Bug 1126898: Add support for separate "preliminary" signing endpoint URL
Status: VERIFIED FIXED (Closed)
Opened 9 years ago, closed 9 years ago
Categories: addons.mozilla.org Graveyard :: Admin/Editor Tools, defect
Tracking: Not tracked
Target milestone: 2015-02
Reporter: rtilder, Assigned: magopian
Attachments: 2 files
Per our discussion on IRC, something akin to Zamboni's handling of reviewer signing for FirefoxOS privileged apps found here: https://github.com/mozilla/zamboni/blob/master/lib/crypto/packaged.py#L101-104
Comment 1•9 years ago (Assignee)
Jason, is it clear to you what is needed? From what I understand, it needs another instance of trunion running with different settings. Once it's in place, could you please update this bug with the endpoint to use? I believe all the necessary information is in bug 1123915. Thanks!
Component: Payments/Refunds → Admin/Editor Tools
Depends on: 1123915
Flags: needinfo?(jthomas)
Product: Marketplace → addons.mozilla.org
Target Milestone: --- → 2015-02
Version: 1.5 → unspecified
Comment 2•9 years ago (Assignee)
Actually, in bug 1126894
Comment 3•9 years ago
I've added PRELIMINARY_SIGNING_SERVER to olympia's private settings file. https://github.com/mozilla-services/svcops-puppet/commit/12a6f90029ecc8778b4e0c875d9b8018f3a9a39c
Flags: needinfo?(jthomas)
Comment 4•9 years ago (Assignee)
PR: https://github.com/mozilla/olympia/pull/438
Ryan, is there a way, given a signed addon, to see if it's been fully or preliminary signed? What are the steps to make sure the correct endpoint (with the correct settings) has been used?
Flags: needinfo?(rtilder)
Comment 5•9 years ago (Assignee)
Fixed in https://github.com/mozilla/olympia/commit/da3f26487557af5719a5c3916939a820ee867d32
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 6•9 years ago
Please add STR here or mark it with [qa-] if no QA is needed.
Comment 7•9 years ago (Assignee)
:rtilder, :dveditz, :jason, is there a way, given a signed addon, to manually check if it's been signed with the correct endpoint?
Flags: needinfo?(jthomas)
Flags: needinfo?(dveditz)
Comment 8•9 years ago
I usually test by extracting the addon xpi and running the following openssl command:

openssl pkcs7 -inform der -in META-INF/zigbert.rsa -print_certs -text -noout

OU should be equal to 'Preliminary'.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 01:4b:c7:e3:db:4a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=Mountain View, O=Addons Test Signing, CN=test.addons.signing.root.ca/emailAddress=opsec+stagerootaddons@mozilla.com
        Validity
            Not Before: Feb 26 21:56:13 2015 GMT
            Not After : Feb 23 21:56:13 2025 GMT
        Subject: OU=Preliminary, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=someaddonuid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
Flags: needinfo?(jthomas)
Comment 9•9 years ago (Assignee)
Ah, excellent, thanks Jason! So the STR are:
1/ submit an addon and choose the prelim review
2/ download the (signed) addon from the listing page
3/ run the above command, and make sure the OU says "Preliminary"
4/ submit another addon and choose the full review
5/ download the (signed) addon from the listing page
6/ run the above command, and make sure the OU says... "Full"? Not sure about the text here, but it shouldn't be "Preliminary"
Flags: needinfo?(rtilder)
Flags: needinfo?(dveditz)
Comment 10•9 years ago
I have followed the steps above and for both full review and preliminary review the OU is "Preliminary". Attaching the log files for both full and preliminary reviews.
Comment 11•9 years ago
Reopening the bug.
Updated•9 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 12•9 years ago (Assignee)
Thanks Madalin. Jason? Is there a way we can double check that? How can I help?
Flags: needinfo?(jthomas)
Comment 13•9 years ago
Logs show addon in comment 10 (id=490498) was sent to preliminary server. Both servers are configured correctly in the settings.

ar 5 14:24:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.devhub:INFO FileUpload created: 33a08667fc5c4757beaf317e32206a9e :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/devhub/views.py:607
Mar 5 14:28:28 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:DEBUG clean_name called without an instance: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/forms.py:42
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Version changed from backup: None to None, current: None to None, latest: None to .1 for addon 490498: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:716
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.amo:INFO Cache increment failed for key: ns:d2c-versions:490498. Resetting. :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/amo/utils.py:673
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Incrementing d2c-versions namespace for add-on [490498]: 1425565710:ns:d2c-versions:490498 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:854
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.versions:INFO New version: <Version: .1> (1526568) from <FileUpload: 33a08667fc5c4757beaf317e32206a9e> :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/versions/models.py:128
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Version changed from backup: None to None, current: None to .1, latest: .1 to .1 for addon 490498: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:716
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:INFO Hash changed for file: 246970, addon: 490498, from: to: sha256:99f1ff8652fb1b7b115a94c75f0fa0d7abc3c0e0e8e888e7fdd09c044ec15418 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:469
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:DEBUG New file: <File: 246970> from <FileUpload: 33a08667fc5c4757beaf317e32206a9e> :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:172
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:DEBUG New addon <Addon: 490498: testPass3.5.2015> from <FileUpload: 33a08667fc5c4757beaf317e32206a9e> :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:500
Mar 5 14:29:44 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:INFO Moving file to mirror: /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi => /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:338
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:INFO Moving file to mirror: /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi => /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:338
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Incrementing d2c-versions namespace for add-on [490498]: 1425565711:ns:d2c-versions:490498 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:854
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO Signing version: 1526568 :./lib/crypto/packaged.py:120
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO File signature contents: Signature-Version: 1.0#012MD5-Digest-Manifest: BlommQe74LyMBZrPXgUyaA==#012SHA1-Digest-Manifest: IQuXOG8WeBEurfcRZjTFlVR4F4Q=#012 :./lib/crypto/packaged.py:58
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO Calling signing service: http://prelim-signer.addons.allizom.org/1.0/sign_addon :./lib/crypto/packaged.py:62
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO Signing complete for file 246970. :./lib/crypto/packaged.py:110
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.mailer:INFO Making 490498: testPass3.5.2015 public :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/editors/helpers.py:667
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.mailer:INFO Sending email for 490498: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/editors/helpers.py:668
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.users:INFO Awarding 120 points to user 10620563: madalinc for "Full Add-on Review" for addon 490498 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/editors/models.py:405

The addon.status = 4 for the addon so it should have been sent to the 'final' server. I manually signed the addon with sign_addon management command and it sent it to the correct server:

Mar 5 18:50:34 addonsadm.private.phx1.mozilla.com: [<anon>][None] z.crypto:INFO File signature contents: Signature-Version: 1.0#012MD5-Digest-Manifest: BlommQe74LyMBZrPXgUyaA==#012SHA1-Digest-Manifest: IQuXOG8WeBEurfcRZjTFlVR4F4Q=#012 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305174131-8d37083345/olympia/lib/crypto/packaged.py:58
Mar 5 18:50:34 addonsadm.private.phx1.mozilla.com: [<anon>][None] z.crypto:INFO Calling signing service: http://signer.addons.allizom.org/1.0/sign_addon :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305174131-8d37083345/olympia/lib/crypto/packaged.py:62

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1425581439580 (0x14beb467a5c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=Mountain View, O=Addons Test Signing, CN=test.addons.signing.root.ca/emailAddress=opsec+stagerootaddons@mozilla.com
        Validity
            Not Before: Mar 5 18:50:39 2015 GMT
            Not After : Mar 2 18:50:39 2025 GMT
        Subject: OU=Testing, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=gr14hyte-ZmmhUZdl7odf9zGfgG6AG0lsTvg@jetpack
        Subject Public Key Info:
Flags: needinfo?(jthomas)
Comment 14•9 years ago
Possibly related to mysql replication lag? Although lag should be very minimal especially on the -dev server.
Comment 15•9 years ago (Assignee)
Should be fixed by https://github.com/mozilla/olympia/pull/503/files#diff-1ff978159be740b1b8edc4fcc67c4faaR27, needs to be tested on -dev or stage
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Flags: needinfo?(jthomas)
Resolution: --- → FIXED
Comment 16•9 years ago
Do we need to QA this again?
Updated•9 years ago
Flags: needinfo?(jthomas)
Comment 17•9 years ago
Tested this again on stage.

For preliminary review:
        Validity
            Not Before: Apr 22 14:00:08 2015 GMT
            Not After : Apr 19 14:00:08 2025 GMT
        Subject: OU=Preliminary, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=gr14hyte-ZmmhUZdl7odd9gGdgT8AG1lsTvg@jetpack

For full review:
        Validity
            Not Before: Apr 22 13:51:40 2015 GMT
            Not After : Apr 19 13:51:40 2025 GMT
        Subject: OU=Testing, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=gr14hyte-ZmmhUZdl7odf9gGdgT8AG8lsTvg@jetpack

I do not think this is expected. :magopian?
Flags: needinfo?(mathieu)
Comment 18•9 years ago (Assignee)
From what I can tell, this is exactly what's expected:
- the preliminary reviewed addon has "preliminary" in the OU
- the fully reviewed addon doesn't have "preliminary" in the OU
Flags: needinfo?(mathieu)
Comment 19•9 years ago
OK, so for fully reviewed add-ons the text should be testing. Thanks for the response. Closing bug.
Status: RESOLVED → VERIFIED
Comment 20•9 years ago (Assignee)
I think the content is not important, it's just the presence (or absence) of "preliminary" that is. Maybe :dveditz can confirm?
Flags: needinfo?(dveditz)
Comment 21•9 years ago
We have two separate roots, a testing root and a prod root. I would hope that the prod root doesn't use OU=Testing for the non-preliminary one (and not O=Addons Testing). The text doesn't really matter though as long as it's not a case-insensitive match for "Preliminary", it would just look strange/bad.
Flags: needinfo?(dveditz)
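The manual check from comment 8, combined with the case-insensitive rule from comment 21, written as a script. This is an added example, not part of the bug thread or the olympia code base; the function names and the sample Subject lines are assumptions made for illustration, while the openssl command and the META-INF/zigbert.rsa path come from the thread.

```shell
#!/bin/sh
# Added example, not project code: classify a signed add-on by the OU in
# the Subject of the certificate(s) carried in META-INF/zigbert.rsa.

# Print the OU of every certificate Subject found in the text output of
# `openssl pkcs7 -print_certs -text` read from stdin. Accepts "OU=x" and
# "OU = x"; assumes no commas inside DN values.
subject_ous() {
    sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' |
    tr ',' '\n' |
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^[[:space:]]*OU[[:space:]]*=[[:space:]]*//p'
}

# Print "preliminary" if any Subject OU equals "Preliminary" ignoring case,
# "full" if Subjects were found but none match, and "unknown" (status 1)
# if no Subject was parsed at all, e.g. an unsigned or unreadable file.
signing_level() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q '^[[:space:]]*Subject:' ||
        { echo unknown; return 1; }
    if printf '%s\n' "$text" | subject_ous |
        tr '[:upper:]' '[:lower:]' | grep -qx 'preliminary'
    then echo preliminary
    else echo full
    fi
}

# Run the openssl command from comment 8 on the signature block of an XPI,
# read straight from the archive (needs unzip and openssl on PATH).
xpi_signing_level() {
    unzip -p "$1" META-INF/zigbert.rsa |
    openssl pkcs7 -inform der -print_certs -text -noout |
    signing_level
}

# Sample inputs: Subject lines adapted from the output quoted in this bug
# (CN values are placeholders), plus a constructed lowercase variant in the
# "OU = x" spacing that newer openssl releases print.
SAMPLE_PRELIM='        Subject: OU=Preliminary, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=someaddonuid
        Subject Public Key Info:'
SAMPLE_FULL='        Subject: OU=Testing, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=someaddonuid'
SAMPLE_LOWER='        Subject: OU = preliminary, C = US, CN = constructed-example'

# Usage: sh check_ou.sh prelim.xpi full.xpi
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(xpi_signing_level "$f")"
done
```

An "unknown" result means no certificate Subject could be read, which is worth treating as a failed check rather than as a fully signed add-on.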
Comment 22•9 years ago
(In reply to Daniel Veditz [:dveditz] from comment #21)
> I would hope that the prod root doesn't use OU=Testing for the non-preliminary one (and not O=Addons Testing).
It doesn't, Bug 1130020 comment 13 has an example.
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard