Closed Bug 569489 Opened 10 years ago Closed 8 years ago

Create and upload checksums files of internals of release packages/installers

Categories

(Release Engineering :: Release Automation: Other, defect, P4)

All
Windows 7
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: christian, Unassigned)

Details

(Whiteboard: [releases])

When dealing with AV vendors, I have to give them checksums of all signed files in addition to the signed installers. Currently I pull down the exe, install it, and then slurp up the installed files.

I'd be able to automate the process a lot more if the build system saved the signed files before putting them into an exe.

Basically, I want /cygdrive/c/DOCUME~1/cltsign/LOCALS~1/Temp/1/tmpSFjFh6/nonlocalized from ftp://ftp.mozilla.org/pub/firefox/nightly/3.6.4-candidates/build6/win32_signing_build6.log zipped up and placed into somewhere like ftp://ftp.mozilla.org/pub/firefox/nightly/3.6.4-candidates/build6/
What if we wrote another checksums file during signing, listing all files within the installers? With that, the SHA1SUMs file and installers in the candidates dir, they'd have everything they need?
I think that would work. Would they even need to look at the installers in the candidate dir? It looks like the exes are included in ftp://ftp.mozilla.org/pub/firefox/nightly/3.6.4-candidates/build6/SHA1SUMS and ideally the signed SHA1SUMS would include the signed exe's as well.
(In reply to comment #2)
> I think that would work. Would they even need to look at the installers in the
> candidate dir? It looks like the exes are included in
> ftp://ftp.mozilla.org/pub/firefox/nightly/3.6.4-candidates/build6/SHA1SUMS and
> ideally the signed SHA1SUMS would include the signed exe's as well.

You're talking about the EXEs from inside the installers?

I suspect we'd want those in a separate file or files. Most would be common to all locales, but one (uninstall/helper.exe) is localized.
Blocks: 478420
Priority: -- → P4
Whiteboard: [releases]
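
The split discussed in the comments above (one checksums file for files common to all locales, separate ones for localized files such as uninstall/helper.exe), sketched as an added example that is not part of the bug or of Mozilla's release automation. It assumes each locale's signed files are already unpacked into their own directory; the function names, locale names and sample file contents are constructed for illustration, and SHA-1 is the default only to match the existing SHA1SUMS file.

```python
# Added example: function names and sample data below are hypothetical.
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha1"):
    """Stream a file through the hash so large binaries are not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def tree_digests(root, algo="sha1"):
    """Map each file's POSIX-style relative path to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def split_manifests(locale_roots, algo="sha1"):
    """Return (common, localized) for a {locale: unpacked_dir} mapping.
    A path is common only if every locale has it with the same digest."""
    per_locale = {loc: tree_digests(r, algo) for loc, r in locale_roots.items()}
    trees = list(per_locale.values())
    common = {rel: h for rel, h in trees[0].items()
              if all(t.get(rel) == h for t in trees[1:])} if trees else {}
    localized = {loc: {rel: h for rel, h in t.items() if rel not in common}
                 for loc, t in per_locale.items()}
    return common, localized


def format_manifest(digests):
    """Render as sha1sum-style text: digest, two spaces, relative path."""
    return "".join(f"{h}  {rel}\n" for rel, h in sorted(digests.items()))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample trees
        for loc in ("en-US", "de"):
            helper = Path(tmp, loc, "uninstall", "helper.exe")
            helper.parent.mkdir(parents=True)
            helper.write_bytes(b"helper for " + loc.encode())
            Path(tmp, loc, "firefox.exe").write_bytes(b"same signed binary")
        roots = {loc: Path(tmp, loc) for loc in ("en-US", "de")}
        common, localized = split_manifests(roots)
        print(format_manifest(common), end="")
```

A file that is byte-identical in every locale lands in the common manifest once; anything that differs, or is missing from some locale, stays in that locale's own manifest.
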
Updating summary per comment #1
Summary: Upload signed yet unpacked binaries to ftp for each release → Create and upload checksums files of internals of release packages/installers
No longer blocks: hg-automation
Mass move of bugs to Release Automation component.
Component: Release Engineering → Release Engineering: Automation (Release Automation)
No longer blocks: hg-automation
(In reply to Christian Legnitto [:LegNeato] from comment #0)
> When dealing with AV vendors, I have to give them checksums of all signed
> files in addition to the signed installers. Currently I pull down the exe,
> install it, and then slurp up the installed files.

Alex or Lukas, does this still happen with releases?
(In reply to Ben Hearsum [:bhearsum] from comment #6)
> (In reply to Christian Legnitto [:LegNeato] from comment #0)
> > When dealing with AV vendors, I have to give them checksums of all signed
> > files in addition to the signed installers. Currently I pull down the exe,
> > install it, and then slurp up the installed files.
> 
> Alex or Lukas, does this still happen with releases?

I'm following up with Christian to find out if we were still doing this in late 2011.
Christian let us know this is no longer necessary because of process changes in how the AV vendors grab our builds.
OK, we can reopen if we need it again in the future.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → Release Engineering