Fenix beta and nightly signing keys
Categories: Cloud Services :: Operations: Autograph, task
Tracking: Not tracked
People: Reporter: mhentges, Unassigned
Hey :)
Currently, we have two signing keys for Fenix:
- One for nightly, which we're using `signingscript_fenix` for
- One for running tests and sanity-checking infrastructure: `signingscript_fenix_dep`
However, as we prepare to release Fenix, we're planning on having four keys in total:
- One for release
- One for beta
- One for nightly
- One for dep (performance tests, infra tests, etc)
I'm flexible in our approach for implementing this: it could be one user for all the production tracks (release + beta + nightly), differentiated by the signing type (`autograph_fenix_{release|beta|nightly}`), or perhaps each track has its own individual user. Let me know what makes the most sense!
However, we have some pressure - we just solidified the requirements for the Fenix beta earlier today, but it's planned to release by May 1. Do you know if it's feasible to modify autograph and deploy the changes before then?
(In reply to Mitchell Hentges [:mhentges] from comment #0)
> I'm flexible in our approach for implementing this: it could be one user for all the production tracks (release + beta + nightly), differentiated by the signing type (`autograph_fenix_{release|beta|nightly}`), or perhaps each track has its own individual user. Let me know what makes the most sense!
`signingscript_fenix` currently has access to both keys, I dropped the dep key and added the new rel and beta keys, so it will have access using key ids: `fenix_ngt_apk`, `fenix_beta_apk`, `fenix_rel_apk` and default to ngt
Signingscript didn't have keyid support (it might now), so I've been generating separate creds for each key too. I did that for Fenix too and will send those over.
> However, we have some pressure - we just solidified the requirements for the Fenix beta earlier today, but it's planned to release by May 1. Do you know if it's feasible to modify autograph and deploy the changes before then?
Scheduled for next Tuesday (stage) and Wednesday (prod) tracking in https://bugzilla.mozilla.org/show_bug.cgi?id=1545456 and I'll email autograph-users about the deploys tomorrow.
Comment 2 • 5 years ago (Reporter)
Thanks g-k!
Can we keep the dep key? We still use it for our internal testing :)
Also: for the sake of readability, can we use the full terms for "nightly" and "release"? I feel that having the longer names may simplify understanding what they are (I had to think about "ngt" for a minute :P)
Sent over the updated creds.
(In reply to Mitchell Hentges [:mhentges] from comment #2)
> Thanks g-k!
> Can we keep the dep key? We still use it for our internal testing :)
The dep key still exists and the `signingscript_fenix_dep` creds still have access to it. I did remove access to the dep key from `signingscript_fenix` since you wanted to reserve that for prod keys.
> Also: for the sake of readability, can we use the full terms for "nightly" and "release"? I feel that having the longer names may simplify understanding what they are (I had to think about "ngt" for a minute :P)
Sure I'll rename them.
renamed ngt -> nightly and rel -> release in config commit f98f2bc946e87e0e16fe58a7fedf447f7574800d
Comment 9 • 5 years ago (Reporter)
Oh, I see! Thanks :)
For the sake of simplifying, I'm pretty sure that we won't use the base `signingscript_fenix` user, but will rather just act as the individual users for each signing type.
If it's easier for you to not have the unused credentials, I think we're clear to continue without them :)
Comment 10 • 5 years ago
OK I deleted `signingscript_fenix` (commit 1ae3bf7efddccb563864c32aa126f5469beb0a48)
Comment 11 • 5 years ago
fixed the keyids (s/fenix_ngt/fenix_nightly and s/fenix_rel/fenix_release) in the prod config (stage uses dummy) in commit 47f3a11a36c2aacae5417220be4bb9c8f9203eeb
Comment 12 • 5 years ago
Changes are live.
:mhentges can you mark as verified or reopen this if you run into problems?
Comment 13 • 5 years ago (Reporter)
Can do, thanks!
Comment 14 • 5 years ago (Reporter)
Works great for both Nightly and Beta, thanks!