set-up new signing format for sha2 signing cert

RESOLVED FIXED

Status

Release Engineering
General Automation

People

(Reporter: bhearsum, Assigned: bhearsum)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments, 1 obsolete attachment)

(Assignee)

Description

2 years ago
We need to start testing signing with our new SHA2 certificate. The easiest way to get started will be to add a new signing format that uses osslsigncode w/ the new certificate. Later, we may need to augment this to dual signing with two different certs if we decide to go that route.
(Assignee)

Comment 1

2 years ago
Created attachment 8637238 [details] [diff] [review]
sha2-tools-1.diff

As far as the server code goes, we just treat it the same as signcode. signscript needs a bit more knowledge, because it has to find the secrets in a new place.

I haven't tested this, but it's pretty straightforward and low risk since it's purely additive....
Attachment #8637238 - Flags: review?(catlee)
(Assignee)

Comment 2

2 years ago
Created attachment 8637239 [details] [diff] [review]
sprinkle sha2signcode around puppet
Attachment #8637239 - Flags: review?(catlee)
(Assignee)

Comment 3

2 years ago
Created attachment 8637240 [details] [diff] [review]
add sha2signcode to buildbot-configs template
Attachment #8637240 - Flags: review?(catlee)
Comment on attachment 8637240 [details] [diff] [review]
add sha2signcode to buildbot-configs template

Review of attachment 8637240 [details] [diff] [review]:
-----------------------------------------------------------------

b2gmar should probably die too...pretty sure we're not using it.
Attachment #8637240 - Flags: review?(catlee) → review+
Comment on attachment 8637239 [details] [diff] [review]
sprinkle sha2signcode around puppet

Review of attachment 8637239 [details] [diff] [review]:
-----------------------------------------------------------------

::: modules/signingserver/templates/signing.ini.erb
@@ +55,5 @@
>  testfile_b2gmar = <%=@testfile_mar%>
>  testfile_gpg = <%=@testfile_gpg%>
>  testfile_signcode = <%=@testfile_signcode%>
>  testfile_osslsigncode = <%=@testfile_osslsigncode%>
> +testfile_sha2signcode = <%=@testfile_osslsigncode%>
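
Review bot: the added `testfile_sha2signcode` line is set from `@testfile_osslsigncode` rather than a variable of its own, which reads like a copy-paste slip. If the reuse is intended, say so in a template comment or the commit message; otherwise add a separate `@testfile_sha2signcode` value so the sha2 format can be given its own test file later without touching the osslsigncode one.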

reusing this on purpose?
Attachment #8637239 - Flags: review?(catlee) → review+
Comment on attachment 8637238 [details] [diff] [review]
sha2-tools-1.diff

Review of attachment 8637238 [details] [diff] [review]:
-----------------------------------------------------------------

::: release/signing/signscript.py
@@ +108,5 @@
>              sys.exit(1)
> +    elif format_ == "sha2signcode":
> +        safe_unlink(tmpfile)
> +        if not options.sha2signcode_keydir:
> +            parser.error("sha2signcode_keydir required when format is osslsigncode")
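
Review bot: the `parser.error` text on the last added line says the option is required "when format is osslsigncode", but this branch handles `format_ == "sha2signcode"`, so an operator who hits the error is pointed at the wrong format. Change the message to name sha2signcode.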

typo here - "when format is sha2signcode"

@@ +109,5 @@
> +    elif format_ == "sha2signcode":
> +        safe_unlink(tmpfile)
> +        if not options.sha2signcode_keydir:
> +            parser.error("sha2signcode_keydir required when format is osslsigncode")
> +        if shouldSign(filename):
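
Review bot: `if not options.sha2signcode_keydir:` only rejects an unset or empty option; a path that does not exist or is not a directory is not caught at this point. Consider also checking that the directory exists here, so a misdeployed secrets location produces the same clear `parser.error` before `shouldSign(filename)` is reached.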

a comment here about why we're reusing the osslsigncode function would be good - why does this work for sha2 sigs?
Attachment #8637238 - Flags: review?(catlee) → review-
(Assignee)

Comment 7

2 years ago
(In reply to Chris AtLee [:catlee] from comment #5)
> Comment on attachment 8637239 [details] [diff] [review]
> sprinkle sha2signcode around puppet
> 
> Review of attachment 8637239 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: modules/signingserver/templates/signing.ini.erb
> @@ +55,5 @@
> >  testfile_b2gmar = <%=@testfile_mar%>
> >  testfile_gpg = <%=@testfile_gpg%>
> >  testfile_signcode = <%=@testfile_signcode%>
> >  testfile_osslsigncode = <%=@testfile_osslsigncode%>
> > +testfile_sha2signcode = <%=@testfile_osslsigncode%>
> 
> reusing this on purpose?

Yeah, there's no reason to deploy a different test file when the only difference is a different cert.

> @@ +109,5 @@
> > +    elif format_ == "sha2signcode":
> > +        safe_unlink(tmpfile)
> > +        if not options.sha2signcode_keydir:
> > +            parser.error("sha2signcode_keydir required when format is osslsigncode")
> > +        if shouldSign(filename):
> 
> a comment here about why we're reusing the osslsigncode function would be
> good - why does this work for sha2 sigs?

I'll add something. I think the main point of confusion here is that we have 3 different "formats" for authenticode signing that are really just one format implemented differently. When we can kill the signcode and osslsigncode formats this should become more obvious, and maybe we'll rename sha2signcode to authenticode or something...
(Assignee)

Comment 8

2 years ago
Created attachment 8637254 [details] [diff] [review]
update comment + error message
Attachment #8637254 - Flags: review?(catlee)
(Assignee)

Comment 9

2 years ago
(In reply to Chris AtLee [:catlee] from comment #4)
> Comment on attachment 8637240 [details] [diff] [review]
> add sha2signcode to buildbot-configs template
> 
> Review of attachment 8637240 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> b2gmar should probably die too...pretty sure we're not using it.

Filed bug 1186449 for this.

Updated

2 years ago
Attachment #8637254 - Flags: review?(catlee) → review+
(Assignee)

Updated

2 years ago
Attachment #8637238 - Attachment is obsolete: true
(Assignee)

Updated

2 years ago
Attachment #8637254 - Flags: checked-in+
(Assignee)

Updated

2 years ago
Attachment #8637240 - Flags: checked-in+
(Assignee)

Updated

2 years ago
Attachment #8637239 - Flags: checked-in+
(Assignee)

Comment 10

2 years ago
I had a tiny typo in a puppet template that I had to fix, but otherwise this looks to be landing cleanly. I've restarted the dep servers (after generating a self signed sha2 cert for them), and I'm waiting on a try push that uses sha2signcode before restarting the nightly and release ones: https://treeherder.mozilla.org/#/jobs?repo=try&revision=a8f92df03151
(Assignee)

Comment 11

2 years ago
(In reply to Ben Hearsum [:bhearsum] from comment #10)
> I had a tiny typo in a puppet template that I had to fix, but otherwise this
> looks to be landing cleanly. I've restarted the dep servers (after
> generating a self signed sha2 cert for them), and I'm waiting on a try push
> that uses sha2signcode before restarting the nightly and release ones:
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=a8f92df03151

This failed with:
11:47:11     INFO -  signtool.py: error: no hosts capable of signing formats: sha2signcode

This is because the masters haven't been reconfiged since my patch landed. I'll try this again after the next reconfig.
In production: https://hg.mozilla.org/build/buildbot-configs/rev/cb409abbe898
(Assignee)

Comment 13

2 years ago
(In reply to Ben Hearsum [:bhearsum] from comment #11)
> (In reply to Ben Hearsum [:bhearsum] from comment #10)
> > I had a tiny typo in a puppet template that I had to fix, but otherwise this
> > looks to be landing cleanly. I've restarted the dep servers (after
> > generating a self signed sha2 cert for them), and I'm waiting on a try push
> > that uses sha2signcode before restarting the nightly and release ones:
> > https://treeherder.mozilla.org/#/jobs?repo=try&revision=a8f92df03151
> 
> This failed with:
> 11:47:11     INFO -  signtool.py: error: no hosts capable of signing
> formats: sha2signcode
> 
> This is because the masters haven't been reconfiged since my patch landed.
> I'll try this again after the next reconfig.

I ended up restarting the nightly and release servers for sha2 this morning, since the dep ones worked fine overnight. I've got a test build going on Oak that will verify that sha2signcode works on a nightly signing server.
(Assignee)

Comment 14

2 years ago
I successfully had builds signed with the try and Nightly certs. The Nightly one has a signature that recent versions of Windows find valid, so that's all good too.

We're done here. We might need a new bug if we decide to do sha1+sha2 sigs.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Assignee)

Comment 15

2 years ago
For posterity: I had to regenerate the self signed sha2 cert because the expiry was messed up. I updated the instructions on https://mana.mozilla.org/wiki/display/RelEng/Signing to make sure that doesn't happen in the future.
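
A pre-deployment check for the situation described in the comment above, a self-signed SHA-2 certificate whose validity period came out wrong. This is an added example, not code from the bug or from Mozilla's signing tools; the function names, the certificate subject and the 30-day threshold are assumptions, and the certificates are constructed test input.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a self-signed signing cert before deploying it.
# Function names, subject and thresholds are assumptions for illustration.

# make_test_cert DIR DAYS
# Constructed sample input: a throwaway self-signed cert valid for DAYS days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=constructed-dep-signing-test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# check_cert CERT MIN_DAYS
# Prints "ok" or a short reason; returns non-zero when the cert should not ship.
check_cert() {
    local cert=$1 min_days=$2 sigalg
    # First "Signature Algorithm" line of the text dump, lower-cased.
    sigalg=$(openssl x509 -in "$cert" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print tolower($2); exit}')
    case $sigalg in
        *sha256*|*sha384*|*sha512*) ;;          # SHA-2 family digest
        *) echo "not-sha2:$sigalg"; return 1 ;;  # e.g. sha1WithRSAEncryption
    esac
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "expires-within-${min_days}-days"
        return 1
    fi
    echo "ok"
}

# Stand-alone demonstration on constructed certificates.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir" 365 && check_cert "$dir/cert.pem" 30
    make_test_cert "$dir" 1 && check_cert "$dir/cert.pem" 30
    rm -rf "$dir"
fi
```
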