Closed Bug 1817466 Opened 2 years ago Closed 2 years ago

firefox-android: Stop using fennec-related scopes

Categories

(Release Engineering :: General, task)

Tracking

(firefox111 fixed, firefox112 fixed, firefox113 fixed)

RESOLVED FIXED

People

(Reporter: jlorenzo, Assigned: gbrown)

References

Details

Attachments

(5 files)

In bug 1808607, we quite lately realized we still required some fennec scopes. In bug 1812983, we took care of the Google Play config. Let's handle signing keys and other fennec-related scopes.

:jlorenzo - What did you have in mind here?

The only remaining "fennec" grant is project:mobile:firefox-android:releng:signing:cert:fennec-production-signing : https://hg.mozilla.org/ci/ci-configuration/annotate/21f22b8337ce1c3d0f6fabc708671d8d0fb10702/grants.yml#l1729 . The firefox-android repo refers to that scope via https://github.com/mozilla-mobile/firefox-android/blob/main/taskcluster/android_taskgraph/transforms/signing_apk.py#L78

firefox-android's push-apk kind also references fennec certificate-alias, https://github.com/mozilla-mobile/firefox-android/blob/main/taskcluster/ci/push-apk/kind.yml#L38, and channels, https://github.com/mozilla-mobile/firefox-android/blob/main/taskcluster/ci/push-apk/kind.yml#L49 and I see fennec references in the push-apk scriptworker, https://github.com/mozilla-releng/scriptworker-scripts/blob/master/pushapkscript/docker.d/worker.yml#L24.

The current state seems harmless to me: I'm tempted to wontfix this, but open to other ideas.

Flags: needinfo?(jlorenzo)

Thank you for your extensive analysis, :gbrown! I agree, my couple sentences were quite cryptic 😅 The push-apk kind[1] you highlighted shows the issue best, in my opinion:

        certificate-alias:
            by-build-type:
                fenix-nightly: fenix-production
                fenix-beta: fennec-beta
                fenix-release: fennec-production

To me, we should name the fenix-nightly certificate into fenix-nightly instead of fenix-production. A newcomer on the project may righteously believe fenix-production is used to sign fenix-release. I agree it's not a big deal, it's just some cleanup we could do for future readers.

In other words, I'd recommend:

  1. renaming fenix-production into fenix-nightly
  2. renaming the fennec- prefix
  3. stop using the word production since it duplicates release

How does that sound to you, :gbrown?

[1] https://github.com/mozilla-mobile/firefox-android/blob/45752a962d30fe4d6e9846ddc845744a6fc8c966/taskcluster/ci/push-apk/kind.yml#L35-L39

Flags: needinfo?(jlorenzo)
Assignee: nobody → gbrown

(In reply to Johan Lorenzo [:jlorenzo] from comment #2)

> How does that sound to you, :gbrown?

That sounds good - should work out nicely.

Review of .pem files in pushapkscript:

  • dep.pem is completely unreferenced; let's delete it
  • mozillavpn.pem, reference_browser_(dep|release).pem, and focus_(dep|release).pem are consistently named and referenced -- let's keep those untouched
  • *_dep.pem are consistently named and referenced in the non-prod environment; let's keep those untouched
        import_cert fenix $CERT_DIR/fenix_dep.pem
        import_cert focus $CERT_DIR/focus_dep.pem
        import_cert reference-browser $CERT_DIR/reference_browser_dep.pem
  • the remaining fennec/fenix cases are confusing and inconsistent:
        import_cert fennec-nightly $CERT_DIR/nightly.pem
        import_cert fennec-beta $CERT_DIR/release.pem
        import_cert fennec-production $CERT_DIR/release.pem
        import_cert fenix-nightly $CERT_DIR/fenix_nightly.pem
        import_cert fenix-beta $CERT_DIR/fenix_beta.pem
        import_cert fenix-production $CERT_DIR/fenix_production.pem

Note that release.pem is used for both fennec-beta and fennec-production: 5 .pem files map to 6 certificate-aliases.

The mapping in worker.yml of fennec/fenix certificate aliases is also inconsistent.
Prod:

            fennec-beta:
              package_names: [ "org.mozilla.firefox_beta" ]
              certificate_alias: 'fennec-beta'
              google:
                default_track: 'alpha'
                service_account: { "$eval": "GOOGLE_PLAY_SERVICE_ACCOUNT_FENIX_BETA" }
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_BETA_PATH" }
            fennec-production:
              package_names: [ "org.mozilla.firefox" ]
              certificate_alias: 'fennec-production'
              google:
                default_track: 'alpha'
                service_account: { "$eval": "GOOGLE_PLAY_SERVICE_ACCOUNT_FENIX_RELEASE" }
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_RELEASE_PATH" }
            production:
              package_names: [ "org.mozilla.fenix" ]
              certificate_alias: 'fenix-production'
              google:
                default_track: 'production'
                service_account: { "$eval": "GOOGLE_PLAY_SERVICE_ACCOUNT_FENIX_NIGHTLY" }
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_NIGHTLY_PATH" }

Non-prod:

            fennec-nightly:
              package_names: [ "org.mozilla.fennec_aurora" ]
              certificate_alias: 'fennec-nightly'
              google:
                default_track: 'beta'
                service_account: 'dummy'
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
            fennec-beta:
              package_names: [ "org.mozilla.firefox_beta" ]
              certificate_alias: 'fennec-beta'
              google:
                default_track: 'alpha'
                service_account: 'dummy'
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
            fennec-production:
              package_names: [ "org.mozilla.firefox" ]
              certificate_alias: 'fennec-production'
              google:
                default_track: 'alpha'
                service_account: 'dummy'
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
            nightly:
              package_names: [ "org.mozilla.fenix.nightly" ]
              certificate_alias: 'fenix-nightly'
              google:
                default_track: 'beta'
                service_account: 'dummy'
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
            beta:
              package_names: [ "org.mozilla.fenix.beta" ]
              certificate_alias: "fenix-beta"
              google:
                default_track: 'beta-closed'
                service_account: 'dummy'
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }
            production:
              package_names: [ "org.mozilla.fenix" ]
              certificate_alias: 'fenix-production'
              google:
                default_track: 'internal'
                service_account: 'dummy'
                credentials_file: { "$eval": "GOOGLE_CREDENTIALS_FENIX_DEP_PATH" }

Note that certificate aliases fennec-beta, fennec-production, and fenix-production are used in both prod and non-prod environment: 6 certificate aliases map to 9 apps (6 unique app names).
fennec-nightly (non-prod) references package name org.mozilla.fennec_aurora; all others reference firefox/fenix package names.

In the firefox-android repo, the push-apk kind maps:

        certificate-alias:
            by-build-type:
                fenix-nightly: fenix-production
                fenix-beta: fennec-beta
                fenix-release: fennec-production

These values are sent as the certificate_alias of the task payload, but, afaict, pushapk does not use them (it uses the certificate_alias associated with the app in worker.yml). Rename them here as desired?

Are channels also relevant here?

        channel:
            by-build-type:
                fenix-nightly: production
                fenix-release: fennec-production
                fenix-beta: fennec-beta

(In reply to Geoff Brown [:gbrown] from comment #8)

> Are channels also relevant here?

It's complicated, but yes.

The pushapkscript config includes override_channel_model; if "single_google_app" (used for reference-browser and mozillavpn), the task's channel is used as the google_track.

override_channel_model can also be "choose_google_app_with_scope", but that appears to be unused.

If override_channel_model is not specified (focus, fenix), the task's channel is used as an apps sub-key in the product config.

We probably want:

                fenix-nightly: production -> fenix-nightly
                fenix-beta: fennec-beta -> fenix-beta
                fenix-release: fennec-production -> fenix-release
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: qe-verify+
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
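The two comments above (the .pem/alias inventory in comment #8 and the override_channel_model description in comment #9) describe mappings that are easy to get wrong by hand. The script below is an added example, not pushapkscript's or firefox-android's own code; it rebuilds the quoted tables as constructed inline data and audits them: which .pem files are imported under more than one alias, which certificate aliases appear in both environments, and what app each build type's channel actually selects (mirroring the channel handling comment #9 describes, with the "app"/"apps"/"package" dictionary layout being an assumption of this example rather than pushapkscript's real schema).

```python
"""Audit certificate-alias and channel wiring of a push-apk style config.

Added example, not pushapkscript's or firefox-android's code. Inputs are
constructed from the mappings quoted in comments #8 and #9 (pre-rename).
"""
from collections import defaultdict

# Constructed: the fennec/fenix import_cert lines quoted in comment #8.
IMPORT_CERT_LINES = """\
import_cert fennec-nightly $CERT_DIR/nightly.pem
import_cert fennec-beta $CERT_DIR/release.pem
import_cert fennec-production $CERT_DIR/release.pem
import_cert fenix-nightly $CERT_DIR/fenix_nightly.pem
import_cert fenix-beta $CERT_DIR/fenix_beta.pem
import_cert fenix-production $CERT_DIR/fenix_production.pem
"""

# Constructed: worker.yml apps per environment, reduced to
# channel key -> (package name, certificate alias).
WORKER_APPS = {
    "prod": {
        "fennec-beta": ("org.mozilla.firefox_beta", "fennec-beta"),
        "fennec-production": ("org.mozilla.firefox", "fennec-production"),
        "production": ("org.mozilla.fenix", "fenix-production"),
    },
    "non-prod": {
        "fennec-nightly": ("org.mozilla.fennec_aurora", "fennec-nightly"),
        "fennec-beta": ("org.mozilla.firefox_beta", "fennec-beta"),
        "fennec-production": ("org.mozilla.firefox", "fennec-production"),
        "nightly": ("org.mozilla.fenix.nightly", "fenix-nightly"),
        "beta": ("org.mozilla.fenix.beta", "fenix-beta"),
        "production": ("org.mozilla.fenix", "fenix-production"),
    },
}

# Constructed: the push-apk kind's by-build-type maps before the rename.
KIND_CHANNEL = {"fenix-nightly": "production", "fenix-beta": "fennec-beta",
                "fenix-release": "fennec-production"}
KIND_CERT_ALIAS = {"fenix-nightly": "fenix-production",
                   "fenix-beta": "fennec-beta",
                   "fenix-release": "fennec-production"}


def parse_import_certs(text):
    """Return {alias: pem_path} from import_cert lines; other lines ignored."""
    aliases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "import_cert":
            aliases[parts[1]] = parts[2]
    return aliases


def pems_shared_by_aliases(alias_to_pem):
    """Pem files imported under more than one alias (release.pem in the bug)."""
    by_pem = defaultdict(list)
    for alias, pem in alias_to_pem.items():
        by_pem[pem].append(alias)
    return {pem: sorted(a) for pem, a in by_pem.items() if len(a) > 1}


def aliases_in_multiple_envs(worker_apps):
    """Certificate aliases that appear in more than one environment."""
    envs = defaultdict(set)
    for env, apps in worker_apps.items():
        for _pkg, alias in apps.values():
            envs[alias].add(env)
    return sorted(alias for alias, seen in envs.items() if len(seen) > 1)


def resolve_app(product_config, task_channel):
    """Channel handling as described in comment #9 (dict layout assumed here):
    single_google_app -> the task channel becomes the Google track of the one
    app; no override_channel_model -> the channel selects an apps sub-key.
    choose_google_app_with_scope is reported unused, so it is rejected."""
    model = product_config.get("override_channel_model")
    if model == "single_google_app":
        app = dict(product_config["app"])  # assumption: one app block
        app["google_track"] = task_channel
        return app
    if model is not None:
        raise ValueError(f"unsupported override_channel_model {model!r}")
    try:
        return product_config["apps"][task_channel]
    except KeyError:
        raise ValueError(f"channel {task_channel!r} is not an apps key") from None


def kind_wiring(env, worker_apps, kind_channel, kind_cert_alias):
    """Per build type: (package, worker alias, kind alias == worker alias)."""
    product = {"apps": {k: {"package": p, "certificate_alias": a}
                        for k, (p, a) in worker_apps[env].items()}}
    rows = {}
    for build_type, channel in kind_channel.items():
        app = resolve_app(product, channel)
        rows[build_type] = (app["package"], app["certificate_alias"],
                            kind_cert_alias[build_type] == app["certificate_alias"])
    return rows


if __name__ == "__main__":
    print(pems_shared_by_aliases(parse_import_certs(IMPORT_CERT_LINES)))
    print(aliases_in_multiple_envs(WORKER_APPS))
    print(kind_wiring("prod", WORKER_APPS, KIND_CHANNEL, KIND_CERT_ALIAS))
```

Run as-is, the audit reports release.pem behind two aliases, three aliases shared across environments, and that the fenix-nightly build type's "production" channel lands on org.mozilla.fenix with the fenix-production alias, which is the naming confusion the rename in comment #9 resolves.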

Comment on attachment 9324461 [details] [review]
[mozilla-mobile/firefox-android] Bug 1817466 - Use new channel and certificate-alias names in push-apk (backport #1194) (#1365)

Beta/Release Uplift Approval Request

  • User impact if declined: Uplift needed so new channel names are used on all branches, enabling further cleanup in pushapkscript.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Change limited to push-apk tasks. Nightlies appear to be working fine.
  • String changes made/needed: no
  • Is Android affected?: Yes
Attachment #9324461 - Flags: approval-mozilla-beta?

Comment on attachment 9324460 [details] [review]
[mozilla-mobile/firefox-android] Bug 1817466 - Use new channel and certificate-alias names in push-apk (backport #1194) (#1364)

Beta/Release Uplift Approval Request

  • User impact if declined: Uplift needed so new channel names are used on all branches, enabling further cleanup in pushapkscript.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Change limited to push-apk tasks. Nightlies appear to be working fine.
  • String changes made/needed: no
  • Is Android affected?: Yes
Attachment #9324460 - Flags: approval-mozilla-release?
Comment on attachment 9324461 [details] [review]
[mozilla-mobile/firefox-android] Bug 1817466 - Use new channel and certificate-alias names in push-apk (backport #1194) (#1365)

Approved for Mobile 112.0b6
Attachment #9324461 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 9324460 [details] [review]
[mozilla-mobile/firefox-android] Bug 1817466 - Use new channel and certificate-alias names in push-apk (backport #1194) (#1364)

Approved for Fenix 111.1.1
Attachment #9324460 - Flags: approval-mozilla-release? → approval-mozilla-release+
Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED