Bug 701087 - Sign MAR files as part of the build process
Status: Closed (RESOLVED FIXED)
Opened 10 years ago, closed 10 years ago
Categories: Release Engineering :: General, defect, P2
Tracking: Not tracked
People: Reporter: bbondy, Assigned: catlee
Whiteboard: [release][automation][signing]
Attachments (1 file): patch, 2.25 KB (bhearsum: review+, catlee: checked-in+)

As of bug 699700 MAR files will be signed. This task is to actually do the signing of the MAR files. For Nightly and Aurora this will be an automated process. Details on how to do this will be available when bug 699700 is done or close to done.

Comment 1 (Reporter) • 10 years ago

bsmith from bug 699700 wrote the details of how to get a private/public key that will most likely be what I use.

> By far, the easiest way to accomplish your task (
> assuming we are not currently using a hardware security
> module for signing):
> 0. mkdir foo && cd foo
> 1. certutil -d . -N
> 2. certutil -S -d . -s "CN=My Cert" -n mycert -x -t ",,u" -g 2048
> 3. certutil -L -d . -n mycert -r > mycert.der
> (Note that this doesn't set all the cert options
> like the validity period correctly. It is just a demo.)

The mycert.der certificate contains the public key and is what you would send me to add into the installer beside updater.exe.

Updated (Assignee) • 10 years ago
Assignee: nobody → catlee
Priority: -- → P2

Updated • 10 years ago
Whiteboard: [release][automation][signing]

Comment 2 (Reporter) • 10 years ago

Here's the info for working with MAR files now with the mar program. It uses NSS to do the signing, so the steps in Comment 1 should be done first. This also means you can do these steps on any platform you want.

usage:
  mar [-C workingDir] {-c|-x|-t} archive.mar [files...]
  mar [-C workingDir] -d NSSConfigDir -n certname -s archive.mar signed_archive.mar
  mar [-C workingDir] -d NSSConfigDir -n certname -v signed_archive.mar

Examples:

Create a MAR:
  mar -c c:\Users\bbondy\Desktop\test.mar c:\martest\1.txt c:\martest\2.txt c:\martest\0.txt

Sign a MAR:
  mar -d c:\Users\bbondy\Desktop\foo2 -n mycert -s c:\Users\bbondy\Desktop\test.mar c:\Users\bbondy\Desktop\test_signed.mar

Verify a MAR:
  mar -d c:\Users\bbondy\Desktop\foo2 -n mycert -v c:\Users\bbondy\Desktop\test_signed.mar

Extract a MAR: (Doesn't check the signature)
  mar -x c:\Users\bbondy\Desktop\test_signed.mar

Comment 3 (Reporter) • 10 years ago

Chris, could you provide the primary and backup certs as soon as possible to bug 704285? The steps in Comment 1 are exactly how I did my testing, so something similar would work best. We'd like to get this landed as soon as possible, so the sooner the better. bsmith can probably help with the details for the certutil commands that should be used for production. I'd also need an example signed mar with both the main private key and the backup private key.

Comment 4 • 10 years ago

Apologies in advance for any time wasted, as I haven't been involved with all of the planning for this, but something here caught my attention:

(In reply to Brian R. Bondy [:bbondy] from comment #2)
> Verify a MAR:
> mar -d c:\Users\bbondy\Desktop\foo2 -n mycert -v
> c:\Users\bbondy\Desktop\test_signed.mar
>
> Extract a MAR: (Doesn't check the signature)
> mar -x c:\Users\bbondy\Desktop\test_signed.mar

If we're not verifying signatures at extraction time, doesn't that leave us vulnerable to someone replacing the MAR between verification and extraction?

Comment 5 (Reporter) • 10 years ago

> If we're not verifying signatures at extraction time, doesn't that leave us
> vulnerable to someone replacing the MAR between verification and extraction?

That command line program is only used by RelEng to create, sign, verify, and extract MAR files. updater.exe will use the same library that the mar program uses which was coded in bug 699700. The work for verifying in updater.exe will be done in bug 704285. We will probably lock the MAR file for write access during the whole process.

Comment 6 • 10 years ago

(In reply to Brian R. Bondy [:bbondy] from comment #5)
> > If we're not verifying signatures at extraction time, doesn't that leave us
> > vulnerable to someone replacing the MAR between verification and extraction?
>
> That command line program is only used by RelEng to create, sign, verify,
> and extract MAR files.

Ah, okay. Thanks!
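
Added example (not part of the bug thread and not Mozilla's updater code): the replace-between-verification-and-extraction window raised in comments 4 to 6, shown as a path-based flow beside one that verifies and extracts the same bytes, which is a different mitigation from the write lock mentioned in comment 5. As assumptions, a SHA-256 comparison stands in for the mar -v signature check, a tar archive stands in for the MAR format, and every function name is hypothetical.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def verify(data, expected_sha256):
    # Assumption: a digest pin stands in for the signature check done by `mar -v`.
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("verification failed")

def extract(data):
    # Assumption: a tar archive stands in for the MAR format; returns {name: bytes}.
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}

def update_by_path(path, expected, between=lambda: None):
    # Verifies one read of the file, then extracts from a second, unverified read.
    verify(path.read_bytes(), expected)
    between()  # the file on disk can be replaced here
    return extract(path.read_bytes())

def update_same_bytes(path, expected, between=lambda: None):
    # Reads once: the bytes that were verified are the bytes that get extracted.
    data = path.read_bytes()
    verify(data, expected)
    between()  # a replacement on disk no longer affects the result
    return extract(data)

def make_archive(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo():
    # Constructed sample archives; `other` models a file written after verification.
    good = make_archive({"1.txt": b"release build"})
    other = make_archive({"1.txt": b"replaced after verification"})
    expected = hashlib.sha256(good).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "test_signed.mar"
        for fn in (update_by_path, update_same_bytes):
            path.write_bytes(good)
            results[fn.__name__] = fn(path, expected, lambda: path.write_bytes(other))["1.txt"]
    return results
```

demo() returns the content each flow ends up extracting when the file is rewritten between the two steps.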

Comment 7 (Assignee) • 10 years ago

signmar needs a newline sent on stdin for the passphrase
also attach a few utility scripts for generating certificates

Attachment #587301 - Flags: review?(bhearsum)

Comment 8 • 10 years ago

Comment on attachment 587301
passphrase protected NSS dir support for signing mars

Review of attachment 587301:
-----------------------------------------------------------------

Do we need changes to the puppet-manifests to cope with this? Where is the required nss going to come from?

Attachment #587301 - Flags: review?(bhearsum) → review+

Updated (Assignee) • 10 years ago
Attachment #587301 - Flags: checked-in+

Updated (Assignee) • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED

Updated • 8 years ago
Product: mozilla.org → Release Engineering