Closed
Bug 1520249
Opened 6 years ago
Closed 6 years ago
Update reference-browser dep key attributes
Categories
(Cloud Services :: Operations: Autograph, enhancement)
RESOLVED
FIXED
People
(Reporter: mhentges, Unassigned)
As discussed on IRC, we're going to have dep and rel keys have all but one attribute be the same:
| Key | Value |
|---|---|
| OU | Release Engineering |
| O | Mozilla Corporation |
| L | Mountain View |
| ST | California |
| C | US |
However:
- For release, CN will be "Release Engineering"
- For dep, CN will be "Throwaway Key"

Currently, our reference-browser dep key has a few different attribute values than the rel key, and this ticket wants to resolve that :)
fixed in autograph-hiera-sops commit 3fe8609ecb4c8d2938dae0cf8dd13e0ab4b5b2a9
Validated autograph runs config w/ mar hsm and gpg2 signers disabled and signs using the updated key (i.e. apksigner verify prints the Throwaway Key CN). New cert is:
$ cat ~/geckoview_dep_pub.cert
With text output:
$ openssl x509 -noout -in ~/geckoview_dep_pub.cert -inform PEM -text | head -10
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1129499533 (0x4352cb8d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key
Validity
Not Before: Jan 15 19:41:50 2019 GMT
Not After : Jun 2 19:41:50 2046 GMT
Subject: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key
Leaving bug open until we can deploy this change.
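A check of the attribute policy described in this bug, as an added example (not code from the bug or from autograph): it parses the Issuer and Subject lines of `openssl x509 -text` output and reports every attribute that deviates from the table for a `dep` or `rel` key. The function names are hypothetical, and the parser assumes attribute values contain no commas, which holds for the values in the ticket.

```python
# Attributes the ticket says dep and rel keys must share.
SHARED = {"OU": "Release Engineering", "O": "Mozilla Corporation",
          "L": "Mountain View", "ST": "California", "C": "US"}
# The one attribute that differs between the two key types.
EXPECTED_CN = {"rel": "Release Engineering", "dep": "Throwaway Key"}

# Issuer/Subject lines copied from the openssl output quoted in this bug.
PAGE_DEP_TEXT = """\
Issuer: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key
Subject: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key
"""

def parse_dn(line):
    """Parse an 'Issuer: ...' or 'Subject: ...' line into {attribute: value}."""
    attrs = {}
    for part in line.partition(":")[2].split(","):  # assumes no commas in values
        key, sep, value = part.partition("=")       # accepts 'C = US' and 'C=US'
        if not sep or key.strip() in attrs:
            raise ValueError(f"malformed or duplicate DN component: {part!r}")
        attrs[key.strip()] = value.strip()
    return attrs

def check_dn(line, key_type):
    """Return the policy violations for one DN line (empty list = compliant)."""
    attrs = parse_dn(line)
    expected = dict(SHARED, CN=EXPECTED_CN[key_type])
    problems = [f"{k}: expected {want!r}, got {attrs.get(k)!r}"
                for k, want in expected.items() if attrs.get(k) != want]
    # Attributes outside the agreed set are also a deviation from the table.
    problems += [f"{k}: unexpected attribute {attrs[k]!r}"
                 for k in sorted(set(attrs) - set(expected))]
    return problems

def check_cert_text(text, key_type):
    """Check both DN lines found in `openssl x509 -noout -text` output."""
    problems, seen = [], set()
    for line in text.splitlines():
        field = line.strip().split(":")[0]  # 'Subject Public Key Info' != 'Subject'
        if field in ("Issuer", "Subject"):
            seen.add(field)
            problems += [f"{field} {p}" for p in check_dn(line, key_type)]
    problems += [f"{f}: line not found" for f in ("Issuer", "Subject") if f not in seen]
    return problems

if __name__ == "__main__":
    print("as dep:", check_cert_text(PAGE_DEP_TEXT, "dep") or "compliant")
    print("as rel:", check_cert_text(PAGE_DEP_TEXT, "rel"))
```

Checking the same certificate against the `rel` policy flags the CN on both lines, which is the property that keeps a dep-signed build distinguishable from a release-signed one.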
This change should be out with the redeploy for bug 1524003
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED