Closed Bug 1438084 Opened 4 years ago Closed 1 month ago

Obtain Windows code-signing certificate for SeaMonkey binary and update signing

Categories

(SeaMonkey :: Release Engineering, defect)

defect
Not set
normal

Tracking

(seamonkey2.53+ fixed)

RESOLVED FIXED
seamonkey 2.94

People

(Reporter: ewong, Assigned: frg)

References

(Blocks 2 open bugs)

Details

(Whiteboard: SM2.53.10.2)

Attachments

(5 files, 1 obsolete file)

I am assuming that whatever certificates were given to Callek from bug 736154 have probably expired some time ago, so I am cloning the initial bug to get another set done/renewed.

Gerv, would Mozilla be willing to renew the certificates on behalf
of SeaMonkey? 


+++ This bug was initially created as a clone of Bug #736154 +++

SeaMonkey would like to sign their Windows installers and updates, to enable them to support Silent Update. After discussion between Callek, John O'Duinn, Harvey, Mitchell and myself about the best way to do this, the conclusion is as follows:

1) Mozilla should obtain a suitable code signing certificate for SeaMonkey to use
2) SeaMonkey will then be given this certificate to manage the signing on their own infra
3) The certificate should not 'look like' the one RelEng uses to sign Firefox

This bug is to get server ops to obtain such a certificate.

The only question which remains is to work out exactly what should be in each field of the certificate, particularly the O field (which, I believe, is the one displayed in the relevant UI). This needs to be acceptable to the CA from a legal perspective, but also meet criterion 3.

My initial proposal for us to present to the CA for the O field is "Mozilla Foundation, SeaMonkey Project". If they refuse that, it would be good to get some guidance on the parameters they are having to work within.

Gerv

Since joduinn and mrz don't work at Moco anymore, and gerv isn't accepting NIs, I guess I'll need to find someone else. As Catlee is the QA for this bug, N-I him.
Flags: needinfo?(catlee)
Blocks: signSM
Component: General → Release Engineering
Flags: needinfo?(catlee)
Product: Release Engineering → SeaMonkey
QA Contact: catlee
Version: other → unspecified
Blocks: 1443390

We now have a code signing certificate and I was able to create local en-US and l10n de builds. Still some things to sort so nothing for review yet. Might all be outside the source tree.

Assignee: nobody → frgrahl
Status: NEW → ASSIGNED
QA Contact: catlee
Summary: Obtain win32 and osx code-signing certificates for SeaMonkey binary and update signing → Obtain Windows code-signing certificates for SeaMonkey binary and update signing.
Whiteboard: SM2.53.10.2
Summary: Obtain Windows code-signing certificates for SeaMonkey binary and update signing. → Obtain Windows code-signing certificate for SeaMonkey binary and update signing

Signing Windows builds needs some final files from the previous full build steps. So mach build distribution can currently not be used. Untangle it a bit for the en-US build and create a full-package step which also creates the full update mar. For locale builds "export MOZ_MAKE_COMPLETE_MAR=1" can be used.

[Approval Request Comment]
Regression caused by (bug #): --
User impact if declined: Clunky update mar generation in shell script needed
Testing completed (on m-c, etc.): 2.53.11b1 pre
Risk to taking this patch (and alternatives if risky): build only trivial
String changes made by this patch: --

Attachment #9256067 - Flags: review?(iannbugzilla)
Attachment #9256067 - Flags: feedback?(ewong)
Attachment #9256067 - Flags: approval-comm-release?
Attachment #9256067 - Flags: approval-comm-esr60?

[Approval Request Comment]
Regression caused by (bug #): --
User impact if declined: none but long long long Windows build times.
Testing completed (on m-c, etc.): 2.53.11b1 pre
Risk to taking this patch (and alternatives if risky): Update might not remove old files but we no longer support direct upgrade from versions which still used the removed files. Mostly pre 2.0.
String changes made by this patch: --

Attachment #9256068 - Flags: review?(iannbugzilla)
Attachment #9256068 - Flags: approval-comm-release?
Attachment #9256068 - Flags: approval-comm-esr60?
Attached file sign6419.sh (obsolete)

Sample shell script I used for building a local test build. Didn't build the symbols with it but no changes doing them. Just an example without error checking. Needs to be cleaned up and adapted for the builder.

Blocks: 1746792

Comment on attachment 9256067 [details] [diff] [review]
1438084-fullpackage-253102.patch

[Triage Comment]
Seems to be okay r/a=me

Attachment #9256067 - Flags: review?(iannbugzilla)
Attachment #9256067 - Flags: review+
Attachment #9256067 - Flags: approval-comm-release?
Attachment #9256067 - Flags: approval-comm-release+
Attachment #9256067 - Flags: approval-comm-esr60?
Attachment #9256067 - Flags: approval-comm-esr60+

Comment on attachment 9256068 [details] [diff] [review]
1438084-cleanremoved-253102.patch

[Triage Comment]
Seems to be okay r/a=me

Attachment #9256068 - Flags: review?(iannbugzilla)
Attachment #9256068 - Flags: review+
Attachment #9256068 - Flags: approval-comm-release?
Attachment #9256068 - Flags: approval-comm-release+
Attachment #9256068 - Flags: approval-comm-esr60?
Attachment #9256068 - Flags: approval-comm-esr60+

Pushed by frgrahl@gmx.net:
https://hg.mozilla.org/comm-central/rev/a95bd461ed3a
Remove really really obsolete entries from removed-files.in. r=IanN

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED

The full-package patch is no longer useful for comm-central so I didn't push it. Update generation was moved to taskcluster only and the stuff we use removed just a few weeks ago as usual without consultation in Bug 1744325. When we eventually come to this comm-central level we need to re-add it in our branches.

The certificate and other parts are either confidential or scripts for the builder only. So consider this bug fixed and if something goes wrong add a follow-up.

Target Milestone: --- → seamonkey 2.94
Attached file sign6419.sh

Turned out helper.exe wasn't signed properly in l10n builds and the en-US.zip so needed to add some kludges and a new make step for l10n update mar creation.

Attachment #9256069 - Attachment is obsolete: true

Copied the mar creation inside MOZ_MAKE_COMPLETE_MAR to a separate step. It is impossible otherwise to sign helper.exe and add it to the update.mar using the normal build files. Could probably call the tools script directly but many variables which are already taken care of in l10n.mk. comm-release step for suite.

Attachment #9256281 - Flags: review?(iannbugzilla)
Attachment #9256281 - Flags: approval-comm-release?
Attachment #9256281 - Flags: approval-comm-esr60?

createmar-l10n command. mozilla-release step for our branch only.

Attachment #9256282 - Flags: review?(iannbugzilla)
Attachment #9256282 - Flags: approval-comm-release?
Attachment #9256282 - Flags: approval-comm-esr60?

Comment on attachment 9256281 [details] [diff] [review]
1438084-createmar-cr-253102.patch

[Triage Comment]
Whole packaging process needs to be looked at but r/a=me for the moment

Attachment #9256281 - Flags: review?(iannbugzilla)
Attachment #9256281 - Flags: review+
Attachment #9256281 - Flags: approval-comm-release?
Attachment #9256281 - Flags: approval-comm-release+
Attachment #9256281 - Flags: approval-comm-esr60?
Attachment #9256281 - Flags: approval-comm-esr60+

Comment on attachment 9256282 [details] [diff] [review]
1438084-createmar-mr-253102.patch

[Triage Comment]
Whole packaging process needs to be looked at but r/a=me for the moment

Attachment #9256282 - Flags: review?(iannbugzilla)
Attachment #9256282 - Flags: review+
Attachment #9256282 - Flags: approval-comm-release?
Attachment #9256282 - Flags: approval-comm-release+
Attachment #9256282 - Flags: approval-comm-esr60?
Attachment #9256282 - Flags: approval-comm-esr60+

Target 2.53.10.2
https://gitlab.com/seamonkey-project/seamonkey-2.53-comm/-/commit/05ae2657b96355c808203f3eb721d959a932c7f4
Remove really really obsolete entries from removed-files.in. r=IanN a=IanN

https://gitlab.com/seamonkey-project/seamonkey-2.53-comm/-/commit/4c664c921dc49ddd68a614f42e1762de280f6775
Add build command for creating en-US package including full update mar. r=IanN a=IanN

https://gitlab.com/seamonkey-project/seamonkey-2.53-mozilla/-/commit/6cd6a18aff60d146a66c1aea71dedbfbd4d8aa3a
Add create full l10n update mar command mozilla-part. r=IanN a=IanN

https://gitlab.com/seamonkey-project/seamonkey-2.53-comm/-/commit/dfb3121959b46dbf78fbaa411777979653156a12
Add create full l10n update mar command suite-part. r=IanN a=IanN
