Closed Bug 1661025 Opened 4 years ago Closed 4 years ago

Sign/notarize mozregression gui for Mac and Windows

Categories

(Testing :: mozregression, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1661349

People

(Reporter: wlach, Unassigned)

Details

Currently people are getting scary warnings when they try to install the GUI on Mac and Windows (see bug 1647533 and https://mozilla.github.io/mozregression/install.html#mozregression-gui). The GUI is a simpler entrypoint to mozregression than the command-line version and is frequently used by less-technical folks. You can see a graph of its relative usage here:

https://sql.telemetry.mozilla.org/queries/70610#177730

Ideally we would set up automatic signing for mozregression but that seems hard (https://bugzilla.mozilla.org/show_bug.cgi?id=1366570#c6).

:glob pointed out that it is possible in the interim for relman to sign binaries. Would it be possible to do that for the 4.0.12 release? Specifically the Mac and Windows binaries would need to be signed and notarized:

https://github.com/mozilla/mozregression/releases/tag/4.0.12

Needinfo'ing nthomas, who did this in bug 1588707 for mozilla-build.

Flags: needinfo?(nrthomas)

IIRC we don't have support for mac in the adhoc signing system, but Aki is your best point of contact for this, passing the ni on.

Flags: needinfo?(nrthomas) → needinfo?(aki)

It appears you have an .app, which is needed for notarization.
Nick's right, we don't have mac support in adhoc.

Before we proceed here, the best trust model we have is in-tree. Aiui mozregression is a tool for testing things built from the Gecko tree. How plausible is it to move mozregression and its automation to the tree? We have a mac signing pool there; it would be a matter of adding tasks to an existing trust model rather than building our own or adding mac support where we don't currently.

Flags: needinfo?(aki)

(In reply to Aki Sasaki [:aki] (he/him) (UTC-7) from comment #2)

> Before we proceed here, the best trust model we have is in-tree. Aiui mozregression is a tool for testing things built from the Gecko tree. How plausible is it to move mozregression and its automation to the tree? We have a mac signing pool there; it would be a matter of adding tasks to an existing trust model rather than building our own or adding mac support where we don't currently.

I have resisted this for a while, but it probably makes sense at this juncture. Putting it in-tree would have a number of other benefits (easier to validate that changes to taskcluster/mozbase don't break mozregression e.g.) and the project is much more in a state now where we can consider it purely "maintenance mode" now that the GUI is more stable and we have proper telemetry implemented in the product.

The main question is who's going to do the work and when: like most of us, I don't have a ton of extra time these days. I'll give it some thought and file a bug soon.

In the short term, would it at least be possible to sign the current windows installer as mentioned in comment 0? That would solve some short-term friction we're seeing.

Flags: needinfo?(aki)

(In reply to William Lachance (:wlach) (use needinfo!) from comment #3)

> (In reply to Aki Sasaki [:aki] (he/him) (UTC-7) from comment #2)
>
> > Before we proceed here, the best trust model we have is in-tree. Aiui mozregression is a tool for testing things built from the Gecko tree. How plausible is it to move mozregression and its automation to the tree? We have a mac signing pool there; it would be a matter of adding tasks to an existing trust model rather than building our own or adding mac support where we don't currently.
>
> I have resisted this for a while, but it probably makes sense at this juncture. Putting it in-tree would have a number of other benefits (easier to validate that changes to taskcluster/mozbase don't break mozregression e.g.) and the project is much more in a state now where we can consider it purely "maintenance mode" now that the GUI is more stable and we have proper telemetry implemented in the product.
>
> The main question is who's going to do the work and when: like most of us, I don't have a ton of extra time these days. I'll give it some thought and file a bug soon.

Yeah, and releng was cut deep by the layoffs. I imagine we'll need to prioritize based on the need. There are a number of people with gecko taskgraph knowledge, though, so we can expand the request rather than limit by team.

If it helps, we could potentially keep development of mozregression out-of-tree, and vendor / release when ready. We could also bite the bullet and move development in-tree as well to keep the CI processes and release processes closer.

> In the short term, would it at least be possible to sign the current windows installer as mentioned in comment 0? That would solve some short-term friction we're seeing.

Sure! Could you follow https://github.com/mozilla-releng/adhoc-signing/blob/master/docs/how-to-request.md (you'll be the first to follow that particular doc, so please let me know if there's anything to fix)? NI me on that bug, and we'll proceed from there.

Flags: needinfo?(aki)

(In reply to Aki Sasaki [:aki] (he/him) (UTC-7) from comment #4)

> If it helps, we could potentially keep development of mozregression out-of-tree, and vendor / release when ready. We could also bite the bullet and move development in-tree as well to keep the CI processes and release processes closer.

I think it makes more sense to just move everything to the tree. Will file a bug soon. :)

> > In the short term, would it at least be possible to sign the current windows installer as mentioned in comment 0? That would solve some short-term friction we're seeing.
>
> Sure! Could you follow https://github.com/mozilla-releng/adhoc-signing/blob/master/docs/how-to-request.md (you'll be the first to follow that particular doc, so please let me know if there's anything to fix)? NI me on that bug, and we'll proceed from there.

Awesome, thank you. Filed bug 1661349 for this, I'll mark this one as a duplicate.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

As per discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1661025#c4 -- it seems like the "right way" to solve this issue is to move mozregression in-tree, where we can reuse the existing signing/trust infrastructure for Firefox.

It occurs to me that we could possibly just make the in-tree version a mirror if we want to continue development on GitHub.

Any update on this? This is a painful bit of friction when trying to get a user to use mozregression?

Flags: needinfo?(wlachance)

(In reply to Jeff Muizelaar [:jrmuizel] from comment #7)

> Any update on this? This is a painful bit of friction when trying to get a user to use mozregression?

No updates I'm afraid. :( I agree this would be good to fix but it's a bit of a can of worms. I'd be happy to support anyone who wants to attempt this, but that's probably the best I can do.

Flags: needinfo?(wlachance)