Bootstrap support for post-Stage verification

RESOLVED WONTFIX

Status

Release Engineering
General
P3
critical
12 years ago
5 years ago

People

(Reporter: preed, Assigned: rhelmer)

Tracking

(Depends on: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

12 years ago
There are a number of verification steps we can do in the post-Stage step, right before release; these include:

-- Running the quick update verification against the releasetest channels, to ensure bouncer is serving updates correctly.
-- Running the same against all locales/platforms to ensure bouncer is serving builds correctly.
-- Making sure the md5/sha1 sums encompass all the files in the ftp directory.

Any other post-stage ideas?

There may also have to be some work done to have this verification step run at a non-pre-determined time after staging.
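An added example, not part of the original bug or of Mozilla's release automation: one way to run the third check in the description, confirming that the checksum file covers every file in the staged directory. The manifest name `SHA1SUMS`, its `sha1sum`-style line format, the function names and the sample tree are assumptions; the same approach applies to an md5 manifest.

```python
import hashlib
import os
import tempfile

def parse_manifest(path):
    """Return {relative_path: hex_digest} from sha1sum-style lines (assumed format)."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in filter(None, (ln.strip() for ln in fh)):
            digest, name = line.split(None, 1)
            entries[name.lstrip("*")] = digest.lower()  # "*" marks binary mode
    return entries

def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_coverage(root, manifest_name="SHA1SUMS"):
    """Compare the manifest against every file actually present under root."""
    listed = parse_manifest(os.path.join(root, manifest_name))
    on_disk = set()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            if rel != manifest_name:
                on_disk.add(rel)
    return {
        "unlisted": sorted(on_disk - set(listed)),  # on disk, no checksum
        "missing": sorted(set(listed) - on_disk),   # checksum, no file
        "mismatch": sorted(n for n in on_disk & set(listed)
                           if sha1_of(os.path.join(root, n)) != listed[n]),
    }

def demo():
    """Constructed sample tree: one good, one altered, one unlisted, one missing."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "win32", "en-US"))
        for name, data in {"win32/en-US/setup.exe": b"signed",
                           "source.tar.bz2": b"src", "update.mar": b"mar"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        lines = [(b"signed", "win32/en-US/setup.exe"), (b"other", "source.tar.bz2"),
                 (b"x", "linux/gone.tar.bz2")]
        with open(os.path.join(root, "SHA1SUMS"), "w", encoding="utf-8") as fh:
            fh.writelines(f"{hashlib.sha1(d).hexdigest()}  {n}\n" for d, n in lines)
        return check_coverage(root)
```

A release should pass only when all three lists returned by `check_coverage` are empty; an unlisted file is the case the description asks about.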
(Assignee)

Comment 1

12 years ago
All of these are technically post-signing, because Stage needs to happen before signing, which needs to happen before shipping. We don't currently have a Sign step, should we? We could probably have a place in the Stage step that pauses and waits for signing to happen, and resumes when the signed builds are available.

Anyway, here are two others I think would be useful:

1) automatically verify authenticode signatures and detached GPG keys. The latter is pretty trivial, the former might require Windows (pretty sure there's an API for authenticode).

2) verify that final deliverables match the candidate builds. For Linux and Mac they are just renamed, but Windows builds are signed with the authenticode tool. We could do this by unpacking and "diff -r", but maybe there is an easier way? I believe that authenticode signatures are a header, so maybe we can have a test that 1) ensures that the header is there and 2) that the rest of the file matches the candidate builds.

Depending on how we solve 2) that might solve the authenticode verification problem for #1.
(Assignee)

Updated

11 years ago
Duplicate of this bug: 373116

Comment 3

11 years ago
chktrust can be run on any platform that mono can run on; it's written in .NET.
Needed for "release automation", hence marking as critical.
Severity: normal → critical
(Reporter)

Updated

11 years ago
Depends on: 378526
Assignee: build → nobody
QA Contact: mozpreed → build
(Assignee)

Updated

11 years ago
Assignee: nobody → rhelmer
(Assignee)

Comment 5

11 years ago
Split this into bug 409493 for post-stage steps and bug 409477 for signature verification.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → Release Engineering