Closed Bug 730824 Opened 14 years ago Closed 11 years ago

Sign Windows x64 MARs

Categories

(Release Engineering :: General, defect, P5)

x86_64
Windows 7
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bbondy, Unassigned)

References

Details

(Whiteboard: [signing][updates])

If x64 becomes a supported platform, then we should sign the x64 builds so that we can enable the security tasks. See bug 730821 for more info.

By running:
> signmar -T downloaded_x64_mar.mar
It tells me there is a signature block and product info block, but that there are 0 signatures currently.
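The check the report describes, as an added example that is not part of the original bug or of Mozilla's tooling: a parser for the front of a MAR file (big-endian fields, per the published MAR layout) that counts signature entries and reads the product info block, so an update pipeline can reject a MAR with 0 signatures. The sample MARs, channel name and version are constructed, and the parser only counts signatures; it does not verify them.

```python
import struct

MAR_MAGIC = b"MAR1"
PRODUCT_INFO_BLOCK_ID = 1  # additional-section ID of the product info block


def inspect_mar_header(data: bytes) -> dict:
    """Read the signature block and additional sections at the front of a MAR."""
    if data[:4] != MAR_MAGIC:
        raise ValueError("not a MAR file")
    pos = 8  # skip the magic and the 4-byte offset to the index
    file_size, num_sigs = struct.unpack_from(">QI", data, pos)
    pos += 12
    algorithms = []
    for _ in range(num_sigs):
        algo, sig_len = struct.unpack_from(">II", data, pos)
        pos += 8 + sig_len  # step over the signature bytes without verifying
        if pos > len(data):
            raise ValueError("signature runs past end of data")
        algorithms.append(algo)
    (num_sections,) = struct.unpack_from(">I", data, pos)
    pos += 4
    product_info = None
    for _ in range(num_sections):
        block_size, block_id = struct.unpack_from(">II", data, pos)
        if block_size < 8 or pos + block_size > len(data):
            raise ValueError("bad additional-section size")
        if block_id == PRODUCT_INFO_BLOCK_ID:
            channel, version = data[pos + 8:pos + block_size].split(b"\0")[:2]
            product_info = (channel.decode(), version.decode())
        pos += block_size
    return {"file_size": file_size, "signatures": algorithms,
            "product_info": product_info}


def build_sample(signatures):
    """Constructed input: a header-only MAR with dummy signature bytes."""
    info = b"example-channel\0" + b"1.0\0"  # constructed channel and version
    sigs = b"".join(struct.pack(">II", a, len(s)) + s for a, s in signatures)
    body = (struct.pack(">I", len(signatures)) + sigs + struct.pack(">I", 1)
            + struct.pack(">II", 8 + len(info), PRODUCT_INFO_BLOCK_ID) + info)
    total = 16 + len(body)
    return MAR_MAGIC + struct.pack(">IQ", total, total) + body


if __name__ == "__main__":
    for name, sigs in (("unsigned", []), ("signed", [(1, b"\0" * 256)])):
        report = inspect_mar_header(build_sample(sigs))
        print(name, report, "ok" if report["signatures"] else "REJECT")
```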
Priority: -- → P5
Doing Authenticode signing of win64 binaries is busted (see bug 711210). Is just signing the MARs sufficient?
Depends on: 711210
I think that bug is related to authenticode only and not related to signmar which is used for signing the MAR files.
Given the uncertain nature of this platform I don't think we should do any signing at all until we know we're going to ship it.
That's fine with me, I'll remove bug 711210 as a dependency for now since just signing the MARs is sufficient for this bug.
No longer depends on: 711210
Component: Release Engineering → Release Engineering: Automation (General)
Priority: P5 → --
QA Contact: release → catlee
Whiteboard: [signing][updates]
Blocks: 740669
Priority: -- → P5
Blocks: 715876
Product: mozilla.org → Release Engineering
Blocks: 880004
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
So it's not a dupe after all. Other MAR files on other platforms are being signed now (recently) but x64 is not.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
In Bug 974570 we made it so MARs will be signed as long as MOZ_SIGN_CMD is defined. Which was going to enable it on all platforms. But x64 is still not signed. I did a search here: http://dxr.mozilla.org/mozilla-central/search?tree=mozilla-central&q=MOZ_SIGN_CMD&redirect=true But I don't see where it is defined. Does this have to do with build infra in another repo?
Flags: needinfo?(catlee)
(In reply to Brian R. Bondy [:bbondy] from comment #7)
> In Bug 974570 we made it so MARs will be signed as long as MOZ_SIGN_CMD is
> defined.
> Which was going to enable it on all platforms.
> But x64 is still not signed.
>
> I did a search here:
> http://dxr.mozilla.org/mozilla-central/search?tree=mozilla-central&q=MOZ_SIGN_CMD&redirect=true
>
> But I don't see where it is defined. Does this have to do with build infra
> in another repo?

I'm pretty sure we need a block like https://github.com/mozilla/build-buildbot-configs/blob/master/mozilla/config.py#L736 for the win64 platform... I can probably verify that...
Flags: needinfo?(catlee)
That would be awesome if possible. I'd like to re-enable the security enhancements for MAR verification for x64 builds.
Indeed, making that change causes differences like: - C {'command': ['bash', '-c', 'rm -rf *.mar'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared', 'IS_NIGHTLY': 'yes', 'MOZ_CRASHREPORTER_NO_REPORT': '1', 'MOZ_OBJDIR': 'obj-firefox', 'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64', 'MOZ_UPDATE_CHANNEL': 'nightly', 'PATH': '${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}', 'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe', 'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py', 'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org', 'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/', 'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa', 'SYMBOL_SERVER_USER': 'ffxbld', 'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'name': 'rm_existing_mars', 'usePTY': 'slave-config', 'workdir': 'build/obj-firefox/dist/update'} {} - MockCommand {'command': ['python', <WithProperties "%(basedir)s/build/build/pymake/make.py">, '-C', 'obj-firefox/tools/update-packaging'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared', 'IS_NIGHTLY': 'yes', 'MOZ_CRASHREPORTER_NO_REPORT': '1', 'MOZ_OBJDIR': 'obj-firefox', 'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64', 'MOZ_UPDATE_CHANNEL': 'nightly', 'PATH': '${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}', 'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe', 'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py', 'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org', 'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/', 'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa', 'SYMBOL_SERVER_USER': 'ffxbld', 'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'mock': None, 'mock_args': ['--unpriv'], 'mock_login': 'mock_mozilla', 'mock_workdir_mutator': <function 
<lambda>>, 'mock_workdir_prefix': '%(basedir)s/', 'name': 'make_complete_mar', 'target': None, 'usePTY': 'slave-config', 'workdir': 'build'} {} + C {'command': ['bash', '-c', 'rm -rf *.mar'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared', 'IS_NIGHTLY': 'yes', 'MOZ_CRASHREPORTER_NO_REPORT': '1', 'MOZ_OBJDIR': 'obj-firefox', 'MOZ_SIGN_CMD': <WithProperties "python %(toolsdir)s/release/signing/signtool.py --cachedir %(basedir)s/signing_cache -t %(basedir)s/token -n %(basedir)s/nonce -c %(toolsdir)s/release/signing/host.cert -H dev-master01.build.mozilla.org:8080">, 'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64', 'MOZ_UPDATE_CHANNEL': 'nightly', 'PATH': '${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}', 'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe', 'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py', 'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org', 'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/', 'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa', 'SYMBOL_SERVER_USER': 'ffxbld', 'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'name': 'rm_existing_mars', 'usePTY': 'slave-config', 'workdir': 'build/obj-firefox/dist/update'} {} + MockCommand {'command': ['python', <WithProperties "%(basedir)s/build/build/pymake/make.py">, '-C', 'obj-firefox/tools/update-packaging'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared', 'IS_NIGHTLY': 'yes', 'MOZ_CRASHREPORTER_NO_REPORT': '1', 'MOZ_OBJDIR': 'obj-firefox', 'MOZ_SIGN_CMD': <WithProperties "python %(toolsdir)s/release/signing/signtool.py --cachedir %(basedir)s/signing_cache -t %(basedir)s/token -n %(basedir)s/nonce -c %(toolsdir)s/release/signing/host.cert -H dev-master01.build.mozilla.org:8080">, 'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64', 'MOZ_UPDATE_CHANNEL': 'nightly', 'PATH': 
'${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}', 'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe', 'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py', 'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org', 'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/', 'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa', 'SYMBOL_SERVER_USER': 'ffxbld', 'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'mock': None, 'mock_args': ['--unpriv'], 'mock_login': 'mock_mozilla', 'mock_workdir_mutator': <function <lambda>>, 'mock_workdir_prefix': '%(basedir)s/', 'name': 'make_complete_mar', 'target': None, 'usePTY': 'slave-config', 'workdir': 'build'} {} The full change requires tweaking things some other places too, like https://github.com/mozilla/build-buildbot-configs/blob/master/mozilla/config.py#L1810. Flipping this one would also enable exe signing right now, which won't work because of bug 711210. If https://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/signing.mk#9 was changed to not enable signcode for win64 we could make this change before bug 711210 is fixed.
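Review bot: On the `+` side, MOZ_SIGN_CMD is added to the env of `rm_existing_mars` as well as `make_complete_mar`, although the first step only runs `rm -rf *.mar`. Consider scoping the signing command, with its `-t %(basedir)s/token` and `-n %(basedir)s/nonce` paths, to the steps that actually package and sign. The `-H` value shown is dev-master01.build.mozilla.org:8080, so it is worth confirming which signing host the production win64 block would resolve to before this is flipped on.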
Bummer, sounds like more work than you probably have time avail to look at right now. Thanks for looking into it though!
Blocks: 991997
This got fixed when I enabled Authenticode signing for these builds in bug 711210.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Component: General Automation → General