Closed Bug 1520249 Opened 6 years ago Closed 6 years ago

Update reference-browser dep key attributes

Categories

(Cloud Services :: Operations: Autograph, enhancement)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mhentges, Unassigned)

References

(Blocks 1 open bug)

Details

As discussed on IRC, we're going to have dep and rel keys have all but one attribute be the same:

Key   Value
OU    Release Engineering
O     Mozilla Corporation
L     Mountain View
ST    California
C     US

However:

  • For release, CN will be "Release Engineering"
  • For dep, CN will be "Throwaway Key"

Currently, our reference-browser dep key has a few different attribute values than the rel key, and this ticket wants to resolve that :)

fixed in autograph-hiera-sops commit 3fe8609ecb4c8d2938dae0cf8dd13e0ab4b5b2a9

Validated autograph runs config w/ mar hsm and gpg2 signers disabled and signs using the updated key (i.e. apksigner verify prints the Throwaway Key CN). New cert is:

With text output:

$ openssl x509 -noout -in ~/geckoview_dep_pub.cert -inform PEM -text | head -10
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1129499533 (0x4352cb8d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key
        Validity
            Not Before: Jan 15 19:41:50 2019 GMT
            Not After : Jun  2 19:41:50 2046 GMT
        Subject: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key

Leaving bug open until we can deploy this change.

Blocks: autograph

This change should be out with the redeploy for bug 1524003

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
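
An added example, not part of the bug or of Autograph's own code: a Python check of the attribute policy described above, run against the Issuer and Subject lines of `openssl x509 -text` output. It assumes the certificate is self-signed, as the output above shows, so both lines are held to the same values; `parse_dn` and `check_cert_text` are names chosen here.

```python
import re

# Attributes the bug says dep and release keys share.
SHARED = {"OU": "Release Engineering", "O": "Mozilla Corporation",
          "L": "Mountain View", "ST": "California", "C": "US"}
# CN is the one attribute that differs by key type.
EXPECTED_CN = {"rel": "Release Engineering", "dep": "Throwaway Key"}

# Issuer/Subject lines as printed on this page for the new dep certificate.
DEP_TEXT = """\
        Issuer: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key
        Subject: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Release Engineering, CN = Throwaway Key
"""

def parse_dn(line):
    """Parse 'Subject: C = US, ST = California, ...' into a dict."""
    dn = line.partition(":")[2].strip()
    attrs = {}
    # Split only on commas that start a new 'KEY =' pair, so a comma
    # inside a value (e.g. 'Example, Inc.') stays part of that value.
    for part in re.split(r",\s*(?=[A-Za-z]+\s*=)", dn):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {part!r}")
        attrs[key.strip()] = value.strip()
    return attrs

def check_cert_text(text, key_type):
    """Return the policy violations found in `openssl x509 -text` output."""
    want = dict(SHARED, CN=EXPECTED_CN[key_type])
    found = {}
    for line in text.splitlines():
        label = line.strip().split(":", 1)[0]
        if label in ("Issuer", "Subject"):
            found[label] = parse_dn(line)
    problems = []
    for label in ("Issuer", "Subject"):  # assumption: self-signed certificate
        if label not in found:
            problems.append(f"{label}: line missing")
            continue
        for key in sorted(set(want) | set(found[label])):
            got, exp = found[label].get(key), want.get(key)
            if got != exp:
                problems.append(f"{label}: {key} is {got!r}, expected {exp!r}")
    return problems

if __name__ == "__main__":
    print(check_cert_text(DEP_TEXT, "dep") or "dep certificate matches policy")
```

Checking the same text with `key_type="rel"` reports the CN on both lines, which is the property the differing CN is meant to make visible.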