Closed Bug 1885457 Opened 2 months ago Closed 2 months ago

Sign test addon with "cas_cur" cert in support of CA Succession

Categories

(Release Engineering :: Release Requests, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hwine, Assigned: jcristau)

Attachments

(2 files)

Using the certs from bug 1882192, sign the to-be-provided tomato-clock.zip extension in the to-be-specified flavors.

This bug is created based on information in a Slack thread which turned out to be insufficient to perform the signing. The unknowns include:

  • Where is the file to be signed? Please attach to this bug. (Per this script there is a single input file.)
  • What are the flavors of signing needed? Note:
    • in the autograph world, flavors are expressed via addon manifests and choice-of-signer
    • in the old script the flavors are expressed via command line arguments

(Ideally, a description of the mapping between autograph use cases (production) and the test environment needs (add-on internals) could be provided, so autograph documentation can be updated.)

Flags: needinfo?(wdurand)
Flags: needinfo?(rob)

The test case doesn't really care about the contents, as long as it is a signed zip file. Take any of the zip files from https://hg.mozilla.org/mozilla-central/rev/8551b871802d, remove the META-INF directory inside the zip file, and use that as the input file.

I am not sure about what you mean by "flavor", but I will try to answer what I think that you are asking.

The xpi signer should be used: https://github.com/mozilla-services/autograph/tree/c890e14de5b04dcff9be0d07fdea4ae6bbb58557/signer/xpi

The test from the commit above tries to verify that the cert works with different algorithms. The end of the file names show the relevant algorithms to try. I see those referenced at https://github.com/mozilla-services/autograph/blob/c890e14de5b04dcff9be0d07fdea4ae6bbb58557/signer/xpi/cose.go#L30

Flags: needinfo?(rob)
Depends on: 1885493

My understanding is that the script mentioned in Comment 0 (which I also mentioned elsewhere) will generate all the signed ZIP files we need (and potentially more): https://github.com/mozilla-services/autograph/blob/c890e14de5b04dcff9be0d07fdea4ae6bbb58557/tools/autograph-client/build_test_xpis.sh.

As Rob pointed out in Comment 1, the source file doesn't really matter and it looks like we chose "tomato-clock" in the past, which might or might not be related to this add-on on AMO. I think Rob's suggestion to take one of the signed XPIs in tree and repackage it without the signature files (to essentially rebuild a source file) should be good enough. I am going to attach a source ZIP file to this bug.

I am not really sure what the "flavors" are but we should use cas_cur_webextensions_rsa as the signer ID.

Flags: needinfo?(wdurand)
Group: mozilla-employee-confidential
Component: Operations: Autograph → Release Requests
Product: Cloud Services → Release Engineering
QA Contact: jcristau
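
The repackaging step described in Comments 1 and 2 (dropping the signature files under META-INF/ so that a signed XPI becomes an unsigned input file again), as an added example that is not part of this bug or of autograph. The function names and the sample archive are constructed for illustration; the case-insensitive match on the directory name is an assumption made to be conservative.

```python
import io
import zipfile

SIG_PREFIX = "meta-inf/"  # signature files of a signed XPI live under META-INF/


def strip_signature(signed):
    """Return a copy of the archive (bytes) without any META-INF/ entries."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(signed)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.lower().startswith(SIG_PREFIX):
                continue  # drop the old signature so the signer starts clean
            # Reusing the ZipInfo keeps name, timestamp and compression type.
            dst.writestr(info, src.read(info))
    return out.getvalue()


def entry_names(archive):
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def read_entry(archive, name):
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def build_sample_xpi():
    """Constructed sample standing in for a signed XPI; contents are dummies."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in (
            ("manifest.json", b'{"manifest_version": 2, "name": "sample"}'),
            ("background.js", b"// constructed placeholder\n"),
            ("META-INF/manifest.mf", b"placeholder"),
            ("META-INF/mozilla.sf", b"placeholder"),
            ("META-INF/mozilla.rsa", b"placeholder"),
            ("META-INF/cose.manifest", b"placeholder"),
            ("META-INF/cose.sig", b"placeholder"),
        ):
            zf.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    print(entry_names(strip_signature(build_sample_xpi())))
```

Checking `entry_names()` on the result before submitting it for signing confirms that no stale signature from the previous certificate is carried into the new test file.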