Closed Bug 1346015 Opened 8 years ago Closed 8 years ago

Support DMG input in signingscriptworker

Categories

(Release Engineering :: General, enhancement, P1)

Product:
Release Engineering
Component:
General
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: Callek, Assigned: mozilla)

References

Details

Attachments

(4 files, 1 obsolete file)

py3 signtool dmg support
49 bytes, text/x-github-pull-request
catlee
: review+
Details | Review
signingscript dmg support
55 bytes, text/x-github-pull-request
jlorenzo
: review+
Details | Review
bug 1346015 - support dmg signing in signing scriptworkers.
59 bytes, text/x-review-board-request
Callek
: review+
Details
bug 1346015 - allow for signing scriptworker dev instances
59 bytes, text/x-review-board-request
jlorenzo
: review+
Details
Over in https://bugzilla.mozilla.org/show_bug.cgi?id=1324834 we identified the commands we need for OSX unpacking on linux... ' these amount to: dmg extract "${DMG_PATH}" firefox.hfs hfsplus firefox.hfs extractall / "${TARGETPATH}" both binaries are in tooltool https://dxr.mozilla.org/mozilla-central/source/browser/config/tooltool-manifests/macosx64/cross-releng.manifest#42 (aka: https://api.pub.build.mozilla.org/tooltool/sha512/9073c41034784eb8823ec817aed42bbc65c8da63ad3fac572726fa48b36320ee302ca8f51b23576e7fdbeec6ab300610d0c58bbd9c52024577dfdb13d95aa2ec ) `firefox.hfs` can be any tempfile (unsure if extension matters) and removable after this executes. $DMG_PATH and $TARGETPATH are as they sound.
Assignee: nobody → aki
Blocks: 1347579
Depends on: 1324834
Attached patch puppet: dmgv2-to-dmg.diff (obsolete) — Splinter Review
Since we're using a standalone version of signtool, we can get rid of the dmgv2 vs dmg split, which was only put in place to specify different pools of mac signing servers.
https://github.com/escapewindow/signtool/tree/mac for py3 signtool to take a tarball and return a tarball. - update the puppet patch to install the dmg extraction tools onto signing scriptworkers - update signingscript to use the dmg extraction tool, and signtool/upload a tarball, if format is dmg We can probably deploy to prod, since nothing is using signing scriptworkers for dmg. Otherwise we'd need to spin up a dmg signing scriptworker for testing.
https://github.com/escapewindow/build-puppet/tree/macsigning . I think this is ready for testing.
Depends on: 1348163
Priority: -- → P1
:catlee, do you want to review this py3 signtool patch, or do you want me to send it elsewhere? Sending it your way first since you helped me with this in Toronto IIRC, but I'm happy to redirect if wanted.
Attachment #8850239 - Flags: review?(catlee)
- adds an _explode_dmg call in a new _execute_pre_signing_steps - sign_file now returns the source path; this allows us to rewrite the path/to/dmg with a path/to/tarball for async_main to copy to the artifact_dir - moves _execute_subprocess to utils - maintains 100% code coverage
Attachment #8850241 - Flags: review?(jlorenzo)
Attachment #8847791 - Attachment is obsolete: true
Comment on attachment 8850264 [details] bug 1346015 - allow for signing scriptworker dev instances https://reviewboard.mozilla.org/r/122898/#review125302 ::: modules/signing_scriptworker/manifests/init.pp:65 (Diff revision 1) > ]; > } > > scriptworker::instance { > "${signing_scriptworker::settings::root}": > - instance_name => $module_name, > + instance_name => "${module_name}", What's the advantage of quoting single variables in this case? For reference, in the puppet training I attended, the trainer told us to avoid using them whenever that's possible. It saves the interpolation step, which (apparently) can save several seconds when a manifest is compiled on master. That said, I haven't managed to find these explanation in the official documentation: * https://docs.puppet.com/puppet/3.7/lang_variables.html#interpolation ::: modules/signing_scriptworker/templates/dev-passwords.json.erb:3 (Diff revision 1) > +{ > + "project:releng:signing:cert:dep-signing": [ > + ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "mar_sha384", "jar", "emevoucher"]], Are these instances meant to become production at some point? If so, I'd add a comment, maybe in settings.pp. If not, could we add "-dev" on the hostname?
Attachment #8850264 - Flags: review?(jlorenzo) → review+
(In reply to Johan Lorenzo [:jlorenzo] from comment #10) The puppet patch looks good to me, modulo a couple of nits. These can be handled in a follow up.
Comment on attachment 8850243 [details] bug 1346015 - support dmg signing in signing scriptworkers. https://reviewboard.mozilla.org/r/122890/#review125454 I'd be much happier with the binaries placed into the puppetmasters /data https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Data#.._add_a_data_file even if its a zip/compressed format that the instance decompresses. I'm not going to hard block on that though.
Attachment #8850243 - Flags: review?(bugspam.Callek) → review+
Attachment #8850239 - Flags: review?(catlee) → review+
(In reply to Justin Wood (:Callek) from comment #13) > Comment on attachment 8850243 [details] > bug 1346015 - support dmg signing in signing scriptworkers. > > https://reviewboard.mozilla.org/r/122890/#review125454 > > I'd be much happier with the binaries placed into the puppetmasters /data > https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Data#.. > _add_a_data_file even if its a zip/compressed format that the instance > decompresses. > > I'm not going to hard block on that though. That makes sense. What's the best way to tell puppet to overwrite the files if there's something newer? If the answer is "ssh in and blow away the previous file and rerun puppet", then I'd prefer this route until the dmg tools are more settled... they're ~260KB total, not too onerous atm.
(In reply to Johan Lorenzo [:jlorenzo] from comment #10) > Comment on attachment 8850264 [details] > bug 1346015 - allow for signing scriptworker dev instances > > https://reviewboard.mozilla.org/r/122898/#review125302 > > ::: modules/signing_scriptworker/manifests/init.pp:65 > (Diff revision 1) > > ]; > > } > > > > scriptworker::instance { > > "${signing_scriptworker::settings::root}": > > - instance_name => $module_name, > > + instance_name => "${module_name}", > > What's the advantage of quoting single variables in this case? Explicitly stating they're strings? I was just going for consistency. > > For reference, in the puppet training I attended, the trainer told us to > avoid using them whenever that's possible. It saves the interpolation step, > which (apparently) can save several seconds when a manifest is compiled on > master. > > That said, I haven't managed to find these explanation in the official > documentation: > > * https://docs.puppet.com/puppet/3.7/lang_variables.html#interpolation Hm, good to know. Maybe I'll revert these changes. > ::: modules/signing_scriptworker/templates/dev-passwords.json.erb:3 > (Diff revision 1) > > +{ > > + "project:releng:signing:cert:dep-signing": [ > > + ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "mar_sha384", "jar", "emevoucher"]], > > Are these instances meant to become production at some point? If so, I'd add > a comment, maybe in settings.pp. If not, could we add "-dev" on the hostname? No, these are the production signing servers. They each run 3 ports: release, nightly, dep, so renaming them isn't really an option. Moving the dep signing servers onto different instances is an option, but isn't a short-term thing. For the long term fix, we're leaning towards somehow being able to sign locally -- docker-signing-server might be a good option, or tc-secrets, or somehow follow how android creates local signing keys for dev signing. Our current thinking is dep/CI signing keys should essentially be untrusted and shared widely.
Looks like the dmg signing on date is working, and I was able to launch the app from the signed tarball.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: Tools → General
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: