Closed
Bug 507660
Opened 16 years ago
Closed 16 years ago
update sign-release to point to new signing key location
Categories
(Release Engineering :: General, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bhearsum, Assigned: bhearsum)
References
Details
Attachments
(1 file)
|
1.31 KB,
patch
|
nthomas
:
review+
bhearsum
:
checked-in+
|
Details | Diff | Splinter Review |
Since we've moved signing operations off to cm-keymaster01 this scripts needs to be made aware of the new location: d:/2008-keys (rather than e:/2008-keys)
|
||
Comment 1•16 years ago
|
||
How about we change the scripts to instead use "d:/current-keys"?
d:/2009-keys
d:/2008-keys
d:/2007-keys
...could then be used for historical tracking, and we dont need to keep tweaking the script every time we refresh/renew the signing keys.
|
|
||
Updated•16 years ago
|
OS: Mac OS X → Windows Server 2003
|
Assignee | |
Comment 2•16 years ago
|
||
I think I'd feel more safe being explicit. I can see us forgetting to update a symlink / move the keys next time we generate new ones.
|
|
||
Comment 3•16 years ago
|
||
Maybe this is just a style thing, but I'd rather not modify the script every time the key gets updated:
- it takes more testing, to verify that you didnt somehow break the scripts with a typo. You can avoid this if you dont modify the script.
- its easy to forget (in which the next automation will use the old key even though you've created newer keys)
- As someone who did the GPG key renewal the last two times, I've found its intuitive to track what directory you put the keys in, including the cached ~/.gnupg/ but I've been tripped up about updating the script both times.
What about something like:
d:/current-keys <--- modify script uses this
d:/expired-keys/2009
d:/expired-keys/2008
d:/expired-keys/2007
As for what could possibly go wrong, worst case, afaict, is that a future person creating new keys, overwrites the current expiring key with new key before they make a historical copy of the current expiring key. Not ideal, but survivable.
Does that make sense?
|
|
Assignee | |
Comment 4•16 years ago
|
||
I don't care that much either way, so that sounds fine.
|
||
Comment 5•16 years ago
|
||
How about we keep the dated directories, drop the 'current-keys' directory, remove the hard coded value completely from sign-release.pl (and the default, but override-able value in sign-release.py), and force you to pass it in on the command line?
|
|
Assignee | |
Comment 6•16 years ago
|
||
WFM
|
|
||
Comment 7•16 years ago
|
||
(In reply to comment #5)
> How about we keep the dated directories, drop the 'current-keys' directory,
> remove the hard coded value completely from sign-release.pl (and the default,
> but override-able value in sign-release.py), and force you to pass it in on the
> command line?
WFM. (We'll need to update our signing notes with details once this happens.)
|
||
Comment 8•16 years ago
|
||
Who's going to do this?
|
|
||
Comment 9•16 years ago
|
||
During FF3.6a1 signing on new signing machine, I manually changed local copy of sign-verify.py from "e:/2008-keys" to "d:/2008-keys".
|
|
||
Comment 10•16 years ago
|
||
(In reply to comment #9)
> During FF3.6a1 signing on new signing machine, I manually changed local copy of
> sign-verify.py from "e:/2008-keys" to "d:/2008-keys".
No need to have done that. The key directory is specified via command line from the Makefile.
|
|
Assignee | |
Updated•16 years ago
|
Assignee: nobody → bhearsum
Priority: -- → P3
|
|
Assignee | |
Comment 11•16 years ago
|
||
I've updated both https://intranet.mozilla.org/Build:CombinedSigning and https://intranet.mozilla.org/Build:Signing to explicitly specify and pass KEYDIR. Next time we update the key or move it we should only have to change these docs.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 12•16 years ago
|
||
Still broken in these instructions: https://intranet.mozilla.org/Build:Signing#Installer.2Farchive_signing_before_release
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 13•16 years ago
|
||
This plus another update to https://intranet.mozilla.org/Build:Signing should do the trick.
Attachment #395425 -
Flags: review?(nthomas)
|
||
Comment 14•16 years ago
|
||
Comment on attachment 395425 [details] [diff] [review]
make sign-release require KEYDIR to be passed
>Index: sign-release
>+if [ -z $keydir ]; then
>+ echo ERROR must specify key dir
>+fi
Need an 'exit 1' here, and maybe a comment to indicate the path style for the argument. r+ to fix that on checkin.
Attachment #395425 -
Flags: review?(nthomas) → review+
|
|
Assignee | |
Comment 15•16 years ago
|
||
Comment on attachment 395425 [details] [diff] [review]
make sign-release require KEYDIR to be passed
Top section of sign-release on check-in:
+# should be win32 style dir with forward slashes
+# eg: d:/2008-keys
+keydir=$1
+
+if [ -z $keydir ]; then
+ echo ERROR must specify key dir (eg, d:/2008-keys)
+ exit 1
+fi
Checking in sign-release;
/mofo/release/signing/tools/sign-release,v <-- sign-release
new revision: 1.6; previous revision: 1.5
done
changeset: 354:54ad1fe69bcb
Attachment #395425 -
Flags: checked-in+
|
|
Assignee | |
Comment 16•16 years ago
|
||
I updated Build:Signing, too, https://intranet.mozilla.org/index.php?title=Build%3ASigning&diff=62605&oldid=62110
We're done for real here, now.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Product: mozilla.org → Release Engineering
You need to log in
before you can comment on or make changes to this bug.
Description
•