Bug 1332131
Opened 8 years ago
Closed 8 years ago
many psm xpcshell test certificates are expiring soon (e.g. in February)
Categories
(Core :: Security: PSM, defect, P1)
RESOLVED
FIXED
mozilla53
Branch | Tracking | Status |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox51 | --- | fixed |
firefox52 | --- | fixed |
firefox53 | --- | fixed |
People
(Reporter: keeler, Assigned: keeler)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
In bug 1256495 we "temporarily" checked the generated psm xpcshell test certificates into the tree. Many of these certificates expire on 4 February 2017, which is coming up soon. We'll probably need to re-generate them and check them in again.
Comment 1•8 years ago
Do we have a bug that tracks a permanent (just-in-time) solution?
Comment 2•8 years ago (Assignee)
Maybe bug 1198077?
Comment hidden (mozreview-request)
Comment 4•8 years ago
mozreview-review
Comment on attachment 8828591 [details]
bug 1332131 - regenerate psm xpcshell test certificates to avoid failures when they expire
https://reviewboard.mozilla.org/r/105918/#review107074
LGTM, although I only checked a few certs to confirm their notAfter is in 2018.
Other than that, I just ensured that the certs that should've changed did change.
Attachment #8828591 - Flags: review?(cykesiopka.bmo) → review+
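The spot check described in the review above (confirming that regenerated certificates have a later notAfter) can be run over every certificate instead of a few. The following is an added example, not code from this bug or from Mozilla's tree: it reads notAfter straight out of the DER structure with the standard library only, and the file names and sample certificates are constructed for illustration.

```python
import base64, re
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem):
    """Return the notAfter of the first certificate in a PEM string (UTC)."""
    b64 = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                    pem, re.S).group(1)
    der = base64.b64decode(b64)
    _, pos, _ = _tlv(der, 0)            # enter Certificate
    _, pos, _ = _tlv(der, pos)          # enter TBSCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                     # skip the optional [0] version field
        pos = end
    for _ in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)          # enter Validity
    _, _, pos = _tlv(der, pos)          # skip notBefore
    tag, start, end = _tlv(der, pos)    # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                     # UTCTime: RFC 5280 pivots 2-digit years at 50
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiring(certs, cutoff):
    """Names of certificates (name -> PEM text) whose notAfter is before cutoff."""
    return sorted(n for n, pem in certs.items() if not_after(pem) < cutoff)

# Constructed sample: unsigned skeletons carrying only the fields walked above.
def _seq(tag, *parts):
    body = b"".join(parts)              # short-form length is enough here
    return bytes([tag, len(body)]) + body

def sample_cert(not_after_utc):
    validity = _seq(0x30, _seq(0x17, b"160101000000Z"), _seq(0x17, not_after_utc))
    tbs = _seq(0x30, _seq(0xA0, _seq(0x02, b"\x02")), _seq(0x02, b"\x01"),
               _seq(0x30), _seq(0x30), validity)
    b64 = base64.b64encode(_seq(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE = {"old.pem": sample_cert(b"170204000000Z"),
          "new.pem": sample_cert(b"180204000000Z")}
```

Calling `expiring()` with a cutoff some months ahead of the current date, over a mapping built from the checked-in certificate files, lists the ones that need regenerating before the test suite starts failing.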
Comment 5•8 years ago (Assignee)
Thanks!
Try looked good: https://treeherder.mozilla.org/#/jobs?repo=try&revision=71e5963f76e94c890a38c9fbf74ac91379e7af06
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d15f6cbb443d
regenerate psm xpcshell test certificates to avoid failures when they expire r=Cykesiopka
Comment 7•8 years ago
bugherder
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment 8•8 years ago (Assignee)
Hi Wes, sorry to spring this on you, but this issue affects every supported branch, essentially. If I could get some help uplifting this before February, that would be great. Thank you! (Luckily, it's test-only changes, so we shouldn't have to wait for approval.)
Flags: needinfo?(wkocher)
Should this end up on release (in case of chemspill) and esr45, too?
Flags: needinfo?(wkocher) → needinfo?(dkeeler)
Whiteboard: [psm-assigned] → [psm-assigned][checkin-needed-aurora][checkin-needed-beta]
Comment 10•8 years ago (Assignee)
I imagine so - if the xpcshell test suite is run after 4 February 2017, it will fail without this patch.
Flags: needinfo?(dkeeler)
Updated•8 years ago
status-firefox51: --- → affected
status-firefox52: --- → affected
status-firefox-esr45: --- → affected
Whiteboard: [psm-assigned][checkin-needed-aurora][checkin-needed-beta] → [psm-assigned][checkin-needed-beta][checkin-needed-release][checkin-needed-esr45]
Comment 11•8 years ago
bugherder uplift
Flags: in-testsuite+
Whiteboard: [psm-assigned][checkin-needed-beta][checkin-needed-release][checkin-needed-esr45] → [psm-assigned][checkin-needed-release][checkin-needed-esr45]
26 of the files touched in the patch pushed to beta don't exist on release, and only the moz.build file exists on esr45 (and it has merge conflicts). Is it okay to push this to release, and can you make a rebased patch for esr45, assuming all of the files were just moved around?
Flags: needinfo?(dkeeler)
Comment 13•8 years ago (Assignee)
Oh, sorry - it looks like any branch older than 48 isn't affected (bug 1256495 landed in 48), so esr45 actually doesn't need this.
For mozilla-release, the mochitest certs are from bug 1186286, the bad_certs are from bug 1313491, the test_ev_certs are from bug 1243923, the test_pinning_dynamic certs are from bug 1306471, and test_x509.js is from bug 1304188. All of these landed in 52, so it's consistent that they're not in release/51. In other words, the patch should be fine to land on release without those 26 files. Thanks!
Flags: needinfo?(dkeeler)
Whiteboard: [psm-assigned][checkin-needed-release][checkin-needed-esr45] → [psm-assigned][checkin-needed-release]
Whiteboard: [psm-assigned][checkin-needed-release] → [psm-assigned]
Comment 15•8 years ago
So, the way this stuff works right now also means that if you run a trypush and it's on a parent that predates the cert change, tests fail with incomprehensible error messages and you get confused (whereas if you rebase the patch to a parent that doesn't predate the cert change, tests will pass). Can't the test framework generate its own certs so we avoid this issue in the future?
Flags: needinfo?(dkeeler)
Comment 16•8 years ago (Assignee)
That's the way this worked before bug 1256495, but we got complaints that it took too much build time. The right thing to do would be to teach the build/test infrastructure to generate these files as-needed (so if you're not running these tests it won't affect you), but no one has done that work (see also bug 1198077).
Flags: needinfo?(dkeeler)