mozregression installers and executables for windows and mac are not signed
Categories
(Testing :: mozregression, defect)
Tracking
(Not tracked)
People
(Reporter: 61.1p57, Assigned: zeid)
References
(Blocks 1 open bug)
Comment 2•8 years ago
Comment 3•7 years ago
Comment 4•5 years ago
This now applies to the Mac as well.
Comment 5•4 years ago
Hi Chris, please don't consider this an urgent request, but I'm wondering how possible it would be to produce signed versions of mozregression? It seems like mozregression is getting detected as a virus on Windows and is rather difficult to install on Mac due to this issue.
Currently mozregression is being built with travis/appveyor but moving it over to the taskcluster community instance should be possible.
Comment 6•4 years ago
(In reply to William Lachance (:wlach) (use needinfo!) from comment #5)
> Hi Chris, please don't consider this an urgent request, but I'm wondering how possible it would be to produce signed versions of mozregression? It seems like mozregression is getting detected as a virus on Windows and is rather difficult to install on Mac due to this issue.
> Currently mozregression is being built with travis/appveyor but moving it over to the taskcluster community instance should be possible.
Gotten a bunch more reports on this issue.
I did some more research, and it does appear signing is technically possible - for example, we do this for taskcluster builds of firefox reality on the community instance: https://github.com/mozilla/community-tc-config/blob/master/config/projects/firefoxreality.yml
So realistically this means something like:
1. Set up a mozregression group on taskcluster's community instance (not very difficult: #taskcluster on Matrix can probably help)
2. Port mozregression's ci to taskcluster (a day or two's worth of work? not sure how difficult tbh)
3. Figure out how to sign pyinstaller-produced binaries on (at least) Mac and Windows (pretty easy, most likely)
4. Figure out who at Mozilla can provide them, then add certificates and whatever artifacts necessary to do signing to taskcluster
5. Actually sign builds produced from mozilla/mozregression (making sure that pull requests coming from forks are not signed)
So probably not a huge amount of work, but not trivial either-- 4 in particular might require some help/favours from other parts of Mozilla.
Comment 7•4 years ago
This is a little different, but similar enough that it's worth connecting some things: geckodriver does something like this over in https://bugzilla.mozilla.org/show_bug.cgi?id=1427849 and related tickets.
Comment 8•4 years ago
If you are making infrequent releases, you can ask RelEng to manually sign the releases.
e.g. bug 1588707 where I did that for the MozillaBuild NSIS installer.
Comment 9•4 years ago
(In reply to :glob 🎈 from comment #8)
> If you are making infrequent releases, you can ask RelEng to manually sign the releases.
> e.g. bug 1588707 where I did that for the MozillaBuild NSIS installer.
Thanks :glob, that sounds like a good interim solution. Filed bug 1661025 about that, let's see where it goes.
Comment 10•4 years ago
(In reply to William Lachance (:wlach) (use needinfo!) from comment #9)
> (In reply to :glob 🎈 from comment #8)
> > If you are making infrequent releases, you can ask RelEng to manually sign the releases.
> > e.g. bug 1588707 where I did that for the MozillaBuild NSIS installer.
> Thanks :glob, that sounds like a good interim solution. Filed bug 1661025 about that, let's see where it goes.
Ok so that worked, at least for Windows. However I realized (too late) that the problem isn't in the installer, it's the actual mozregression executable that gets installed. :aki and I talked about this a bit, and I think the most viable way forward is to move this in-tree and (eventually) reuse Firefox's signing mechanisms. Not sure when we'll have time to do that, but I'll file a bug soon.
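The gap described in comment 10 (a signed installer that installs an unsigned executable) can be caught before release by checking every PE file in the build output for an Authenticode certificate table. This is an added example, not code from this bug or from mozregression; the file names and header bytes are constructed, and the check detects only that a signature blob is present, not that it verifies.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_authenticode_blob(data: bytes) -> bool:
    """True if a PE image carries a certificate table (presence, not validity)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                   # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return False
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    return offset != 0 and size != 0

def unsigned_pe_files(files: dict) -> list:
    """Names of PE files in `files` (name -> bytes) with no certificate table."""
    return sorted(name for name, data in files.items()
                  if data[:2] == b"MZ" and not has_authenticode_blob(data))

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ headers for the demo (not a runnable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # 16 data directories
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x400, 0x1A00)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed build output: signed installer, unsigned installed executable.
SAMPLE = {
    "setup.exe": sample_pe(signed=True),
    "installed/app.exe": sample_pe(signed=False),
    "installed/README.txt": b"plain text",
}

if __name__ == "__main__":
    print(unsigned_pe_files(SAMPLE))
```

In a release job, the same function would be fed the unpacked contents of the installer so that a non-empty result fails the build.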
Comment 11•4 years ago
As per discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1661025#c4 -- it seems like the "right way" to solve this issue is to move mozregression in-tree, where we can reuse the existing signing/trust infrastructure for Firefox.
It occurs to me that we could possibly just make the in-tree version a mirror if we want to continue development on GitHub.
Comment 12•1 year ago
Going forward, mozregression-gui.exe and mozregression-gui.dmg will be signed; however, they may not show up immediately on a new release and may take up to 1-2 hours to be available.