Closed Bug 1476778 Opened 7 years ago Closed 6 years ago

[screenshots] sign dev and stage XPI with dev-root for QA

Categories

(Cloud Services :: Security, enhancement)


RESOLVED FIXED

People

(Reporter: u581815, Unassigned)


Attachments (1 file): 448.00 KB, application/x-xpinstall
Per the linked github issue, screenshots needs to sign their dev and stage XPIs with the dev-root PKI to fix permissions errors installing the addon for QA.
To make that happen we need to:

1. update the autograph config to give the autograph edge user access to the relevant XPI signer
2. generate an autograph edge token and add a new signer to autograph edge https://mana.mozilla.org/wiki/display/SVCOPS/Autograph+Edge#AutographEdge-Addinganewsigninguser
3. add the new autograph edge token to the screenshots Circle CI config
4. tag and deploy new autograph stage and autograph edge versions

At this point, we should be able to sign the screenshots XPI with a curl command.

5. update screenshots CI to sign its XPIs, something like https://github.com/mozilla/notes/blob/5fe40a25363354c2d3938972e722f05e85205563/circle.yml#L73-L95

I'm planning to do 1. to 3., then tag releases and make deploy bugs for :miles for 4., then :_6a68 can handle 5.
Assignee: nobody → gguthe
Status: NEW → ASSIGNED
screenshots XPI version "33.1.1714" signed with the stage config in w/ mode extension to override the screenshots version bundled w/ Fx (i.e. autograph user addon_shipper w/ signer extension_rsa, autograph @ commit 714ba24847bfdc0dff0ec879f18969ae05e72099)

For QA,

1. created a new profile in Nightly 63.0a1 (2018-07-19) (64-bit)
2. on about:config right clicked and added the new boolean xpinstall.signatures.dev-root and set it to true
3. from about:addons > gear > "Install Add-on From File ...", selected the attachment and was able to add it (not sure if there's a different way to install extensions)

In the browser console I do see:

TypeError: extension is undefined
receiveMessage@resource://gre/modules/ExtensionParent.jsm:351:5
async*_handleMessage/</<@resource://gre/modules/MessageChannel.jsm:922:19
_handleMessage/<@resource://gre/modules/MessageChannel.jsm:921:9
_handleMessage@resource://gre/modules/MessageChannel.jsm:919:7
receiveMessage/<@resource://gre/modules/MessageChannel.jsm:218:9
receiveMessage@resource://gre/modules/MessageChannel.jsm:211:5
MessageListener.receiveMessage*FilteringMessageManager@resource://gre/modules/MessageChannel.jsm:201:5
get@resource://gre/modules/MessageChannel.jsm:436:14
addListener@resource://gre/modules/MessageChannel.jsm:763:7
init@resource://gre/modules/ExtensionParent.jsm:276:5
init@resource://gre/modules/ExtensionParent.jsm:503:7
startup@resource://gre/modules/Extension.jsm:1766:7
async*startup/this.startupPromise<@resource://gre/modules/LegacyExtensionsUtils.jsm:195:7
startup@resource://gre/modules/LegacyExtensionsUtils.jsm:142:27
start@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/gguthe/Downloads/firefox/browser/features/screenshots@mozilla.org.xpi!/bootstrap.js:178:10
handleStartup@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/gguthe/Downloads/firefox/browser/features/screenshots@mozilla.org.xpi!/bootstrap.js:171:5
promise callback*startup@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/gguthe/Downloads/firefox/browser/features/screenshots@mozilla.org.xpi!/bootstrap.js:134:23
callBootstrapMethod@resource://gre/modules/addons/XPIProvider.jsm:1588:20
async*startup@resource://gre/modules/addons/XPIProvider.jsm:1703:27
async*startup@resource://gre/modules/addons/XPIProvider.jsm:2150:13
callProvider@resource://gre/modules/AddonManager.jsm:206:12
_startProvider@resource://gre/modules/AddonManager.jsm:654:5
startup@resource://gre/modules/AddonManager.jsm:813:9
startup@resource://gre/modules/AddonManager.jsm:2811:5
observe@jar:file:///home/gguthe/Downloads/firefox/omni.ja!/components/addonManager.js:66:9
MessageChannel.jsm:924
_handleMessage/</< resource://gre/modules/MessageChannel.jsm:924:11

and on reinstall a handful of:

1532031816838 addons.update-checker WARN onUpdateCheckComplete failed to parse update manifest: [Exception... "Update manifest is missing a required addons property." nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/addons/AddonUpdateChecker.jsm :: getRequiredProperty :: line 122" data: no]
Stack trace:
getRequiredProperty()@resource://gre/modules/addons/AddonUpdateChecker.jsm:122
parseJSONManifest()@resource://gre/modules/addons/AddonUpdateChecker.jsm:132
onLoad()@resource://gre/modules/addons/AddonUpdateChecker.jsm:314
UpdateParser/<()@resource://gre/modules/addons/AddonUpdateChecker.jsm:243
Not sure how to check that the dev version installed properly and I'm using it instead of the bundled version. :_6a68 does https://bugzilla.mozilla.org/attachment.cgi?id=8993494 install properly for you and actually override the bundled screenshots version?
Flags: needinfo?(jhirsch)
Yes, this works properly for me, and with no log line about stripping out the mozillaAddons permission 👍 How to tell it's working: note that uploading a shot opens a tab at the staging server (https://screenshots.stage.mozaws.net), not the production server.
Flags: needinfo?(jhirsch)
I finished 1. to 3. from https://bugzilla.mozilla.org/show_bug.cgi?id=1476778#c1 and confirmed that:

* edge stage works as expected with autograph stage after changing configs to point to localhost
* the edge-signed XPI installs on a new profile, and taking a screenshot opens a new tab on https://screenshots.stage.mozaws.net/

So the config changes look good, but $AUTOGRAPH_EDGE_TOKEN in CircleCI won't be useful until we deploy them.

For 4., we shouldn't need to tag new releases since only the config files changed, but we do need to deploy autograph and autograph edge to stage. The next full autograph deploy is scheduled for August 6th.

For 5., we can skip the verify step since it's going right to QA: https://github.com/mozilla/notes/blob/5fe40a25363354c2d3938972e722f05e85205563/circle.yml#L87-L92

:_6a68 in the meantime feel free to ping me on IRC or NI me here to locally sign XPIs.
:miles I'm holding off on creating a bug for deploying autograph stage. I'm assuming you'd rather wait and deploy autograph on the 6th too, but if you have time to deploy before then let me know.
autograph and autograph edge are deployed. I'm debugging a 502 Bad Gateway I'm seeing for the curl command.
oh it's a change I landed earlier: `"Fields":{"code":500,"msg":"signing failed with error: xpi: error parsing PK7 Digest: xpi: Failed to recognize PK7Digest from Options","rid":"YpvbedAVsqBjv6ve"}`
This is working \o/

I ran:

curl -v -F "input=@screenshots.xpi" -o screenshots-stage-edge-signed.xpi -H "Authorization: $token" https://autograph-edge.stage.mozaws.net/sign

and confirmed it installs in a new Nightly profile w/ dev-root and saves to screenshots stage.
The token is in the CircleCI config as $AUTOGRAPH_EDGE_TOKEN. :_6a68 let me know if you want help or need review for CircleCI config or doc updates (5. and 6.).
Assignee: gguthe → nobody
Status: ASSIGNED → NEW
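The curl invocation above, reworked as an added example (this is not code from the screenshots project, from its CircleCI config, or from autograph): a small Python script that POSTs an XPI to autograph-edge with the same request shape and then runs the local check the thread chose to skip, confirming the returned archive carries META-INF/manifest.mf, mozilla.sf and mozilla.rsa and that every manifest digest still matches the member it covers. The /sign path, the multipart field name "input" and the raw-token Authorization header are taken from the curl command; the manifest header set, the constructed sample archive and the script name are assumptions.

```python
# Added example, not the screenshots project's CI code and not autograph's.
# Request shape (POST /sign, multipart field "input", raw token in
# Authorization) comes from the curl command in this bug; the manifest.mf
# header set and the sample archive are assumptions for illustration.
import base64
import hashlib
import io
import os
import re
import sys
import urllib.request
import uuid
import zipfile

SIG_FILES = ("META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa")


def sign_xpi_with_edge(xpi_bytes: bytes, token: str, base_url: str) -> bytes:
    """POST the unsigned XPI to autograph-edge and return the signed bytes.
    urlopen raises HTTPError on 4xx/5xx, so a CI job fails loudly instead of
    shipping an unsigned file."""
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="input"; filename="addon.xpi"\r\n'
        "Content-Type: application/x-xpinstall\r\n\r\n"
    ).encode() + xpi_bytes + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/sign", data=body, method="POST",
        headers={"Authorization": token,
                 "Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def member_digests(data: bytes) -> dict:
    """Base64 digests in the form manifest.mf carries them."""
    return {"SHA1-Digest": base64.b64encode(hashlib.sha1(data).digest()).decode(),
            "SHA256-Digest": base64.b64encode(hashlib.sha256(data).digest()).decode()}


def build_manifest_mf(members: dict) -> str:
    """manifest.mf text for {name: bytes} (JAR manifest layout; header set assumed)."""
    out = ["Manifest-Version: 1.0", ""]
    for name, data in sorted(members.items()):
        d = member_digests(data)
        out += [f"Name: {name}", "Digest-Algorithms: SHA1 SHA256",
                f"SHA1-Digest: {d['SHA1-Digest']}", f"SHA256-Digest: {d['SHA256-Digest']}", ""]
    return "\n".join(out) + "\n"


def parse_manifest_mf(text: str) -> dict:
    """{name: {header: value}} from a JAR manifest: blank-line separated
    sections, long values continued on a following line starting with a space."""
    text = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    entries = {}
    for section in text.split("\n\n"):
        headers = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in headers:
            entries[headers["Name"]] = headers
    return entries


def check_signed_xpi(xpi_bytes: bytes) -> list:
    """Problems found; an empty list means the archive looks signed and intact.
    Checks signature files are present, every non-META-INF member is listed in
    manifest.mf, and each listed digest matches. Does NOT verify the PKCS#7 blob
    or which root it chains to; Firefox does that at install time (accepting the
    dev root only when xpinstall.signatures.dev-root is true, as in this bug)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = set(zf.namelist())
        problems += [f"missing {sf}" for sf in SIG_FILES if sf not in names]
        if "META-INF/manifest.mf" not in names:
            return problems
        entries = parse_manifest_mf(zf.read("META-INF/manifest.mf").decode())
        for name in sorted(names):
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in entries:
                problems.append(f"{name} not covered by manifest.mf")
                continue
            actual = member_digests(zf.read(name))
            for header, expected in entries[name].items():
                if header.endswith("-Digest") and actual.get(header) != expected:
                    problems.append(f"{name}: {header} mismatch")
    return problems


def build_sample_xpi(tamper: bool = False) -> bytes:
    """Constructed sample archive for offline runs. mozilla.sf / mozilla.rsa are
    stand-in bytes, not real signatures, so only the manifest checks are
    exercised. tamper=True edits a member after the manifest was computed."""
    members = {"manifest.json": b'{"manifest_version": 2, "name": "sample", "version": "0.1"}',
               "bootstrap.js": b"// constructed sample\n"}
    mf = build_manifest_mf(members)
    if tamper:
        members["bootstrap.js"] = b"// modified after signing\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/manifest.mf", mf)
        zf.writestr("META-INF/mozilla.sf", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/mozilla.rsa", b"\x30\x00")  # placeholder, not a real PKCS#7 blob
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # sign_check.py in.xpi out.xpi, with AUTOGRAPH_EDGE_TOKEN exported
        signed = sign_xpi_with_edge(open(sys.argv[1], "rb").read(),
                                    os.environ["AUTOGRAPH_EDGE_TOKEN"],
                                    "https://autograph-edge.stage.mozaws.net")
        open(sys.argv[2], "wb").write(signed)
        print(check_signed_xpi(signed) or "signed XPI looks intact")
    else:
        print(check_signed_xpi(build_sample_xpi()) or "sample: ok")
        print(check_signed_xpi(build_sample_xpi(tamper=True)))
```

Run with no arguments for the offline self-check; with `in.xpi out.xpi` and $AUTOGRAPH_EDGE_TOKEN exported it signs a real file and checks the result. The check is deliberately shallow: it catches an archive that came back unsigned or was modified after signing, but whether the PKCS#7 blob chains to the dev root rather than the production root is only established when Firefox installs it under the dev-root pref, which is why the thread still installs the file on a fresh Nightly profile.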
related PRs:

* https://github.com/mozilla-services/screenshots/pull/4729
* https://github.com/mozilla-services/screenshots/pull/4734

:_6a68 deployed autograph edge with the new token and updated the CircleCI config, so the XPI should be signed successfully now.
Screenshots CI is consistently failing today due to a connection timeout to autograph-edge.stage.m.n. Is it a known, and hopefully temporary, issue?
(In reply to Barry Chen from comment #15)
> Screenshots CI is consistently failing today due to a connection timeout to
> autograph-edge.stage.m.n. Is it a known, and hopefully temporary, issue?

No, thanks for bringing it up. I'll check with ops to see if we did anything recently to break it.
This should be fixed now:

$ curl https://autograph-edge.stage.mozaws.net/__version__
{"commit":"1f7733140b01eb70b2ffe58e454d60d5e4d5acbc","version":"1.0.5","source":"https://github.com/mozilla-services/autograph-edge","build":"https://circleci.com/gh/mozilla-services/autograph-edge/143"}

Ping me if the screenshots CI jobs continue to fail.

For background, last week we aliased the edge subdomain to a private autograph ELB (due to a few ongoing migrations) instead of the public edge ELB, so I rolled that change back.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
