Closed Bug 730328 Opened 8 years ago Closed 8 years ago

Sign Thunderbird builds using auto-signing

Categories

(Release Engineering :: General, defect, P2)

x86
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jhopkins, Assigned: rail)

References

Details

(Whiteboard: [signing][thunderbird])

Attachments

(3 files, 2 obsolete files)

No description provided.
We want to sign Thunderbird using the same "auto-sign" instance and tools that Firefox uses.
We should have a required effort estimate next week and then we can shoot for a specific release to cut over.
Assignee: nobody → rail
Autosigning requires some other changes as well:

  * Make sure the build system patches created for signing on demand work for Thunderbird
  * Automation should upload files to win32 instead of unsigned/win32
    ** Which makes it impossible to use FtpPoller to trigger updates
      *** Need to use l10n poller, or AggregatingScheduler
  * If you want to sign MAR files as well:
    ** Need to switch to ScriptFactory for l10n repacks

Anything else?
IMO this should be done as a part of porting Thunderbird release automation to the new procedure used by Firefox. I don't think that it's worth spending time backporting it to the current Thunderbird release automation.

Back to the pool
Assignee: rail → nobody
Component: Release Engineering → Release Engineering: Automation
QA Contact: release → catlee
Whiteboard: [signing][thunderbird]
Severity: normal → enhancement
Priority: -- → P3
Thunderbird builds are now being manually signed using Firefox signing infra.
Blocks: 750461
No longer blocks: 698843
Depends on: 755999
It seems for Mac OS X 10.8, we also need to developer-id-sign the Thunderbird Mac bundle (is now Bug 756830).
No longer blocks: 750461
No longer depends on: 755999
Nomis101, please be careful about altering dependencies - bug 750461 is a tracking bug we're using for follow-up work, and this bug does depend on bug 755999 to be fixed before this will work, as per the comment in that bug.
Blocks: 750461
Depends on: 755999
(In reply to Nomis101 from comment #5)
> It seems for Mac OS X 10.8, we also need to developer-id-sign the
> Thunderbird Mac bundle (is now Bug 756830).

Oh and whilst that's true, it isn't necessarily anything directly to do with this bug, but we can assess it when we do the work.
(In reply to Mark Banner (:standard8) from comment #6)
> Nomis101, please be careful about altering dependencies - bug 750461 is a
> tracking bug we're using for follow-up work, and this bug does depend on bug
> 755999 to be fixed before this will work, as per the comment in that bug.
Sorry, it was not my intent to alter any dependencies in this bug! If I've done so, this was accidental (Bugzilla was a bit buggy for me yesterday). Sorry!
This is essentially required for Mac signing - we need nightlies and aurora signed for them to function on OOB 10.8 installs. Raising priority.
Severity: enhancement → critical
Priority: P3 → --
Assignee: nobody → rail
Priority: -- → P2
Attached patch comm-central changes (obsolete) — Splinter Review
Depends on: 723176
Attached patch [WIP] Mac signing (obsolete) — Splinter Review
Comment on attachment 626154 [details] [diff] [review]
[WIP] Mac signing

Mark, could you take a look at mail/app/macbuild/Contents/_CodeSignature/CodeResources, especially at entries with "omit". Should we add/remove other things here?
Attachment #626154 - Flags: feedback?(mbanner)
Comment on attachment 626121 [details] [diff] [review]
comm-central changes

The patch worked fine in staging.

buildbot-configs part incoming
Attachment #626121 - Attachment description: [WIP] comm-central changes → comm-central changes
Attachment #626121 - Flags: review?(mbanner)
Attachment #626820 - Flags: review?(catlee)
Probably we'll also need to disable updates on comm-central, use nightlytest channel to verify them, and enable nightly updates afterwards.
Comment on attachment 626121 [details] [diff] [review]
comm-central changes

Do we need to be adding ac_add_options --enable-signmar to the mozconfigs as well?
You don't need --enable-signmar. That's only included in the Firefox ones in order to make sure that binary still builds. Only the signing servers actually run it.
Blocks: 758326
Depends on: 758328
Comment on attachment 626121 [details] [diff] [review]
comm-central changes

I moved this to bug 758328 for tracking purposes, it has now landed as well.
Attachment #626121 - Attachment is obsolete: true
Attachment #626121 - Flags: review?(mbanner)
In case we want to use nightlytest
Attachment #627196 - Flags: review?(mbanner)
Attachment #627196 - Flags: review?(mbanner) → review+
Attachment #626820 - Flags: review?(catlee) → review+
Comment on attachment 627196 [details] [diff] [review]
upload snippets to comm-central-test

http://hg.mozilla.org/build/buildbot-configs/rev/780b3f90d30e
Attachment #627196 - Flags: checked-in+
Comment on attachment 627196 [details] [diff] [review]
upload snippets to comm-central-test

http://hg.mozilla.org/build/buildbot-configs/rev/cbab683e89b9
Attachment #627196 - Flags: checked-in+ → checked-in-
Attached patch tools — Splinter Review
comm-central should be a fork of mozilla-central! :)
Attachment #627262 - Flags: review?(catlee)
Attachment #627262 - Flags: review?(catlee) → review+
Depends on: 757829
Comment on attachment 627262 [details] [diff] [review]
tools

+    mozillaDir = ''
+    if 'thunderbird' in productName:
+        mozillaDir = 'mozilla/'
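
Review bot: the `'thunderbird' in productName` test on the second added line is a substring match that hard-codes one product into the path logic, so any other product whose tree keeps its sources under `mozilla/` would silently get `mozillaDir = ''`. Consider passing the directory prefix in as a parameter or config value that defaults to `''`, and dropping the product-name check.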

Note: Thunderbird does now have the mozilla_dir set in GLOBAL_VARS (the value is missing for Firefox).
Depends on: 759114
Comment on attachment 626154 [details] [diff] [review]
[WIP] Mac signing

AFAIK we don't actually have any different requirements to Firefox here. So can you refresh the patch with the latest changes and attach to bug 759114? Then we can sync up on what we want to do about landing etc.
Attachment #626154 - Attachment is obsolete: true
Attachment #626154 - Flags: feedback?(mbanner)
Down to normal since almost everything is done.
Severity: critical → normal
All done here. We may want to use the corresponding configs to enable this feature for 13.0 and esr10 releases (already on track).

GPG/codesign comm-central changes ported to comm-esr10, comm-beta and will be migrated to comm-release channel for 13.0.

Mac signing comm-central changes ported to comm-beta and will be migrated to comm-release channel for 13.0.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering
Component: General Automation → General