While doing the 3.1a1 release I noticed that sign-release.pl checks out stub files from CVS. For this release I worked around it by tagging them with FIREFOX_3_1a1_BUILD1 in CVS; we need to fix this before the next release. The signing tools need to be able to check these files out from HG, or get them some other way. This probably means doing a full clone of hg.m.o/m-c when we sign. Not a big deal, really. We'll need a way to toggle CVS/hg mode, probably could just set another environment variable, e.g., 'export VCS=hg', or w/e.
Urk, sounds like fun. Agreed we should fix this asap.
OS: Mac OS X → All
Priority: -- → P3
Hardware: PC → All
Summary: sign-release.pl, maybe other scripts, need to learn how to talk hg → sign-release.pl, maybe other signing scripts, need to learn how to talk hg
Component: Release Engineering → Release Engineering: Future
Status: NEW → ASSIGNED
Component: Release Engineering: Future → Release Engineering
Priority: P3 → P2
Created attachment 353906
WIP
This is a WIP patch which has had limited testing on my own machine, needs checking on signing box and/or its staging VM. Typical use changes to
    sign-release.pl -M dir -o signed-build1 -d unsigned-build1 -a firefox --release FIREFOX_3_1b2_RELEASE --repo releases/mozilla-1.9.1
Leave off the --repo to use CVS. We should also do http://benjamin.smedbergs.us/blog/2008-08-27/how-to-teach-wget-about-security/ (perhaps Mook's first comment?) so that wget checks the SSL cert when we download the files from hg.m.o
Not going to have time to finish this before the break, calling all kind souls who have space in their heart for a Q4 goal.
Assignee: nthomas → nobody
Assignee: nobody → bhearsum
Priority: P2 → P3
Okay, here are instructions for installing the Equifax cert (already done on keymaster02):
Download the DER version of the cert, from here: https://www.geotrust.com/resources/root-certificates/index.html (You'll have to add this to the IE 'secure zone' to do so).
Run the following command to convert it to a PEM:
    openssl x509 -inform DER -in Equifax<tab> -out equifax.pem
Log in as Administrator to do the rest:
    cp equifax.pem /usr/ssl/certs
    echo "ca_certificate = /usr/ssl/certs/equifax.pem" >> /etc/wgetrc
Now wget works without --no-check-certificate, hooray!
Status: NEW → ASSIGNED
Created attachment 357978
pull stub files, update-packaging from hg, when desired
Nick, this is basically your patch + the changes to CheckoutUpdateTools. I removed the --no-check-certificate from the wget parts, since we'll have the certificate installed RSN. Pulling update-packaging from Mercurial kind of sucks because we have to clone the entire repository. I suppose we could just pull the two files we need, now that I think harder about it - I can make that change if you want. The way it is now we'll need to install Mercurial on keymaster before b3.
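Added example (not part of the bug or of sign-release.pl): a shell check a signing box could run before a release to confirm the wget setup discussed in the comments above, namely that wgetrc points ca_certificate at a PEM file, that check_certificate has not been switched off, and that no script still passes --no-check-certificate. The function names and the choice to pass file paths as arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit wget's TLS settings before a signing run.
# File paths are arguments; none are taken from sign-release.pl.

# Print the effective value of a wgetrc command (the last assignment wins).
# wgetrc command names ignore case, underscores and hyphens.
wgetrc_value() {  # usage: wgetrc_value <wgetrc> <name>
    awk -v want="$2" '
        function norm(s) { s = tolower(s); gsub(/[-_ \t]/, "", s); return s }
        /^[ \t]*#/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            if (norm(substr($0, 1, i - 1)) == norm(want)) {
                val = substr($0, i + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            }
        }
        END { print val }
    ' "$1"
}

# Return 0 only if verification is enabled and any configured CA file is PEM.
audit_wget_tls() {  # usage: audit_wget_tls <wgetrc> [script ...]
    rc=$1; shift
    status=0
    check=$(wgetrc_value "$rc" check_certificate | tr 'A-Z' 'a-z')
    case "$check" in
        off|no|0) echo "FAIL: $rc sets check_certificate = $check"; status=1 ;;
    esac
    ca=$(wgetrc_value "$rc" ca_certificate)
    if [ -z "$ca" ]; then
        echo "WARN: $rc has no ca_certificate; wget uses its default trust store"
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
        echo "FAIL: ca_certificate $ca is missing or not PEM"; status=1
    fi
    for f in "$@"; do
        if grep -n -e '--no-check-certificate' "$f"; then
            echo "FAIL: $f passes --no-check-certificate"; status=1
        fi
    done
    return $status
}

# Example: audit_wget_tls /etc/wgetrc sign-release.pl
```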
Comment on attachment 357978
pull stub files, update-packaging from hg, when desired
Looks fine to me, but pulling the three files we need from update-packaging/ could be a pretty nice speed up. Don't forget common.sh for make_incremental_update.sh. We should also use $tag in CheckoutUpdateTools() - it's even passed in already! - for both cvs and hg cases.
Attachment #357978 - Flags: review?(nthomas) → review-
(In reply to comment #6)
> Don't forget common.sh for make_incremental_update.sh.
make_full_update.sh even
Created attachment 358407
pull stubs + tools from the tag, and only the specific files needed
I ended up factoring the checkouts into a separate function. This worked OK in my tests.
Attachment #358407 - Flags: review?(nthomas)
Attachment #358407 - Flags: review?(nthomas) → review+
Comment on attachment 358407
pull stubs + tools from the tag, and only the specific files needed
Looks good to me.
Attachment #357978 - Attachment is obsolete: true
Comment on attachment 358407
pull stubs + tools from the tag, and only the specific files needed
    Checking in sign-release.pl;
    /mofo/release/signing/tools/sign-release.pl,v <-- sign-release.pl
    new revision: 1.31; previous revision: 1.30
    done
Attachment #358407 - Flags: checked‑in+
I installed the Equifax cert onto keymaster, too:
    cltsign@keymaster ~ $ wget https://hg.mozilla.org/mozilla-central/raw-file/c989bb1f272d/other-licenses/7zstub/firefox/7zSD.sfx
    --08:06:36-- https://hg.mozilla.org/mozilla-central/raw-file/c989bb1f272d/other-licenses/7zstub/firefox/7zSD.sfx
    => `7zSD.sfx'
    Resolving hg.mozilla.org... 18.104.22.168, 22.214.171.124
    Connecting to hg.mozilla.org|126.96.36.199|:443... connected.
    ERROR: Certificate verification error for hg.mozilla.org: self signed certificate in certificate chain
    To connect to hg.mozilla.org insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.
    cltsign@keymaster ~ $ wget --no-check-certificate https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority_DER.cer
    --08:06:40-- https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority_DER.cer
    => `Equifax_Secure_Certificate_Authority_DER.cer'
    Resolving www.geotrust.com... 188.8.131.52
    Connecting to www.geotrust.com|184.108.40.206|:443... connected.
    WARNING: Certificate verification error for www.geotrust.com: self signed certificate in certificate chain
    HTTP request sent, awaiting response... 200 OK
    Length: 804 [text/plain]
    100%[====================================>] 804 --.--K/s
    08:06:41 (1.53 MB/s) - `Equifax_Secure_Certificate_Authority_DER.cer' saved [804/804]
    cltsign@keymaster ~ $ openssl x509 -inform DER -in Equifax_Secure_Certificate_Authority_DER.cer -out equifax.pem
I just updated the Combined Signing doc to fix the example tag and remove the notes about pulling files from CVS. I don't think there's any other scripts that need updating, so I'll call this bug FIXED.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Created attachment 360284
u+x on update scripts
We lose the executable bit on the update scripts by pulling them via wget; this just adds that back.
Attachment #360284 - Flags: review?(bhearsum)
Attachment #360284 - Flags: review?(bhearsum) → review+
Status: REOPENED → RESOLVED
Last Resolved: 10 years ago → 10 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering