Open Bug 1878757 Opened 2 years ago Updated 1 year ago

add macOS & iOS signing to autograph

Categories

(Cloud Services :: Operations: Autograph, enhancement)

Tracking

(Not tracked)

People

(Reporter: jehodges, Unassigned)

References

Details

(Whiteboard: [triage:done] [jbi-aut])

Members of releng would like to not have a private key for signing binaries for Apple's ecosystem stored in TaskCluster. To do that, they'd like autograph to take on those responsibilities.

Currently, they sign iOS and macOS binaries using an open source tool made by a former Mozillian called rcodesign: https://gregoryszorc.com/docs/apple-codesign/stable/apple_codesign_rcodesign.html
It supports delegating the crypto bits to HSMs: https://gregoryszorc.com/docs/apple-codesign/stable/apple_codesign_smartcard.html
In the last RRA (Rapid Risk Assessment), Hal Wine also mentioned getting the macOS private key stored on Autograph instead of on the Taskcluster worker.

This would require autograph to expose a new signing format and likely delegate to the rcodesign binary.

(Another possibility is for them to use a vendor solution for this, but this is a ticket in autograph's queue, not a ticket in a "code signing at Mozilla" queue.)

Note: an RRA is underway for this approach. AIUI, moving to rcodesign is a request, and has been proved in dev, but is not yet in production. (prod macOS code signing is still done on the signing servers in the DC, notarization is done in GCP, no iOS signing is done outside of BitRise currently)
