Closed
Bug 1378744
Opened 8 years ago
Closed 8 years ago
Nightly Signing Tasks fail
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: cbook, Unassigned)
like https://tools.taskcluster.net/groups/G8j0rTIOQRK4LEDgNjo6vA/tasks/EovnTieZTLKZTW6z5sBT7Q/runs/0/logs/public%2Flogs%2Fchain_of_trust.log
2017-07-06T11:33:04 CRITICAL - signing:build KIIeCBBnR7ukNt2M-PhZEA dependencies don't line up!
{'G8j0rTIOQRK4LEDgNjo6vA'}
2017-07-06T11:33:04 CRITICAL - Chain of Trust verification error!
Affects Linux, Android and OSX so far.
Comment 1•8 years ago (Reporter)
catlee, rail: new issue - could you take a look at this?
Flags: needinfo?(rail)
Flags: needinfo?(catlee)
Comment 2•8 years ago
This was caused by bug 1372892 landing.
Comment 3•8 years ago
Hm, what does "dependencies don't line up" mean?
Updated•8 years ago
Flags: needinfo?(aki)
Comment 4•8 years ago
Chain of Trust verification compares the task definition of the running/upstream tasks against the decision task's task-graph.json.
One of the checks is the dependencies: https://github.com/mozilla-releng/scriptworker/blob/master/scriptworker/cot/verify.py#L752
Some fixes I can think of:
- we can add the decision taskId to both sets, so it's a blanket exception
- we can add the decision taskId to the dependencies before task-graph.json is created
- it's possible we should be comparing our runtime task definitions against a different artifact than task-graph.json.
- it's possible we should stop task.dependencies comparisons altogether; unless we use inputs from those upstream tasks, they only mark when to run a task. I've been waffling on this one; I'm not sure if the current security model will be unchanged or weakened with this change. Comparing task.dependencies breaks multi-task retriggers; the first task passes due to fuzzy matching, but the subsequent tasks fail due to task.dependencies changing.
Flags: needinfo?(aki)
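The dependency comparison and the first option from comment 4, sketched as an added example (not part of the bug thread and not scriptworker's code). The function names are hypothetical, the non-decision taskIds are constructed, and it assumes the logged ID G8j0rTIOQRK4LEDgNjo6vA is the decision taskId and that it shows up on only one side of the comparison.

```python
# Added illustration; not scriptworker's implementation.
# Function names are hypothetical; sample dependency lists are constructed.

# Assumption: the ID in the logged set (also the task group ID) is the decision taskId.
DECISION_TASK_ID = "G8j0rTIOQRK4LEDgNjo6vA"


def dependency_mismatch(graph_deps, runtime_deps, decision_task_id=None):
    """Return the taskIds that appear in only one of the two dependency lists.

    When decision_task_id is given, it is added to BOTH sets before comparing
    (the "blanket exception"), so it can never be reported as a mismatch.
    Every other taskId is still compared strictly.
    """
    expected = set(graph_deps)      # from the decision task's task-graph.json
    actual = set(runtime_deps)      # from the running/upstream task definition
    if decision_task_id is not None:
        expected.add(decision_task_id)
        actual.add(decision_task_id)
    return expected ^ actual        # symmetric difference


def verify_dependencies(name, task_id, graph_deps, runtime_deps, decision_task_id=None):
    """Return a list of error strings; empty means the dependencies line up."""
    bad = dependency_mismatch(graph_deps, runtime_deps, decision_task_id)
    if bad:
        return ["{} {} dependencies don't line up!\n{}".format(name, task_id, sorted(bad))]
    return []


# Constructed sample data: the runtime definition carries the decision taskId,
# the task-graph.json entry does not.
GRAPH_DEPS = ["constructed-toolchain-task"]
RUNTIME_DEPS = ["constructed-toolchain-task", DECISION_TASK_ID]
# Constructed negative case: an extra dependency that is NOT the decision task.
TAMPERED_DEPS = RUNTIME_DEPS + ["constructed-unknown-task"]

if __name__ == "__main__":
    args = ("signing:build", "KIIeCBBnR7ukNt2M-PhZEA")
    print("strict:        ", verify_dependencies(*args, GRAPH_DEPS, RUNTIME_DEPS))
    print("with exception:", verify_dependencies(*args, GRAPH_DEPS, RUNTIME_DEPS, DECISION_TASK_ID))
    print("unknown dep:   ", verify_dependencies(*args, GRAPH_DEPS, TAMPERED_DEPS, DECISION_TASK_ID))
```

The exception covers exactly one taskId, so any other dependency that differs between task-graph.json and the runtime definition is still reported.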
Comment 5•8 years ago
https://github.com/mozilla-releng/scriptworker/pull/129 - more or less the first option
Comment 6•8 years ago
Scriptworker 4.1.3 is rolled out!
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED