sign-release.pl, maybe other signing scripts, need to learn how to talk hg

Status: RESOLVED FIXED
Product / Component: Release Engineering / General
Priority: P2, Severity: normal
Opened 10 years ago, last updated 5 years ago
People: Reporter: bhearsum, Assigned: bhearsum
Firefox Tracking Flags: (Not tracked)
Whiteboard: [hg-automation]
Attachments: 2 attachments, 2 obsolete attachments

Description (Assignee, 10 years ago)
While doing the 3.1a1 release I noticed that sign-release.pl checks out stub files from CVS. For this release I worked around it by tagging them with FIREFOX_3_1a1_BUILD1 in CVS; we need to fix this before the next release. The signing tools need to be able to check these files out from HG, or get them some other way. This probably means doing a full clone of hg.m.o/m-c when we sign. Not a big deal, really.

We'll need a way to toggle CVS/hg mode, probably could just set another environment variable, eg, 'export VCS=hg', or w/e.
Urk, sounds like fun. Agreed we should fix this asap.
OS: Mac OS X → All
Priority: -- → P3
Hardware: PC → All
Updated (Assignee, 10 years ago)
Blocks: 433930
No longer blocks: 433390
Updated (Assignee, 10 years ago)
Whiteboard: [hg-automation]
Updated (Assignee, 10 years ago)
Summary: sign-release.pl, maybe other scripts, need to learn how to talk hg → sign-release.pl, maybe other signing scripts, need to learn how to talk hg
Updated (Assignee, 10 years ago)
Component: Release Engineering → Release Engineering: Future
Status: NEW → ASSIGNED
Component: Release Engineering: Future → Release Engineering
Priority: P3 → P2
Assignee: nobody → nthomas
Created attachment 353906 [details] [diff] [review]
WIP

This is a WIP patch which has had limited testing on my own machine; it needs checking on the signing box and/or its staging VM. Typical use changes to
 sign-release.pl -M dir -o signed-build1 -d unsigned-build1 -a firefox --release FIREFOX_3_1b2_RELEASE --repo releases/mozilla-1.9.1
Leave off the --repo to use CVS.

We should also do 
 http://benjamin.smedbergs.us/blog/2008-08-27/how-to-teach-wget-about-security/
(perhaps Mook's first comment?) so that wget checks the ssl cert when we download the files from hg.m.o
Not going to have time to finish this before the break, calling all kind souls who have space in their heart for a Q4 goal.
Assignee: nthomas → nobody
Status: ASSIGNED → NEW
Updated (Assignee, 10 years ago)
Assignee: nobody → bhearsum
Priority: P2 → P3
Updated (Assignee, 10 years ago)
Priority: P3 → P2
Comment 4 (Assignee, 10 years ago)
Okay, here are instructions for installing the Equifax cert (already done on keymaster02):
Download the DER version of the cert from here: https://www.geotrust.com/resources/root-certificates/index.html (You'll have to add this to the IE 'secure zone' to do so).
Run the following command to convert it to a PEM:
openssl x509 -inform DER -in Equifax<tab> -out equifax.pem

Login as Administrator to do the rest:
cp equifax.pem /usr/ssl/certs
echo "ca_certificate = /usr/ssl/certs/equifax.pem" >> /etc/wgetrc

Now wget works without --no-check-certificate, hooray!
Status: NEW → ASSIGNED
Comment 5 (Assignee, 10 years ago)
Created attachment 357978 [details] [diff] [review]
pull stub files, update-packaging from hg, when desired

Nick, this is basically your patch + the changes to CheckoutUpdateTools. I removed the --no-check-certificate from the wget parts, since we'll have the certificate installed RSN.

Pulling update-packaging from Mercurial kind of sucks because we have to clone the entire repository. I suppose we could just pull the two files we need, now that I think harder about it - I can make that change if you want.

The way it is now we'll need to install Mercurial on keymaster before b3.
Attachment #353906 - Attachment is obsolete: true
Attachment #357978 - Flags: review?(nthomas)
Comment on attachment 357978 [details] [diff] [review]
pull stub files, update-packaging from hg, when desired

Looks fine to me, but pulling the three files we need from update-packaging/ could be a pretty nice speed up. Don't forget common.sh for make_incremental_update.sh.

We should also use $tag in CheckoutUpdateTools() - it's even passed in already! - for both cvs and hg cases.
Attachment #357978 - Flags: review?(nthomas) → review-
(In reply to comment #6)
> Don't forget common.sh for make_incremental_update.sh.

make_full_update.sh even
Comment 8 (Assignee, 10 years ago)
Created attachment 358407 [details] [diff] [review]
pull stubs + tools from the tag, and only the specific files needed

I ended up factoring the checkouts into a separate function. This worked OK in my tests.
Attachment #358407 - Flags: review?(nthomas)
Attachment #358407 - Flags: review?(nthomas) → review+
Comment on attachment 358407 [details] [diff] [review]
pull stubs + tools from the tag, and only the specific files needed

Looks good to me.
Updated (Assignee, 10 years ago)
Attachment #357978 - Attachment is obsolete: true
Comment 10 (Assignee, 10 years ago)
Comment on attachment 358407 [details] [diff] [review]
pull stubs + tools from the tag, and only the specific files needed

Checking in sign-release.pl;
/mofo/release/signing/tools/sign-release.pl,v  <--  sign-release.pl
new revision: 1.31; previous revision: 1.30
done
Attachment #358407 - Flags: checked-in+
Comment 11 (Assignee, 10 years ago)
I installed the Equifax cert onto keymaster, too:
cltsign@keymaster ~
$ wget https://hg.mozilla.org/mozilla-central/raw-file/c989bb1f272d/other-licenses/7zstub/firefox/7zSD.sfx
--08:06:36--  https://hg.mozilla.org/mozilla-central/raw-file/c989bb1f272d/other-licenses/7zstub/firefox/7zSD.sfx
           => `7zSD.sfx'
Resolving hg.mozilla.org... 63.245.208.188, 63.245.208.189
Connecting to hg.mozilla.org|63.245.208.188|:443... connected.
ERROR: Certificate verification error for hg.mozilla.org: self signed certificate in certificate chain
To connect to hg.mozilla.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

cltsign@keymaster ~
$ wget --no-check-certificate https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority_DER.cer
--08:06:40--  https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority_DER.cer
           => `Equifax_Secure_Certificate_Authority_DER.cer'
Resolving www.geotrust.com... 65.205.249.113
Connecting to www.geotrust.com|65.205.249.113|:443... connected.
WARNING: Certificate verification error for www.geotrust.com: self signed certificate in certificate chain
HTTP request sent, awaiting response... 200 OK
Length: 804 [text/plain]

100%[====================================>] 804           --.--K/s

08:06:41 (1.53 MB/s) - `Equifax_Secure_Certificate_Authority_DER.cer' saved [804/804]

cltsign@keymaster ~
$ openssl x509 -inform DER -in Equifax_Secure_Certificate_Authority_DER.cer -out equifax.pem
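The CA install procedure from comment 4 and comment 11 (DER download, convert to PEM, drop into the cert dir, add ca_certificate to wgetrc), replayed as an added example that is not part of the bug or of the signing tools. It assumes sandbox paths under $WORK instead of /usr/ssl/certs and /etc/wgetrc, and stands in a locally generated self-signed CA for the Equifax DER file; it also refuses to register a certificate that is not a CA, and stays idempotent on re-run.

```shell
#!/bin/sh
# Added example, not from the bug or the signing tools. Replays the Comment 4
# steps against sandbox paths: $WORK/certs stands in for /usr/ssl/certs and
# $WORK/wgetrc for /etc/wgetrc (assumptions). A locally generated self-signed
# CA stands in for the downloaded Equifax DER file (constructed input).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERT_DIR="$WORK/certs"
WGETRC="$WORK/wgetrc"

# Generate a throwaway CA and emit it in DER form, like the GeoTrust download.
make_fake_der_ca() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
    printf '%s\n' "$WORK/ca.der"
}

# DER -> PEM (the "openssl x509 -inform DER" step from the comment), install
# into the cert dir, and point wget at it. Re-running must not duplicate the
# wgetrc line. Prints the installed PEM path.
install_wget_ca() {
    der="$1"; name="$2"
    pem="$CERT_DIR/$name.pem"
    mkdir -p "$CERT_DIR"
    openssl x509 -inform DER -in "$der" -out "$pem"
    # Only a CA certificate belongs in ca_certificate; refuse anything else.
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        rm -f "$pem"
        echo "refusing $der: not a CA certificate" >&2
        return 1
    fi
    line="ca_certificate = $pem"
    touch "$WGETRC"
    grep -qxF "$line" "$WGETRC" || printf '%s\n' "$line" >> "$WGETRC"
    printf '%s\n' "$pem"
}

# How many ca_certificate entries the wgetrc holds (expected: exactly 1).
count_ca_lines() {
    grep -c '^ca_certificate' "$WGETRC"
}
```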
Comment 12 (Assignee, 10 years ago)
I just updated the Combined Signing doc to fix the example tag and remove the notes about pulling files from CVS. I don't think there are any other scripts that need updating, so I'll call this bug FIXED.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Created attachment 360284 [details] [diff] [review]
u+x on update scripts

We lose the executable bit on the update scripts by pulling them via wget, this just adds that back.
Attachment #360284 - Flags: review?(bhearsum)
Updated (Assignee, 10 years ago)
Attachment #360284 - Flags: review?(bhearsum) → review+
Attachment #360284 - Flags: checked-in+
Status: REOPENED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering