Closed
Bug 404340
Opened 17 years ago
Closed 13 years ago
freebl3.chk & softokn3.chk differ between exe & complete mar for Win32 builds (and nssdbm3.chk when using NSS 3.12.4 or later)
Categories
(Release Engineering :: General, defect, P5)
Release Engineering
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: nthomas, Assigned: rail)
References
Details
(Whiteboard: [updates])
Attachments
(3 files)
1.62 KB,
patch
|
Details | Diff | Splinter Review | |
708 bytes,
patch
|
Details | Diff | Splinter Review | |
902 bytes,
patch
|
Details | Diff | Splinter Review |
Noticed this while working on bug 403952. Here's some sha1sums on today's Firefox trunk nightlies: SHA1(./win32-exe/nonlocalized/freebl3.chk)= c955656fc73ae71e47c41732014de279271e021e SHA1(./win32-exe/nonlocalized/softokn3.chk)= 2f16a7b224e0d304ff07684b2d00b6c2ba4b04b8 SHA1(./win32-mar/freebl3.chk)= 46413df8198679b273fad0d4794f32258fd3f4bc SHA1(./win32-mar/softokn3.chk)= 507da87629a69817caee781b6a381acd9c1777c1 SHA1(./linux-bz2/firefox/libfreebl3.chk)= 7ea7883746b01029518a9539b520c0b4b5e3d592 SHA1(./linux-bz2/firefox/libsoftokn3.chk)= f647e839679de3505a6e9c40e94a3dac3f1de33d SHA1(./linux-mar/libfreebl3.chk)= 7ea7883746b01029518a9539b520c0b4b5e3d592 SHA1(./linux-mar/libsoftokn3.chk)= f647e839679de3505a6e9c40e94a3dac3f1de33d SHA1(./mac-dmg/Minefield.app/Contents/MacOS/libfreebl3.chk)= f8653116a2682587a5a82e813dcd2fbb935f8d17 SHA1(./mac-dmg/Minefield.app/Contents/MacOS/libsoftokn3.chk)= 82a47a395afc0ea17ce1c8ff3d2d78914eff3eb4 SHA1(./mac-mar/Contents/MacOS/libfreebl3.chk)= f8653116a2682587a5a82e813dcd2fbb935f8d17 SHA1(./mac-mar/Contents/MacOS/libsoftokn3.chk)= 82a47a395afc0ea17ce1c8ff3d2d78914eff3eb4 Probably this is because we call "make installer" about 10 million times on win32. Strangely, doesn't seem to be a problem on the 1.8 branch.
Reporter | ||
Updated•17 years ago
|
Summary: freebl.chk & softokn3.chk differ between exe & complete mar for Trunk/Firefox/Win32 → freebl3.chk & softokn3.chk differ between exe & complete mar for Trunk/Firefox/Win32
Comment 1•17 years ago
|
||
We just saw this in the FF3.0beta2 update verify step.
Blocks: 407077
Priority: -- → P1
Comment 2•17 years ago
|
||
reassigning - is this the correct component?
Component: Build & Release → Build Config
Product: mozilla.org → Firefox
QA Contact: build → build.config
Version: other → Trunk
Comment 3•17 years ago
|
||
from irc with bsmedberg: Previously we only ran shlibsign much earlier in the NSS build process, but now we're running it (correctly, sorta) as part of the package process, after we strip libraries and it's not idempotent, so we get different results when we run "make installer" (used for the installer) and "make package" (used for the zip builds, which end up as the MARs). Also see related work in bug#370693.
Comment 4•17 years ago
|
||
Seems this matters for FIPS crypto as part of Firefox. For additional info, see: http://oss-institute.org/fips-faq.html#a1 and http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html. To verify if FIPS is working: 1) Install FF3 2) then go to Options->Advanced->security devices. In the list on left-hand-side, pick "SoftwareSecurityDevice" and then "change password", to set password. Once that is set, and you are back in the security devices dialog box, click "Enable FIPS". 3) then visit www.paypal.com, and login. 4) Verify that the SSL connection is established. Also, to the left of the URL bar, is a small icon for that site. If you click on that icon, you will see a popdown window, with the passport control graphic, and some text confirming the paypal certificate info.
Comment 5•17 years ago
|
||
I just ran through the test outlined in comment 4 with b2 (using installer.exe) and b1 upgraded to b2 via the betatest channel, using clean profile each time on Windows 2000. I was able to login to PayPal, and got the same "location verified" passport popdown each time, "Verified by: VeriSign, Inc.", "You connection is encrypted" with the lock graphic, etc. One minor note - on step #2 "security devices" is a button under the "encryption" tab, with a clean profile I think it defaults to the "general" tab.
Comment 6•17 years ago
|
||
Can you please test what happens when you delete the *.chk files and try that test on a clean profile? I'm worried that the "enable fips" button would simply do nothing, and you remain in non-fips mode, and of course, the connection to paypal will work, too. Bob, Wan-Teh, could you think of a better UI test to verify the application is correctly running in FIPS mode? (something that can be automated) The only other idea I have is more complicated, because it would require to operate two test SSL server that disallows the FIPS ciphers. One (a) that is restricted to use FIPS ciphers, and another one (b) that is restricted to use non-FIPS ciphers. A test case could connect to both, see an expected success on (a), and an excepted failure on (b).
Comment 7•17 years ago
|
||
Maybe we should add a mode to shlibsign to test the NSS shared libraries in FIPS mode. We can also just use the pk11mode test program (which is not being built in Mozilla builds right now) to do that.
Comment 8•16 years ago
|
||
Any progress here? Not sure who is waiting for whom :) Is this a packaging bug that should be fixed in the build system, so that installer contents are the same as MAR and ZIP, or something else? We've shipped the past 3 betas (at least) this way.
Comment 9•16 years ago
|
||
(In reply to comment #8) > Is this a packaging bug that should be fixed in the build system, so that > installer contents are the same as MAR and ZIP, or something else? We've > shipped the past 3 betas (at least) this way. I don't see a packaging bug. If MAR and ZIP archives have different contents in their .chk files, because shlibsign get run again, that's perfectly fine. On Fedora Linux, we even run the shlibsign as part of the package installation process, so every end user system will have different file contents. The files are meant to help detect accidental modifications of the library files, as I understand it. In other words, if you are sure the library files are not modified after generating the .chk files, you should be fine, even if you run shlibsign multiple times and ship different versions in different packaging formats. Wan-Teh, if this is wrong, please slap me. (In reply to comment #7) > Maybe we should add a mode to shlibsign to test the NSS shared > libraries in FIPS mode. That's a realy good idea, but nothing we can done quickly, until someone steps up to do it. > We can also just use the pk11mode test > program (which is not being built in Mozilla builds right now) > to do that. This idea sounds simpler to do. How would you execute pk11mode and what is the expected output?
Comment 10•16 years ago
|
||
pk11mode without any arguments uses the softoken in FIPS mode. I think you can just check its exit status to determine if the tests pass or not.
Comment 11•16 years ago
|
||
We just hit this again in 3.0beta4.
Comment 12•16 years ago
|
||
It is fine for freebl3.chk & softokn3.chk differ between exe & complete mar. freebl3.chk & softokn3.chk are checksums for freebl3.dll and softokn3.dll. What's special is that there are multiple (in fact, infinitely many) correct checksums for each file. shlibsign is the tool that generate these checksums, and each time you run shlibsign, it outputs one of the correct checksums at random. This is why freebl3.chk & softokn3.chk differ between exe & complete mar.
Reporter | ||
Comment 13•16 years ago
|
||
Thanks for the nice summary. We keep raising because it gives us false errors when we test updates for a new release (ie the chk files from "3.0b3 updated to 3.0b4" are different from those in an unpacked 3.0b4). I think this comes back to being a tinderbox/build packaging problem (boo!); we shouldn't be using the unshipped zip file to make the mar. Bug 313956 is closely related. Alternatively, we could make the signing code replace the chk files in the mar with the ones from the exe.
Component: Build Config → Build & Release
Priority: P1 → P3
Product: Firefox → mozilla.org
QA Contact: build.config → build
Version: Trunk → other
Updated•16 years ago
|
Component: Release Engineering → Release Engineering: Future
QA Contact: build → release
Comment 14•16 years ago
|
||
This continued to hit us in all releases from FF3.0b4 -> FF3.0rc3. :-(
Comment 15•16 years ago
|
||
(In reply to comment #12) > It is fine for freebl3.chk & softokn3.chk differ between exe & complete mar. How about in the partial mar case where app update tries to patch the existing .chk files?
Comment 16•16 years ago
|
||
as in bug 470811
Comment 17•15 years ago
|
||
Should we just ignore the .chk files in the update verification step (i.e. in check_updates.sh)?
Reporter | ||
Comment 18•15 years ago
|
||
NSS 3.12.4 added another check file - nssdbm3.chk - which has the same problem.
Summary: freebl3.chk & softokn3.chk differ between exe & complete mar for Trunk/Firefox/Win32 → freebl3.chk & softokn3.chk differ between exe & complete mar for Win32 builds (and nssdbm3.chk when using NSS 3.12.4 or later)
Comment 19•14 years ago
|
||
Mass move of bugs from Release Engineering:Future -> Release Engineering. See http://coop.deadsquid.com/2010/02/kiss-the-future-goodbye/ for more details.
Component: Release Engineering: Future → Release Engineering
Comment 20•14 years ago
|
||
Would this be solved by fixing bug 313956?
Comment 21•14 years ago
|
||
(In reply to comment #20) > Would this be solved by fixing bug 313956? Yeah, looks like it.
Comment 22•14 years ago
|
||
Though I am less concerned about users using zip builds getting a failed partial that causes them to have to download a complete update bug 313956 would just move this problem over to zip build users.
Comment 23•14 years ago
|
||
(In reply to comment #22) > Though I am less concerned about users using zip builds getting a failed > partial that causes them to have to download a complete update bug 313956 would > just move this problem over to zip build users. If we build the MAR out of the EXE we should seriously consider dropping the ZIP format altogether IMHO.
Comment 24•14 years ago
|
||
The zip is handy for doing packaged unittests and talos runs.
Comment 25•14 years ago
|
||
if we can extract the exe to generate the mar, couldn't we use the same tools to extract the exe for running tests? Alternatively, could we use the mar file using our mar extractor instead of using unzip.exe?
Comment 26•14 years ago
|
||
The installer can be extracted with 7-Zip but the files are separated into non-localized, localized, and optional directories. If it is desirable I can add a command line option to the installer that can take a path to extract the files into single directory. If we were to keep the zip's it would be great if it could be generated from the installer.
Comment 27•14 years ago
|
||
A good number of users want to have the zips for automated deployment or for rapidly testing some version because it's much more handy to just unpack and run than to go through a number of dialogs (which is impossible to do automatically) and - in case of testers - to overwrite registry entries of your main installation. If users of a .zip package are required to use a complete MAR for the first update, I don't think that's a large problem, though.
Comment 28•14 years ago
|
||
If our EXEs had a "extract me to a dir" mode wouldn't that get rid of the only advantage of ZIPs?
Comment 29•14 years ago
|
||
(In reply to comment #27) > A good number of users want to have the zips for automated deployment or for > rapidly testing some version because it's much more handy to just unpack and > run than to go through a number of dialogs (which is impossible to do > automatically) Actually, it is possible to install Firefox (last I tested Thunderbird as well) silently and configure several options as well.
Comment 30•14 years ago
|
||
It probably will generate some public outcry until we have educated people, but as long as there is also an option to not touch anything like registry and start menus, i.e. to _only_ extract the files to some specified target, I guess it might work for those people, even if it's more work for them (right-clicking and selecting "Extract" is so much simpler). And we need to continue to support the option to generate a zip the normal way even if we don't ship it, as it's the default package generation option from toolkit and Mozilla-based apps that don't have an NSIS installer need to have it available. For Firefox, Thunderbird and SeaMonkey, we should be able to do it, but I'll make sure to direct all complaints to those people who make the decision (SeaMonkey users are usually those shouting loudest at such things and I hate repeatedly pointing out reasons to toolkit decisions I might not fully support myself).
Comment 31•14 years ago
|
||
(In reply to comment #30) > For Firefox, Thunderbird and SeaMonkey, we should be able to do it, but I'll > make sure to direct all complaints to those people who make the decision > (SeaMonkey users are usually those shouting loudest at such things and I hate > repeatedly pointing out reasons to toolkit decisions I might not fully support > myself). For the record, I don't think Firefox stopping shipping a ZIP means SeaMonkey or Thunderbird can't ship it anymore. I'm certainly not advocating ripping out all the ZIP code.
Updated•14 years ago
|
Whiteboard: [updates]
Updated•14 years ago
|
Priority: P3 → P5
Reporter | ||
Comment 32•14 years ago
|
||
(In reply to comment #27) > A good number of users want to have the zips for automated deployment or for > rapidly testing some version because it's much more handy to just unpack and > run than to go through a number of dialogs (which is impossible to do > automatically) Scriptable: mkdir -p tmp/combined cd tmp 7z x <package> cp -rp nonlocalized/* combined/ cp -rp localized/* combined/ cp -rp optional/* combined/ and use the files in combined.
Comment 33•14 years ago
|
||
Nick, it would be awesome to have for the first time the exact same files in the zip as installed by the installer!
Assignee | ||
Updated•14 years ago
|
Assignee: nobody → rail
Reporter | ||
Comment 34•14 years ago
|
||
See also bug 313956, bug 489961.
Reporter | ||
Comment 35•14 years ago
|
||
rs, zips are different again. We create the zip, then the installer, then the complete mar. Each time we get different chk files. Many sad faces. Bug 313956 will unpack the exe to create the mar. It's really tempting to change 'make package' on windows to call 'make installer' then zip up DIST/installer-stage/core/, then stop calling make installer. I gave 0 seconds thought to the consequences of that so there are probably issues.
Comment 36•14 years ago
|
||
I briefly had that same temptation a couple weeks ago. I should be able to spend some time making this more sane after I finish my Firefox 4 work in a month or two.
Comment 37•14 years ago
|
||
(In reply to comment #35) > It's really tempting to > change 'make package' on windows to call 'make installer' then zip up > DIST/installer-stage/core/ Well, that would mean that anyone wanting a zip needs to have NSIS installed, which might not be what we want for developers out there, even more those of apps outside the Firefox, Thunderbird, SeaMonkey spectrum where we are maintaining NSIS installers and buildbots well enough. For our buildbot machines, I agree that it would be a good target to have zips, installers, and mars built from a common source without regenerating .chk files or calling packager.mk at all multiple times. Though I might wonder all the same why we can't use the $(DIST)/$(APPNAME) directory for all of them without regenerating it at any point, i.e. also without regenerating the .chk files.
Comment 38•14 years ago
|
||
(In reply to comment #37) > (In reply to comment #35) > > It's really tempting to > > change 'make package' on windows to call 'make installer' then zip up > > DIST/installer-stage/core/ > > Well, that would mean that anyone wanting a zip needs to have NSIS installed, > which might not be what we want for developers out there, even more those of > apps outside the Firefox, Thunderbird, SeaMonkey spectrum where we are > maintaining NSIS installers and buildbots well enough. tbqh, I don't see the problem with that. The NSIS installer is the supported package format for Windows. AFAIK the only reason we've bothered to keep .zip around is because the complete MAR depends on it. Nothing would stop someone else from maintaining zip packaging code in their specific product.
Comment 39•14 years ago
|
||
(In reply to comment #38) > AFAIK the only reason we've bothered to keep .zip > around is because the complete MAR depends on it. AFAIK other main reasons are because 1) we are not alone in the Mozilla universe and not every Mozilla-based app should need to have an NSIS installer fully configured, 2) it shares almost all code with .tar.bz generation anyhow, and 3) because nightly testers *love* installing ZIPs instead of going to more complicated fiddling with the installer (in the case of installing multiple builds and not wanting any registry entries, desktop icons or other - from their perspective - "crap").
Comment 40•14 years ago
|
||
MozillaBuild ships with NSIS, and it's the only supported build setup on Windows nowadays. There's no problem there.
Comment 41•14 years ago
|
||
(In reply to comment #40) > MozillaBuild ships with NSIS, and it's the only supported build setup on > Windows nowadays. There's no problem there. Ah, right, thanks for the comment, didn't think of that. With that in mind, I guess we probably could safely depend on the installer at least as an intermediate format for generating the other two (MAR and ZIP) package formats.
Assignee | ||
Comment 42•13 years ago
|
||
Bug 313956 landed on m-c and fixed this bug. However it would be better to remove *.chk files from "force" list.
Assignee | ||
Comment 43•13 years ago
|
||
Something like this, but for the 5.0 patcher configs.
Attachment #525683 -
Flags: feedback?(nrthomas)
Comment 44•13 years ago
|
||
Comment on attachment 525683 [details] [diff] [review] patcher-configs We should remove the files from the patcher config creator, too: http://mxr.mozilla.org/build-central/source/tools/release/patcher-config-creator.pl#21 This means that the MU configs won't force them, but that's fine, because we only serve completes to MUs.
Assignee | ||
Comment 45•13 years ago
|
||
If I understood correctly, the current implementation of make_incremental_update.sh forces all *.chk files to be clobbered even if they aren't passed via -f parameter. Both patches haven't been tested yet.
Attachment #525684 -
Flags: feedback?(nrthomas)
Assignee | ||
Comment 46•13 years ago
|
||
See also bug 313956 comment 42. There is no diff between exe and complete mar!
Assignee | ||
Comment 47•13 years ago
|
||
(In reply to comment #44) > We should remove the files from the patcher config creator, too: > http://mxr.mozilla.org/build-central/source/tools/release/patcher-config-creator.pl#21 BTW, should I add a special case to ignore getChkFile() results in build/tools/release/signing/{signing.py,sign-release.py} for m-c based builds?
Comment 48•13 years ago
|
||
(In reply to comment #47) > (In reply to comment #44) > > We should remove the files from the patcher config creator, too: > > http://mxr.mozilla.org/build-central/source/tools/release/patcher-config-creator.pl#21 > > BTW, should I add a special case to ignore getChkFile() results in > build/tools/release/signing/{signing.py,sign-release.py} for m-c based builds? Naw, just change it globally. 1.9.1, 1.9.2, and 2.0 don't use this script for minor updates. It only gets used for Major Update and new branch creation.
Comment 49•13 years ago
|
||
(In reply to comment #47) > (In reply to comment #44) > > We should remove the files from the patcher config creator, too: > > http://mxr.mozilla.org/build-central/source/tools/release/patcher-config-creator.pl#21 > > BTW, should I add a special case to ignore getChkFile() results in > build/tools/release/signing/{signing.py,sign-release.py} for m-c based builds? No, that function is called to determine if we should be re-generating a .chk file after signing a .dll. We need to keep doing that.
Assignee | ||
Comment 50•13 years ago
|
||
Attachment #525704 -
Flags: feedback?(nrthomas)
Assignee | ||
Comment 51•13 years ago
|
||
The patches go beyond the original bug. Closing it with bug 649779 as a followup. Fixed by bug 313956.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•13 years ago
|
Attachment #525683 -
Flags: feedback?(nrthomas)
Assignee | ||
Updated•13 years ago
|
Attachment #525684 -
Flags: feedback?(nrthomas)
Assignee | ||
Updated•13 years ago
|
Attachment #525704 -
Flags: feedback?(nrthomas)
Updated•11 years ago
|
Product: mozilla.org → Release Engineering
You need to log in
before you can comment on or make changes to this bug.
Description
•