Closed Bug 1094551 Opened 9 years ago Closed 9 years ago

Support EME voucher signing on signing server

Categories

(Release Engineering :: General, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Callek, Assigned: Callek)

References

Details

(Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/4054] )

Attachments

(4 files, 1 obsolete file)

+++ This bug was initially created as a clone of Bug #1091668 +++

To support EME, we need to generate a voucher file using a script provided to us by Adobe, and then have this voucher signed.

I'm not sure if the script should be incorporated into the build system directly, or if the signing server should take care of the voucher generation and signing.
For my notes, creating a new signing format was done on the hanging-off-bits of Bug 711210, so that's a good frame of reference.
(In reply to Chris AtLee [:catlee] from Bug 1091688 comment #11)
> Got more details of how to generate the signature in the correct format. The
> proper cmdline is:
> 
> openssl smime -sign -in voucher.bin -signer signer.pem -md sha256 -binary
> -nodetach -outform DER -out voucher.sig

To be clear, is this going to require a passphrase? If so, how is it passable (as in stdin, or can it be piped, etc.)?
Flags: needinfo?(catlee)
The signing server sends the passphrase to the signing script on stdin. So you'll most likely need to use '-passin stdin' to the openssl -sign command.
Flags: needinfo?(catlee)
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/4054]
There are good examples of how to do this in https://github.com/mozilla/build-tools/blob/master/lib/python/signing/utils.py already. GPG, JAR, and MAR signing all send passphrases via stdin.
I have only tested signscript.py so far.

Created a .pem first (you can find it on cruncher /home/jwood/signing-test/privkey.pem); the passphrase I used for said testing pem was "emetest".

The voucher.bin in that same directory is a sample of the exact file we'd be signing.

I used http://hg.mozilla.org/build/tools/rev/c8e6a7ba0572 as my model.
Attachment #8520340 - Flags: review?(nthomas)
Comment on attachment 8520340 [details] [diff] [review]
[tools] add emevoucher sign support

Review of attachment 8520340 [details] [diff] [review]:
-----------------------------------------------------------------

::: lib/python/signing/utils.py
@@ +158,5 @@
> +    arguments.
> +
> +    See https://bugzilla.mozilla.org/show_bug.cgi?id=711210#c15 for background
> +    on why we want both methods.
> +    """

Copy-and-paste comment needs updating (ie not authenticode, 'both methods' doesn't apply).

::: release/signing/signing.ini.template
@@ +33,4 @@
>  max_filesize_mar = 52428800
>  max_filesize_signcode = 52428800
>  max_filesize_osslsigncode = 52428800
> +max_filesize_emevoucher = 52428800

This should be set much smaller, the voucher isn't very big.
Attachment #8520340 - Flags: review?(nthomas) → feedback+
(In reply to Nick Thomas [:nthomas] from comment #6)
> >  max_filesize_osslsigncode = 52428800
> > +max_filesize_emevoucher = 52428800
> 
> This should be set much smaller, the voucher isn't very big.

I should modify this comment - in this .ini.template we seem to have this value for everything, so that's OK. Let's set something sensible in puppet though, when we create the actual signing.ini.
Attached file rpm upload log
Per IRC nick wanted a proper test file, so I updated the signing test files rpm:

Used:
https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Packages#CentOS:_Adding_New_Packages
and
https://wiki.mozilla.org/ReleaseEngineering/How_To/Update_Mock_Build_Repositories

To upload them to puppetagain, mock repos, and s3.

Full Log attached
This is untested so far.
Attachment #8521088 - Flags: review?(nthomas)
Has some slight changes from the previous patch, above what you suggested.

* Proper error handling from openssl return codes
* renamed the keyfile option to be clearer in the ini.
Attachment #8520340 - Attachment is obsolete: true
Attachment #8521095 - Flags: review?(nthomas)
Comment on attachment 8521095 [details] [diff] [review]
[tools] v2 - add emevoucher sign support

>diff --git a/release/signing/signing.ini.template b/release/signing/signing.ini.template
...
> # Where is the gpg directory with our private key
> gpg_homedir = /path/to/.gpg
>+# Where is the eme voucher private key
>+emevoucher_key = /path/to/.gpg

s/\.gpg/cert.pem/ for clarity.
Attachment #8521095 - Flags: review?(nthomas) → review+
Comment on attachment 8521088 [details] [diff] [review]
[puppet] v1 - add emevoucher support

Seems like a fair extension of existing code to me.
Attachment #8521088 - Flags: review?(nthomas) → review+
:catlee, Per IRC nick wanted me to double check that we intend to only use one .pem across all channels and build types (dep, nightly, try, release)

If that is accurate his r+ stands; if it's not, I need to rework a bit.

While you're here if you want to give the patches a once over that would be swell, but not required.
Flags: needinfo?(catlee)
These bugs are necessary for vouching and sandboxing a third-party CDM.
Blocks: eme-m2
Comment on attachment 8521095 [details] [diff] [review]
[tools] v2 - add emevoucher sign support

http://hg.mozilla.org/build/tools/rev/0ed77da14c0b
http://hg.mozilla.org/build/tools/rev/867406ac572a

And restarted dep signing on signing servers 4, 5, and 6. With the test emevoucher cert.

Added the test emevoucher password to our private repo as well.
Attachment #8521095 - Flags: checked-in+
Hal helped me out by doing a reconfig of schedulers and build masters (including try) to deploy the passwords.py change from puppet.
Comment on attachment 8521095 [details] [diff] [review]
[tools] v2 - add emevoucher sign support

Review of attachment 8521095 [details] [diff] [review]:
-----------------------------------------------------------------

::: lib/python/signing/utils.py
@@ +177,5 @@
> +        proc.logfile_read = stdout
> +        proc.expect('Enter pass phrase')
> +        proc.sendline(passphrase)
> +        if proc.wait() != 0:
> +            raise ValueError("openssl didn't return 0")
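
Review bot: proc.expect('Enter pass phrase') only covers the case where openssl actually reaches the prompt. If it exits first (for example because the key file cannot be read) or never prompts, pexpect raises its own EOF or TIMEOUT exception and the proc.wait() != 0 check is never reached, so callers see a different exception type than the ValueError raised here. Consider catching those around the expect call and raising the same error, and putting the actual exit status in the message instead of the fixed "openssl didn't return 0" so a failed signing run can be diagnosed from the log.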

If you wanted to avoid pexpect, openssl supports a '-passin stdin' option which lets you submit the password on stdin rather than messing with ttys.
Flags: needinfo?(catlee)
Attachment #8523064 - Flags: review?(bhearsum) → review+
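
The '-passin stdin' approach suggested in the comments above, as an added example (not the code that landed in build-tools): the smime command quoted in this bug is run with the passphrase written to openssl's stdin, so it never appears in argv. The function names and the single signer.pem holding both certificate and encrypted private key are assumptions.

```python
import os
import subprocess


def build_sign_command(voucher, signer_pem, out_sig, openssl="openssl"):
    """Return the argv for the smime command quoted in this bug.

    The passphrase is deliberately absent: '-passin stdin' makes openssl
    read it from the first line of stdin, so it never shows up in the
    process list.
    """
    return [
        openssl, "smime", "-sign",
        "-in", voucher,
        "-signer", signer_pem,  # assumption: cert and encrypted key in one PEM
        "-md", "sha256", "-binary", "-nodetach",
        "-outform", "DER",
        "-out", out_sig,
        "-passin", "stdin",
    ]


def sign_voucher(voucher, signer_pem, out_sig, passphrase, timeout=60):
    """Sign voucher into out_sig; raise RuntimeError if openssl fails."""
    proc = subprocess.run(
        build_sign_command(voucher, signer_pem, out_sig),
        input=passphrase.encode("utf-8") + b"\n",  # one line, then EOF
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=timeout,
    )
    if proc.returncode != 0:
        # Do not leave a partial or empty signature behind for later steps.
        if os.path.exists(out_sig):
            os.unlink(out_sig)
        raise RuntimeError(
            "openssl exited with %d: %s"
            % (proc.returncode, proc.stderr.decode("utf-8", "replace").strip())
        )
    return out_sig
```

Because no tty is involved, a wrong passphrase or unreadable key surfaces as a non-zero exit status with openssl's own message, not as a prompt that never arrives.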
re-asking

(In reply to Justin Wood (:Callek) from comment #13)
> :catlee, Per IRC nick wanted me to double check that we intend to only use
> one .pem across all channels and build types (dep, nightly, try, release)
Flags: needinfo?(catlee)
we're going to be using one key for nightly/release, and another for dep/try.

basically the 'nightly' and 'release' servers can share the same key, and we should have a self-signed cert for dep/try.
Flags: needinfo?(catlee)
I deployed the Adobe-signed key for nightly/release signing servers just now.

I think we are done here. (reopen if something seems amiss)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
No longer blocks: eme-m2
Component: General Automation → General