Support EME voucher signing on signing server

RESOLVED FIXED

Status

--
major
RESOLVED FIXED
4 years ago
6 months ago

People

(Reporter: Callek, Assigned: Callek)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/4054] )

Attachments

(4 attachments, 1 obsolete attachment)

(Assignee)

Description

4 years ago
+++ This bug was initially created as a clone of Bug #1091668 +++

To support EME, we need to generate a voucher file using a script provided to us by Adobe, and then have this voucher signed.

I'm not sure if the script should be incorporated into the build system directly, or if the signing server should take care of the voucher generation and signing.
(Assignee)

Comment 1

4 years ago
For my notes, creating a new signing format was done on the hanging-off-bits of Bug 711210, so that's a good frame of reference.
(Assignee)

Comment 2

4 years ago
(In reply to Chris AtLee [:catlee] from Bug 1091688 comment #11)
> Got more details of how to generate the signature in the correct format. The
> proper cmdline is:
> 
> openssl smime -sign -in voucher.bin -signer signer.pem -md sha256 -binary
> -nodetach -outform DER -out voucher.sig

To be clear, is this going to require a passphrase? If so, how can it be passed (as in, stdin, or can it be piped, etc.)?
Flags: needinfo?(catlee)
The signing server sends the passphrase to the signing script on stdin. So you'll most likely need to use '-passin stdin' to the openssl -sign command.
Flags: needinfo?(catlee)

Updated

4 years ago
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/4054]
There are good examples of how to do this in https://github.com/mozilla/build-tools/blob/master/lib/python/signing/utils.py already. GPG, JAR, and MAR signing all send passphrases via stdin.
(Assignee)

Comment 5

4 years ago
Created attachment 8520340 [details] [diff] [review]
[tools] add emevoucher sign support

I have only tested signscript.py so far.

Created a .pem first (you can find it on cruncher at /home/jwood/signing-test/privkey.pem); the passphrase I used for said testing pem was "emetest".

The voucher.bin in that same directory is a sample of the exact file we'd be signing.

I used http://hg.mozilla.org/build/tools/rev/c8e6a7ba0572 as my model.
Attachment #8520340 - Flags: review?(nthomas)
Comment on attachment 8520340 [details] [diff] [review]
[tools] add emevoucher sign support

Review of attachment 8520340 [details] [diff] [review]:
-----------------------------------------------------------------

::: lib/python/signing/utils.py
@@ +158,5 @@
> +    arguments.
> +
> +    See https://bugzilla.mozilla.org/show_bug.cgi?id=711210#c15 for background
> +    on why we want both methods.
> +    """
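Review bot: the docstring ending at +162 still points at bug 711210#c15 and "both methods", which describe the signing format it was copied from, so the only documentation of this function is a stale cross-reference; replace it with a sentence stating what this helper does (sign an EME voucher with `openssl smime`, passphrase supplied on stdin) so the docstring matches the code it sits above.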

Copy-and-paste comment needs updating (ie not authenticode, 'both methods' doesn't apply).

::: release/signing/signing.ini.template
@@ +33,4 @@
>  max_filesize_mar = 52428800
>  max_filesize_signcode = 52428800
>  max_filesize_osslsigncode = 52428800
> +max_filesize_emevoucher = 52428800
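Review bot: `max_filesize_emevoucher = 52428800` at +36 copies the 50 MiB cap of the MAR/signcode entries above it; since a voucher is small and `-nodetach` embeds the whole input in the signature, the value that ends up in the real signing.ini should be close to the actual voucher size so the server rejects oversized input before the EME key is used.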

This should be set much smaller, the voucher isn't very big.
Attachment #8520340 - Flags: review?(nthomas) → feedback+
(In reply to Nick Thomas [:nthomas] from comment #6)
> >  max_filesize_osslsigncode = 52428800
> > +max_filesize_emevoucher = 52428800
> 
> This should be set much smaller, the voucher isn't very big.

I should modify this comment: in this .ini.template we seem to have this value for everything, so that's OK. Let's set something sensible in puppet though, when we create the actual signing.ini.
(Assignee)

Comment 8

4 years ago
Created attachment 8521057 [details]
rpm upload log

Per IRC, Nick wanted a proper test file, so I updated the signing test files rpm:

Used:
https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Packages#CentOS:_Adding_New_Packages
and
https://wiki.mozilla.org/ReleaseEngineering/How_To/Update_Mock_Build_Repositories

To upload them to puppetagain, mock repos, and s3.

Full log attached.
(Assignee)

Comment 9

4 years ago
Created attachment 8521088 [details] [diff] [review]
[puppet] v1 - add emevoucher support

This is untested so far.
Attachment #8521088 - Flags: review?(nthomas)
(Assignee)

Comment 10

4 years ago
Created attachment 8521095 [details] [diff] [review]
[tools] v2 - add emevoucher sign support

Has some slight changes from the previous patch, above what you suggested.

* Proper error handling from openssl return codes
* renamed the keyfile option to be clearer in the ini.
Attachment #8520340 - Attachment is obsolete: true
Attachment #8521095 - Flags: review?(nthomas)
Depends on: 1053484
Comment on attachment 8521095 [details] [diff] [review]
[tools] v2 - add emevoucher sign support

>diff --git a/release/signing/signing.ini.template b/release/signing/signing.ini.template
...
> # Where is the gpg directory with our private key
> gpg_homedir = /path/to/.gpg
>+# Where is the eme voucher private key
>+emevoucher_key = /path/to/.gpg
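Review bot: the placeholder `/path/to/.gpg` on the `emevoucher_key` line is copied from `gpg_homedir` and names a directory, while the comment above it says this is the private key file; use a file placeholder such as `/path/to/cert.pem` so whoever fills in signing.ini does not point it at the GPG home, and say in the comment that the key is passphrase-protected (the passphrase arrives on stdin, per the earlier discussion).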

s/\.gpg/cert.pem/ for clarity.
Attachment #8521095 - Flags: review?(nthomas) → review+
Comment on attachment 8521088 [details] [diff] [review]
[puppet] v1 - add emevoucher support

Seems like a fair extension of existing code to me.
Attachment #8521088 - Flags: review?(nthomas) → review+
(Assignee)

Comment 13

4 years ago
:catlee, per IRC Nick wanted me to double-check that we intend to only use one .pem across all channels and build types (dep, nightly, try, release).

If that is accurate his r+ stands; if it's not, I need to rework a bit.

While you're here if you want to give the patches a once over that would be swell, but not required.
Flags: needinfo?(catlee)
These bugs are necessary for vouching and sandboxing a third-party CDM.
Blocks: 1098164
(Assignee)

Comment 16

4 years ago
Comment on attachment 8521095 [details] [diff] [review]
[tools] v2 - add emevoucher sign support

http://hg.mozilla.org/build/tools/rev/0ed77da14c0b
http://hg.mozilla.org/build/tools/rev/867406ac572a

And restarted dep signing on signing servers 4, 5, and 6 with the test emevoucher cert.

Added the test emevoucher password to our private repo as well.
Attachment #8521095 - Flags: checked-in+
(Assignee)

Comment 17

4 years ago
Hal helped me out by doing a reconfig of schedulers and build masters (including try) to deploy the passwords.py change from puppet.
(Assignee)

Comment 18

4 years ago
Created attachment 8523064 [details] [diff] [review]
[puppet] followup - support *.bin filenames as well
Attachment #8523064 - Flags: review?(bhearsum)
Comment on attachment 8521095 [details] [diff] [review]
[tools] v2 - add emevoucher sign support

Review of attachment 8521095 [details] [diff] [review]:
-----------------------------------------------------------------

::: lib/python/signing/utils.py
@@ +177,5 @@
> +        proc.logfile_read = stdout
> +        proc.expect('Enter pass phrase')
> +        proc.sendline(passphrase)
> +        if proc.wait() != 0:
> +            raise ValueError("openssl didn't return 0")
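Review bot: `proc.expect('Enter pass phrase')` at +178 has no handling for the prompt never appearing (an unencrypted key, or a differently worded prompt in another openssl build), so pexpect raises EOF or TIMEOUT instead of a signing error, and the `ValueError("openssl didn't return 0")` at +181 discards the exit status and whatever openssl wrote to the pty. Catch `pexpect.EOF`/`pexpect.TIMEOUT` and include `proc.exitstatus` and the captured output in the message, or avoid the pty entirely with `-passin stdin` as suggested earlier in the bug.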

If you wanted to avoid pexpect, openssl supports a '-passin stdin' option which lets you submit the password on stdin rather than messing with ttys.
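The approach suggested in this bug, written out as an added example that is not the build-tools code: the openssl command from comment 2 with `-passin stdin` so the passphrase is fed on stdin instead of through pexpect, the max_filesize check applied before the key is used, and the openssl exit status surfaced in the error. `DEFAULT_MAX_FILESIZE` and the function names are assumptions for the example.

```python
"""Sign an EME voucher with 'openssl smime', passphrase supplied on stdin."""
import os
import subprocess

# Assumed limit for the example: a voucher is tiny, so keep the cap far
# below the 50 MiB template value rather than accepting arbitrary blobs.
DEFAULT_MAX_FILESIZE = 65536


class SigningError(Exception):
    """Input rejected before signing, or openssl failed."""


def emevoucher_sign_cmd(voucher_bin, signer_pem, out_sig):
    """argv for the command quoted in the bug, plus '-passin stdin' so the
    passphrase is read from stdin and no pty/pexpect interaction is needed."""
    return [
        "openssl", "smime", "-sign",
        "-in", voucher_bin,
        "-signer", signer_pem,
        "-md", "sha256",
        "-binary", "-nodetach",
        "-outform", "DER",
        "-out", out_sig,
        "-passin", "stdin",
    ]


def check_voucher_size(path, max_filesize=DEFAULT_MAX_FILESIZE):
    """Enforce max_filesize_emevoucher before the signing key is touched."""
    size = os.path.getsize(path)
    if size == 0 or size > max_filesize:
        raise SigningError("voucher is %d bytes, limit is %d" % (size, max_filesize))
    return size


def sign_emevoucher(voucher_bin, signer_pem, out_sig, passphrase,
                    max_filesize=DEFAULT_MAX_FILESIZE):
    """Write a DER S/MIME signature of voucher_bin to out_sig.
    The passphrase goes to openssl's stdin only, never into argv."""
    check_voucher_size(voucher_bin, max_filesize)
    proc = subprocess.run(emevoucher_sign_cmd(voucher_bin, signer_pem, out_sig),
                          input=(passphrase + "\n").encode(),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        # Report the exit status and openssl's stderr, not just "didn't return 0".
        err = proc.stderr.decode(errors="replace").strip()
        raise SigningError("openssl exited %d: %s" % (proc.returncode, err))
    return out_sig
```

The size check runs before openssl is spawned, so an oversized input is refused without the key or passphrase ever being used.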

Updated

4 years ago
Flags: needinfo?(catlee)
Attachment #8523064 - Flags: review?(bhearsum) → review+
(Assignee)

Comment 20

4 years ago
re-asking

(In reply to Justin Wood (:Callek) from comment #13)
> :catlee, Per IRC nick wanted me to double check that we intend to only use
> one .pem across all channels and build types (dep, nightly, try, release)
Flags: needinfo?(catlee)
We're going to be using one key for nightly/release, and another for dep/try.

Basically the 'nightly' and 'release' servers can share the same key, and we should have a self-signed cert for dep/try.
Flags: needinfo?(catlee)
(Assignee)

Comment 23

4 years ago
I deployed the Adobe-signed key for the nightly/release signing servers just now.

I think we are done here. (reopen if something seems amiss)
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
No longer blocks: 1098164
Component: General Automation → General
Product: Release Engineering → Release Engineering