Closed Bug 1724247 Opened 3 years ago Closed 3 years ago

"Error in parsing the app package." with new MSIX packages

Categories

(Firefox :: Installer, defect)

Product:
Firefox
Component:
Installer
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
92 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox90 --- unaffected
firefox91 --- unaffected
firefox92 --- fixed

People

(Reporter: nalexander, Assigned: nalexander)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Bug 1724247 - Specify full publisher subject in MSIX repackages. r?bhearsum
48 bytes, text/x-phabricator-request
Details | Review
Bug 1724247 - Post: Make test publisher subject more than CN; use `universal_newlines=True`. r?#build
48 bytes, text/x-phabricator-request
Details | Review

Clearly there's a difference between the (many!) MSIX packages we build in try and what happened in automation last night. The Windows App Installer reports "Error in parsing the app package.", strongly suggesting that there's an error in the AppManifest.xml we're producing. I will investigate immediately.

No longer depends on: 1709697
Regressed by: 1709697
Has Regression Range: --- → yes
$  "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x64/makeappx.exe" unpack  /p c:/Users/nalexander/Downloads/target.installer.v1.msix /d testmsix
Microsoft (R) MakeAppx Tool
Copyright (C) 2013 Microsoft.  All rights reserved.

The path (/p) parameter is: "\\?\c:\Users\nalexander\Downloads\target.installer.v1.msix"
The output directory (/d) parameter is: "\\?\c:\Users\nalexander\Mozilla\gecko\testmsix"
Unpacking "\\?\c:\Users\nalexander\Downloads\target.installer.v1.msix" (package name) to "\\?\c:\Users\nalexander\Mozilla\gecko\testmsix" (output directory).
MakeAppx : error: Error info: error 8007000B: The app manifest publisher name (CN=Mozilla Corporation) must match the subject name of the signing certificate (CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US).
MakeAppx : error: Package extraction failed.
MakeAppx : error: 0x8007000b - An attempt was made to load a program with an incorrect format.

So the CN matches, but I guess that's not enough. I'll try to figure out what is enough.

bhearsum: is there any way to sign things with these keys faster than the Nightly cadence?

Flags: needinfo?(bhearsum)

(In reply to Nick Alexander :nalexander [he/him] from comment #1)

$  "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x64/makeappx.exe" unpack  /p c:/Users/nalexander/Downloads/target.installer.v1.msix /d testmsix
Microsoft (R) MakeAppx Tool
Copyright (C) 2013 Microsoft.  All rights reserved.

The path (/p) parameter is: "\\?\c:\Users\nalexander\Downloads\target.installer.v1.msix"
The output directory (/d) parameter is: "\\?\c:\Users\nalexander\Mozilla\gecko\testmsix"
Unpacking "\\?\c:\Users\nalexander\Downloads\target.installer.v1.msix" (package name) to "\\?\c:\Users\nalexander\Mozilla\gecko\testmsix" (output directory).
MakeAppx : error: Error info: error 8007000B: The app manifest publisher name (CN=Mozilla Corporation) must match the subject name of the signing certificate (CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US).
MakeAppx : error: Package extraction failed.
MakeAppx : error: 0x8007000b - An attempt was made to load a program with an incorrect format.

So the CN matches, but I guess that's not enough. I'll try to figure out what is enough.

bhearsum: is there any way to sign things with these keys faster than the Nightly cadence?

The best bet is to force new nightlies entirely (that'll trigger signing). It might be possible just to trigger signing, but it's a less well trodden path, so I'd advise against it unless we think we'll need a lot of them. I can also do some one-off signings outside of mozilla-central (with builds from your laptop, or from taskcluster) to help verify this.

Flags: needinfo?(bhearsum)

Installing the Nightly MSIX packages, signed with Mozilla's Nightly
key, yields an error: "Error in parsing the app package." Unpacking
with makeappx.exe yields:

MakeAppx : error: Error info: error 8007000B: The app manifest publisher name (CN=Mozilla Corporation) must match the subject name of the signing certificate (CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US).

Previously, we allowed just the CN to vary; in this patch we make
the publisher be the entire publisher subject, and we update the
publisher details in the task definitions.

Pushed by nalexander@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b9f8b70249d4 Specify full publisher subject in MSIX repackages. r=bhearsum

This commit does three things:

  1. It makes thes MSIX test publisher subject "CN=..., OU=...". This
    is more like the actual Firefox signing certificates".

  2. It moves to use universal_newlines=True rather than decoding manually.

  3. It fixes an oversight where a particular Powershell invocation
    would fail when a certificate was missing.

Pushed by nalexander@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/40c41048b262 Post: Make test publisher subject more than CN; use `universal_newlines=True`. r=firefox-build-system-reviewers,mhentges

https://hg.mozilla.org/mozilla-central/rev/b9f8b70249d4
https://hg.mozilla.org/mozilla-central/rev/40c41048b262

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox92: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch

Set release status flags based on info from the regressing bug 1709697

status-firefox90: --- → unaffected
status-firefox91: --- → unaffected
status-firefox-esr78: --- → unaffected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: