Closed Bug 582347 Opened 9 years ago Closed 4 years ago

infrastructure/automation for signing official Mozilla add-ons

Categories

(Release Engineering :: Release Automation: Other, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: fligtar, Unassigned)

Details

This bug is spun off from an email thread started in May 2009 and picked back up as a request in March. We'd like to start signing add-ons that are made by Mozilla and hopefully those by Labs as well.

After Release Engineering gets the cert and sets it up, hopefully we can get a couple other folks set up to sign add-ons so that frequent add-on releases don't become a huge deal.

Some work has already been started trying to obtain a cert for this, though I'm unsure of the current status. I'd really like to be able to start signing this quarter as it's something we should have been doing long ago.

Thanks!
Hi,

Any updates on this?
fligtar:

Found during triage. It's been a while. Is this still needed, and if so, can you give a quick summary on what you're looking for nowadays, in case things have changed since mid-2010?
It's still needed and nothing's changed: we'd like to sign the add-ons we build internally with a cert that says Mozilla.
(In reply to comment #3)
> It's still needed and nothing's changed: we'd like to sign the add-ons we build
> internally with a cert that says Mozilla.

ok. would you be doing the signing? would you expect to send new Addons to RelEng for signing? (if all these questions are in an email thread, can you reforward it to me?).

I'm trying to figure out what's involved here.
Given the frequency of Labs releases, I think it would probably be ideal if a person in Labs could sign their add-ons (Mardak perhaps?) and I could sign the non-Labs official add-ons.
There was some discussion about getting a code signing cert for automatic add-on installs with Lab Kit (bug 600036). Then, it was decided that there was little benefit for the added overhead; and an alternate way of securing Lab Kit add-on installs was available.

Some concerns involved who would have access. What's the process of getting something signed? What scope should a signing cert be used for (any labs add-on?) What to do about revocation, etc?

fligtar: Do you know any plans of future Firefox add-on install process regarding displaying signed/unsigned add-ons differently?
From a mechanical standpoint, we might be able to use the signing server developed in bug 509158 to do this.
FWIW we are planning to do this manually for the hotfix certs in bug 707207. This bug can track future generalized / automated infrastructure.
No longer blocks: 707207
Found in triage.

1) I'm not working on this, and won't be soon, given several other higher priority projects on my plate, so removing myself from this. Also, moving to correct component, in case anyone else has time.

2) Not sure of urgency/priority of this. From the last comment in this bug, ~12 months ago, legneato confirmed doing signing manually, and morphing this bug into non-blocking, more general improvement bug. If situation has changed, and this lack-of-automation is blocking, please provide details.
Assignee: joduinn → nobody
Component: Release Engineering → Release Engineering: Automation (Release Automation)
QA Contact: bhearsum
Priority: -- → P3
I keep coming across this bug in triage and thinking "but we're *already* able to sign add-ons". Updating the summary for clarity.
Summary: Ability to sign official Mozilla add-ons → infrastructure/automation for signing official Mozilla add-ons
(In reply to Ben Hearsum [:bhearsum] from comment #10)
> I keep coming across this bug in triage and thinking "but we're *already*
> able to sign add-ons". Updating the summary for clarity.

Is there actually anything worth keeping around for this bug? Are we ok with the status quo of signing hotfixes? We can't sign any other add-ons as we don't have certs for them, but presumably if we did then we could just sign them in the same way as hotfixes.
I think it's worthwhile to keep open. I'd like to see better automation around this as well as integration with our signing servers, but it's certainly not a high priority right now.
Product: mozilla.org → Release Engineering
I think AMO went and did this themselves...
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED