non-privileged, non-secret dep signing on taskcluster

NEW
Unassigned

Status

Release Engineering
General Automation
P2
normal
8 months ago
4 months ago

People

(Reporter: aki, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 months ago
We want to turn on signing for dep builds, but these don't need to go through scriptworker or the signing servers.

Ideally we'd have a script or set of scripts that can sign in the various formats (signtool? signingscript? another script?), and some non-privileged non-secret keys for dep signing.

The keys can be auto-generated, or distributed through taskcluster level-1 secrets or a non-secret-keys-as-a-service service, so signing can happen on Try.

We can run signing through this script on docker-worker.

Updated

7 months ago
Blocks: 1351280

Updated

4 months ago
Priority: -- → P2