Closed Bug 1864342 Opened 2 years ago Closed 2 years ago

No new Mac Dailies since 20231108

Categories

(Thunderbird :: Build Config, defect)

Product:
Thunderbird
Component:
Build Config
Platform:
Unspecified
macOS
Type:
defect

Tracking

(thunderbird_esr115 unaffected)

Status:
RESOLVED FIXED
Milestone:
121 Branch
Tracking Flags:
Tracking Status
thunderbird_esr115 --- unaffected

People

(Reporter: Paenglab, Assigned: rjl)

Details

Attachments

(1 file)

Bug 1864342 - Don't add provisioning profile to macOS build signing jobs. r=#thunderbird-build-system-reviewers
48 bytes, text/x-phabricator-request
Details | Review

No new Mac Dailies since 20231108.

Martin wrote: "The signing job is failing".

This is quite broken... Regression from bug 1856067. That's adding a provisioning profile to get access to the passkey entitlement.

Assignee: nobody → rob

Temporarily remove provisioning profile data from macOS build signing job
payloads.
The provisioning profile is to allow the browser to access the restricted
passkey entitlement.
At this time, some infrastructure work needs to be completed before enabling
profiles for Thunderbird.

I'm not sure where these provisioning profiles are stored. It looks like they are on the iscript scriptworker machines themselves.

Apple's documentation on provisioning profiles is rather daunting. It's not clear to me if Thunderbird will need separate profiles or if the same ones for Firefox can be used. I suspect they are tied to MOZ_MACBUNDLE_ID from Info.plist, so Thunderbird would need its own profiles for "org.mozilla.thunderbird", "org.mozilla.thunderbirdbeta", and "org.mozilla.thunderbird-daily" if that's the case.

https://developer.apple.com/help/account/manage-provisioning-profiles/provisioning-profile-updates looks relevant.

The above patch just drops the provisioning profile config from the payload sent to the scriptworker. This should work fine, and as long as Thunderbird doesn't need to access passkeys then it's fine. I suspect at some point Thunderbird will need to support passkeys though.

NI- Heitor, can you help clear some of this up?

Flags: needinfo?(hneiva)
Status: NEW → ASSIGNED
status-thunderbird_esr115: --- → unaffected
Keywords: checkin-needed-tb

Pushed by ikey@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/c52d35cad874
Don't add provisioning profile to macOS build signing jobs. r=dandarnell

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

Confirming what @rjl mentioned: The only reason we need provisioning profiles for Firefox is because it's using restricted entitlements (passkey entitlement in this case). This is a new feature in Firefox.

TB doesn't use any restricted entitlements, so it's safe to sign without a profile.

The provisioning profiles live in the mac signers/workers, and at this moment there's no automation to deploy them.
If TB ever requires a profile to be included in the bundle, please reach out to RelEng so we can issue one and make them available in the workers.

I wrote some docs on it, but haven't landed it yet. Once landed it will show up here

Flags: needinfo?(hneiva)

Thanks. I've brought this up with the planners. Once the big email providers like Outlook.com and Gmail start supporting passkey authentication, Thunderbird will need to support them.

(In reply to Rob Lemley [:rjl] from comment #6)

Thanks. I've brought this up with the planners. Once the big email providers like Outlook.com and Gmail start supporting passkey authentication, Thunderbird will need to support them.

Is there a bug for this? If not, can you file one?

Flags: needinfo?(rob)
Target Milestone: --- → 121 Branch

Bug 1864917.

Flags: needinfo?(rob)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: