Bug 1476778 - [screenshots] sign dev and stage XPI with dev-root for QA
Status: RESOLVED FIXED (Closed)
Opened 7 years ago; closed 6 years ago
Product/Component: Cloud Services :: Security (enhancement)
Tracking: Not tracked
Reporter: u581815; Assignee: Unassigned
Attachments: 1 file (448.00 KB, application/x-xpinstall)
Per the linked github issue, screenshots needs to sign their dev and stage XPIs with the dev-root PKI to fix permissions errors installing the addon for QA.
To make that happen we need to:
1. update the autograph config to give the autograph edge user access to the relevant XPI signer
2. generate an autograph edge token and add a new signer to autograph edge https://mana.mozilla.org/wiki/display/SVCOPS/Autograph+Edge#AutographEdge-Addinganewsigninguser
3. add the new autograph edge token to the screenshots Circle CI config
4. tag and deploy new autograph stage and autograph edge versions
At this point, we should be able to sign the screenshots XPI with a curl command.
5. update screenshots CI to sign its XPIs something like https://github.com/mozilla/notes/blob/5fe40a25363354c2d3938972e722f05e85205563/circle.yml#L73-L95
I'm planning to do 1. to 3., then tag releases and make deploy bugs for :miles for 4.; then :_6a68 can handle 5.
Assignee: nobody → gguthe
Status: NEW → ASSIGNED
6. update directions at: https://screenshots.stage.mozaws.net/homepage/install-test-local.html
screenshots XPI version "33.1.1714" signed with the stage config in w/ mode extension to override the screenshots version bundled w/ Fx (i.e. autograph user addon_shipper w/ signer extension_rsa autograph @ commit 714ba24847bfdc0dff0ec879f18969ae05e72099)
For QA,
1. created a new profile in Nightly 63.0a1 (2018-07-19) (64-bit)
2. on about:config right clicked and added the new boolean xpinstall.signatures.dev-root and set it to true
3. from about:addons > gear > "Install Add-on From File ...", selected attachment and was able to add it (not sure if there's a different way to install extensions)
In the browser console I do see:
TypeError: extension is undefined
receiveMessage@resource://gre/modules/ExtensionParent.jsm:351:5
async*_handleMessage/</<@resource://gre/modules/MessageChannel.jsm:922:19
_handleMessage/<@resource://gre/modules/MessageChannel.jsm:921:9
_handleMessage@resource://gre/modules/MessageChannel.jsm:919:7
receiveMessage/<@resource://gre/modules/MessageChannel.jsm:218:9
receiveMessage@resource://gre/modules/MessageChannel.jsm:211:5
MessageListener.receiveMessage*FilteringMessageManager@resource://gre/modules/MessageChannel.jsm:201:5
get@resource://gre/modules/MessageChannel.jsm:436:14
addListener@resource://gre/modules/MessageChannel.jsm:763:7
init@resource://gre/modules/ExtensionParent.jsm:276:5
init@resource://gre/modules/ExtensionParent.jsm:503:7
startup@resource://gre/modules/Extension.jsm:1766:7
async*startup/this.startupPromise<@resource://gre/modules/LegacyExtensionsUtils.jsm:195:7
startup@resource://gre/modules/LegacyExtensionsUtils.jsm:142:27
start@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/gguthe/Downloads/firefox/browser/features/screenshots@mozilla.org.xpi!/bootstrap.js:178:10
handleStartup@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/gguthe/Downloads/firefox/browser/features/screenshots@mozilla.org.xpi!/bootstrap.js:171:5
promise callback*startup@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/gguthe/Downloads/firefox/browser/features/screenshots@mozilla.org.xpi!/bootstrap.js:134:23
callBootstrapMethod@resource://gre/modules/addons/XPIProvider.jsm:1588:20
async*startup@resource://gre/modules/addons/XPIProvider.jsm:1703:27
async*startup@resource://gre/modules/addons/XPIProvider.jsm:2150:13
callProvider@resource://gre/modules/AddonManager.jsm:206:12
_startProvider@resource://gre/modules/AddonManager.jsm:654:5
startup@resource://gre/modules/AddonManager.jsm:813:9
startup@resource://gre/modules/AddonManager.jsm:2811:5
observe@jar:file:///home/gguthe/Downloads/firefox/omni.ja!/components/addonManager.js:66:9
MessageChannel.jsm:924
_handleMessage/</<
resource://gre/modules/MessageChannel.jsm:924:11
and on reinstall a handful of:
1532031816838 addons.update-checker WARN onUpdateCheckComplete failed to parse update manifest: [Exception... "Update manifest is missing a required addons property." nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/addons/AddonUpdateChecker.jsm :: getRequiredProperty :: line 122" data: no] Stack trace: getRequiredProperty()@resource://gre/modules/addons/AddonUpdateChecker.jsm:122 parseJSONManifest()@resource://gre/modules/addons/AddonUpdateChecker.jsm:132 onLoad()@resource://gre/modules/addons/AddonUpdateChecker.jsm:314 UpdateParser/<()@resource://gre/modules/addons/AddonUpdateChecker.jsm:243
Not sure how to check that the dev version installed properly and I'm using it instead of the bundled version.
:_6a68 does https://bugzilla.mozilla.org/attachment.cgi?id=8993494 install properly for you and actually override the bundled screenshots version?
Flags: needinfo?(jhirsch)
confirmed I have permission to do 3. at https://circleci.com/gh/mozilla-services/screenshots/edit#env-vars
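The question above about how to check that the dev XPI is what got installed is a reasonable QA gate, so here is an added example (not code from this bug, nor from the screenshots or autograph projects) that sanity-checks a signed XPI offline before it is handed to QA. It assumes the usual signed-XPI layout: a zip whose META-INF/ directory holds manifest.mf (per-file digests), mozilla.sf (digests over the manifest) and mozilla.rsa (the PKCS#7 signature blob). It verifies only that every shipped file is listed in manifest.mf with a matching SHA256-Digest and that nothing listed is missing; the PKCS#7 signature and the dev-root chain are deliberately left to Firefox (that is what the xpinstall.signatures.dev-root pref exercises). The sample XPI builder, the placeholder mozilla.sf/mozilla.rsa contents and the file names are constructed for the demonstration.

```python
"""Sanity-check the manifest of a signed Firefox XPI (added example, not project code).

Assumptions: signed XPIs carry META-INF/manifest.mf, META-INF/mozilla.sf and
META-INF/mozilla.rsa, and manifest.mf uses JAR-manifest sections with a
SHA256-Digest (base64) per file. The PKCS#7 signature itself is NOT verified.
"""
import base64
import hashlib
import io
import zipfile

SIGNATURE_FILES = ("META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa")


def parse_manifest(text):
    """Parse a JAR-style manifest into {name: {header: value}}.

    Sections are separated by blank lines; a line starting with a single
    space continues the previous line (the JAR format wraps at 72 bytes).
    """
    unwrapped = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and unwrapped:
            unwrapped[-1] += line[1:]
        else:
            unwrapped.append(line)
    sections, current = [], {}
    for line in unwrapped:
        if line == "":
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    return {s["Name"]: s for s in sections if "Name" in s}


def check_signed_xpi(xpi_bytes):
    """Return a list of problems; an empty list means the XPI layout looks sane."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = set(zf.namelist())
        for required in SIGNATURE_FILES:
            if required not in names:
                problems.append(f"missing {required}")
        if problems:
            return problems  # unsigned or stripped: no point checking digests
        entries = parse_manifest(zf.read("META-INF/manifest.mf").decode("utf-8"))
        for name in sorted(names):
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            entry = entries.get(name)
            if entry is None:
                problems.append(f"{name} is not listed in manifest.mf")
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode("ascii")
            if entry.get("SHA256-Digest") != actual:
                problems.append(f"SHA256 digest mismatch for {name}")
        for name in entries:
            if name not in names:
                problems.append(f"manifest.mf lists {name}, which is not in the archive")
    return problems


def build_sample_xpi(files, tamper=None, signed=True):
    """Construct a toy XPI in memory (constructed sample, not a real signed add-on).

    manifest.mf is generated honestly from `files`; mozilla.sf and mozilla.rsa
    are placeholders because only manifest consistency is checked above.
    `tamper` names a file whose bytes are changed after the manifest is
    computed, the case the checker must catch. signed=False omits META-INF.
    """
    manifest = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        manifest += [f"Name: {name}", "Digest-Algorithms: SHA256", f"SHA256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data + b"\n// modified" if name == tamper else data)
        if signed:
            zf.writestr("META-INF/manifest.mf", "\n".join(manifest))
            zf.writestr("META-INF/mozilla.sf", "Signature-Version: 1.0\n")  # placeholder
            zf.writestr("META-INF/mozilla.rsa", b"placeholder PKCS#7 blob")  # placeholder
    return buf.getvalue()


SAMPLE_FILES = {  # constructed add-on contents
    "manifest.json": b'{"name": "screenshots-sample", "version": "0.0.0"}',
    "background.js": b"console.log('hello');",
}

if __name__ == "__main__":
    print("intact:", check_signed_xpi(build_sample_xpi(SAMPLE_FILES)))
    print("tampered:", check_signed_xpi(build_sample_xpi(SAMPLE_FILES, tamper="background.js")))
    print("unsigned:", check_signed_xpi(build_sample_xpi(SAMPLE_FILES, signed=False)))
```

To use it on a real artifact, read the edge-signed XPI into bytes and call check_signed_xpi on it; an empty list plus a clean install under dev-root is the combination to look for. A digest mismatch means the archive was modified after signing (or the wrong file was uploaded), and the "missing" results mean the signing step never ran on that file.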
Comment 6 • 7 years ago
Yes, this works properly for me, and with no log line about stripping out the mozillaAddons permission 👍
How to tell it's working: note that uploading a shot opens a tab at the staging server (https://screenshots.stage.mozaws.net), not the production server.
Flags: needinfo?(jhirsch)
I finished 1. to 3. from https://bugzilla.mozilla.org/show_bug.cgi?id=1476778#c1 and confirmed that:
* edge stage works as expected with autograph stage after changing configs to point to localhost
* the edge signed XPI installs on a new profile and taking a screenshot opens a new tab on https://screenshots.stage.mozaws.net/
So the config changes look good, but $AUTOGRAPH_EDGE_TOKEN in CircleCI won't be useful until we deploy them.
For 4., we shouldn't need to tag new releases since only the config files changed, but we do need to deploy autograph and autograph edge to stage. The next full autograph deploy is scheduled for August 6th.
For 5., we can skip the verify step since it's going right to QA: https://github.com/mozilla/notes/blob/5fe40a25363354c2d3938972e722f05e85205563/circle.yml#L87-L92
:_6a68 in the meantime feel free to ping me on IRC or NI me here to locally sign XPIs.
:miles I'm holding off on creating a bug for deploying autograph stage. I'm assuming you'd rather wait and deploy autograph on the 6th too, but if you have time to deploy before then let me know.
autograph and autograph edge are deployed. I'm debugging a 502 Bad Gateway I'm seeing for the curl command.
Comment 10 (Reporter) • 7 years ago
oh it's a change I landed earlier: `"Fields":{"code":500,"msg":"signing failed with error: xpi: error parsing PK7 Digest: xpi: Failed to recognize PK7Digest from Options","rid":"YpvbedAVsqBjv6ve"}`
Comment 11 (Reporter) • 7 years ago
(In reply to Greg Guthe [:g-k] from comment #10)
fix: https://github.com/mozilla-services/autograph-edge/pull/5
Comment 12 (Reporter) • 7 years ago
This is working \o/
I ran:
curl -v -F "input=@screenshots.xpi" -o screenshots-stage-edge-signed.xpi -H "Authorization: $token" https://autograph-edge.stage.mozaws.net/sign
and confirmed it installs in a new Nightly profile w/ dev-root and saves to screenshots stage.
Comment 13 (Reporter) • 7 years ago
The token is in the CircleCI config as $AUTOGRAPH_EDGE_TOKEN.
:_6a68 let me know if you want help or need review for CircleCI config or doc updates (5. and 6.).
Assignee: gguthe → nobody
Status: ASSIGNED → NEW
Comment 14 (Reporter) • 7 years ago
related PRs:
* https://github.com/mozilla-services/screenshots/pull/4729
* https://github.com/mozilla-services/screenshots/pull/4734
:_6a68 deployed autograph edge with the new token and updated the CircleCI config, so the XPI should be signed successfully now.
Comment 15 • 6 years ago
Screenshots CI is consistently failing today due to a connection timeout to autograph-edge.stage.m.n. Is it a known, and hopefully temporary, issue?
Comment 16 (Reporter) • 6 years ago
(In reply to Barry Chen from comment #15)
> Screenshots CI is consistently failing today due to a connection timeout to
> autograph-edge.stage.m.n. Is it a known, and hopefully temporary, issue?
No, thanks for bringing it up. I'll check with ops to see if we did anything recently to break it.
Comment 17 (Reporter) • 6 years ago
This should be fixed now:
$ curl https://autograph-edge.stage.mozaws.net/__version__
{"commit":"1f7733140b01eb70b2ffe58e454d60d5e4d5acbc","version":"1.0.5","source":"https://github.com/mozilla-services/autograph-edge","build":"https://circleci.com/gh/mozilla-services/autograph-edge/143"}
Ping me if the screenshots CI jobs continue to fail.
For background, last week we aliased the edge subdomain to a private autograph ELB (due to a few ongoing migrations) instead of the public edge ELB, so I rolled that change back.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED