Closed Bug 1378744 Opened 2 years ago Closed 2 years ago

Nightly Signing Tasks fail

Categories

(Release Engineering :: General, defect, critical)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cbook, Unassigned)

References

()

Details

like https://tools.taskcluster.net/groups/G8j0rTIOQRK4LEDgNjo6vA/tasks/EovnTieZTLKZTW6z5sBT7Q/runs/0/logs/public%2Flogs%2Fchain_of_trust.log 

2017-07-06T11:33:04 CRITICAL - signing:build KIIeCBBnR7ukNt2M-PhZEA dependencies don't line up!
{'G8j0rTIOQRK4LEDgNjo6vA'}
2017-07-06T11:33:04 CRITICAL - Chain of Trust verification error!

affects linux,android and osx so far
catlee, rail : new issue - could you take a look at this ?
Flags: needinfo?(rail)
Flags: needinfo?(catlee)
This was caused by bug 1372892 landing.
Blocks: 1372892
Flags: needinfo?(rail)
Flags: needinfo?(catlee)
Hm, what does "dependencies don't line up" mean?
Flags: needinfo?(aki)
Chain of Trust verification compares the task definition of the running/upstream tasks against the decision task's task-graph.json.
One of the checks is the dependencies: https://github.com/mozilla-releng/scriptworker/blob/master/scriptworker/cot/verify.py#L752

Some fixes I can think of:

- we can add the decision taskId to both sets, so it's a blanket exception
- we can add the decision taskId to the dependencies before task-graph.json is created
- it's possible we should be comparing our runtime task definitions against a different artifact than task-graph.json.
- it's possible we should stop task.dependencies comparisons altogether; unless we use inputs from those upstream tasks, they only mark when to run a task. I've been waffling on this one; I'm not sure if the current security model will be unchanged or weakened with this change. Comparing task.dependencies breaks multi-task retriggers; the first task passes due to fuzzy matching, but the subsequent tasks fail due to task.dependencies changing.
Flags: needinfo?(aki)
Scriptworker 4.1.3 is rolled out!
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.