Create tasks to sign Mac builds created in TaskCluster

RESOLVED FIXED

Status

P1
normal
RESOLVED FIXED
2 years ago
7 months ago

People

(Reporter: coop, Assigned: kmoir)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Mac builds have distinct signing requirements from both Linux and Windows, so we'll need special workers in TC to deal with that, but also so that we have signing covered by the chain-of-trust.
(Reporter)

Comment 1

2 years ago
(In reply to Chris Cooper [:coop] from comment #0)
> Mac builds have distinct signing requirements from both Linux and Windows,
> so we'll need special workers in TC to deal with that, but also so that we
> have signing covered by the chain-of-trust.

Aki: is this accurate? Have you given any thought to how this might work?
Flags: needinfo?(aki)

Comment 2

2 years ago
a) signing happens on the signing servers.  Our current signing scriptworkers can talk to the mac signing servers, so they may be able to handle it.
b) if `mach repackage` for macs requires a mac to be able to do packaging, then we may have to spin up mac signing scriptworkers.  However, if we're able to either do packaging on the mac signing servers, or package on linux in a way that is shippable, then we can expand the existing linux signing scriptworkers' capabilities to handle that.

Per my convo with Ben,

ifdef MOZ_SIGN_PREPARED_PACKAGE_CMD  ifeq (Darwin, $(OS_ARCH))    MAKE_PACKAGE    = $(or $(call MAKE_SIGN_EME_VOUCHER,$(STAGEPATH)$(MOZ_PKG_DIR)$(_BINPATH)/$(MOZ_CHILD_PROCESS_NAME).app/Contents/MacOS,$(STAGEPATH)$(MOZ_PKG_DIR)$(_RESPATH)),true) \                      && (cd $(STAGEPATH)$(MOZ_PKG_DIR)$(_RESPATH) && $(CREATE_PRECOMPLETE_CMD)) \                      && cd ./$(PKG_DMG_SOURCE) && $(MOZ_SIGN_PREPARED_PACKAGE_CMD) $(MOZ_MACBUNDLE_NAME) \                      && cd $(PACKAGE_BASE_DIR) && $(INNER_MAKE_PACKAGE)

MOZ_MACBUNDLE_NAME is signed, then dmg-ized.  if we tar that up and publish unsigned, we can do the last 2 steps later.

Since I'm under the impression we can dmg-ize without a mac, we may not need mac signing workers.  We'll flesh out the details with mach repackage for mac.
Flags: needinfo?(aki)
(Reporter)

Comment 3

2 years ago
We've been discussing this as part of our migration work week this week. Our constraints were:

* keep the logic for creating packages in-tree
* avoid needing to run configure source checkout on the signing servers in order to sign or package
* break packaging and signing out into distinct steps so they can be retried independently

We've come up with a 3-4 step solution, depending on the platform:

1) Build system generates an unsigned tarball
2) Signing server signs innards: Mac==.app, Windows==.dlls,.exes
3) Package task creates platform-specific package: DMG, zip, exe
4) Sign packaged build (Windows installer only)

This is functionally equivalent to the signing/packaging steps that run inline in the build system right now. 
While we're primarily concerned about Mac in this particular bug, this same sequence is applicable to signing Windows builds.
Summary: Setup Mac SigningWorker → Create tasks to sign Mac builds created in TaskCluster
(Reporter)

Comment 4

2 years ago
#4 will need to happen for MARs too
(Reporter)

Updated

2 years ago
Depends on: 1338275
(Reporter)

Updated

2 years ago
Depends on: 1338271
(Reporter)

Updated

2 years ago
Depends on: 1324834
FYI, we don't currently do it, but apparently as of OS X 10.11.5 you can now sign DMG files as well, so we should plan for that (even if it doesn't happen in the first pass):
http://stackoverflow.com/a/37923530
(Reporter)

Comment 6

2 years ago
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #5)
> FYI, we don't currently do it, but apparently as of OS X 10.11.5 you can now
> sign DMG files as well, so we should plan for that (even if it doesn't
> happen in the first pass):
> http://stackoverflow.com/a/37923530

Does the DMG signature break non-Sierra platforms or is it ignored?

The way we're setting up signing in TC, we should be able to add in this extra signing task fairly easily if we decide to, but it won't be in the first pass.
(Reporter)

Comment 7

2 years ago
Kim is looking into this (and dependencies) while Callek is out.
Assignee: nobody → kmoir
(Assignee)

Comment 8

2 years ago
Created attachment 8841727 [details]
IMG_2898.JPG
(Reporter)

Comment 9

2 years ago
Re-assigning to :Callek. :kmoir will handle the taskgraph bits.
Assignee: kmoir → bugspam.Callek
Status: NEW → ASSIGNED
OS: Unspecified → Linux
Priority: -- → P1
Hardware: Unspecified → x86_64
(Assignee)

Comment 10

2 years ago
Callek: so since we last spoke re the mac migration work last week some bugs have been reassigned. So to clarify you would work on the build side code of this bug and I would work on the tasks?  It's not clear to me.
Flags: needinfo?(bugspam.Callek)
(In reply to Kim Moir [:kmoir] from comment #10)
> Callek: so since we last spoke re the mac migration work last week some bugs
> have been reassigned. So to clarify you would work on the build side code of
> this bug and I would work on the tasks?  It's not clear to me.

That is how I understood it.
Flags: needinfo?(bugspam.Callek)
(Assignee)

Comment 12

2 years ago
From irc this morning
aki-away: do you happen to recall re: DMG signing?
9:31 AM 
<coop> Callek: what does the current system do?
9:31 AM IIRC we wanted to keep DMG packaging off the signing servers themselves because it's so intensive
9:32 AM however, if it's easier to have that all contained on the signing server, we can spin up more signing servers
9:32 AM 
<Callek> the current build system, creates a flat directory, that then gets pushed to the signing server as a tarball, and then the build system creates a DMG from what is output
9:33 AM the unsigned taskcluster build creates as an artifact the unsigned DMG though
9:33 AM I vaguely thought we planned to do the unpacking of the DMG on the signing scriptworker, but then do the repacking on the second stage step, but I'm trying to remember what we decided here :/
9:34 AM 
<coop> by "current build system" you mean buildbot-created Mac build?
9:34 AM 
<Callek> yes
9:34 AM 
<coop> do we ever want to sign and not repackage?
9:34 AM 
<Callek> I can't think of a good reason to sign and not then produce a DMG
9:36 AM 
<coop> agreed, but do we then need the DMG logic in more than one place?
9:37 AM we were trying to avoid needing a configured tree on the signing servers IIRC
9:38 AM ⇐ rail quit (Rail@moz-4spvl5.dsl.bell.ca) Quit: Gone...
9:40 AM 
<Callek> I think we can get away with this, just trying to get an idea on what is passed back and what will need to be exported to pass in
9:41 AM 
<coop> do we actually need a configured tree to package a DMG?
9:41 AM 
<Callek> I think we probably do, at least if we want to use the build system to do it
9:43 AM 
<coop> ok
9:44 AM so, let me see if i understand where we're at...
9:45 AM signing scriptworker unpacks unsigned dmg from build system, passes contents to signing server for signing, and then repackages signed contents as dmg
9:45 AM accurate?
9:46 AM 
<Callek> That's as I *think* our decision was
9:46 AM Basically, we will have tasks "Build (unsigned)" --> "Signingscriptworker" --> "Mach [re]Package (into deliverable)" ... where the deliverable of unsigned is a .dmg, deliverable of signingscriptworker is a tarball, and deliverable of mach repackage is a dmg again.
9:46 AM aiui
10:06 AM 
<coop> Callek: is that enough to go on, or do you need more detail?
10:10 AM 
<Callek> I can go on that a bit, would love confirmation that I'm not overlooking something, from aki when he gets here though :-)
10:11 AM thanks
10:11 AM 
<coop> let's plan to discuss it at the mtg today
10:13 AM 
<Callek> ok
10:16 AM 
<aki-away> dmg in, tar out is my memory
10:18 AM 3 step for mac, 4 for windows, unless we sign the dmg itself, in which case it would be 4 for both
10:19 AM Callek: ^
10:27 AM 
<Callek> thanks!
(Assignee)

Updated

2 years ago
Depends on: 1324052
Kim is working on this taskgraph part (will file a new bug to track the work + integration of this and other related work)
Assignee: bugspam.Callek → kmoir

Updated

2 years ago
Blocks: 1338275
No longer depends on: 1338275

Updated

2 years ago
Blocks: 1347579

Updated

2 years ago
See Also: → bug 1185666
(Assignee)

Comment 14

2 years ago
I'm going to close this.  Bug 1324052 is still open, however, the signing parts have been implemented. I've opened nbug 1352417 (beetmover) and  bug 1352426 (balrog) to address the remaining taskgraph issues.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Updated

7 months ago
Product: TaskCluster → Firefox Build System
You need to log in before you can comment on or make changes to this bug.