Deploy Autograph 3.7.0 train-4
Categories
(Cloud Services :: Operations: Deployment Requests - DEPRECATED, task)
Tracking
(Not tracked)
People
(Reporter: jvehent, Assigned: u581815)
References
(Blocks 1 open bug)
Details
Tracker for autograph train-4 to be deployed the week of September 23rd.
Code changes:
- bump golang 1.12 to 1.13
- update signers to use the HSM RNG when available, not just when their private key is in the HSM (this should be more secure, since it's a better entropy source, and more performant, since it has higher bandwidth)
- add a check that errors when initializing signers with malformed public keys (too short, <50 bytes), which usually indicates an HSM fetch failure
- log DB and HSM latencies from heartbeat check
- log output SHA256 sums for /sign/file and /sign/data
full diff: https://github.com/mozilla-services/autograph/compare/3.6.0...3.7.0
image tag: https://hub.docker.com/r/mozilla/autograph/tags/?page=1&name=3.7.0
Config changes:
- add dep and rel signing keys for Firefox for Fire TV APKs
- increase the SAO and other non-AMO XPI signer RSA cache sizes and key generation rate
Deployed to stage.
QA:
stage proxy monitor passes (run-id 9aa45095-0943-4f27-90db-8e64586955e9)
monitor passes (run-id a70f89df-e5ef-4d74-b23c-770597c893ec)
test addons signed and verified on AMO
:bpitts or :miles can you run "./manage.py update_signatures --force" on the normandy stage admin?
:aki can you run the relevant MAR/widevine/mac signing jobs from https://moz-releng-docs.readthedocs.io/en/latest/procedures/Testing_Autograph.html ?
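The two signer-initialization changes listed above (rejecting public keys shorter than 50 bytes, and preferring an HSM-backed RNG when one is available) as an added Go example. This is not Autograph's code: the 50-byte threshold is the figure given in the description, while the PEM/PKIX decoding, the `ErrPublicKeyTooShort` sentinel, the `SelectRNG` fallback to `crypto/rand`, and the generated sample key and constructed truncated key are all assumptions made here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// minPubKeyLen is the sanity threshold assumed for this example: a decoded
// public key shorter than this is far more likely an empty or truncated value
// from a failed HSM fetch than a real key.
const minPubKeyLen = 50

// ErrPublicKeyTooShort is returned when the decoded key fails the length check.
var ErrPublicKeyTooShort = errors.New("public key too short")

// ValidatePublicKey decodes a PEM-encoded public key and rejects values that
// are too short to be a real key before handing them to the parser.
func ValidatePublicKey(pemData string) (interface{}, error) {
	block, _ := pem.Decode([]byte(pemData))
	if block == nil {
		return nil, errors.New("public key is not valid PEM")
	}
	if len(block.Bytes) < minPubKeyLen {
		return nil, fmt.Errorf("%w: %d bytes, likely an HSM fetch failure",
			ErrPublicKeyTooShort, len(block.Bytes))
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing public key: %w", err)
	}
	return pub, nil
}

// SelectRNG returns the HSM-backed reader when one is configured and falls
// back to crypto/rand otherwise, regardless of where the private key lives.
func SelectRNG(hsmRand io.Reader) io.Reader {
	if hsmRand != nil {
		return hsmRand
	}
	return rand.Reader
}

// GenerateTestKeyPEM creates a fresh P-256 key and returns its public half as
// PKIX PEM; it stands in for the key a signer would fetch from an HSM.
func GenerateTestKeyPEM() string {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// TruncatedPEM is a constructed PEM block carrying only 10 bytes, the shape of
// a value left behind when an HSM fetch returned nothing usable.
func TruncatedPEM() string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: make([]byte, 10)}))
}

func main() {
	if pub, err := ValidatePublicKey(GenerateTestKeyPEM()); err == nil {
		fmt.Printf("accepted key of type %T\n", pub)
	}
	if _, err := ValidatePublicKey(TruncatedPEM()); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Printf("rng without HSM: %T\n", SelectRNG(nil))
}
```

The length check runs before `x509.ParsePKIXPublicKey` so that a blank or truncated value fails with an error that points at the HSM fetch rather than at a generic ASN.1 parse failure.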
Comment 4•5 years ago
The staging mar task went green. Did we need widevine/mac tests? Those aren't set up currently.
(In reply to Aki Sasaki [:aki] (he/him) (UTC-7) from comment #4)
> The staging mar task went green.
Sweet, thanks!
> Did we need widevine/mac tests? Those aren't set up currently.
Those might be prod only, so I think we're good.
Thanks :bpitts!
Continuing with Kinto QA, the Kinto refresh lambda completed successfully (run id: 18ccda06-3477-4f99-ab00-22d0f3697cd5).
The stage and stage preview settings sync, but we get a MissingSignatureError: Missing signature (main-preview/normandy-recipes) in stage preview.
:leplatrem :mythmon is the MissingSignatureError: Missing signature (main-preview/normandy-recipes) error in the stage preview collection something we should worry about?
Comment 9•5 years ago
No, not really an issue. This collection is not in use (normandy does not use the multi-signoff/preview feature).
It should be gone with https://bugzilla.mozilla.org/show_bug.cgi?id=1575182
Comment 10•5 years ago
(In reply to Mathieu Leplatre [:leplatrem] from comment #9)
> No, not really an issue. This collection is not in use (normandy does not use the multi-signoff/preview feature).
> It should be gone with https://bugzilla.mozilla.org/show_bug.cgi?id=1575182
Awesome! We'll deploy prod later today then.
Comment 11•5 years ago
Prod is deployed.
:bpitts can you run "./manage.py update_signatures --force" on the normandy prod admin?
:aki can you run a MAR signing job from https://moz-releng-docs.readthedocs.io/en/latest/procedures/Testing_Autograph.html and any other signing jobs releng wants to test (widevine, authenticode, omni.ja)? Otherwise those can wait 'til the next Fx signing run.
Comment 12•5 years ago
Prod QA:
monitor is passing and I see the new fx fire apk keys
ditto for monitor proxy
AMO signed and verified the test addon
TODO Kinto
Comment 14•5 years ago
A mar-signing retrigger went green.
The other signing types happen on-push in CI, and appear to be good.
Comment 15•5 years ago
Thanks!
Kinto refresh lambda passed (run-id: bc5edb3e-d676-4727-ac80-7c58f90ca366)
Getting:
MissingSignatureError: Missing signature (main-preview/normandy-recipes)
MissingSignatureError: Missing signature (main-preview/rocket-releases)
with the other main-preview/ collections passing for prod preview, and all collections in prod passing.
Comment 16•5 years ago
I think we're good here, but we can reopen if those preview collections are an issue.