Closed Bug 1545378 Opened 5 years ago Closed 5 years ago

Fenix beta and nightly signing keys

Categories

(Cloud Services :: Operations: Autograph, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mhentges, Unassigned)

Attachments (4 files, application/pkix-cert): 1.33 KB, 1.34 KB, 1.34 KB, 1.34 KB

Hey :)

Currently, we have two signing keys for Fenix:

  • One for nightly, which we're using signingscript_fenix for
  • One for running tests and sanity-checking infrastructure: signingscript_fenix_dep

However, as we prepare to release Fenix, we're planning on having four keys in total:

  • One for release
  • One for beta
  • One for nightly
  • One for dep (performance tests, infra tests, etc)

I'm flexible in our approach for implementing this: it could be one user for all the production tracks (release + beta + nightly), differentiated by the signing type (`autograph_fenix_{release|beta|nightly}`), or perhaps each track has its own individual user. Let me know what makes the most sense!

However, we have some pressure - we just solidified the requirements for the Fenix beta earlier today, but it's planned to release by May 1. Do you know if it's feasible to modify autograph and deploy the changes before then?

Blocks: 1545401
Depends on: 1545456

(In reply to Mitchell Hentges [:mhentges] from comment #0)

> I'm flexible in our approach for implementing this: it could be one user for all the production tracks (release + beta + nightly), differentiated by the signing type (`autograph_fenix_{release|beta|nightly}`), or perhaps each track has its own individual user. Let me know what makes the most sense!

signingscript_fenix currently has access to both keys. I dropped the dep key and added the new rel and beta keys, so it will have access using key ids fenix_ngt_apk, fenix_beta_apk and fenix_rel_apk, and will default to ngt.

Signingscript didn't have keyid support (it might now), so I've been generating separate creds for each key too. I did that for Fenix too and will send those over.

> However, we have some pressure - we just solidified the requirements for the Fenix beta earlier today, but it's planned to release by May 1. Do you know if it's feasible to modify autograph and deploy the changes before then?

Scheduled for next Tuesday (stage) and Wednesday (prod), tracking in https://bugzilla.mozilla.org/show_bug.cgi?id=1545456, and I'll email autograph-users about the deploys tomorrow.

Thanks g-k!

Can we keep the dep key? We still use it for our internal testing :)
Also: for the sake of readability, can we use the full terms for "nightly" and "release"? I feel that having the longer names may simplify understanding what they are (I had to think about "ngt" for a minute :P)

Flags: needinfo?(gguthe)
Attached file fenix_dep_apk.crt
Attached file fenix_ngt_apk.crt
Flags: needinfo?(gguthe)
Attached file fenix_beta_apk.crt
Attached file fenix_rel_apk.crt

Sent over the updated creds.

(In reply to Mitchell Hentges [:mhentges] from comment #2)

> Thanks g-k!
>
> Can we keep the dep key? We still use it for our internal testing :)

The dep key still exists and the signingscript_fenix_dep creds still have access to it. I did remove access to the dep key from signingscript_fenix since you wanted to reserve that for prod keys.

> Also: for the sake of readability, can we use the full terms for "nightly" and "release"? I feel that having the longer names may simplify understanding what they are (I had to think about "ngt" for a minute :P)

Sure, I'll rename them.

Renamed ngt -> nightly and rel -> release in config commit f98f2bc946e87e0e16fe58a7fedf447f7574800d

Oh, I see! Thanks :)

For the sake of simplifying, I'm pretty sure that we won't use the base signingscript_fenix user, but will rather just act as the individual users for each signing type.
If it's easier for you to not have the unused credentials, I think we're clear to continue without them :)

OK, I deleted signingscript_fenix (commit 1ae3bf7efddccb563864c32aa126f5469beb0a48)

Fixed the keyids (s/fenix_ngt/fenix_nightly and s/fenix_rel/fenix_release) in the prod config (stage uses dummy) in commit 47f3a11a36c2aacae5417220be4bb9c8f9203eeb

Changes are live.

:mhentges, can you mark as verified or reopen this if you run into problems?

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

Can do, thanks!

Flags: needinfo?(mhentges)

Works great for both Nightly and Beta, thanks!

Status: RESOLVED → VERIFIED
Flags: needinfo?(mhentges)