Closed Bug 1186425 Opened 9 years ago Closed 9 years ago

set-up new signing format for sha2 signing cert

Categories

(Release Engineering :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: bhearsum)

Attachments

(3 files, 1 obsolete file)

We need to start testing signing with our new SHA2 certificate. The easiest way to get started will be to add a new signing format that uses osslsigncode w/ the new certificate. Later, we may need to augment this to dual signing with two different certs if we decide to go that route.
Attached patch sha2-tools-1.diff (obsolete)
As far as the server code goes, we just treat it the same as signcode. signscript needs a bit more knowledge, because it has to find the secrets in a new place. I haven't tested this, but it's pretty straightforward and low risk since it's purely additive....
Attachment #8637238 - Flags: review?(catlee)
Comment on attachment 8637240: add sha2signcode to buildbot-configs template
Review of attachment 8637240:
b2gmar should probably die too...pretty sure we're not using it.
Attachment #8637240 - Flags: review?(catlee) → review+
Comment on attachment 8637239 [details] [diff] [review] sprinkle sha2signcode around puppet Review of attachment 8637239 [details] [diff] [review]: ----------------------------------------------------------------- ::: modules/signingserver/templates/signing.ini.erb @@ +55,5 @@ > testfile_b2gmar = <%=@testfile_mar%> > testfile_gpg = <%=@testfile_gpg%> > testfile_signcode = <%=@testfile_signcode%> > testfile_osslsigncode = <%=@testfile_osslsigncode%> > +testfile_sha2signcode = <%=@testfile_osslsigncode%> reusing this on purpose?
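Review bot: the added testfile_sha2signcode line in signing.ini.erb is fed from @testfile_osslsigncode, so two formats are tied to one variable with nothing in the template saying that is deliberate. If the shared test file is intended, a comment next to the line would record that; otherwise give the format its own variable so its test input can change without touching the osslsigncode one.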
Attachment #8637239 - Flags: review?(catlee) → review+
Comment on attachment 8637238 [details] [diff] [review] sha2-tools-1.diff Review of attachment 8637238 [details] [diff] [review]: ----------------------------------------------------------------- ::: release/signing/signscript.py @@ +108,5 @@ > sys.exit(1) > + elif format_ == "sha2signcode": > + safe_unlink(tmpfile) > + if not options.sha2signcode_keydir: > + parser.error("sha2signcode_keydir required when format is osslsigncode") typo here - "when format is sha2signcode" @@ +109,5 @@ > + elif format_ == "sha2signcode": > + safe_unlink(tmpfile) > + if not options.sha2signcode_keydir: > + parser.error("sha2signcode_keydir required when format is osslsigncode") > + if shouldSign(filename): a comment here about why we're reusing the osslsigncode function would be good - why does this work for sha2 sigs?
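Review bot: in the new sha2signcode branch of signscript.py the sha2signcode_keydir check runs after safe_unlink(tmpfile), so a missing option is only reported once the temp file has already been removed. Moving the check to just after option parsing would fail before any file is touched, and the parser.error text should name sha2signcode rather than osslsigncode so the operator is pointed at the right key directory.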
Attachment #8637238 - Flags: review?(catlee) → review-
(In reply to Chris AtLee [:catlee] from comment #5) > Comment on attachment 8637239 [details] [diff] [review] > sprinkle sha2signcode around puppet > > Review of attachment 8637239 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: modules/signingserver/templates/signing.ini.erb > @@ +55,5 @@ > > testfile_b2gmar = <%=@testfile_mar%> > > testfile_gpg = <%=@testfile_gpg%> > > testfile_signcode = <%=@testfile_signcode%> > > testfile_osslsigncode = <%=@testfile_osslsigncode%> > > +testfile_sha2signcode = <%=@testfile_osslsigncode%> > > reusing this on purpose? Yeah, there's no reason to deploy a different test file when the only difference is a different cert. > @@ +109,5 @@ > > + elif format_ == "sha2signcode": > > + safe_unlink(tmpfile) > > + if not options.sha2signcode_keydir: > > + parser.error("sha2signcode_keydir required when format is osslsigncode") > > + if shouldSign(filename): > > a comment here about why we're reusing the osslsigncode function would be > good - why does this work for sha2 sigs? I'll add something. I think the main point of confusion here is that we have 3 different "formats" for authenticode signing that are really just one format implemented differently. When we can kill the signcode and osslsigncode formats this should become more obvious, and maybe we'll rename sha2signcode to authenticode or something...
Attachment #8637254 - Flags: review?(catlee)
(In reply to Chris AtLee [:catlee] from comment #4)
> Comment on attachment 8637240
> add sha2signcode to buildbot-configs template
>
> Review of attachment 8637240:
> -----------------------------------------------------------------
>
> b2gmar should probably die too...pretty sure we're not using it.
Filed bug 1186449 for this.
Attachment #8637254 - Flags: review?(catlee) → review+
Attachment #8637238 - Attachment is obsolete: true
Attachment #8637254 - Flags: checked-in+
Attachment #8637240 - Flags: checked-in+
Attachment #8637239 - Flags: checked-in+
I had a tiny typo in a puppet template that I had to fix, but otherwise this looks to be landing cleanly. I've restarted the dep servers (after generating a self signed sha2 cert for them), and I'm waiting on a try push that uses sha2signcode before restarting the nightly and release ones: https://treeherder.mozilla.org/#/jobs?repo=try&revision=a8f92df03151
(In reply to Ben Hearsum [:bhearsum] from comment #10)
> I had a tiny typo in a puppet template that I had to fix, but otherwise this
> looks to be landing cleanly. I've restarted the dep servers (after
> generating a self signed sha2 cert for them), and I'm waiting on a try push
> that uses sha2signcode before restarting the nightly and release ones:
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=a8f92df03151
This failed with:
11:47:11 INFO - signtool.py: error: no hosts capable of signing formats: sha2signcode
This is because the masters haven't been reconfiged since my patch landed. I'll try this again after the next reconfig.
(In reply to Ben Hearsum [:bhearsum] from comment #11)
> (In reply to Ben Hearsum [:bhearsum] from comment #10)
> > I had a tiny typo in a puppet template that I had to fix, but otherwise this
> > looks to be landing cleanly. I've restarted the dep servers (after
> > generating a self signed sha2 cert for them), and I'm waiting on a try push
> > that uses sha2signcode before restarting the nightly and release ones:
> > https://treeherder.mozilla.org/#/jobs?repo=try&revision=a8f92df03151
>
> This failed with:
> 11:47:11 INFO - signtool.py: error: no hosts capable of signing
> formats: sha2signcode
>
> This is because the masters haven't been reconfiged since my patch landed.
> I'll try this again after the next reconfig.
I ended up restarting the nightly and release servers for sha2 this morning, since the dep ones worked fine overnight. I've got a test build going on Oak that will verify that sha2signcode works on a nightly signing server.
I successfully had builds signed with the try and Nightly certs. The Nightly one has a signature that recent versions of Windows find valid, so that's all good too. We're done here. We might need a new bug if we decide to do sha1+sha2 sigs.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
For posterity: I had to regenerate the self signed sha2 cert because the expiry was messed up. I updated the instructions on https://mana.mozilla.org/wiki/display/RelEng/Signing to make sure that doesn't happen in the future.
Component: General Automation → General
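The self-signed SHA-2 certificate mentioned above had to be regenerated because its expiry was wrong. As an added example (not part of this bug or of the signing instructions it links to), these shell functions create a throwaway self-signed certificate with an explicit lifetime and check its signature digest and remaining validity with the openssl CLI; the subject name, paths and thresholds are constructed.

```shell
#!/bin/sh
# Added example: generate a test self-signed cert signed with SHA-256 and
# verify digest and lifetime before it is deployed to a signing server.
# Subject, file names and day counts below are constructed for illustration.

# usage: make_selfsigned_sha2 <outdir> <days>
make_selfsigned_sha2() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$2" -subj "/CN=Example Dep Signing (constructed)" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Exit 0 only if the cert will still be valid <days> days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# usage: check_cert <cert.pem> <min_days>
# Prints "ok", "weak-digest:<alg>" or "expires-too-soon".
check_cert() {
    alg=$(cert_sig_alg "$1")
    case $alg in
        sha256*|sha384*|sha512*) ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *) echo "weak-digest:$alg"; return 1 ;;
    esac
    if ! cert_valid_for_days "$1" "$2"; then
        echo "expires-too-soon"
        return 1
    fi
    echo "ok"
}
```

Running `check_cert` against the freshly generated file, with the minimum lifetime the servers need, catches a wrong `-days` value before any build depends on the certificate.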