Closed Bug 1226191 Opened 9 years ago Closed 9 years ago

Firefox 43.0 win builds should be signed with sha2

Categories

(Release Engineering :: Release Requests, defect)

Product:
Release Engineering
Component:
Release Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox43+ fixed, firefox44- fixed, firefox45- fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox43 + fixed
firefox44 - fixed
firefox45 - fixed

People

(Reporter: rail, Unassigned)

References

Details

This will require some changes in the build system: MOZ_INTERNAL_SIGNING_FORMAT and MOZ_EXTERNAL_SIGNING_FORMAT in https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/signing.mk#11 should be changed from "osslsigncode" to "sha2signcode".
I wonder if we should start signing nightly/aurora/beta with SHA2 before 43.0.
Flags: needinfo?(benjamin)
(In reply to Rail Aliiev [:rail], on PTO Nov 21 - Mozlandia from comment #0) > This will require some changes in the build system: > > MOZ_INTERNAL_SIGNING_FORMAT and MOZ_EXTERNAL_SIGNING_FORMAT in > https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/installer/ > signing.mk#11 should be changed from "osslsigncode" to "sha2signcode". FTR, "sha2signcode" comes from https://dxr.mozilla.org/build-central/source/puppet/modules/buildmaster/templates/passwords.py.erb#14, one of the signing formats supported by our signing servers.
I think we should start rolling this out to nightly ASAP, and aurora as soon as we're comfortable. My understanding was that should not do this for beta 43 since we need the client changes which disable the maintenance service on WinXP and need to deploy that (to release) before we enabled SHA2 codesigning. But I'm not the expert/haven't thought this through well.
Flags: needinfo?(benjamin)
Tracking this for 43, and nominating for 44/45 as well.
status-firefox43: --- → affected
status-firefox44: --- → affected
status-firefox45: --- → affected
tracking-firefox43: --- → +
tracking-firefox44: --- → ?
tracking-firefox45: --- → +
Tracked for 44 because it's related to SHA-1 signing deprecation.
tracking-firefox44: ?+
Jordan do you know how is this going and is there a way to test it out before the 43 release? Or did we already cover this in testing? Are we planning to roll this out to other channels? Sorry to bug you about it, I'm not sure who else to ask though.
Flags: needinfo?(jlund)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6) > Jordan do you know how is this going and is there a way to test it out > before the 43 release? Or did we already cover this in testing? catlee is helping here: https://bugzilla.mozilla.org/show_bug.cgi?id=1079858#c74 I will make sure to stay in touch with sheriffs and get this merged into m-c before EOD then we can quickly uplift this across branches tomorrow. We should test this before RC on monday everywhere.
Flags: needinfo?(jlund)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.