Closed Bug 1228428 Opened 9 years ago Closed 9 years ago

Sign MozillaBuild installer executables

Categories: (Firefox Build System :: MozillaBuild, task) All, Windows, task, Not set, normal
Tracking: (Not tracked)
Status: VERIFIED FIXED
People: (Reporter: wtc, Assigned: rail)

When I run the MozillaBuild 2.1.0 installer, Windows says the publisher is unknown. The installer executables should be signed. Until then, I suggest that in the announcements of new releases, we provide HTTPS download URLs. For example, https://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/MozillaBuildSetup-Latest.exe instead of http://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/MozillaBuildSetup-Latest.exe.
I have no idea what it would take to properly sign the installer. Do you have suggestions on where to start, catlee?
Flags: needinfo?(catlee)
It would have to be a manual process by releng at this point, assuming we want to use the same certs that we're using for Firefox. Would you just want the installer signed, or contents as well?
Flags: needinfo?(catlee)
Chris: I am not sure what it means to sign just the installer vs. the contents as well. I want the installer signed, but I am not requesting that we sign the individual .exe files in the package. Did I understand your question correctly?
I think signing just the installer itself would suffice. I'd be hesitant to sign others' binaries anyway.
Rail, do you know what the process would be for doing this? I'm intending to ship the next MozillaBuild release soon and it would be great if we could do this as part of that.
Flags: needinfo?(rail)
The process would be something like: 1) provide the file URL and the checksums; 2) ping someone who has access to the signing servers: catlee, bhearsum, nthomas, rail, coop, hwine.
Flags: needinfo?(rail)
This was done for the 2.2 release with help from Rail. For now, I guess it'll need to be a manual process (albeit not horribly burdensome since it only takes a few minutes and MozillaBuild releases aren't terribly frequent). To document this for future reference, a copy of the unsigned installer and its sha-512 hash were provided so Rail could run it through a Taskcluster-based signing job. We initially ran into problems with Windows SmartScreen because the old sha1 certificate was used for signing instead of the newer sha256 one, so we'll want to verify that in the future for later releases.
Assignee: nobody → rail
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
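A post-signing check of the kind the comment above says should happen for later releases, as an added example (not code from this bug or from MozillaBuild's release tooling). It is PowerShell, run on the signed installer after it comes back from the signing job. Assumptions: the expected SHA-512 is the one published for the signed artifact; the signer subject contains "Mozilla Corporation", as the later comment reports Windows showing; and the "old sha1 certificate" is recognisable by its sha1RSA signature algorithm, so anything other than sha256RSA is flagged. The function name and parameters are hypothetical.

```powershell
# Added example, not from the bug or MozillaBuild's release process.
# Checks a signed installer for the problems discussed in this bug:
# unknown publisher (no valid Authenticode signature) and signing with
# the old SHA-1 certificate (SmartScreen warnings).
function Test-SignedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha512,
        # Assumed subject fragment; adjust if the signing cert changes.
        [string] $ExpectedPublisher = 'CN=Mozilla Corporation'
    )

    $problems = @()

    # 1. Integrity: compare against the hash published for the signed
    #    artifact (signing changes the file, so the pre-signing hash
    #    handed to releng will not match here).
    $actual = (Get-FileHash -Path $Path -Algorithm SHA512).Hash
    if ($actual -ne $ExpectedSha512.ToUpperInvariant()) {
        $problems += "SHA-512 mismatch: got $actual"
    }

    # 2. Authenticode status: 'Valid' means the signature verifies and
    #    chains to a trusted root. NotSigned/HashMismatch/UnknownError
    #    are what make Windows report 'Unknown publisher'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Authenticode status is $($sig.Status): $($sig.StatusMessage)"
    }

    # 3. Publisher: check who signed, not merely that something did.
    $subject = $sig.SignerCertificate.Subject
    if (-not $subject -or $subject -notlike "*$ExpectedPublisher*") {
        $problems += "Unexpected signer subject: '$subject'"
    }

    # 4. Certificate algorithm (assumption: the old SHA-1 cert carries a
    #    sha1RSA CA signature, the newer one sha256RSA). The digest
    #    algorithm used over the file itself is a separate property that
    #    'signtool verify /v /pa' prints.
    $alg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    if ($alg -ne 'sha256RSA') {
        $problems += "Signing certificate uses '$alg', expected sha256RSA"
    }

    # 5. Timestamp: without a countersignature the signature stops
    #    validating once the certificate expires, which matters for an
    #    installer that stays on ftp.mozilla.org for years.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'Signature is not timestamped'
    }

    [pscustomobject]@{
        Path        = $Path
        Sha512      = $actual
        Status      = $sig.Status
        Signer      = $subject
        CertAlg     = $alg
        Timestamped = [bool]$sig.TimeStamperCertificate
        Problems    = $problems
        Ok          = ($problems.Count -eq 0)
    }
}

# Usage; the hash is a placeholder, not the real MozillaBuild checksum:
# Test-SignedInstaller -Path .\MozillaBuildSetup-Latest.exe `
#     -ExpectedSha512 '<SHA512-FROM-RELEASE-NOTES>'
```

The object it returns is meant to be checked before the download URL goes into the release announcement: `Ok` is false if any of the five checks failed, and `Problems` lists which ones, so a repeat of the SHA-1 certificate mix-up shows up before users see a SmartScreen warning.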
When I installed the 2.2 release, Windows showed a verified publisher of Mozilla Corporation. Thank you! Nit: in the release notes, it would be good to use HTTPS in the download URL (and also the changelog URL): https://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/MozillaBuildSetup-Latest.exe
Status: RESOLVED → VERIFIED
(In reply to Wan-Teh Chang from comment #8)
> Nit: in the release notes, it would be good to use HTTPS in
> the download URL (and also the changelog URL):

Yeah, that came up in the dev-platform thread already. It was an oversight on my part and won't happen next release.
Product: mozilla.org → Firefox Build System