Closed Bug 447667 Opened 17 years ago Closed 17 years ago

sign-release.pl, maybe other signing scripts, need to learn how to talk hg

Categories

(Release Engineering :: General, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: bhearsum)

References

Details

(Whiteboard: [hg-automation])

Attachments

(2 files, 2 obsolete files)

While doing the 3.1a1 release I noticed that sign-release.pl checks out stub files from CVS. For this release I worked around it by tagging them with FIREFOX_3_1a1_BUILD1 in CVS; we need to fix this before the next release. The signing tools need to be able to check these files out from HG, or get them some other way. This probably means doing a full clone of hg.m.o/m-c when we sign. Not a big deal, really. We'll need a way to toggle CVS/hg mode, probably could just set another environment variable, eg, 'export VCS=hg', or w/e.
Urk, sounds like fun. Agreed we should fix this asap.
OS: Mac OS X → All
Priority: -- → P3
Hardware: PC → All
Blocks: 433930
No longer blocks: 433390
Whiteboard: [hg-automation]
Summary: sign-release.pl, maybe other scripts, need to learn how to talk hg → sign-release.pl, maybe other signing scripts, need to learn how to talk hg
Component: Release Engineering → Release Engineering: Future
Status: NEW → ASSIGNED
Component: Release Engineering: Future → Release Engineering
Priority: P3 → P2
Assignee: nobody → nthomas
Attached patch WIP (obsolete) — Splinter Review
This is a WIP patch which has had limited testing on my own machine, needs checking on signing box and/or its staging VM. Typical use changes to
  sign-release.pl -M dir -o signed-build1 -d unsigned-build1 -a firefox --release FIREFOX_3_1b2_RELEASE --repo releases/mozilla-1.9.1
Leave off the --repo to use CVS.
We should also do http://benjamin.smedbergs.us/blog/2008-08-27/how-to-teach-wget-about-security/ (perhaps Mook's first comment?) so that wget checks the ssl cert when we download the files from hg.m.o
Not going to have time to finish this before the break, calling all kind souls who have space in their heart for a Q4 goal.
Assignee: nthomas → nobody
Status: ASSIGNED → NEW
Assignee: nobody → bhearsum
Priority: P2 → P3
Priority: P3 → P2
Okay, here are instructions for installing the Equifax cert (already done on keymaster02):
Download the DER version of the cert, from here: https://www.geotrust.com/resources/root-certificates/index.html (You'll have to add this to the IE 'secure zone' to do so).
Run the following command to convert it to a PEM:
  openssl x509 -inform DER -in Equifax<tab> -out equifax.pem
Log in as Administrator to do the rest:
  cp equifax.pem /usr/ssl/certs
  echo "ca_certificate = /usr/ssl/certs/equifax.pem" >> /etc/wgetrc
Now wget works without --no-check-certificate, hooray!
Status: NEW → ASSIGNED
Nick, this is basically your patch + the changes to CheckoutUpdateTools. I removed the --no-check-certificate from the wget parts, since we'll have the certificate installed RSN. Pulling update-packaging from Mercurial kind of sucks because we have to clone the entire repository. I suppose we could just pull the two files we need, now that I think harder about it - I can make that change if you want. The way it is now we'll need to install Mercurial on keymaster before b3.
Attachment #353906 - Attachment is obsolete: true
Attachment #357978 - Flags: review?(nthomas)
Comment on attachment 357978: pull stub files, update-packaging from hg, when desired
Looks fine to me, but pulling the three files we need from update-packaging/ could be a pretty nice speed up. Don't forget common.sh for make_incremental_update.sh. We should also use $tag in CheckoutUpdateTools() - it's even passed in already! - for both cvs and hg cases.
Attachment #357978 - Flags: review?(nthomas) → review-
(In reply to comment #6)
> Don't forget common.sh for make_incremental_update.sh.
make_full_update.sh even
I ended up factoring the checkouts into a separate function. This worked OK in my tests.
Attachment #358407 - Flags: review?(nthomas)
Attachment #358407 - Flags: review?(nthomas) → review+
Comment on attachment 358407: pull stubs + tools from the tag, and only the specific files needed
Looks good to me.
Attachment #357978 - Attachment is obsolete: true
Comment on attachment 358407: pull stubs + tools from the tag, and only the specific files needed
  Checking in sign-release.pl;
  /mofo/release/signing/tools/sign-release.pl,v  <--  sign-release.pl
  new revision: 1.31; previous revision: 1.30
  done
Attachment #358407 - Flags: checked‑in+
I installed the Equifax cert onto keymaster, too:
  cltsign@keymaster ~
  $ wget https://hg.mozilla.org/mozilla-central/raw-file/c989bb1f272d/other-licenses/7zstub/firefox/7zSD.sfx
  --08:06:36--  https://hg.mozilla.org/mozilla-central/raw-file/c989bb1f272d/other-licenses/7zstub/firefox/7zSD.sfx
             => `7zSD.sfx'
  Resolving hg.mozilla.org... 63.245.208.188, 63.245.208.189
  Connecting to hg.mozilla.org|63.245.208.188|:443... connected.
  ERROR: Certificate verification error for hg.mozilla.org: self signed certificate in certificate chain
  To connect to hg.mozilla.org insecurely, use `--no-check-certificate'.
  Unable to establish SSL connection.
  cltsign@keymaster ~
  $ wget --no-check-certificate https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority_DER.cer
  --08:06:40--  https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority_DER.cer
             => `Equifax_Secure_Certificate_Authority_DER.cer'
  Resolving www.geotrust.com... 65.205.249.113
  Connecting to www.geotrust.com|65.205.249.113|:443... connected.
  WARNING: Certificate verification error for www.geotrust.com: self signed certificate in certificate chain
  HTTP request sent, awaiting response... 200 OK
  Length: 804 [text/plain]
  100%[====================================>] 804           --.--K/s
  08:06:41 (1.53 MB/s) - `Equifax_Secure_Certificate_Authority_DER.cer' saved [804/804]
  cltsign@keymaster ~
  $ openssl x509 -inform DER -in Equifax_Secure_Certificate_Authority_DER.cer -out equifax.pem
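Added example, not part of this bug's comments or attachments: the DER-to-PEM conversion and wgetrc step from the install instructions and the session above, with one extra check that compares the downloaded root certificate's SHA-256 fingerprint to a value obtained out of band before anything is written. The function names, the scratch paths and the throwaway self-signed certificate are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: pin a root CA by fingerprint before wget is told to trust it.
set -eu

# SHA-256 fingerprint of a DER certificate as bare lowercase hex.
der_fingerprint() {
    fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# install_ca DER_FILE EXPECTED_SHA256 PEM_OUT WGETRC
# Returns 0 on install, 1 on fingerprint mismatch, 2 if the file is not a certificate.
install_ca() {
    der=$1; expected=$2; pem=$3; wgetrc=$4
    actual=$(der_fingerprint "$der") || { echo "not a DER certificate: $der" >&2; return 2; }
    # Accept the expected value with or without colons, in either case.
    expected=$(printf '%s' "$expected" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $der: got $actual" >&2
        return 1                      # nothing is written on mismatch
    fi
    openssl x509 -inform DER -in "$der" -out "$pem" || return 2
    # Append the wgetrc setting once, so re-running does not duplicate it.
    grep -qxF "ca_certificate = $pem" "$wgetrc" 2>/dev/null \
        || echo "ca_certificate = $pem" >> "$wgetrc"
}

# Constructed sample: a throwaway self-signed root standing in for the vendor's DER file.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
        -keyout "$1/key.pem" -out "$1/root.crt" 2>/dev/null
    openssl x509 -in "$1/root.crt" -outform DER -out "$1/root.der"
}

# Demo in a scratch directory; the real /etc/wgetrc is never touched.
tmp=$(mktemp -d)
make_sample_root "$tmp"
# In real use this value comes from a separate trusted channel, not from the download itself.
pinned=$(der_fingerprint "$tmp/root.der")
install_ca "$tmp/root.der" "$pinned" "$tmp/root.pem" "$tmp/wgetrc"
echo "trusted: $(cat "$tmp/wgetrc")"
```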
I just updated the Combined Signing doc to fix the example tag and remove the notes about pulling files from CVS. I don't think there's any other scripts that need updating, so I'll call this bug FIXED.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We lose the executable bit on the update scripts by pulling them via wget, this just adds that back.
Attachment #360284 - Flags: review?(bhearsum)
Attachment #360284 - Flags: review?(bhearsum) → review+
Attachment #360284 - Flags: checked‑in+
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering