Firefox 43.0 win builds should be signed with sha2

RESOLVED FIXED

Status

Release Engineering
Releases
2 years ago
2 years ago

People

(Reporter: rail, Unassigned)

Tracking

unspecified

Firefox Tracking Flags

(firefox43+ fixed, firefox44- fixed, firefox45- fixed)

Details

(Reporter)

Description

2 years ago
This will require some changes in the build system:

MOZ_INTERNAL_SIGNING_FORMAT and MOZ_EXTERNAL_SIGNING_FORMAT in https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/signing.mk#11 should be changed from "osslsigncode" to "sha2signcode".
(Reporter)

Comment 1

2 years ago
I wonder if we should start signing nightly/aurora/beta with SHA2 before 43.0.
Flags: needinfo?(benjamin)
(Reporter)

Comment 2

2 years ago
(In reply to Rail Aliiev [:rail], on PTO Nov 21 - Mozlandia from comment #0)
> This will require some changes in the build system:
> 
> MOZ_INTERNAL_SIGNING_FORMAT and MOZ_EXTERNAL_SIGNING_FORMAT in
> https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/signing.mk#11
> should be changed from "osslsigncode" to "sha2signcode".

FTR, "sha2signcode" comes from https://dxr.mozilla.org/build-central/source/puppet/modules/buildmaster/templates/passwords.py.erb#14, one of the signing formats supported by our signing servers.
I think we should start rolling this out to nightly ASAP, and aurora as soon as we're comfortable.

My understanding was that we should not do this for beta 43 since we need the client changes which disable the maintenance service on WinXP and need to deploy that (to release) before we enable SHA2 codesigning. But I'm not the expert/haven't thought this through well.
Flags: needinfo?(benjamin)
Tracking this for 43, and nominating for 44/45 as well.
status-firefox43: --- → affected
status-firefox44: --- → affected
status-firefox45: --- → affected
tracking-firefox43: --- → +
tracking-firefox44: --- → ?
tracking-firefox45: --- → +

Comment 5

2 years ago
Tracked for 44 because it's related to SHA-1 signing deprecation.
tracking-firefox44: ? → +
Jordan, do you know how this is going, and is there a way to test it out before the 43 release? Or did we already cover this in testing?

Are we planning to roll this out to other channels? Sorry to bug you about it, I'm not sure who else to ask though.
Flags: needinfo?(jlund)

Comment 7

2 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> Jordan, do you know how this is going, and is there a way to test it out
> before the 43 release? Or did we already cover this in testing?

catlee is helping here: https://bugzilla.mozilla.org/show_bug.cgi?id=1079858#c74

I will make sure to stay in touch with sheriffs and get this merged into m-c before EOD, then we can quickly uplift this across branches tomorrow. We should test this before RC on Monday everywhere.
Flags: needinfo?(jlund)
(Reporter)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 8

2 years ago
Untracking from here; this is being tracked in bug 1079858.
status-firefox43: affected → fixed
status-firefox44: affected → fixed
status-firefox45: affected → fixed
tracking-firefox44: + → -
tracking-firefox45: + → -