Closed Bug 915131 Opened 11 years ago Closed 10 years ago

document jar secret details on signing docs

Categories

(Release Engineering :: General, defect)

Product:
Release Engineering
Component:
General
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: bhearsum, Assigned: mozilla)

Details

We just need some brief details on how to generate jar secrets on https://intranet.mozilla.org/RelEngWiki/index.php/Signing#Set_up_.22secrets.22_directory.
Now at https://mana.mozilla.org/wiki/display/RelEng/Signing. I was wondering how android signing worked today.
Aki, any chance you can do this before you leave us?
Flags: needinfo?(escapewindow+mozbugs)
What do you mean by jar secrets?  Generating a signing key?
Flags: needinfo?(bhearsum)
Or changing the passphrase?
(In reply to Aki Sasaki [:aki] from comment #3)
> What do you mean by jar secrets?  Generating a signing key?

Basically, how do I go from nothing -> having the bits I need to do JAR signing. So signing key generation, any conversion that needs to happen, etc. Changing the passphrase could be useful too.
Flags: needinfo?(bhearsum)
Ok, I'll take it.
The biggest thing here is probably an admonition that losing the signing key for android will be Very Very Bad, as in losing everyone's profile bad.  But there may be a need for a new one for some reason, so it may be useful.
Assignee: nobody → escapewindow+mozbugs
Flags: needinfo?(escapewindow+mozbugs)
Android-signing-on-demand is https://bugzilla.mozilla.org/show_bug.cgi?id=705807 .  I was actually not a part of this, nor did I deal much with signing* so I don't know what was done with the jar secrets.  I also don't seem to have access to log into signing* so I can't try to reverse engineer it currently.

https://bugzilla.mozilla.org/show_bug.cgi?id=705807 was the signing-on-demand bug.... looks like Catlee set up the server + in-tree makefiles, and then I did the client-side stuff.


http://developer.android.com/tools/publishing/app-signing.html#cert are the official docs for private key creation.

http://stackoverflow.com/questions/4387954/changing-android-signing-key-password for changing the passwords... essentially 'keytool' allows for a new keypass and storepass (there are two passphrases).

https://bugzilla.mozilla.org/show_bug.cgi?id=562843 has attempts at creating an official Verisign android signing key, and found it was impossible... Google *requires* a cert with an expiration date longer than 22 October 2033.  If we lose our secrets/keys, we are going to have to abandon all of our current Firefox for Android installs for Nightly, Beta, and Release, and publish a new product and convince people it's really us and have them install it manually.  It will be Bad.
(In reply to Aki Sasaki [:aki] from comment #7)
> Android-signing-on-demand is
> https://bugzilla.mozilla.org/show_bug.cgi?id=705807 .  I was actually not a
> part of this, nor did I deal much with signing* so I don't know what was
> done with the jar secrets.  I also don't seem to have access to log into
> signing* so I can't try to reverse engineer it currently.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=705807 was the
> signing-on-demand bug.... looks like Catlee set up the server + in-tree
> makefiles, and then I did the client-side stuff.

Yes, these contradict each other.  I was a part of this, but did not touch the server- or jar-secrets- side.
Updated https://mana.mozilla.org/wiki/display/RelEng/Signing#Signing-Setup%22secrets%22directory with my guesses sans-signing* server access.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Thanks Aki!
Status: RESOLVED → VERIFIED
Component: General Automation → General
You need to log in before you can comment on or make changes to this bug.