Closed Bug 1378744 Opened 5 years ago Closed 4 years ago

Nightly Signing Tasks fail


(Release Engineering :: General, defect)

Not set


(Not tracked)



(Reporter: cbook, Unassigned)





2017-07-06T11:33:04 CRITICAL - signing:build KIIeCBBnR7ukNt2M-PhZEA dependencies don't line up!
2017-07-06T11:33:04 CRITICAL - Chain of Trust verification error!

Affects Linux, Android and OS X so far.
catlee, rail: new issue - could you take a look at this?
Flags: needinfo?(rail)
Flags: needinfo?(catlee)
This was caused by bug 1372892 landing.
Blocks: 1372892
Flags: needinfo?(rail)
Flags: needinfo?(catlee)
Hm, what does "dependencies don't line up" mean?
Flags: needinfo?(aki)
Chain of Trust verification compares the task definition of the running/upstream tasks against the decision task's task-graph.json.
One of the checks is the dependencies:

Some fixes I can think of:

- we can add the decision taskId to both sets, so it's a blanket exception
- we can add the decision taskId to the dependencies before task-graph.json is created
- it's possible we should be comparing our runtime task definitions against a different artifact than task-graph.json.
- it's possible we should stop task.dependencies comparisons altogether; unless we use inputs from those upstream tasks, they only mark when to run a task. I've been waffling on this one; I'm not sure if the current security model will be unchanged or weakened with this change. Comparing task.dependencies breaks multi-task retriggers; the first task passes due to fuzzy matching, but the subsequent tasks fail due to task.dependencies changing.
Flags: needinfo?(aki)
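The dependency comparison described in the comment above, with the first proposed fix (adding the decision taskId to both sets), as an added Python sketch that is not scriptworker's code. The task ids, the simplified dict layout, and the premise that the running task lists the decision taskId while task-graph.json does not are assumptions constructed for illustration.

```python
# Added illustration, not scriptworker's code. The dict layout and ids are
# simplified and constructed; real task definitions carry many more fields.

DECISION_ID = "DECISION-TASK-ID-constructed"
BUILD_ID = "BUILD-TASK-ID-constructed"
ROGUE_ID = "UNLISTED-TASK-ID-constructed"

# What the decision task recorded for the signing task (assumed shape).
GRAPH_TASK = {"dependencies": [BUILD_ID]}
# What the running signing task reports; assumed to also list the decision task.
RUNTIME_TASK = {"dependencies": [BUILD_ID, DECISION_ID]}


def compare_dependencies(runtime_task, graph_task, exempt_task_ids=()):
    """Compare runtime dependencies with the graph's.

    Ids in exempt_task_ids are added to both sets (the "blanket exception"
    option), so their presence or absence on either side never fails the check.
    Returns (ok, unexpected, missing).
    """
    exempt = set(exempt_task_ids)
    runtime = set(runtime_task.get("dependencies", [])) | exempt
    expected = set(graph_task.get("dependencies", [])) | exempt
    unexpected = sorted(runtime - expected)  # present at runtime, not in graph
    missing = sorted(expected - runtime)     # in graph, dropped at runtime
    return (not unexpected and not missing, unexpected, missing)


if __name__ == "__main__":
    # Strict comparison: the extra decision taskId makes the sets differ.
    print(compare_dependencies(RUNTIME_TASK, GRAPH_TASK))
    # Exempting only the decision task lets the legitimate task through.
    print(compare_dependencies(RUNTIME_TASK, GRAPH_TASK, [DECISION_ID]))
    # The exception is narrow: any other unlisted dependency is still reported.
    tampered = {"dependencies": [BUILD_ID, DECISION_ID, ROGUE_ID]}
    print(compare_dependencies(tampered, GRAPH_TASK, [DECISION_ID]))
```

Keeping the exemption to a single, known taskId means the comparison still rejects any other dependency that the decision task did not record.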
Scriptworker 4.1.3 is rolled out!
Closed: 4 years ago
Resolution: --- → FIXED