Bug 1126898: Add support for separate "preliminary" signing endpoint URL
Status: VERIFIED FIXED (opened 10 years ago, closed 10 years ago)
Categories: addons.mozilla.org Graveyard :: Admin/Editor Tools, defect
Tracking: Not tracked
Target Milestone: 2015-02
People: Reporter: rtilder, Assigned: magopian
Attachments: 2 files
Per our discussion on IRC, something akin to Zamboni's handling of reviewer signing for FirefoxOS privileged apps found here: https://github.com/mozilla/zamboni/blob/master/lib/crypto/packaged.py#L101-104
Comment 1 (Assignee) • 10 years ago
Jason, is it clear to you what is needed? From what I understand, it needs another instance of trunion running with different settings. Once it's in place, could you please update this bug with the endpoint to use? I believe all the necessary information is in bug 1123915.
Thanks!
Component: Payments/Refunds → Admin/Editor Tools
Depends on: 1123915
Flags: needinfo?(jthomas)
Product: Marketplace → addons.mozilla.org
Target Milestone: --- → 2015-02
Version: 1.5 → unspecified
Comment 3 • 10 years ago
I've added PRELIMINARY_SIGNING_SERVER to olympia's private settings file.
https://github.com/mozilla-services/svcops-puppet/commit/12a6f90029ecc8778b4e0c875d9b8018f3a9a39c
Flags: needinfo?(jthomas)
Comment 4 (Assignee) • 10 years ago
PR: https://github.com/mozilla/olympia/pull/438
Ryan, is there a way, given a signed addon, to see if it's been fully or preliminary signed? What are the steps to make sure the correct endpoint (with the correct settings) has been used?
Flags: needinfo?(rtilder)
Comment 5 (Assignee) • 10 years ago
Fixed in https://github.com/mozilla/olympia/commit/da3f26487557af5719a5c3916939a820ee867d32
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 7 (Assignee) • 10 years ago
:rtilder, :dveditz, :jason, is there a way, given a signed addon, to manually check if it's been signed with the correct endpoint?
Flags: needinfo?(jthomas)
Flags: needinfo?(dveditz)
Comment 8 • 10 years ago
I usually test by extracting the addon xpi and running the following openssl command:

openssl pkcs7 -inform der -in META-INF/zigbert.rsa -print_certs -text -noout

OU should be equal to 'Preliminary'.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 01:4b:c7:e3:db:4a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=Mountain View, O=Addons Test Signing, CN=test.addons.signing.root.ca/emailAddress=opsec+stagerootaddons@mozilla.com
        Validity
            Not Before: Feb 26 21:56:13 2015 GMT
            Not After : Feb 23 21:56:13 2025 GMT
        Subject: OU=Preliminary, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=someaddonuid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
Flags: needinfo?(jthomas)
Comment 9 (Assignee) • 10 years ago
Ah, excellent, thanks Jason! So the STR are:
1/ submit an addon and choose the prelim review
2/ download the (signed) addon from the listing page
3/ run the above command, and make sure the OU says "Preliminary"
4/ submit another addon and choose the full review
5/ download the (signed) addon from the listing page
6/ run the above command, and make sure the OU says... "Full"? Not sure about the text here, but it shouldn't be "Preliminary"
Flags: needinfo?(rtilder)
Flags: needinfo?(dveditz)
Comment 10 • 10 years ago
I have followed the steps above and for both full review and preliminary review the OU is "Preliminary".
Attaching the log files for both full and preliminary reviews.
Updated • 10 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 12 (Assignee) • 10 years ago
Thanks Madalin. Jason? Is there a way we can double check that? How can I help?
Flags: needinfo?(jthomas)
Comment 13 • 10 years ago
Logs show addon in comment 10 (id=490498) was sent to preliminary server. Both servers are configured correctly in the settings.

ar 5 14:24:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.devhub:INFO FileUpload created: 33a08667fc5c4757beaf317e32206a9e :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/devhub/views.py:607
Mar 5 14:28:28 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:DEBUG clean_name called without an instance: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/forms.py:42
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Version changed from backup: None to None, current: None to None, latest: None to .1 for addon 490498: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:716
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.amo:INFO Cache increment failed for key: ns:d2c-versions:490498. Resetting. :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/amo/utils.py:673
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Incrementing d2c-versions namespace for add-on [490498]: 1425565710:ns:d2c-versions:490498 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:854
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.versions:INFO New version: <Version: .1> (1526568) from <FileUpload: 33a08667fc5c4757beaf317e32206a9e> :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/versions/models.py:128
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Version changed from backup: None to None, current: None to .1, latest: .1 to .1 for addon 490498: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:716
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:INFO Hash changed for file: 246970, addon: 490498, from: to: sha256:99f1ff8652fb1b7b115a94c75f0fa0d7abc3c0e0e8e888e7fdd09c044ec15418 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:469
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:DEBUG New file: <File: 246970> from <FileUpload: 33a08667fc5c4757beaf317e32206a9e> :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:172
Mar 5 14:28:30 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:DEBUG New addon <Addon: 490498: testPass3.5.2015> from <FileUpload: 33a08667fc5c4757beaf317e32206a9e> :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:500
Mar 5 14:29:44 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:INFO Moving file to mirror: /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi => /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:338
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.files:INFO Moving file to mirror: /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi => /mnt/netapp_amo_dev/addons-dev.allizom.org/files/490498/testpass352015-.1-fx.xpi :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/files/models.py:338
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.addons:INFO Incrementing d2c-versions namespace for add-on [490498]: 1425565711:ns:d2c-versions:490498 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/addons/models.py:854
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO Signing version: 1526568 :./lib/crypto/packaged.py:120
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO File signature contents: Signature-Version: 1.0#012MD5-Digest-Manifest: BlommQe74LyMBZrPXgUyaA==#012SHA1-Digest-Manifest: IQuXOG8WeBEurfcRZjTFlVR4F4Q=#012 :./lib/crypto/packaged.py:58
Mar 5 14:29:45 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO Calling signing service: http://prelim-signer.addons.allizom.org/1.0/sign_addon :./lib/crypto/packaged.py:62
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.crypto:INFO Signing complete for file 246970. :./lib/crypto/packaged.py:110
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.mailer:INFO Making 490498: testPass3.5.2015 public :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/editors/helpers.py:667
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.mailer:INFO Sending email for 490498: testPass3.5.2015 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/editors/helpers.py:668
Mar 5 14:29:46 dev1.addons.phx1.mozilla.com: [madalinc][62.231.92.162] z.users:INFO Awarding 120 points to user 10620563: madalinc for "Full Add-on Review" for addon 490498 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305074456-1dce168012/olympia/apps/editors/models.py:405

The addon.status = 4 for the addon so it should have been sent to the 'final' server. I manually signed the addon with sign_addon management command and it sent it to the correct server:

Mar 5 18:50:34 addonsadm.private.phx1.mozilla.com: [<anon>][None] z.crypto:INFO File signature contents: Signature-Version: 1.0#012MD5-Digest-Manifest: BlommQe74LyMBZrPXgUyaA==#012SHA1-Digest-Manifest: IQuXOG8WeBEurfcRZjTFlVR4F4Q=#012 :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305174131-8d37083345/olympia/lib/crypto/packaged.py:58
Mar 5 18:50:34 addonsadm.private.phx1.mozilla.com: [<anon>][None] z.crypto:INFO Calling signing service: http://signer.addons.allizom.org/1.0/sign_addon :/data/addons-dev/www/addons-dev.allizom.org/deploy-olympia-dev-20150305174131-8d37083345/olympia/lib/crypto/packaged.py:62

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1425581439580 (0x14beb467a5c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=Mountain View, O=Addons Test Signing, CN=test.addons.signing.root.ca/emailAddress=opsec+stagerootaddons@mozilla.com
        Validity
            Not Before: Mar 5 18:50:39 2015 GMT
            Not After : Mar 2 18:50:39 2025 GMT
        Subject: OU=Testing, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=gr14hyte-ZmmhUZdl7odf9zGfgG6AG0lsTvg@jetpack
        Subject Public Key Info:
Flags: needinfo?(jthomas)
Comment 14 • 10 years ago
Possibly related to mysql replication lag? Although lag should be very minimal especially on the -dev server.
Comment 15 (Assignee) • 10 years ago
Should be fixed by https://github.com/mozilla/olympia/pull/503/files#diff-1ff978159be740b1b8edc4fcc67c4faaR27, needs to be tested on -dev or stage
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Flags: needinfo?(jthomas)
Resolution: --- → FIXED
Updated • 10 years ago
Flags: needinfo?(jthomas)
Comment 17 • 10 years ago
Tested this again on stage

For preliminary review:
        Validity
            Not Before: Apr 22 14:00:08 2015 GMT
            Not After : Apr 19 14:00:08 2025 GMT
        Subject: OU=Preliminary, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=gr14hyte-ZmmhUZdl7odd9gGdgT8AG1lsTvg@jetpack

For full review:
        Validity
            Not Before: Apr 22 13:51:40 2015 GMT
            Not After : Apr 19 13:51:40 2025 GMT
        Subject: OU=Testing, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=gr14hyte-ZmmhUZdl7odf9gGdgT8AG8lsTvg@jetpack

I do not think this is expected. :magopian?
Flags: needinfo?(mathieu)
Comment 18 (Assignee) • 10 years ago
From what I can tell, this is exactly what's expected:
- the preliminary reviewed addon has "preliminary" in the OU
- the fully reviewed addon doesn't have "preliminary" in the OU
Flags: needinfo?(mathieu)
Comment 19 • 10 years ago
Ok, so for fully reviewed add-ons the text should be testing. Thanks for the response. Closing bug.
Status: RESOLVED → VERIFIED
Comment 20 (Assignee) • 10 years ago
I think the content is not important, it's just the presence (or absence) of "preliminary" that is. Maybe :dveditz can confirm?
Flags: needinfo?(dveditz)
Comment 21 • 10 years ago
We have two separate roots, a testing root and a prod root. I would hope that the prod root doesn't use OU=Testing for the non-preliminary one (and not O=Addons Testing). The text doesn't really matter though as long as it's not a case-insensitive match for "Preliminary", it would just look strange/bad.
Flags: needinfo?(dveditz)
Comment 22 • 10 years ago
(In reply to Daniel Veditz [:dveditz] from comment #21)
> I would hope that the prod root doesn't use OU=Testing for the non-preliminary one (and not O=Addons Testing).

It doesn't, Bug 1130020 comment 13 has an example.
Updated • 9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
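
The manual OU check from comments 8 and 9, combined with the case-insensitive rule from comment 21, as an added shell example that is not part of the bug or of olympia's code. The function names and the sample Subject lines are constructed for illustration, and it assumes the signing certificate is the first one openssl prints, as in the output quoted in comment 8.

```shell
#!/bin/sh
# Added example: automates the manual OU check described in comments 8 and 9.

# Print the OU of the first "Subject:" line found in the text output of
# `openssl pkcs7 -print_certs -text -noout` (read from stdin).
# Accepts both "OU=Preliminary" and the newer "OU = Preliminary" layout.
subject_ou() {
    sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | head -n 1 |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*OU[[:space:]]*=[[:space:]]*//p' | head -n 1 |
        sed 's/[[:space:]]*$//'
}

# Classify per comment 21: only a case-insensitive match for "Preliminary"
# marks a preliminary signature; any other OU text is non-preliminary.
# A missing OU is reported as "unknown" (a choice made for this example).
signing_level() {
    ou=$(subject_ou | tr '[:upper:]' '[:lower:]')
    case "$ou" in
        preliminary) echo "preliminary" ;;
        "")          echo "unknown" ;;
        *)           echo "not-preliminary" ;;
    esac
}

# Run the check on a signed add-on: check_xpi path/to/addon.xpi
# Needs unzip and openssl; same openssl options as in comment 8.
check_xpi() {
    unzip -p "$1" META-INF/zigbert.rsa |
        openssl pkcs7 -inform der -print_certs -text -noout |
        signing_level
}

# Constructed sample inputs, modelled on the Subject lines quoted in the bug.
SAMPLE_PRELIM='        Subject: OU=Preliminary, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=someaddonuid
        Subject Public Key Info:'
SAMPLE_FULL='        Subject: OU=Testing, C=US, L=Mountain View, O=Addons Testing, ST=CA, CN=someaddonuid'
SAMPLE_NEW_LAYOUT='        Subject: OU = PRELIMINARY, C = US, O = Addons Testing, CN = someaddonuid'
SAMPLE_NO_OU='        Subject: C=US, O=Addons Testing, CN=someaddonuid'

for s in "$SAMPLE_PRELIM" "$SAMPLE_FULL" "$SAMPLE_NEW_LAYOUT" "$SAMPLE_NO_OU"; do
    printf '%s\n' "$s" | signing_level
done
```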