1185610 - automated checks for key expiry dates

Status: RESOLVED WONTFIX

(Release Engineering :: Release Requests, defect, P3)

Description

[bhearsum@mozilla.com (:bhearsum)]

Stemming out of bug 1139929, we need to make sure we never miss a key expiry again. We were lucky that it only impacted a Beta release and some nightlies this time, but we may not be as lucky next time.

Some ideas:
* Nagios checks against one (or all?) signing servers that check key expirations.
* Script that runs periodically on signing server and e-mails report of key expirations.
* Events added to a shared calendar that remind us to renew keys ahead of expiration.
* An added item to the release checklist that instructs us to check release key expiration dates whenever we do a Beta 1.


It might be useful to do more than one of these, particular the calendar or b1 checks in addition to nagios or a script.

Comment 1

[bhearsum@mozilla.com (:bhearsum)]

(In reply to Ben Hearsum [:bhearsum] from comment #0)
> * An added item to the release checklist that instructs us to check release
> key expiration dates whenever we do a Beta 1.

As a start, I added this: https://wiki.mozilla.org/index.php?title=Releases%2FRelEngChecklist&diff=1086355&oldid=1081550

I don't have time to do anything else right now, but some sort of script or Nagios check would be really really good to have at some point.

Comment 2

[Jeff Bryner [:jeff] (use NEEDINFO 😉)]

Ben, there's a chance that the MOC might be able to help here. cc: Linda

Comment 3

[bhearsum@mozilla.com (:bhearsum)]

(In reply to Jeff Bryner [:jeff]  (use NEEDINFO) from comment #2)
> Ben, there's a chance that the MOC might be able to help here. cc: Linda

If you have anything, that would be awesome! Keep in mind that we're talking about code signing certs, though, not SSL.

Comment 4

[Firefox Bug Husbandry Bot]

Bulk change of QA Contact to :jlund, per https://bugzilla.mozilla.org/show_bug.cgi?id=1428483

Comment 5

[Aki Sasaki (not active)]

We've moved to a yearly audit model.