Closed Bug 1526419 Opened 7 months ago Closed 6 months ago

easy button to test autograph-stage mar signing

Categories

(Release Engineering :: Release Automation: Signing, enhancement)

enhancement
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aki, Assigned: aki)

References

Details

(Keywords: leave-open)

Attachments

(7 files, 1 obsolete file)

Our current dep, nightly, and release mar configs all hit autograph-prod. This is by design: we don't want the availability or configuration of autograph-stage to cause tree closures.

However, we'd like a way to test autograph config or code changes before they hit autograph-prod. Our current solution involves a lot of manual steps by Ben or me, or waiting until the changes hit prod and rerunning a nightly mar signing task.

Let's add an easy button: a task that exists for add-task, but doesn't run without an explicit request. This will hit the depsigning scriptworkers with a special autograph-stage signing format. This task should also verify the signature matches the autograph-stage mar signing key.

  • [X] add the autograph-stage mar pubkey in-tree
  • [ ] add the autograph-stage mar pubkey in mardor, to allow for signature verification (this PR)
  • [X] add the autograph-stage creds to the dep signing passwords file
  • [ ] add the capability to verify mar signatures, via mardor, in signingscript. This could be optional or on by default.
  • [ ] add the scopes for the new nightly task in ci-configuration
  • [ ] add a nightly task [that doesn't run by default] that signs a mar through depsigning scriptworkers->autograph-stage, and verifies it through mardor, and turns green if successful
    • [ ] the plan is for anyone with the right scopes to be able to add-task this task against the most recent nightly graph, and check its status.
Keywords: leave-open

Aha! https://bugzilla.mozilla.org/show_bug.cgi?id=1510778#c1 is where I documented how to do testing on signing-linux-dev1. I might dup that bug forward to this one, since this one has an actionable plan.

Duplicate of this bug: 1510778
Attachment #9042593 - Attachment is obsolete: true
Pushed by asasaki@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/91ac960f7b59
add autograph_stage.pem mar signing pubkey. r=catlee

It looks like I got that to work in this try push: log

I still need to fix up the signingscript PR (test coverage, fix tests) and write the in-tree task. We also probably need a mardor release.

We'll need to get the keyids in-tree and deal with that in signingscript+mardor for key rotation, but we can leave that for a followup bug :)

We use autograph-prod for our ci, nightly, and release signing. Autograph-stage doesn't have the same guarantees for availability, so pointing, say, dep-signing at autograph-stage would have resulted in occasional tree closures whenever autograph-stage changes configuration or is down.

However, we also want a way to verify autograph-stage is still valid, after the autograph team makes changes. This task is meant to be add-task'ed; a green result means autograph-stage has signed the mar file correctly.

My test try push is here.

The first signing task failed because I was on scriptworker 20.0.0 without the ci-configuration patch in 20.0.1.
The first mar-signing-autograph-stage-linux64-nightly/opt task failed because it looks like the queue or artifact mirror didn't have the artifacts ready to download until the 2nd run.

All we need to do to test autograph-stage is to add the ms-stage(N) task, aka mar-signing-autograph-stage-linux64-nightly/opt. It will go green if autograph-stage's mar signing provides a valid mar signature.
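As an added example (not code from this bug, mardor, or signingscript), here is the verification step the plan delegates to mardor, done with the cryptography library over a MAR built inline: the signed payload is the whole file minus the signature bytes, and algorithm id 2 is RSA-PKCS1-SHA384. The MAR layout follows the documented format, and the key pair is generated on the fly as a stand-in for the autograph-stage pubkey; a green task corresponds to `verify_mar` returning True, a tampered or differently keyed file to False.

```python
import struct
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SIG_RSA_PKCS1_SHA384 = 2        # MAR signature algorithm id for RSA-PKCS1-SHA384
SIG_HDR = struct.Struct(">II")  # per-signature header: algorithm id, signature size

def split_mar(data):
    """Return (signed payload, [(algo, sig), ...]); payload = whole file minus signature bytes."""
    (num_sigs,) = struct.unpack(">I", data[16:20])  # bytes 0-19: MAR1, index off, size, count
    pos, covered, sigs = 20, [data[:20]], []
    for _ in range(num_sigs):
        algo, size = SIG_HDR.unpack_from(data, pos)
        covered.append(data[pos:pos + SIG_HDR.size])  # algo/size fields stay covered
        sigs.append((algo, data[pos + SIG_HDR.size:pos + SIG_HDR.size + size]))
        pos += SIG_HDR.size + size
    covered.append(data[pos:])
    return b"".join(covered), sigs

def verify_mar(data, public_key):
    """True if any RSA-PKCS1-SHA384 signature in the MAR verifies under public_key."""
    if data[:4] != b"MAR1":
        return False
    payload, sigs = split_mar(data)
    for sig in (s for algo, s in sigs if algo == SIG_RSA_PKCS1_SHA384):
        try:
            public_key.verify(sig, payload, padding.PKCS1v15(), hashes.SHA384())
            return True
        except InvalidSignature:
            pass
    return False

def build_signed_mar(private_key, content=b"constructed update payload"):  # sample MAR, not a real update
    sig_size = private_key.key_size // 8
    content_off = 20 + SIG_HDR.size + sig_size
    index_off = content_off + len(content)
    entry = struct.pack(">III", content_off, len(content), 0o644) + b"update.manifest\0"
    index = struct.pack(">I", len(entry)) + entry
    header = b"MAR1" + struct.pack(">IQI", index_off, index_off + len(index), 1)
    unsigned = header + SIG_HDR.pack(SIG_RSA_PKCS1_SHA384, sig_size) + b"\0" * sig_size + content + index
    payload, _ = split_mar(unsigned)  # the zero placeholder is not part of the payload
    sig = private_key.sign(payload, padding.PKCS1v15(), hashes.SHA384())
    return unsigned[:28] + sig + unsigned[28 + sig_size:]

def demo():  # throwaway key pair stands in for the autograph-stage key; returns (valid, tampered)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    mar = build_signed_mar(key)
    tampered = mar[:-1] + bytes([mar[-1] ^ 1])  # flip one bit in the index
    return verify_mar(mar, key.public_key()), verify_mar(tampered, key.public_key())
```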

Pushed by asasaki@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/811caa480654
add mar-signing-autograph-stage task r=Callek
Attached file relengdocs PR
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED