Closed Bug 708739 Opened 13 years ago Closed 13 years ago

Renew BYOB authenticode signing certificate before it expires 09dec2011

Categories

(Release Engineering :: General, defect, P3)

x86
Windows Server 2003
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: joduinn, Assigned: coop)

Details

(Whiteboard: [BYOB][signing])

(this work already done, but now that bugzilla is back, filing bug to track this for later reference.)

Brought forward instructions from bug#677025.

Pre-requisites not documented elsewhere:
========================================
*) you must use IE, even though that is not mentioned on thawte.com. Their website appears to work fine with Firefox, but some ActiveX components fail out silently, causing later steps to fail out in interesting and unusual ways.
*) you must connect to thawte.com using the *same* install of IE throughout *all* the different steps below.
*) you must use IE8 or above, and with security settings adjusted to allow thawte.com ActiveX component to work correctly.

For these reasons, I have updated the IE6 on cm-keymaster01 to IE8, with adjusted security settings on cm-keymaster01, and used it for generating the new Authenticode key in this bug.

To get a new Authenticode key from Thawte.com:
==============================================
*) login to thawte.com using the release@mozilla.com address.
*) on thawte.com, in their section of "Code Signing Certificates", you want to buy "Microsoft® Authenticode® (Multi-Purpose)" certificate.
**) Make sure that the Key-size is 2048 (not 1024). Buy a 1-year version. On Thawte website, if you generate a code signing certificate it has sometimes silently defaulted to 1024bits and not provided the option to go higher. We require our key to be 2048bits, like our expiring key. While generating the keys in oct2011, Thawte website defaulted to 2048, and was fine. Noting here just to watch for next time.
*) Have mrz watch emails to hostmaster@mozilla.com for a verification email from thawte, and a voicemsg containing a verify code. If mrz doesn't have time to call Thawte back and read them the verification code, mrz may ask you to do so in his place. If you do this, acting as mrz, you need to tell Thawte "security" that your name is "Matthew Zeier" and then read them the verification code. It is not enough to tell Thawte that you are "calling on mrz's behalf" and give them the same verification code. ?!?
*) Once the verbal verification is done, wait a few minutes for an email "Order Confirmation: Thawte Code Signing Certificate", then wait for an email "thawte Automated Order Verification".
*) If mrz is not around to get the verification code, your application will timeout and be cancelled after 2?3? days. This time we did not need to redo, but last year took several go-arounds to get past this step.
*) When you get email "Your Thawte Code Signing Certificate Is Approved", you can login to thawte.com site and follow the instructions to download the private key to cm-keymaster01. Make sure the file extension is .pvk. Also, make a clear note of what is upper / lower case in the passphrase!
*) In IE8, go to Tools->InternetOptions, then click the "Content" tab, then click the "Certificates" button. Select the certificate and click "Export". Select "PKCS#7" format, check the "Include all certificates in the certification path if possible" checkbox and save as MozAuthenticode.p7b.
*) Rename the new MozAuthenticode.p7b to MozAuthenticode.spc.
*) put them all into d:/2011-keys
Here's a simple set of steps that I used to check the validity of the new BYOB key. These should only take a couple of seconds to complete:

* open the cygwin shell
* copy one unsigned file (I used "Firefox Setup 9.0b4.exe") to a new, clean dir
* from your new dir with the copied file, run the following to sign your file:

    $ signcode -spc D:/2011-BYOB-keys/MozAuthenticode.spc -v D:/2011-BYOB-keys/MozAuthenticode.pvk -t http://timestamp.verisign.com/scripts/timestamp.dll -i http://www.mozilla.com -a sha1 Firefox\ Setup\ 9.0b4.exe
    Succeeded

* NOTE: the dir format to the spc and pvk files is important, or they won't be found.
* run the following command to check the signed file:

    $ chktrust Firefox\ Setup\ 9.0b4.exe

* Click on the Publisher to open the Signature Details
* Click on View Certificate
* Click Details tab
* Verify cert details, i.e. Subject, Valid to, ...
Getting the keys over onto the BYOB signing machine and get the new password to Kev, then I'll mark this as fixed.
Assignee: nobody → coop
OS: Mac OS X → Windows Server 2003
Priority: -- → P3
Whiteboard: [BYOB][signing]
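The manual chktrust inspection in the comment above (Publisher -> View Certificate -> Details -> Subject, Valid to) and the 2048-bit requirement from the first comment can be checked in one PowerShell function. This is an added example, not code from the bug or from Mozilla's release tooling; the function name, the parameter names and the sample file path are assumptions.

```powershell
# Added example: automates the signature/certificate checks described in the bug.
# Function name, parameters and the sample path below are assumptions.
function Test-AuthenticodeRenewalStatus {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinKeyBits = 2048,   # the bug requires a 2048-bit key, not 1024
        [int]$WarnDays   = 30      # flag the cert this many days before "Valid to"
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # chktrust equivalent: the signature must verify and chain to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Problems = @('file is not signed') }
    }

    # Key size check: Thawte sometimes defaulted silently to 1024 bits.
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $bits = if ($null -ne $rsa) { $rsa.KeySize } else { 0 }
    if ($bits -lt $MinKeyBits) { $problems += "key size is $bits bits, expected >= $MinKeyBits" }

    # "Valid to" from the Details tab, with advance warning so the renewal
    # can be started before the certificate actually expires.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) {
        $problems += "certificate expired on $($cert.NotAfter)"
    } elseif ($daysLeft -lt $WarnDays) {
        $problems += "certificate expires in $daysLeft days ($($cert.NotAfter))"
    }

    # The signcode call in the bug passes -t for a timestamp; without one the
    # signature stops verifying as soon as the signing cert expires.
    if ($null -eq $sig.TimeStamperCertificate) { $problems += 'signature is not timestamped' }

    [pscustomobject]@{
        Path     = $Path
        Subject  = $cert.Subject
        KeyBits  = $bits
        ValidTo  = $cert.NotAfter
        DaysLeft = $daysLeft
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Run against the test file signed in the bug (directory is an assumption).
Test-AuthenticodeRenewalStatus -Path 'D:\signing-test\Firefox Setup 9.0b4.exe' | Format-List
```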
I've done a test signing on byob-keymaster1 using the new key, and I've handed over the new password to Kev.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering