document jar secret details on signing docs

VERIFIED FIXED

Status

Release Engineering
General Automation
5 years ago
4 years ago

People

(Reporter: bhearsum, Assigned: aki)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
We just need some brief details on how to generate jar secrets on https://intranet.mozilla.org/RelEngWiki/index.php/Signing#Set_up_.22secrets.22_directory.
Now at https://mana.mozilla.org/wiki/display/RelEng/Signing. I was wondering how Android signing worked today.
(Reporter)

Comment 2

4 years ago
Aki, any chance you can do this before you leave us?
Flags: needinfo?(escapewindow+mozbugs)
(Assignee)

Comment 3

4 years ago
What do you mean by jar secrets?  Generating a signing key?
Flags: needinfo?(bhearsum)
(Assignee)

Comment 4

4 years ago
Or changing the passphrase?
(Reporter)

Comment 5

4 years ago
(In reply to Aki Sasaki [:aki] from comment #3)
> What do you mean by jar secrets?  Generating a signing key?

Basically, how do I go from nothing -> having the bits I need to do JAR signing. So signing key generation, any conversion that needs to happen, etc. Changing the passphrase could be useful too.
Flags: needinfo?(bhearsum)
(Assignee)

Comment 6

4 years ago
Ok, I'll take it.
The biggest thing here is probably an admonition that losing the signing key for Android will be Very Very Bad, as in losing everyone's profile bad.  But there may be a need for a new one for some reason, so it may be useful.
Assignee: nobody → escapewindow+mozbugs
Flags: needinfo?(escapewindow+mozbugs)
(Assignee)

Comment 7

4 years ago
Android-signing-on-demand is https://bugzilla.mozilla.org/show_bug.cgi?id=705807 .  I was actually not a part of this, nor did I deal much with signing* so I don't know what was done with the jar secrets.  I also don't seem to have access to log into signing* so I can't try to reverse engineer it currently.

https://bugzilla.mozilla.org/show_bug.cgi?id=705807 was the signing-on-demand bug.... looks like Catlee set up the server + in-tree makefiles, and then I did the client-side stuff.


http://developer.android.com/tools/publishing/app-signing.html#cert are the official docs for private key creation.

http://stackoverflow.com/questions/4387954/changing-android-signing-key-password for changing the passwords... essentially 'keytool' allows for a new keypass and storepass (there are two passphrases).

https://bugzilla.mozilla.org/show_bug.cgi?id=562843 has attempts at creating an official Verisign Android signing key, and found it was impossible... Google *requires* a cert with an expiration date longer than 22 October 2033.  If we lose our secrets/keys, we are going to have to abandon all of our current Firefox for Android installs for Nightly, Beta, and Release, and publish a new product and convince people it's really us and have them install it manually.  It will be Bad.
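
The keytool steps mentioned in comment 7 (key creation, the two passphrases, and the 22 October 2033 expiry requirement), written out as an added example; it is not part of the original thread and not Mozilla's actual procedure. The keystore path, alias, DN and the environment variable names (STOREPASS, KEYPASS, NEW_STOREPASS, NEW_KEYPASS) are placeholders, and it assumes GNU date and a JDK keytool.

```shell
#!/usr/bin/env bash
# Added example with placeholder names; passphrases are read from the
# environment via keytool's ":env" modifier so they never appear in argv.

REQUIRED_AFTER="2033-10-22"   # cutoff date quoted in comment 7

# Smallest -validity value (days) so a cert issued on date $1 expires after the cutoff.
min_validity_days() {
  local start end
  start=$(date -u -d "$1" +%s)
  end=$(date -u -d "$REQUIRED_AFTER" +%s)
  echo $(( (end - start) / 86400 + 1 ))
}

# Succeeds only if the expiry date $1 falls after the cutoff.
expires_ok() {
  [ "$(date -u -d "$1" +%s)" -gt "$(date -u -d "$REQUIRED_AFTER" +%s)" ]
}

generate_and_rotate() {
  local ks="$1" alias="$2" days not_after
  days=$(min_validity_days "$(date -u +%F)")
  # JKS is used because keytool does not support a separate key passphrase
  # for PKCS12 keystores.
  keytool -genkeypair -storetype JKS -keystore "$ks" -alias "$alias" \
    -keyalg RSA -keysize 2048 -validity "$days" \
    -dname "CN=example-signing-placeholder" \
    -storepass:env STOREPASS -keypass:env KEYPASS
  # Change the key passphrase first, then the store passphrase.
  keytool -keypasswd -keystore "$ks" -alias "$alias" \
    -storepass:env STOREPASS -keypass:env KEYPASS -new:env NEW_KEYPASS
  keytool -storepasswd -keystore "$ks" \
    -storepass:env STOREPASS -new:env NEW_STOREPASS
  # Re-read the certificate and confirm it still meets the expiry requirement.
  not_after=$(TZ=UTC LC_ALL=C keytool -list -v -keystore "$ks" -alias "$alias" \
    -storepass:env NEW_STOREPASS | sed -n 's/.*until: //p' | head -n 1)
  expires_ok "$not_after" || { echo "expires too early: $not_after" >&2; return 1; }
}

# Runs only when asked: ./script.sh --generate <keystore> <alias>
if [ "${1:-}" = "--generate" ]; then
  set -eu
  generate_and_rotate "${2:?keystore path}" "${3:?key alias}"
fi
```

The minimum computed here only clears the cutoff by one day; a longer `-validity` is equally acceptable, and the keystore should be backed up offline before any passphrase change.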
(Assignee)

Comment 8

4 years ago
(In reply to Aki Sasaki [:aki] from comment #7)
> Android-signing-on-demand is
> https://bugzilla.mozilla.org/show_bug.cgi?id=705807 .  I was actually not a
> part of this, nor did I deal much with signing* so I don't know what was
> done with the jar secrets.  I also don't seem to have access to log into
> signing* so I can't try to reverse engineer it currently.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=705807 was the
> signing-on-demand bug.... looks like Catlee set up the server + in-tree
> makefiles, and then I did the client-side stuff.

Yes, these contradict each other.  I was a part of this, but did not touch the server- or jar-secrets- side.
(Assignee)

Comment 10

4 years ago
Updated https://mana.mozilla.org/wiki/display/RelEng/Signing#Signing-Setup%22secrets%22directory with my guesses sans-signing* server access.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Reporter)

Comment 11

4 years ago
Thanks Aki!
Status: RESOLVED → VERIFIED