Consider signing all OS X builds (available for download) using a "real" signing cert



Release Engineering
General Automation
6 years ago
5 years ago


(Reporter: smichaud, Unassigned)


Firefox Tracking Flags

(Not tracked)


This bug is spun off from bug 723176 comment #109.

Currently OS X builds available for download aren't signed with a "real" signing cert unless they:  a) live on a Level 3 branch (, and b) have ordinary users (not just Mozilla developers).

I agree this isn't a huge inconvenience ... though I just spent more than an hour doing damage control because I thought this was a real problem.

But I wonder why we're doing it at all.  I can't think of any good reason.

It can't be because we're worried about someone cracking the keys (since the builds signed using "real" certs are readily available).  And it can't be because we think signing a build with "real" certs encourages people to use the builds who shouldn't (that's a function of branding).

Is it because there's a problem with ensuring the security of the infrastructure that's used to do the signing?  But then how much extra trouble would it be to securely sign the few builds we don't already sign with "real" certs?

I hope there are good reasons for our having done this, and that I've missed them.  If so, please let us know what they are.

If not, please start signing all Mac builds with "real" certs.
Component: Build Config → Release Engineering
Product: Core →
QA Contact: build-config → release
Version: unspecified → other
Component: Release Engineering → Release Engineering: Automation (General)
QA Contact: release → catlee
It's because we don't want somebody doing a build on inbound or try that gets signed with a real cert, has real Mozilla Firefox branding (easy to enable official branding as part of your push) and yet has possibly unsafe code.

We count on the Level 3 restriction + extra eyes on the main repos where we use real keys for nightlies to protect against somebody abusing the infrastructure to produce a malicious build that is signed by real keys.
Last Resolved: 6 years ago
Resolution: --- → WONTFIX

Comment 2

6 years ago
OK, I agree that makes sense for try builds, and perhaps also for other regular builds that aren't nightlies.

But I found that the mozilla beta debug nightlies aren't signed with a real cert, either.  Surely code on the beta branch is safe enough to sign.

Would you consider signing these builds?  I find them useful for tracking down regression ranges for bugs (admittedly not many of them) that appear to happen only on the beta branch.


5 years ago
Product: → Release Engineering
You need to log in before you can comment on or make changes to this bug.