Bug 718804 - Set up signing master for releases
Status: RESOLVED FIXED (Closed)
Opened 13 years ago; closed 13 years ago
Categories: Release Engineering :: General, defect, P2
Tracking: not tracked
People: Reporter: rail; Assigned: rail
Attachments (1 file, 1 obsolete file): patch, 1.49 KB; catlee: review+; rail: checked-in+
Need it for 11.0b1.
Updated•13 years ago
Assignee: nobody → rail
Priority: -- → P2
Comment 1•13 years ago
Comment 2•13 years ago
The plan:
1) let puppet set up the master
2) put the release keys on the servers
3) start the new instances
4) add new entry for release-signing in secrets.pp on master-puppet1
5) ...
6) PROFIT!
Does the plan look accurate?
Comment 3•13 years ago
1.5) convert signcode keys
Updated•13 years ago
Attachment #589606 - Flags: review?(catlee)
Updated•13 years ago
Attachment #589606 - Flags: review?(catlee) → review+
Comment 4•13 years ago
Comment on attachment 589606 [details] [diff] [review]
puppet configs
http://hg.mozilla.org/build/puppet-manifests/rev/825bf07b11e6
Attachment #589606 - Flags: checked-in+
Comment 5•13 years ago
(In reply to Rail Aliiev [:rail] from comment #2)
> The plan:
>
> 1) let puppet setup the master
Done.
> 1.5) convert signcode keys
Done.
Had to use a workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=509158#c36; I had problems running
openssl x509 -in MozAuthenticode.spc -inform DER -text
which was complaining about a wrong format.
openssl pkcs7 -inform DER -in MozAuthenticode.spc -print_certs -out certs.pem
openssl x509 -in certs.pem -outform DER -out cert.cer
cert2spc cert.cer MozAuthenticode.spc
> 2) put the release keys on the servers
Still need to figure out how to import (if we need) production keys using NSS utils into secrets/mar.
I tried to import existing signcode key, but without success:
certutil -d secrets/mar -N
certutil -d mar -A -n rel1 -t ",,u" -i /path/to/cert.cer # generated above
When I try to start the server it fails:
2012-01-23 12:16:00,173 - Running ['/home/cltsign/instances/rel-key-signing-server/bin/signmar', '-d', '/home/cltsign/instances/rel-key-signing-server/secrets/mar', '-n', 'rel1', '-s', '/home/cltsign/instances/rel-key-signing-server/test-files/test.mar', '/tmp/tmpvNJekz/test.mar.tmp']
2012-01-23 12:16:00,182 - ERROR: Could not find private key
ERROR: NSSSignBegin failed
> 3) start the new instances
TBD when 2) is done.
> 4) add new entry for release-signing in secrets.pp on master-puppet1
Done.
Comment 6•13 years ago
(In reply to Brian R. Bondy [:bbondy] from https://bugzilla.mozilla.org/show_bug.cgi?id=701087#c3)
> Chris could you provide the primary and backup certs as soon as possible to
> bug 704285? The steps in Comment 1 is exactly how I did my testing, so
> something similar would work best. We'd like to get this landed as soon as
> possible, so the sooner the better.
>
> bsmith can probably help with the details for the certutil commands that
> should be used for production.
>
> I'd also need an example signed mar with both the main private key and the
> backup private key.
bsmith, could you help with importing real certificates into a NSS database? Could we reuse existing authenticode certificates used for exe/dll signing or should we use something different?
Comment 7•13 years ago
(In reply to Rail Aliiev [:rail] from comment #6)
> (In reply to Brian R. Bondy [:bbondy] from
> https://bugzilla.mozilla.org/show_bug.cgi?id=701087#c3)
> > Chris could you provide the primary and backup certs as soon as possible to
> > bug 704285? The steps in Comment 1 is exactly how I did my testing, so
> > something similar would work best. We'd like to get this landed as soon as
> > possible, so the sooner the better.
> >
> > bsmith can probably help with the details for the certutil commands that
> > should be used for production.
> >
> > I'd also need an example signed mar with both the main private key and the
> > backup private key.
>
> bsmith, could you help with importing real certificates into a NSS database?
> Could we reuse existing authenticode certificates used for exe/dll signing or
> should we use something different?
We should be using different certificates. The MAR signing keys are completely separate from the authenticode signing.
Comment 8•13 years ago
Ok, I generated a cert using the following commands:
certutil -d secrets/mar -N
certutil -d secrets/mar -S -n rel1 -t ",,u" -g 2048 -s "CN=Release MAR singing key" -x
certutil -L -d secrets/mar -n rel1 -r > release_mar_signing.der
Public key incoming.
Comment 9•13 years ago
Comment 10•13 years ago
I ended up copying the MozAuthenticode.spc file without any conversion. The converted one loses the certification path somehow...
Updated•13 years ago
Attachment #591094 - Attachment is patch: false
Attachment #591094 - Attachment mime type: text/plain → application/octet-stream
Comment 11•13 years ago
Comment on attachment 591094 [details]
release MAR signing public key
Moved to bug 720777.
Attachment #591094 -
Attachment is obsolete: true
Comment 12•13 years ago
All done here. Additional steps:
1) copied .gpg directory content from cm-keymaster01 to secrets gpg
2) Amy adjusted nagios checks for running instances for signing servers (from 2 to 3)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 13•13 years ago
bbondy suggested generating the cert in the past so it would be expired from the beginning: https://bugzilla.mozilla.org/show_bug.cgi?id=720777#c3
On my laptop:
# disconnect from the Internet so ntpdate stops updating the system clock
sudo date -s "4 months ago"
mkdir -p secrets/mar
certutil -d secrets/mar -N
certutil -d secrets/mar -S -n rel1 -t ",,u" -g 2048 -s "CN=Release MAR singing key" -x
certutil -L -d secrets/mar -n rel1 -r > release_mar_signing.der
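A check for the clock-rollback trick in comment 13, added here as an example and not part of the bug or of Mozilla's tooling: it reads the validity fields of a DER certificate such as the exported release_mar_signing.der with the standard library only and reports whether notAfter is already in the past. `sample_cert` builds a constructed certificate skeleton (no real key or signature) purely so the check can be exercised offline; `is_expired` and `cert_validity` work on a real DER export as well.

```python
import datetime as dt

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _time(tag, raw):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                            # RFC 5280: YY >= 50 means 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)       # Certificate -> tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                 # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)                 # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                 # issuer Name
    _, validity, _ = _tlv(tbs, pos)            # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return _time(t1, nb), _time(t2, na)

def is_expired(der, now=None):
    """True if notAfter is in the past; `now` may be given as 'YYYYMMDDHHMMSSZ' (UTC)."""
    when = _time(0x18, now.encode()) if now else dt.datetime.now(dt.timezone.utc)
    return cert_validity(der)[1] < when

def _der(tag, body):
    """Minimal DER encoder (short-form lengths only) for the constructed sample below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_cert(not_before, not_after):
    """Constructed certificate skeleton: empty issuer/algorithm fields and a dummy
    signature, just enough structure for cert_validity(); validity uses UTCTime."""
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    import sys                                 # usage: python check.py release_mar_signing.der
    print("expired" if is_expired(open(sys.argv[1], "rb").read()) else "still valid")
```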
Updated•11 years ago
Product: mozilla.org → Release Engineering