replace rsapss signers with genericrsa signers in autograph stage and prod configs
Categories: Cloud Services :: Operations: Autograph, task
Tracking: Not tracked
People: Reporter: u581815, Assigned: mozilla
References: Blocks 1 open bug
Attachments: 1 file
Added duplicate widevine signers in autograph-hiera-sops commit 39d6a8384056984841816e932b51c380a16c2ca3
I can resolve this bug once we deploy train-5 then RelEng has a chance to cutover and we get a chance to remove the rsapss type signers.
aki: can you test using the generic signers or 302 to the right person to test that? (should be the same names but using keyids with a _generic suffix, I'll confirm later this week)
Assuming that's OK we can drop the rsapss signer configs in train-6 and possibly remove the signer code (though that could wait too).
Assignee
Comment 5•5 years ago
Do you know which formats are rsapss? I grepped for rsapss in signingscript and didn't see anything.
Comment 6•5 years ago
(In reply to Aki Sasaki [:aki] (he/him) (UTC-7) from comment #5)
> Do you know which formats are rsapss? I grepped for rsapss in signingscript and didn't see anything.
widevine_dep1 and widevine_rel1 are the only two in prod.
You could stop using them today by replacing their respective keyid with widevine_dep1_genericrsa and widevine_rel1_genericrsa.
Assignee
Comment 7•5 years ago
Assignee
Comment 8•5 years ago
Looks like using widevine_dep_1_genericrsa worked.
In commit 9f38e4e3028724d05b95fcb2585206056f5f09ff:
- dropped the rsapss signers and removed them from the authorizations
- dropped the _genericrsa suffix from the generic signers (which makes them the default signers)
for stage and prod.
Resolving since changes will go out with train-6, we can reopen if that doesn't happen.
Comment 10•5 years ago
hwine: r+ for 9f38e4e3028724d05b95fcb2585206056f5f09ff