Closed Bug 877531 Opened 11 years ago Closed 10 years ago

Signing certs for stage and altdev

Categories

(Cloud Services :: Operations: Marketplace, task, P2)

RESOLVED FIXED

People

(Reporter: krupa.mozbugs, Assigned: jason)

Attachments

(3 files)

We have signing certs for dev but we also need certs for testing on stage. Please provide certs for both normal users and reviewers. Thanks!
Assignee: nobody → server-ops-amo
Component: General → Server Operations: AMO Operations
Product: Marketplace → mozilla.org
QA Contact: oremj
Version: 1.0 → other
Assignee: server-ops-amo → jthomas
Can we also get certs for altdev? Thanks
Summary: Signing certs for stage → Signing certs for stage and altdev
Stage app signing cert:


Stage reviewer app signing cert:

Stage app and reviewer app signing service is up and stage is pointed to use it. -altdev will continue to use -dev's signing service.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
I don't believe this fully gives us what we need. The certs we need to install on device to use stage look more like this: https://github.com/briansmith/marketplace-certs/blob/master/push_certdb.sh#L42-L44

Brian, is that something you need to generate?

It would be nicer IMO to put these certs directly in the repo: https://github.com/briansmith/marketplace-certs/issues/1
Status: RESOLVED → REOPENED
Flags: needinfo?(bsmith)
Resolution: FIXED → ---
(In reply to Kumar McMillan [:kumar] from comment #4)
> I don't believe this fully gives us what we need. The certs we need to
> install on device to use stage look more like this:
> https://github.com/briansmith/marketplace-certs/blob/master/push_certdb.
> sh#L42-L44
> 
> Brian, is that something you need to generate?
> 
> It would be nicer IMO to put these certs directly in the repo:
> https://github.com/briansmith/marketplace-certs/issues/1

I agree with you. However, https://github.com/briansmith is not the place that this stuff should be living. I suggest we move it all to be next to the other server-related stuff in github (tramboni or something like that?) or into mozilla-central (security/apps or similar). Caitlin, perhaps you could talk to Sid about who's going to "own" this and then we can decide where to put it from there.
Flags: needinfo?(bsmith) → needinfo?(cgalimidi)
These are my assumptions. Please tell me where I'm wrong. (engaging Sid Stamm so we can solve this)

HSM Server Cert Requests
1 - web ops generates certs for server environments
2 - certs for use of marketplace devs, qa and reviewers need to look something like: https://github.com/briansmith/marketplace-certs/blob/master/push_certdb.sh#L42-L44 
3 - certs need to be stored in a common github repository, not specific to any one employee or developer 


Jason - Putting you on the spot
a) Are you able to re-generate the certs to the spec needed per comment 4? 
b) Where do certs need to live once generated?
Flags: needinfo?(cgalimidi)
(In reply to Caitlin Galimidi from comment #6)
> These are my assumptions. Please tell me where I'm wrong. (engaging Sid
> Stamm so we can solve this)
> 
> HSM Server Cert Requests
> 1 - web ops generates certs for server environments
> 2 - certs for use of marketplace devs, qa and reviewers need to look
> something like:
> https://github.com/briansmith/marketplace-certs/blob/master/push_certdb.
> sh#L42-L44 
> 3 - certs need to be stored in a common github repository, not specific to
> any one employee or developer 
> 
> 
> Jason - Putting you on the spot
> a) Are you able to re-generate the certs to the spec needed per comment 4? 
> b) Where do certs need to live once generated?

a. I will need instructions on how to do this. The certs in comment 2 are generated using script http://jason.pastebin.mozilla.org/2542235, the same method we have used in the past to create -dev and test prod certs for the app and reviewer signing service.
b. If the certs need to be in a public location let's add them to the same git repository as the app signing service code? https://github.com/mozilla/trunion
Blocks: 855143
Would someone be able to provide me instructions on how to generate certs in comment 6?
Flags: needinfo?
Brian, can you provide instructions for how to generate certs that we can use to install the marketplace stage app (packaged)? Or does Sid know how to generate them? Details are in comment #4.
Flags: needinfo? → needinfo?(brian)
If the certificates are for a staging server then I am guessing that the staging server needs to have an HSM. Otherwise, you aren't really staging in a similar environment to the production system, which would defeat the purpose of staging.

AFAICT, kang was the one that generated the certs based on keys stored on the HSM for the production server. IIRC, he documented quite a lot of how all of that was done. Basically, we just need to take what kang did for the production server and do it for staging too.

Once that step is done, create a pull request to https://github.com/briansmith/marketplace-certs that adds the binary DER-encoded root certificates to the repository and that updates the script. See marketplace-dev-public-root.der in that repo for an example of what your new root certificates should look like. Presumably the new files should be named marketplace-staging-public-root.der (for the root cert that signs the certificate that will be used to sign apps after they have been reviewed on staging) and marketplace-staging-reviewers-root.der (for the root cert that signs the certificate that will be used to sign apps for reviewers on staging). If you need some "altdev" certs then that means two more roots, I guess, depending on what you are trying to do.

However many roots you generate, you also need to generate the same number of end-entity certificates. For staging, those end-entity certificates need to have their private keys stored in HSMs. For "altdev" I guess that isn't necessary, especially if marketplace-dev doesn't use HSMs. However, these end-entity certificates don't need to be added to the "marketplace-certs" repo.

In addition to adding the new root certs in the pull request, the add_or_replace_root_cert.sh script needs to be modified. Include these modifications to the script as part of the pull request. (Also, I noticed an existing bug with the script: the message printed from the usage function only lists two of the three acceptable certificates to add.)

Make sure you test your modifications before you send the pull request to verify that everything is working correctly. (Before you get to this point, you might want to attach the binary DER encoded root and end-entity certificates to this bug as attachments and NOT as text pasted into a comment, so that kang and I can review them.)

Given such a pull request, I will promptly review the pull request, double-checking that the certificates make sense.

Finally, the scripts that are used to generate the certificates also should be put into some repo, along with the documentation necessary to help people use and modify them. I think that kang already did this for the scripts he made for the production server, but I don't know where all that lives.
Flags: needinfo?(brian)
How the HSM are setup, guidelines for scripting, etc.: https://mana.mozilla.org/wiki/display/SECURITY/HSM+Operational+Procedures
How the HSMs are actually used (still draft): https://mana.mozilla.org/wiki/display/SECURITY/HSM+Policy

The actual scripts are also linked to this last page. I can try to clean the draft up so that it becomes final if that helps.
Bug 891451 for HSM server for marketplace stage use.
Severity: normal → major
Greetings!  

We have a PO pending approval for bug 891451 on 2 x HSM PCI-E devices.  We will also have 2 servers shipped from SCL3 to PHX1 for HSM stage use.  I'll update here and on bug 891451 for a better ETA on when the hardware will land and go live (as well as any bugs for ACLs to be opened with Netops, DCOps for racking, etc)
We have two boxes racked in PHX1 for Marketplace HSM stage.  Looks like finance is in the process of generating the PO to order the HSM devices.  Will obtain an update from finance to see how far the PO has gone.
(In reply to Justin Lazaro [:jlaz] from comment #14)
> We have two boxes racked in PHX1 for Marketplace HSM stage.  Looks like
> finance is in the process of generating the PO to order the HSM devices. 
> Will obtain an update from finance to see how far the PO has gone.

Thanks.  Let me know if you need any help pushing stuff through.
Any updates?
Flags: needinfo?(jlaz)
We have a PO approved (bug 920650) and are awaiting updates from Emagined on when the hardware will arrive.  Shot an email to Emagined on October 14th, and re-pinged again to get a status on the order
Flags: needinfo?(jlaz)
Looks like the hardware landed on October 16th, with FedEx tracking number 796908311018.  Going to schedule some time with opsec to configure the stage HSM boxes, which are currently racked in PHX1
Tentative date for configuring the stage HSM boxes onsite in PHX1 is 10/29.  Bug 930119 has been filed to track the progress of that work.
Depends on: 930119
Rediscussed this with :jlaz as I'm training him to use the HSMs.
For stage, since new/different certs are created, those may need to be signed by a CA.
We can't sign with the official CA of course as it would make no sense. This means a new CA has to be created, or to have anything that uses stage to be able to use self signed certs.

I don't believe that we need or want a full-fledged CA that is under the same security constraints as the production CA. But if for some reason we do, let me know. This is a time-consuming setup.
Jason, do you know what security is required for stage? i.e., what is going to use it. Does it need to be at the same security level as production?
We can discuss it if necessary.
Flags: needinfo?(jthomas)
Spoke with :rforbes on IRC:
> rforbes | your question is, can we treat staging as less risk than production, correct? 
> kang | correct
> rforbes | kang: well, i think that is a correct statement
> rforbes | we should confirm with the marketplace people, however. 

And therefore, I'm copying :andym for feedback on this. If there is any concern with losing the keys from staging in the wild, we should probably discuss how we're going to do this, since, once again, setting up a CA that complies to the same strict standards as the production CA is very time consuming and requires multiple people.
Flags: needinfo?(amckay)
(In reply to Guillaume Destuynder [:kang] (use NEEDINFO!) from comment #21)
> Jason, do you know what security is required for stage? ie, what is going to
> use it. Does it need to be at the same security level as production?
> We can discuss it if necessary.

This HSM will be used to test stage app and reviewer app signing. I don't think it needs to be the same security level as production.
Flags: needinfo?(jthomas)
Agreed I don't think it needs the same level of security as production. There should be a very limited number of people trying to install off stage, reviewers and developers mostly. 

For example, if we wanted to rotate or change stage certificates regularly, pointing them at a mana or intranet page where they could get the new certs would be easy given the small number of users.
Flags: needinfo?(amckay)
Made a quick double-check on IRC:

> if keys or machine is lost to an attacker, the risk is that testers may install malware. we're ok with that (right?)
> andym | yes

So, I propose that the stage HSM generate their own security world with their own keys, using the same scripts as the production HSM - scripts are at https://mana.mozilla.org/wiki/download/attachments/26416648/hsm_scripts-marketplace-2.tar.gz.gpg?version=1&modificationDate=1360627052958&api=v2

I also propose creating a software CA to sign these certificates, living on a separate VM if possible. The attached scripts can also be used, but need to be modified as they won't use the HSM engine (I can help with that).

This should be very close to the production setup, without the additional maintenance the offline CA requires.

The modified scripts should be saved/documented somewhere (it can be puppet + a mana page, I think).
Stage HSM boxes have had their security world set up this past week onsite in PHX (woohoo!).  We'll be generating the CA cert next, and should hopefully have keys generated sometime next week.
This was filed in May and is currently blocking us from many things, namely payments, SIM detection, QA verification, smooth pushes. What can we do to get this set up ASAP? And what is the estimated ETA? Thanks!
The HSM stage boxes are up and the keys have been generated (thanks :jlaz and :kang). I am working on setting up trunion service on the stage hsm for app and reviewer app signing.
The trunion service is configured on the HSM stage hosts however it is having issues with app signing. I will be working with :jlaz and :kang to sort out the issues. If no other unexpected issues arise I should have this up and running by end of this week.
Attached file certs.tar.gz
Please see attached certificates in DER format for verification.
The app and reviewer app signing service for stage is now up and ready for testing. As per comment 10 :bsmith or :kang please verify the certificates in comment 30.
Flags: needinfo?(gdestuynder)
Flags: needinfo?(brian)
The root cert has a 1024-bit RSA key; I think the production root cert had a 2048-bit RSA key.
Flags: needinfo?(gdestuynder)
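The key-size comparison above (a 1024-bit stage root against the 2048-bit production root) can be scripted against the DER attachments from comment 30. This is an added example, not code from this bug or from the marketplace-certs repo: it walks the DER structure with no third-party dependency, and the make_test_cert helper builds a constructed, unsigned sample certificate so the check runs offline (function names are mine).

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_bits(der):
    """Return the RSA modulus size (bits) of a DER certificate's public key."""
    _, cert, _ = _read_tlv(der, 0)                   # Certificate
    _, tbs, _ = _read_tlv(cert, 0)                   # TBSCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    (_, alg), (_, bitstr) = _children(fields[5][1])
    if not alg.startswith(RSA_OID):
        raise ValueError("public key algorithm is not rsaEncryption")
    (_, rsa_pub), = _children(bitstr[1:])            # skip the unused-bits byte
    (_, modulus), _exp = _children(rsa_pub)          # RSAPublicKey { n, e }
    return int.from_bytes(modulus, "big").bit_length()

def root_key_ok(der, minimum=2048):
    """True if the cert's RSA key is at least `minimum` bits (the production root size)."""
    return rsa_key_bits(der) >= minimum

# --- Constructed sample input: a minimal, unsigned Certificate with empty names ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _integer(n):                                     # extra byte keeps the sign bit clear
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_test_cert(modulus, exponent=65537):
    """Build a DER Certificate whose SPKI carries `modulus`; not a real signed cert."""
    rsa_pub = _tlv(0x30, _integer(modulus) + _integer(exponent))
    spki = _tlv(0x30, _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00" + rsa_pub))
    empty = _tlv(0x30, b"")                          # placeholder Name / Validity
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(1) + _tlv(0x30, RSA_OID)
               + empty + empty + empty + spki)
    return _tlv(0x30, tbs + _tlv(0x30, RSA_OID) + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, rsa_key_bits(make_test_cert((1 << (bits - 1)) | 1)))
```

For a real attachment, read the .der file in binary mode and pass the bytes to root_key_ok; the PEM pasted earlier in this bug must have its armor stripped and be base64-decoded first.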
Please give a status update and ETA in this bug.  What is blocking us?  What are the next steps?
If no additional verification is required for the certs in comment 30 then these can be added to https://github.com/briansmith/marketplace-certs.
@briansmith please let me know if there is an issue with the PR in comment 35.
(In reply to Jason Thomas [:jason] from comment #36)
> @briansmith please let me know if there is a issue with the PR in comment 35.

I merged the PR.
Flags: needinfo?(brian)
What else is needed here?
We were unable to install the new certs for the packaged apps because of the following issues:
- after downloading the marketplace-certs from GitHub and running the command "./new_certdb.sh certdb.tmp" in order to create the certificate to be uploaded, the following error was displayed: "./new_certdb.sh: 27: ./new_certdb.sh: certutil: not found".
- the "./change_trusted_servers.sh" command worked, but for the "./push_certdb.sh" command we received the following error: "cannot stat 'certdb.tmp/cert9.db': No such file or directory".

Could you please provide us info on how could we fix these issues? Thank you!
Flags: needinfo?
Do you have nss-tools installed?
Flags: needinfo?
Priority: -- → P2
Is there a way we can allow users to install the certs without having to have nss-tools installed?

We want to encourage partners and contributors to test on stage and this makes setup that much harder.

How about we put all the certs in certdb.tgz and then share it with people who need it? Users can update the trusted servers and just do push_certdb.sh. Will that work?
(In reply to krupa raj[:krupa] from comment #41)
> How about we put all the certs in certdb.tgz and then share it with people
> who need it? Users can update the trusted servers and just do
> push_certdb.sh. Will that work?

That should work, as long as you make sure the cert9.db file contains the right set of certs.

Also, we could fix bug 889744 and extend the default hard-coded mapping to including the staging server, so they wouldn't have to do anything except change the dom.mozApps.signed_apps_installable_from pref and avoid the scripts altogether.
Attached file ezboot-http.log
I have managed to install the nss-tools on Ubuntu pretty easily using the following command:
sudo apt-get install libnss3-tools
and installed the certs on my Inari FF OS 1.4, but when I try to install a packaged app, I get a "Download stopped" error. Log ID: 4440c
Attached http log.
Please let me know if you need any other information or logs. Thanks
I've updated marketplace stage to point to the new stage signing service. Could you please test again?
needinfo iulian.timis@softvision.ro based on comment 44
Flags: needinfo?(iulian.timis)
Attached file ezboot-http.log
I tried to install a new packaged app but I got the same error "Download stopped". LOG ID: 04e55
Attached http log.
I have FF OS 1.4 installed on my Inari, Build Identifier 20140312160210.
Flags: needinfo?(iulian.timis)
I see the following response in the logs, which looks okay:

1074365688[40331080]: http request [
1074365688[40331080]:   GET /downloads/file/248365/tapout-packed-1.0.zip HTTP/1.1
1074365688[40331080]:   Host: marketplace.allizom.org
1074365688[40331080]:   User-Agent: Mozilla/5.0 (Mobile; rv:30.0) Gecko/30.0 Firefox/30.0
1074365688[40331080]:   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
1074365688[40331080]:   Accept-Language: en-US,en;q=0.5
1074365688[40331080]:   Accept-Encoding: gzip, deflate
1074365688[40331080]:   Cookie: __utma=42843833.288342224.1394713522.1394713522.1395130883.3; __utmz=42843833.1394713522.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=42843833.9.9.1395131806423; lang="en-US\054"; __utmc=42843833
1074365688[40331080]:   Connection: keep-alive
1074365688[40331080]: ]
16005000[40331980]: http response [
16005000[40331980]:   HTTP/1.1 200 OK
16005000[40331980]:   Server: nginx
16005000[40331980]:   Content-Type: application/zip
16005000[40331980]:   Date: Tue, 18 Mar 2014 08:36:49 GMT
16005000[40331980]:   Accept-Ranges: bytes
16005000[40331980]:   Etag: "e4e931ea9b6614e7fb692510e9bc80913526026656d3e995ca35455307abcb82"
16005000[40331980]:   Via: Moz-pp-zlb09
16005000[40331980]:   Connection: keep-alive
16005000[40331980]:   Last-Modified: Tue, 18 Mar 2014 08:30:10 GMT
16005000[40331980]:   Content-Length: 100026
16005000[40331980]: ]

but also see the following failure that happens a few times, not sure if it is related:

16005000[40331980]: SpdySession31 48b6d800 buffering frame header read failure 80470007

I checked the packaged app and META-INF/zigbert.rsa looks correct. 

Is there any other debugging information that we can obtain from the device?
Krupa has confirmed that stage certs are now working.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 10 years ago
Resolution: --- → FIXED
Component: Server Operations: AMO Operations → Operations: Marketplace
Product: mozilla.org → Mozilla Services