create a DR OS X signing server

RESOLVED FIXED

Status

Infrastructure & Operations
RelOps
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: arr, Assigned: dividehex)

Tracking

Details

(Reporter)

Description

3 years ago
We need to create an OS X 10.10 signing server for DR.
(Reporter)

Updated

3 years ago
Blocks: 1141631
(Reporter)

Comment 1

3 years ago
coop/jordan, can you specify an r4 machine to take out of service and use for this?
Flags: needinfo?(jlund)
Flags: needinfo?(coop)

Updated

3 years ago
Depends on: 1145367

Comment 2

3 years ago
t-snow-r4-0164
Flags: needinfo?(coop)

Updated

3 years ago
Flags: needinfo?(jlund)
(Assignee)

Comment 3

3 years ago
nagios checks removed

svn commit -m 'Bug 1141626 & Bug 1141628: remove nagios checks for DR minis'
Sending        releng/scl3.pp
Transmitting file data .
Committed revision 102585.
(Assignee)

Comment 4

3 years ago
This host was renamed in inventory to mac-v2-signing5.test.releng.scl3.mozilla.com for reimaging purposes
I successfully reimaged this to yosemite 10.10.  Just need to get the signing parts onboard

https://inventory.mozilla.org/en-US/systems/show/3949/
I think we should be using 10.9.5 for this, that's what the other v2 signing servers are.
I managed to sign something on this machine. I couldn't start up the signing server like we normally do because StartupItemContext is gone on 10.10, but that shouldn't matter for a DR machine that's not part of automation.

Here's a tarball of the app that I signed: http://people.mozilla.org/~bhearsum/FirefoxNightly-testsign-10.10.tar.gz

Since we've never done signing on 10.10 we should make sure that it validates correctly as signed on all supported platforms (10.6 through 10.10, I believe). Steven, any chance you can help with that, or know who can?
Flags: needinfo?(smichaud)
> Steven, any chance you can help with that, or know who can?

I can do it.

And I may be the only Mozilla person who can ... which is really bad, since I'm going to be retiring later this year.  But while I'm still here :-)
Flags: needinfo?(smichaud)
> http://people.mozilla.org/~bhearsum/FirefoxNightly-testsign-10.10.tar.gz

I checked this, and it looks fine to me.  But we really should be testing with FirefoxNightly.app dragged out from a DMG.

Furthermore, this file and any DMG needs to be downloaded using a browser (like Firefox) onto every machine where you're going to test it.  Otherwise neither it nor the copy of FirefoxNightly.app extracted from it will have a com.apple.quarantine attribute -- which both need to have for the "run by double-clicking" test to work properly.

First I used a browser to download this file to every machine where I was going to test.  Then I made sure each version of OS X in which I tested had "allow apps downloaded from" set to "Mac App Store and identified developers" (the default).  (This setting isn't available on OS X 10.6.8, so I didn't use it there.)  Then, in each version of OS X where I tested I extracted a new copy of FirefoxNightly.app.  Then I did the following tests, which all passed:

1) Double-click on FirefoxNightly.app
2) Run spctl -a -v on FirefoxNightly.app (not available on OS X 10.6.8)
3) Run codesign -vvvv on FirefoxNightly.app

I never saw the "verifying" progress bar in step 1 (as I normally would, and as I always do when double-clicking for the first time on a FirefoxNightly.app newly dragged out from a DMG).  So my tests weren't entirely representative.  But I think my tests show that the app in your tarball is properly signed.

I tested on OS X 10.6.8, 10.8.5, 10.9.5 and 10.10.2.
Jake, you're clear to ship this machine out now as far as I'm concerned.
(Assignee)

Comment 10

3 years ago
(In reply to Ben Hearsum [:bhearsum] from comment #9)
> Jake, you're clear to ship this machine out now as far as I'm concerned.

Thanks Ben!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.