Closed Bug 1435858 Opened 2 years ago Closed 9 months ago

add a canary test that will fail before all of the psm xpcshell certificate tests fail

Categories

(Core :: Security: PSM, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox67 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

In bug 1435644 many psm xpcshell test certificates expired before anyone remembered to regenerate them, closing the trees (note that they're static files due to bug 1256495). It would be nice to have a noticeable reminder in advance of everything failing. My current idea is to add a separate test file that attempts to verify one common certificate (default-ee, for example) at Time.now() + 3 weeks or something. (Then again, it would be nice to not have to uplift large patches again, so maybe something with more lead time?)
How about a periodic task runner which checks all the test certificates in the tree if they expire in e.g. 2 weeks and who generates the new certificates if needed and checks them in, similar to the HPKP/HSTS list updates by ffxbld?
Assignee: nobody → dkeeler
Priority: P2 → P1
Whiteboard: [psm-assigned]

This test should remind us to regenerate the test certificates next year before they actually expire.

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/825dfac611b2
add a canary test that will fail before all of the test certificates expire r=Alex_Gaynor,jcj
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.