so that's a good frame of reference.
(In reply to Chris AtLee [:catlee] from Bug 1091688 comment #11)
> Got more details of how to generate the signature in the correct format. The
> proper cmdline is:
>
> openssl smime -sign -in voucher.bin -signer signer.pem -md sha256 -binary -nodetach -outform DER -out voucher.sig

To be clear, is this going to require a passphrase? If so, how is it passable (as in stdin, or can it be piped, etc.)?
The signing server sends the passphrase to the signing script on stdin. So you'll most likely need to use '-passin stdin' to the openssl -sign command.
There's good examples for how to do this in https://github.com/mozilla/build-tools/blob/master/lib/python/signing/utils.py already. GPG, JAR, and MAR signing all send passphrases via stdin.
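The command from comment 2 combined with the `-passin stdin` approach from comments 3 and 4, as an added example for this thread (not code from mozilla/build-tools or from the attached patches). Function names, the `SigningError` class, the `MAX_VOUCHER_SIZE` value and the injectable `run` callable are assumptions made here so the error path can be exercised without a real key; the passphrase in the usage note is the thread's own test value.

```python
"""Sign an EME voucher with `openssl smime`, feeding the passphrase on stdin.

Added example, not mozilla/build-tools code. Assumed: function names,
SigningError, MAX_VOUCHER_SIZE, and the `run` parameter (defaults to
subprocess.run; a fake can be passed in for testing).
"""
import subprocess
from pathlib import Path

# The voucher is small, so cap what the signing server hands to openssl.
# 64 KiB is an assumed value, not the limit puppet ends up with.
MAX_VOUCHER_SIZE = 64 * 1024


class SigningError(Exception):
    """openssl exited non-zero or the input was rejected before signing."""


def emevoucher_signing_cmd(voucher, signer_pem, out_sig):
    """argv for the command given in comment 2, plus '-passin stdin' so the
    key passphrase is read from standard input instead of a tty prompt."""
    return [
        "openssl", "smime", "-sign",
        "-in", str(voucher),
        "-signer", str(signer_pem),
        "-md", "sha256",
        "-binary",
        "-nodetach",            # embed the voucher in the PKCS#7 structure
        "-outform", "DER",
        "-passin", "stdin",     # passphrase arrives on the pipe, no pexpect
        "-out", str(out_sig),
    ]


def sign_emevoucher(voucher, signer_pem, out_sig, passphrase, run=subprocess.run):
    """Sign `voucher` with `signer_pem`, writing DER output to `out_sig`.

    Raises SigningError with openssl's exit status and stderr on failure, so
    a bad key, wrong passphrase or unreadable input is diagnosable from the
    signing server's log rather than a bare "didn't return 0".
    """
    voucher = Path(voucher)
    size = voucher.stat().st_size
    if size > MAX_VOUCHER_SIZE:
        raise SigningError(
            f"{voucher} is {size} bytes, over the {MAX_VOUCHER_SIZE} byte limit")

    cmd = emevoucher_signing_cmd(voucher, signer_pem, out_sig)
    # A trailing newline terminates openssl's read of the passphrase.
    proc = run(cmd, input=(passphrase + "\n").encode(), capture_output=True)
    if proc.returncode != 0:
        err = proc.stderr.decode(errors="replace").strip()
        raise SigningError(f"openssl exited {proc.returncode}: {err}")
    return Path(out_sig)


if __name__ == "__main__":
    # Usage: python sign_emevoucher.py voucher.bin signer.pem voucher.sig
    import getpass
    import sys
    voucher_path, signer_path, sig_path = sys.argv[1:4]
    sign_emevoucher(voucher_path, signer_path, sig_path,
                    getpass.getpass("Key passphrase: "))
```

Run against the test key from the cruncher directory above with the passphrase "emetest" to get a `voucher.sig` in the same DER form as the hand-run command; because the passphrase travels on stdin, the same function works unattended under the signing server, which already sends passphrases that way for GPG, JAR and MAR.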
I have only tested signscript.py so far. Created a .pem first (you can find it on cruncher at /home/jwood/signing-test/privkey.pem); the passphrase I used for said testing pem was "emetest". The voucher.bin in that same directory is a sample of the exact file we'd be signing. I used http://hg.mozilla.org/build/tools/rev/c8e6a7ba0572 as my model.
Attachment #8520340 - Flags: review?(nthomas)
Comment on attachment 8520340 [details] [diff] [review] [tools] add emevoucher sign support Review of attachment 8520340 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/python/signing/utils.py @@ +158,5 @@ > + arguments. > + > + See https://bugzilla.mozilla.org/show_bug.cgi?id=711210#c15 for background > + on why we want both methods. > + """ Copy-and-paste comment needs updating (ie not authenticode, 'both methods' doesn't apply). ::: release/signing/signing.ini.template @@ +33,4 @@ > max_filesize_mar = 52428800 > max_filesize_signcode = 52428800 > max_filesize_osslsigncode = 52428800 > +max_filesize_emevoucher = 52428800 This should be set much smaller, the voucher isn't very big.
Attachment #8520340 - Flags: review?(nthomas) → feedback+
(In reply to Nick Thomas [:nthomas] from comment #6) > > max_filesize_osslsigncode = 52428800 > > +max_filesize_emevoucher = 52428800 > > This should be set much smaller, the voucher isn't very big. I should modify this comment - in this .ini.template we seem to have this value for everything, so that's OK. Let's set something sensible in puppet though, when we create the actual signing.ini.
Per IRC, Nick wanted a proper test file, so I updated the signing test files RPM. Used https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Packages#CentOS:_Adding_New_Packages and https://wiki.mozilla.org/ReleaseEngineering/How_To/Update_Mock_Build_Repositories to upload them to puppetagain, mock repos, and S3. Full log attached.
This is untested so far.
Attachment #8521088 - Flags: review?(nthomas)
Has some slight changes from the previous patch, above what you suggested.
* Proper error handling from openssl return codes
* Renamed the keyfile option to be clearer in the ini.
Comment on attachment 8521095 [details] [diff] [review] [tools] v2 - add emevoucher sign support >diff --git a/release/signing/signing.ini.template b/release/signing/signing.ini.template ... > # Where is the gpg directory with our private key > gpg_homedir = /path/to/.gpg >+# Where is the eme voucher private key >+emevoucher_key = /path/to/.gpg s/\.gpg/cert.pem/ for clarity.
Attachment #8521095 - Flags: review?(nthomas) → review+
Comment on attachment 8521088 [details] [diff] [review] [puppet] v1 - add emevoucher support Seems like a fair extension of existing code to me.
Attachment #8521088 - Flags: review?(nthomas) → review+
:catlee, per IRC Nick wanted me to double check that we intend to only use one .pem across all channels and build types (dep, nightly, try, release). If that is accurate his r+ stands; if it's not, I need to rework a bit. While you're here, if you want to give the patches a once over that would be swell, but not required.
These bugs are necessary for vouching and sandboxing a third-party CDM.
Comment on attachment 8521088 [details] [diff] [review] [puppet] v1 - add emevoucher support remote: https://hg.mozilla.org/build/puppet/rev/07eab8dd8c3b remote: https://hg.mozilla.org/build/puppet/rev/f17ead38e738
Attachment #8521088 - Flags: checked-in+
Comment on attachment 8521095 [details] [diff] [review] [tools] v2 - add emevoucher sign support http://hg.mozilla.org/build/tools/rev/0ed77da14c0b http://hg.mozilla.org/build/tools/rev/867406ac572a And restarted dep signing on signing servers 4, 5, and 6 with the test emevoucher cert. Added the test emevoucher password to our private repo as well.
Attachment #8521095 - Flags: checked-in+
Hal helped me out by doing a reconfig of schedulers and build masters (including try) to deploy the passwords.py change from puppet.
Comment on attachment 8521095 [details] [diff] [review] [tools] v2 - add emevoucher sign support Review of attachment 8521095 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/python/signing/utils.py @@ +177,5 @@ > + proc.logfile_read = stdout > + proc.expect('Enter pass phrase') > + proc.sendline(passphrase) > + if proc.wait() != 0: > + raise ValueError("openssl didn't return 0") if you wanted to avoid pexpect, openssl supports a '-passin stdin' option which lets you submit the password on stdin rather than messing with ttys.
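Review bot: the last line of the hunk, `raise ValueError("openssl didn't return 0")`, discards the exit status that `proc.wait()` just returned and gives the signing server log nothing to diagnose a failed signing with; capture the status (and, since `proc.logfile_read` is set, point at where openssl's output went) in the message, and use a subprocess-style error rather than ValueError, which suggests a bad argument. Separately, `proc.expect('Enter pass phrase')` assumes the key is passphrase-protected: with an unencrypted PEM openssl never prompts, and pexpect surfaces that as an EOF/TIMEOUT exception rather than a clear error, so either guard the expect or, as suggested, hand the passphrase over with `-passin stdin` and drop the tty dance entirely.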
Attachment #8523064 - Flags: review?(bhearsum) → review+
Re-asking (In reply to Justin Wood (:Callek) from comment #13)
> :catlee, Per IRC nick wanted me to double check that we intend to only use
> one .pem across all channels and build types (dep, nightly, try, release)
Comment on attachment 8523064 [details] [diff] [review] [puppet] followup - support *.bin filenames as well https://hg.mozilla.org/build/puppet/rev/d7b1cb6ac456 https://hg.mozilla.org/build/puppet/rev/4c0cc54409ab
Attachment #8523064 - Flags: checked-in+
We're going to be using one key for nightly/release, and another for dep/try. Basically the 'nightly' and 'release' servers can share the same key, and we should have a self-signed cert for dep/try.
I deployed the Adobe-signed key for the nightly/release signing servers just now. I think we are done here. (Reopen if something seems amiss.)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED