Closed Bug 1712328 Opened 5 months ago Closed 3 months ago

add signing support for msix packages

Categories

(Release Engineering :: Release Automation: Signing, task)

Tracking

(firefox92 fixed)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: bhearsum)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file, 12 obsolete files)

48 bytes, text/x-phabricator-request

We largely have done this prior to filing the bug, but we'll need perhaps a bit of polish, and to get them landed. Specifically:

  • Some winsign changes (agashlin wrote this already)
  • Some signingscript changes (I wrote something for this)

We also need something that can attach signatures to msix packages. agashlin added support for this to msix-packaging (https://github.com/microsoft/msix-packaging/tree/johnmcpms/signing), and we either need to get this mainlined (requires Microsoft), or replace it with more winsign changes.

If we go with the msix-packaging option, we need to build and deploy a version of that package to our signingscript workers.

I'm going to dump some Gecko patches here. They're more or less untested, and built on top of https://phabricator.services.mozilla.com/D116180.

Attachment #9227409 - Attachment description: 0001-Allow-makeappx-to-be-overridden.patch → [gecko] 0001-Allow-makeappx-to-be-overridden.patch
Attachment #9227410 - Attachment is patch: true
Attachment #9227411 - Attachment is patch: true
Attachment #9227412 - Attachment is patch: true

These additional signingscript patches are needed for testing until we can land and release a new winsign version.

Comment on attachment 9223032 [details] [diff] [review]
[winsign] 0001-Implement-MSIX-Appx-signing-with-makemsix.patch

Moved this out to https://github.com/mozilla-releng/winsign/pull/23

Attachment #9223032 - Attachment is obsolete: true

Comment on attachment 9223034 [details] [diff] [review]
[signingscript] 0001-signingscript-support-for-msix.diff

Moving this and the other signingscript patches out to https://github.com/mozilla-releng/scriptworker-scripts/pull/370.

Attachment #9223034 - Attachment is obsolete: true
Attachment #9227414 - Attachment is obsolete: true
Attachment #9227415 - Attachment is obsolete: true
Group: partner-confidential
Blocks: 1712329
Attachment #9227409 - Attachment is obsolete: true
Attachment #9227410 - Attachment is obsolete: true
Attachment #9227411 - Attachment is obsolete: true
Attachment #9227412 - Attachment is obsolete: true

Comment on attachment 9223030 [details] [diff] [review]
[msix-packaging] 0001-Fix-End-Of-Central-Directory-Record.patch

These patches are now part of https://github.com/mozilla/msix-packaging/tree/johnmcpms/signing

Attachment #9223030 - Attachment is obsolete: true
Attachment #9223031 - Attachment is obsolete: true

This has been discussed and written elsewhere, but it should be here too:

We have 3 options on how to implement this:

  1. Microsoft mainlines the necessary msix-packaging patches; we build & deploy that to signingscript
  2. We maintain our own fork of msix-packaging; we build & deploy that to signingscript
  3. We add support for msix to osslsigncode; we update that on signingscript

The current set of patches is assuming option 2. If Microsoft mainlines the patches, we can tweak them to build their repo instead of ours. If we go with option 3 in the end, it'll require slightly bigger signingscript changes, and a rework of the winsign patch.

We've also recently decided that we're not blocking initial shipping of MSIX packages through the Windows Store on signing (the Store takes care of that for us - we can feed it unsigned builds). In order to ship MSIX packages that are useful outside of that context, e.g. to support https://bugzilla.mozilla.org/show_bug.cgi?id=1532131, we'll need this.

Attachment #9230263 - Attachment is obsolete: true
Attachment #9231188 - Attachment is obsolete: true

(In reply to bhearsum@mozilla.com (:bhearsum) from comment #17)

  2. We maintain our own fork of msix-packaging; we build & deploy that to signingscript

We ended up doing this in https://github.com/mozilla/msix-packaging/tree/johnmcpms/signing.

The necessary scriptworker changes have been deployed. The only thing left to do here is land the gecko patch as far as I know.

Pushed by nalexander@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5d9ef490612f
Sign MSIX packages in automation. r=bhearsum
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Flags: needinfo?(bhearsum)
Resolution: FIXED → ---
Pushed by nalexander@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/800cd4b66c4a
Sign MSIX packages in automation. r=bhearsum
Status: REOPENED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Flags: needinfo?(bhearsum)