This will require some changes in the build system: MOZ_INTERNAL_SIGNING_FORMAT and MOZ_EXTERNAL_SIGNING_FORMAT in https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/signing.mk#11 should be changed from "osslsigncode" to "sha2signcode".
I wonder if we should start signing nightly/aurora/beta with SHA2 before 43.0.
(In reply to Rail Aliiev [:rail], on PTO Nov 21 - Mozlandia from comment #0) > This will require some changes in the build system: > > MOZ_INTERNAL_SIGNING_FORMAT and MOZ_EXTERNAL_SIGNING_FORMAT in > https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/ > signing.mk#11 should be changed from "osslsigncode" to "sha2signcode". FTR, "sha2signcode" comes from https://dxr.mozilla.org/build-central/source/puppet/modules/buildmaster/templates/passwords.py.erb#14, one of the signing formats supported by our signing servers.
I think we should start rolling this out to nightly ASAP, and aurora as soon as we're comfortable. My understanding was that should not do this for beta 43 since we need the client changes which disable the maintenance service on WinXP and need to deploy that (to release) before we enabled SHA2 codesigning. But I'm not the expert/haven't thought this through well.
Tracking this for 43, and nominating for 44/45 as well.
Tracked for 44 because it's related to SHA-1 signing deprecation.
Jordan do you know how is this going and is there a way to test it out before the 43 release? Or did we already cover this in testing? Are we planning to roll this out to other channels? Sorry to bug you about it, I'm not sure who else to ask though.
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6) > Jordan do you know how is this going and is there a way to test it out > before the 43 release? Or did we already cover this in testing? catlee is helping here: https://bugzilla.mozilla.org/show_bug.cgi?id=1079858#c74 I will make sure to stay in touch with sheriffs and get this merged into m-c before EOD then we can quickly uplift this across branches tomorrow. We should test this before RC on monday everywhere.
Untracking from here, this is being tracked in bug 1079858