Transition macOS Notarization from altool to rcodesign
Categories
(Release Engineering :: Release Automation: Signing, enhancement)
Tracking
(firefox-esr102 wontfix, firefox111 wontfix, firefox112 wontfix, firefox115 fixed)
People
(Reporter: haik, Assigned: hneiva)
At WWDC22, in What’s new in notarization for Mac apps[1], Apple announced that notarization requests must transition from using the CLI tool altool to its replacement notarytool. And they have announced "notarization with all forms of altool will stop working in fall 2023".
In the same presentation, Apple has announced a new REST API for Notarization with webhook support for getting status.
The new tool notarytool was introduced at WWDC21 in Faster and simpler notarization for Mac apps[2].
Comment 1•2 years ago
From the video: notarytool submit path/to/zip --wait ; 98% within 15 min, most within 5. Or instead of --wait, --webhook URL.
notarytool log $SUBMISSION_ID notary-log.json which we could upload as an artifact.
There's also https://mozilla-hub.atlassian.net/browse/RELENG-867 ; the move to REST APIs may allow us to directly call the API via aiohttp and not need to be on a mac or iTMSTransporter. We'll need to investigate.
Comment 2•1 year ago
Created a separate kind for only signing with iscript, and another for notarization.
Once we validate this is good, we need to add it to l10n/emfree/etc and point repackage kind at it.
Pushed by hneiva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/84a4ee59afa0 Add mac notarization on signingscript r=bhearsum
Comment 4•1 year ago
bugherder
Comment 5•1 year ago
Missed a scenario for the signing task behavior. Unfortunately it's only really testable in production.
Pushed by hneiva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d5260d63a651 Fix new mac notarization tasks r=bhearsum
Comment 7•1 year ago
bugherder
Comment 8•1 year ago
The last change broke the signing task. Fix coming up shortly.
Comment 11•1 year ago
Pushed by hneiva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/54a722e614e6 Fix mac signing transform overrides r=releng-reviewers,gbrown
Comment 13•1 year ago
bugherder
Comment 14•1 year ago
This is now permfailing as exception; the task that is failing now is BMN, with the following failure line: signingscript.exceptions.SigningScriptError: Credentials not found for scope: project:releng:signing:cert:nightly-signing
Comment 16•1 year ago
Pushed by hneiva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f7f8f094bd2d Fix mac notarization scope r=releng-reviewers,gbrown
Comment 17•1 year ago
bugherder
Comment 20•1 year ago
Pushed by hneiva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6eb460061cd1 Add eme-free, l10n and partner repack notarization + pkg support r=releng-reviewers,taskgraph-reviewers,bhearsum
Comment 21•1 year ago
bugherder
Comment 22•1 year ago
Heitor, after https://hg.mozilla.org/mozilla-central/rev/6eb460061cd1 reached central, these new tasks seem to retry a lot of times until, after 5 retries, they end as exception, like here: https://treeherder.mozilla.org/jobs?repo=mozilla-central&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&searchStr=bmn&revision=1881ebd0d8e56fb3b338ca1eb047c6198b117e9a&group_state=expanded&selectedTaskRun=V4jDmNmmTYqZaJLTg6nJTw.5
Failure log: https://firefox-ci-tc.services.mozilla.com/tasks/V4jDmNmmTYqZaJLTg6nJTw/runs/7/logs/public/logs/live_backing.log
2023-04-15 16:48:26,059 - signingscript.utils - INFO - looking up notarization ticket for 2/2/b82fba3cb3d736fdf86304a614ac0be2b4496424
2023-04-15 16:48:26,205 - signingscript.utils - INFO - writing notarization ticket to /app/workdir/apple_notarize/Firefox Nightly.app/Contents/CodeResources
2023-04-15 16:48:26,207 - signingscript.utils - INFO - exitcode 0
2023-04-15 16:48:26,207 - signingscript.sign - INFO - Creating tarfile /app/workdir/public/build/nl/target.tar.gz...
2023-04-15 16:49:19,435 - signingscript.sign - DEBUG - _create_tarfile took 53.23s; RSS:181172 (+0)
2023-04-15 16:49:19,435 - signingscript.sign - DEBUG - apple_notarize took 163.43s; RSS:181172 (+0)
2023-04-15 16:49:19,436 - signingscript.utils - INFO - Copying /app/workdir/public/build/nl/target.tar.gz to /app/artifacts/public/build/nl/target.tar.gz
2023-04-15 16:49:19,577 - signingscript.utils - INFO - mkdir /app/workdir/public/build/nn-NO
2023-04-15 16:49:19,577 - signingscript.utils - INFO - Copying /app/workdir/cot/ZdsQ_F1TTpyVEc5ttDio0w/public/build/nn-NO/target.pkg to /app/workdir/public/build/nn-NO/target.pkg
2023-04-15 16:49:20,315 - signingscript.script - INFO - signing public/build/nn-NO/target.pkg
2023-04-15 16:49:20,315 - signingscript.task - INFO - sign(): Signing 156542460 bytes in /app/workdir/public/build/nn-NO/target.pkg with apple_notarization...
2023-04-15 16:49:20,529 - signingscript.utils - INFO - Running "rcodesign notary-submit --staple --api-key-path /app/configs/apple_api_key.json /app/workdir/apple_notarize/target.pkg"
2023-04-15 16:49:20,534 - signingscript.utils - INFO - COMMAND OUTPUT:
2023-04-15 16:49:21,590 - signingscript.utils - INFO - creating Notary API submission for target.pkg (sha256: f268b57fd1cd1d720e45ad9d2bdadfe5efad1e5de9d9719783066687fec7fbc7)
2023-04-15 16:49:22,182 - signingscript.utils - INFO - created submission ID: bdcad070-0637-4437-b74e-8f7f98a6c502
2023-04-15 16:49:22,183 - signingscript.utils - INFO - resolving AWS S3 configuration from Apple-provided credentials
2023-04-15 16:49:22,185 - signingscript.utils - INFO - uploading asset to s3://notary-submissions-prod/prod/AROARQRX7CZS3PRF6ZA5L:bdcad070-0637-4437-b74e-8f7f98a6c502
2023-04-15 16:49:22,185 - signingscript.utils - INFO - (you may see additional log output from S3 client)
2023-04-15 16:49:24,261 - signingscript.utils - INFO - S3 upload completed successfully
2023-04-15 16:49:24,262 - signingscript.utils - INFO - waiting up to 600s for package upload bdcad070-0637-4437-b74e-8f7f98a6c502 to finish processing
2023-04-15 16:49:24,554 - signingscript.utils - INFO - poll state after 0s: InProgress
2023-04-15 16:49:27,766 - signingscript.utils - INFO - poll state after 3s: InProgress
2023-04-15 16:49:31,054 - signingscript.utils - INFO - poll state after 6s: InProgress
2023-04-15 16:49:34,392 - signingscript.utils - INFO - poll state after 10s: InProgress
2023-04-15 16:49:37,821 - signingscript.utils - INFO - poll state after 13s: InProgress
2023-04-15 16:49:41,065 - signingscript.utils - INFO - poll state after 16s: InProgress
2023-04-15 16:49:44,461 - signingscript.utils - INFO - poll state after 20s: InProgress
2023-04-15 16:49:47,808 - signingscript.utils - INFO - poll state after 23s: InProgress
2023-04-15 16:49:51,161 - signingscript.utils - INFO - poll state after 26s: InProgress
2023-04-15 16:49:54,740 - signingscript.utils - INFO - poll state after 30s: InProgress
2023-04-15 16:49:58,034 - signingscript.utils - INFO - poll state after 33s: InProgress
2023-04-15 16:50:01,333 - signingscript.utils - INFO - poll state after 37s: InProgress
2023-04-15 16:50:04,691 - signingscript.utils - INFO - poll state after 40s: InProgress
2023-04-15 16:50:08,132 - signingscript.utils - INFO - poll state after 43s: InProgress
Automation Error: python exited with signal -15
Could you please have a look over these? Thank you.
Comment 24•1 year ago
Looks like this is running into the 20min limit for scriptworker tasks (https://github.com/mozilla-releng/scriptworker-scripts/blob/2644bb85584b51f8647c7a749d920f35bd2c25d3/docker.d/pre-stop.sh#L19).
I guess we either need to bump that and terminationGracePeriodSeconds, run more chunks, or submit files to the notary service in parallel to cut down on the delays?
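One way to act on the parallel-submission suggestion above, as an added example in Python that is not signingscript's own code: every artifact of a task is submitted concurrently under one shared deadline derived from the 20-minute scriptworker limit, so the task fails explicitly instead of being killed mid-poll and retried. The rcodesign invocation and API key path are the ones visible in the task log above; the 2-minute safety margin, worker count, `notarize_batch`/`batch_succeeded` names and sample paths are assumptions.

```python
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor

# scriptworker's pre-stop.sh kills the task after 20 minutes (see comment 24); the
# margin is a constructed value leaving time to tar and copy the artifacts.
TASK_LIMIT_SECONDS = 20 * 60
SAFETY_MARGIN_SECONDS = 2 * 60
API_KEY_PATH = "/app/configs/apple_api_key.json"  # path seen in the task log above


def rcodesign_submit(path, deadline, api_key_path=API_KEY_PATH):
    """Submit one artifact with rcodesign and staple the ticket.

    `deadline` is an absolute time.monotonic() value shared by the whole batch; the
    subprocess timeout is whatever is left of it when this submission starts.
    Returns "ok", "failed" or "timeout".
    """
    timeout = deadline - time.monotonic()
    if timeout <= 0:
        return "timeout"  # budget already spent by earlier submissions
    cmd = ["rcodesign", "notary-submit", "--staple", "--api-key-path", api_key_path, path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "ok" if proc.returncode == 0 else "failed"


def notarize_batch(paths, submit=rcodesign_submit,
                   budget=TASK_LIMIT_SECONDS - SAFETY_MARGIN_SECONDS, workers=4):
    """Notarize several artifacts concurrently under one shared deadline.

    Returns {path: status}. A "timeout" means the batch did not fit the task's budget,
    so fail the task explicitly instead of letting scriptworker SIGTERM it mid-poll.
    """
    deadline = time.monotonic() + budget
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = list(pool.map(lambda p: submit(p, deadline), paths))
    return dict(zip(paths, statuses))


def batch_succeeded(results):
    """True only when every artifact was notarized and stapled."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    # constructed sample paths; a real task passes its per-locale target.pkg / target.tar.gz
    sample = [f"/app/workdir/apple_notarize/{loc}/target.pkg" for loc in ("nl", "nn-NO")]
    results = notarize_batch(sample)
    raise SystemExit(0 if batch_succeeded(results) else 1)
```

The `submit` parameter exists so the batching and deadline logic can be exercised with a fake submitter; the signal -15 in the log above is the SIGTERM this budget is meant to pre-empt.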
Comment 31•11 months ago
Pushed by hneiva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4373378c3193 Transition mac notarization to signingscript r=taskgraph-reviewers,bhearsum
Comment 32•11 months ago
bugherder
Comment 33•11 months ago
It looks like this broke decision tasks on the toolchains project branch:
https://treeherder.mozilla.org/logviewer?job_id=416923530&repo=toolchains&lineNumber=1479
Comment 34•11 months ago
Pushed by nbeleuzu@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/6b82236cab6f Followup. a=glandium
Comment 35•11 months ago
bugherder
Comment 36•11 months ago
The followup was not enough :( https://treeherder.mozilla.org/logviewer?job_id=416933079&repo=toolchains&lineNumber=3285
Comment 37•11 months ago
It seems safer to select signing by default, and notarization only on select production projects, otherwise project branches such as toolchains break because they end up requiring notarization jobs that are filtered out by not being level 3.
Comment 38•11 months ago
Now that the main piece has landed it's probably time to close this and handle followups in separate bugs, to make tracking easier.
Comment 39•11 months ago
Pushed by jcristau@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dbf40fe5a4d5 reverse logic for choosing mac-signing vs mac-notarization. r=hneiva
Comment 40•11 months ago
Pushed by ctuns@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/e09ca28cc527 reverse logic for choosing mac-signing vs mac-notarization. r=hneiva
Comment 41•11 months ago
bugherder
Comment 42•11 months ago
bugherder
Comment 44•11 months ago
Pushed by hneiva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/01dffee0963a Transition mac geckodriver notarization to signingscript r=releng-reviewers,taskgraph-reviewers,bhearsum
Comment 45•11 months ago
bugherder
Comment 47•10 months ago
Per the email Apple recently sent out, "Apple notary service will no longer accept uploads from altool as of November 1, 2023" so I think we're good for ESR102 as it'll be past EOL before then. Please confirm and set the status to wontfix if you agree, Heitor!
Comment 48•10 months ago
@RyanVM, agree that we likely won't need to uplift anything to esr102.
FWIW esr115 already has the new code and should be good.
For esr102 it's a "wontfix".