Status

Release Engineering
General Automation
P5
normal
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: bbondy, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [signing][updates])

(Reporter)

Description

5 years ago
If x64 becomes a supported platform, then we should sign the x64 builds so that we can enable the security tasks.  See bug 730821 for more info.

By running:

> signmar -T downloaded_x64_mar.mar 

It tells me there is a signature block and product info block, but that there are 0 signatures currently.
Blocks: 558448
Priority: -- → P5
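
The check described in the report (a MAR that has a signature block and a product info block but 0 signatures) can be automated as a release gate. The following is an added example, not part of the original bug or of Mozilla's tooling; it assumes the signed-MAR header layout (magic, index offset, file size, signature count, signature entries, additional blocks), and the function names and sample bytes are constructed for illustration.

```python
import struct

SIG_ALGS = {1: "RSA-PKCS1-SHA1", 2: "RSA-PKCS1-SHA384"}  # MAR signature algorithm IDs
PRODUCT_INFO_BLOCK_ID = 1

def inspect_mar(data: bytes) -> dict:
    """Report signature algorithms and product-info presence for a MAR."""
    if data[:4] != b"MAR1":
        raise ValueError("not a MAR file")
    # Big-endian header after the magic: index offset, file size, signature count.
    _index_offset, file_size, num_sigs = struct.unpack_from(">IQI", data, 4)
    if file_size != len(data):
        raise ValueError("declared size mismatch (or pre-signing MAR layout)")
    pos, algs = 20, []
    for _ in range(num_sigs):
        alg, size = struct.unpack_from(">II", data, pos)
        pos += 8 + size
        if size == 0 or pos > len(data):
            raise ValueError("malformed signature entry")
        algs.append(SIG_ALGS.get(alg, f"unknown({alg})"))
    (num_blocks,) = struct.unpack_from(">I", data, pos)
    pos, block_ids = pos + 4, []
    for _ in range(num_blocks):
        # Block size counts its own 8-byte size/id header.
        block_size, block_id = struct.unpack_from(">II", data, pos)
        if block_size < 8 or pos + block_size > len(data):
            raise ValueError("malformed additional block")
        block_ids.append(block_id)
        pos += block_size
    return {"signatures": algs, "has_product_info": PRODUCT_INFO_BLOCK_ID in block_ids}

def release_gate(data: bytes) -> bool:
    """True only if the MAR carries at least one signature entry.
    Presence only: cryptographic verification still needs signmar and the cert."""
    return len(inspect_mar(data)["signatures"]) > 0

def build_sample_mar(sigs):
    """Constructed test input: header, product info block, empty index."""
    sig_bytes = b"".join(struct.pack(">II", a, len(s)) + s for a, s in sigs)
    info = b"example-channel\x00" + b"1.0\x00"  # placeholder channel and version
    block = struct.pack(">II", 8 + len(info), PRODUCT_INFO_BLOCK_ID) + info
    body = struct.pack(">I", len(sigs)) + sig_bytes + struct.pack(">I", 1) + block
    index = struct.pack(">I", 0)  # index size 0: no files, enough for header parsing
    total = 16 + len(body) + len(index)
    return b"MAR1" + struct.pack(">IQ", total - len(index), total) + body + index

unsigned = build_sample_mar([])                  # matches the state reported above
signed = build_sample_mar([(1, b"\x00" * 256)])  # dummy 2048-bit-sized signature
```

Running the gate on every platform's MAR after packaging turns a silently missing MOZ_SIGN_CMD into a build failure instead of an unsigned update.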
Doing Authenticode signing of win64 binaries is busted (see bug 711210). Is just signing the MARs sufficient?
Depends on: 711210
(Reporter)

Comment 2

5 years ago
I think that bug is related to authenticode only and not related to signmar which is used for signing the MAR files.
Given the uncertain nature of this platform I don't think we should do any signing at all until we know we're going to ship it.
(Reporter)

Comment 4

5 years ago
That's fine with me, I'll remove bug 711210 as a dependency for now since just signing the MARs is sufficient for this bug.
No longer depends on: 711210

Updated

5 years ago
Component: Release Engineering → Release Engineering: Automation (General)
Priority: P5 → --
QA Contact: release → catlee
Whiteboard: [signing][updates]
(Reporter)

Updated

5 years ago
Blocks: 740669

Updated

5 years ago
Priority: -- → P5
(Reporter)

Updated

4 years ago
Blocks: 715876
(Assignee)

Updated

4 years ago
Product: mozilla.org → Release Engineering
(Reporter)

Updated

4 years ago
Blocks: 880004
(Reporter)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 974570
(Reporter)

Comment 6

3 years ago
So it's not a dupe after all.  Other MAR files on other platforms are being signed now (recently) but x64 is not.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
(Reporter)

Comment 7

3 years ago
In Bug 974570 we made it so MARs will be signed as long as MOZ_SIGN_CMD is defined.
Which was going to enable it on all platforms.
But x64 is still not signed.

I did a search here:
http://dxr.mozilla.org/mozilla-central/search?tree=mozilla-central&q=MOZ_SIGN_CMD&redirect=true

But I don't see where it is defined. Does this have to do with build infra in another repo?
Flags: needinfo?(catlee)
(In reply to Brian R. Bondy [:bbondy] from comment #7)
> In Bug 974570 we made it so MARs will be signed as long as MOZ_SIGN_CMD is
> defined.
> Which was going to enable it on all platforms.
> But x64 is still not signed.
> 
> I did a search here:
> http://dxr.mozilla.org/mozilla-central/search?tree=mozilla-central&q=MOZ_SIGN_CMD&redirect=true
> 
> But I don't see where it is defined. Does this have to do with build infra
> in another repo?

I'm pretty sure we need a block like https://github.com/mozilla/build-buildbot-configs/blob/master/mozilla/config.py#L736 for the win64 platform...I can probably verify that...
Flags: needinfo?(catlee)
(Reporter)

Comment 9

3 years ago
That would be awesome if possible. I'd like to re-enable the security enhancements for MAR verification for x64 builds.
Indeed, making that change causes differences like:
-    C {'command': ['bash', '-c', 'rm -rf *.mar'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared',  'IS_NIGHTLY': 'yes',  'MOZ_CRASHREPORTER_NO_REPORT': '1',  'MOZ_OBJDIR': 'obj-firefox',  'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64',  'MOZ_UPDATE_CHANNEL': 'nightly',  'PATH': '${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}',  'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe',  'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py',  'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org',  'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/',  'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa',  'SYMBOL_SERVER_USER': 'ffxbld',  'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'name': 'rm_existing_mars', 'usePTY': 'slave-config', 'workdir': 'build/obj-firefox/dist/update'} {}
-    MockCommand {'command': ['python',  <WithProperties "%(basedir)s/build/build/pymake/make.py">,  '-C',  'obj-firefox/tools/update-packaging'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared',  'IS_NIGHTLY': 'yes',  'MOZ_CRASHREPORTER_NO_REPORT': '1',  'MOZ_OBJDIR': 'obj-firefox',  'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64',  'MOZ_UPDATE_CHANNEL': 'nightly',  'PATH': '${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}',  'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe',  'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py',  'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org',  'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/',  'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa',  'SYMBOL_SERVER_USER': 'ffxbld',  'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'mock': None, 'mock_args': ['--unpriv'], 'mock_login': 'mock_mozilla', 'mock_workdir_mutator': <function <lambda>>, 'mock_workdir_prefix': '%(basedir)s/', 'name': 'make_complete_mar', 'target': None, 'usePTY': 'slave-config', 'workdir': 'build'} {}
+    C {'command': ['bash', '-c', 'rm -rf *.mar'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared',  'IS_NIGHTLY': 'yes',  'MOZ_CRASHREPORTER_NO_REPORT': '1',  'MOZ_OBJDIR': 'obj-firefox',  'MOZ_SIGN_CMD': <WithProperties "python %(toolsdir)s/release/signing/signtool.py --cachedir %(basedir)s/signing_cache -t %(basedir)s/token -n %(basedir)s/nonce -c %(toolsdir)s/release/signing/host.cert -H dev-master01.build.mozilla.org:8080">,  'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64',  'MOZ_UPDATE_CHANNEL': 'nightly',  'PATH': '${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}',  'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe',  'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py',  'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org',  'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/',  'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa',  'SYMBOL_SERVER_USER': 'ffxbld',  'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'name': 'rm_existing_mars', 'usePTY': 'slave-config', 'workdir': 'build/obj-firefox/dist/update'} {}
+    MockCommand {'command': ['python',  <WithProperties "%(basedir)s/build/build/pymake/make.py">,  '-C',  'obj-firefox/tools/update-packaging'], 'description': None, 'descriptionDone': None, 'env': {'HG_SHARE_BASE_DIR': 'c:/builds/hg-shared',  'IS_NIGHTLY': 'yes',  'MOZ_CRASHREPORTER_NO_REPORT': '1',  'MOZ_OBJDIR': 'obj-firefox',  'MOZ_SIGN_CMD': <WithProperties "python %(toolsdir)s/release/signing/signtool.py --cachedir %(basedir)s/signing_cache -t %(basedir)s/token -n %(basedir)s/nonce -c %(toolsdir)s/release/signing/host.cert -H dev-master01.build.mozilla.org:8080">,  'MOZ_SYMBOLS_EXTRA_BUILDID': 'win64',  'MOZ_UPDATE_CHANNEL': 'nightly',  'PATH': '${MOZILLABUILD}python27;${MOZILLABUILD}buildbotve\\scripts;${PATH}',  'PDBSTR_PATH': '/c/Program Files (x86)/Windows Kits/8.0/Debuggers/x64/srcsrv/pdbstr.exe',  'POST_SYMBOL_UPLOAD_CMD': '/usr/local/bin/post-symbol-upload.py',  'SYMBOL_SERVER_HOST': 'symbolpush.mozilla.org',  'SYMBOL_SERVER_PATH': '/mnt/netapp/breakpad/symbols_ffx/',  'SYMBOL_SERVER_SSH_KEY': '/c/Users/cltbld/.ssh/ffxbld_dsa',  'SYMBOL_SERVER_USER': 'ffxbld',  'TINDERBOX_OUTPUT': '1'}, 'haltOnFailure': True, 'log_eval_func': None, 'logfiles': {}, 'mock': None, 'mock_args': ['--unpriv'], 'mock_login': 'mock_mozilla', 'mock_workdir_mutator': <function <lambda>>, 'mock_workdir_prefix': '%(basedir)s/', 'name': 'make_complete_mar', 'target': None, 'usePTY': 'slave-config', 'workdir': 'build'} {}
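
Review bot: in both added env dicts, MOZ_SIGN_CMD passes "-H dev-master01.build.mozilla.org:8080", which by its hostname looks like a development master; before this lands, confirm that the production win64 config resolves to the production signing hosts rather than this value. The variable is also added to the env of rm_existing_mars, a step whose command is only 'rm -rf *.mar', so the token, nonce and host.cert paths are handed to a step that does no signing; if the env can be set per step, limit MOZ_SIGN_CMD to make_complete_mar.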


The full change requires tweaking things some other places too, like https://github.com/mozilla/build-buildbot-configs/blob/master/mozilla/config.py#L1810.

Flipping this one would also enable exe signing right now, which won't work because of bug 711210. If https://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/signing.mk#9 was changed to not enable signcode for win64 we could make this change before bug 711210 is fixed.
(Reporter)

Comment 11

3 years ago
Bummer, sounds like more work than you probably have time avail to look at right now.
Thanks for looking into it though!
(Reporter)

Updated

3 years ago
Blocks: 991997
This got fixed when I enabled Authenticode signing for these builds in bug 711210.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED