There are a number of verification steps we can do in the post-Stage step, right before release; these include:

-- Running the quick update verification against the releasetest channels, to ensure bouncer is serving updates correctly.
-- Running the same against all locales/platforms to ensure bouncer is serving builds correctly.
-- Making sure the md5/sha1 sums encompass all the files in the ftp directory.

Any other post-stage ideas? There may also have to be some work done to have this verification step run at a non-pre-determined time after staging.
All of these are technically post-signing, because Stage needs to happen before signing, which needs to happen before shipping. We don't currently have a Sign step, should we? We could probably have a place in the Stage step that pauses and waits for signing to happen, and resumes when the signed builds are available.

Anyway, here are two others I think would be useful:

1) Automatically verify authenticode signatures and detached GPG keys. The latter is pretty trivial, the former might require Windows (pretty sure there's an API for authenticode).

2) Verify that final deliverables match the candidate builds. For Linux and Mac they are just renamed, but Windows builds are signed with the authenticode tool. We could do this by unpacking and "diff -r", but maybe there is an easier way? I believe that authenticode signatures are a header, so maybe we can have a test that 1) ensures that the header is there and 2) that the rest of the file matches the candidate builds.

Depending on how we solve 2) that might solve the authenticode verification problem for #1.
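One way to do the comparison proposed in 2) above, as an added example that is not code from this bug or from the release automation: compare a candidate and a signed Windows binary while ignoring only the three regions Authenticode signing changes in a PE file (the optional-header checksum, the certificate-table directory entry, and the certificate table appended at the end). It assumes the signing tool pads the image to an 8-byte boundary before appending the table; it does not validate the signature itself, and `toy_pe`/`toy_sign` are constructed sample inputs, not real binaries.

```python
import struct

def layout(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    secdir = opt + (96 if magic == 0x10B else 112) + 4 * 8 # data directory index 4 (security)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)  # file offset, not an RVA
    return opt + 64, secdir, cert_off, cert_size

def normalized(pe: bytes) -> bytes:
    """Image with the signing-dependent regions removed or zeroed."""
    csum, secdir, off, size = layout(pe)
    body = bytearray(pe[:off] if size else pe)             # drop the certificate table
    body[csum:csum + 4] = bytes(4)                         # checksum is rewritten on signing
    body[secdir:secdir + 8] = bytes(8)                     # directory entry points at the table
    return bytes(body) + bytes(-len(body) % 8)             # assumed 8-byte alignment padding

def matches_candidate(candidate: bytes, signed: bytes) -> bool:
    """True only if `signed` carries a certificate table and is otherwise the candidate."""
    _, _, off, size = layout(signed)
    if size == 0 or off + size != len(signed):             # unsigned, or bytes after the table
        return False
    return normalized(candidate) == normalized(signed)

def toy_pe(payload: bytes) -> bytes:
    """Constructed sample: minimal PE32 headers followed by payload bytes."""
    hdr = bytearray(0x40 + 24 + 224)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)
    return bytes(hdr) + payload

def toy_sign(pe: bytes) -> bytes:
    """Constructed sample: apply the same byte changes a signing tool makes."""
    csum, secdir, _, _ = layout(pe)
    out = bytearray(pe) + bytes(-len(pe) % 8)
    blob = b"CONSTRUCTED-CERT-BLOB---"
    struct.pack_into("<I", out, csum, 0xDEADBEEF)
    struct.pack_into("<II", out, secdir, len(out), len(blob))
    return bytes(out + blob)

if __name__ == "__main__":
    cand = toy_pe(b"code bytes!")
    print(matches_candidate(cand, toy_sign(cand)))
```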
chktrust can be run on any platform that mono can run on; it's written in .NET.
Needed for "release automation", hence marking as critical.
Severity: normal → critical
11 years ago
Priority: -- → P3
Assignee: build → nobody
QA Contact: mozpreed → build
Split this into bug 409493 for post-stage steps and bug 409477 for signature verification.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → Release Engineering