Closed Bug 558463 Opened 15 years ago Closed 14 years ago

Setup a staging keymaster

Categories

(Release Engineering :: General, defect, P2)

All
Windows Server 2003
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: coop, Assigned: coop)

References

Details

(Whiteboard: [signing])

Attachments

(1 file)

We should set up an instance of keymaster in staging so we can properly play around with signing/scripts keys and not have to worry about breaking the production system. Not sure if this is already done based on bug 428132.
Blocks: 558460
Blocks: 558464
Depends on: 559353
(In reply to comment #0)
> Not sure if this is already done based on bug 428132.
The machine referenced in bug 428132 is our current keymaster machine in production. I've filed bug 559353 to get a new keymaster clone.
Assignee: nobody → ccooper
Status: NEW → ASSIGNED
Priority: P4 → P2
This machine is set up now: cm-keystage01
Docs about how to use the staging keys are in the CombinedSigning wiki.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Two issues have come up:
1) Can't connect to staging-stage from cm-keystage01
2) Hitting "gpg: Can't check signature: public key not found" on verify-sigs
Depends on: 590999
cvs checkouts from mofo repos also don't work
(In reply to comment #3)
> 1) Can't connect to staging-stage from cm-keystage01
Filed bug 590999
> 2) Hitting "gpg: Can't check signature: public key not found" on verify-sigs
Added a note to the staging section of CombinedSigning to address this for now. It doesn't work out of the box because the production public key is checked out from CVS, but the staging key can be copied in place. Probably need to come up with an automated solution to this that doesn't bend the production automation too much.
(In reply to comment #4)
> cvs checkouts from mofo repos also don't work
I'll make sure the ssh config file still allows for this.
(In reply to comment #5)
> (In reply to comment #4)
> > cvs checkouts from mofo repos also don't work
>
> I'll make sure the ssh config file still allows for this.
Fixed.
(In reply to comment #3)
> 1) Can't connect to staging-stage from cm-keystage01
Currently waiting for the machine to be rebooted in bug 601134 so I can test this.
Will look at the remaining issues this afternoon.
Status: REOPENED → ASSIGNED
These changes make it easier to sign in staging.
Attachment #483575 - Flags: review?(bhearsum)
Coop -- I made some changes to keymaster for Android signing (JDK, Android SDK, release keystore). I'll need to either do those on this box or let you know what I did on keymaster, so we can have a staging env for that.
(In reply to comment #10)
> I'll need to either do those on this box or let you know what I did on
> keymaster, so we can have a staging env for that.
If it's straightforward installation, I can do it, given a list.
1) install JDK
http://www.oracle.com/technetwork/java/javase/downloads/index.html
2) install Android SDK
http://developer.android.com/sdk/index.html

sign_android.sh currently expects to find them in specific locations on disk (hardcoded at the top). If that works for you, awesome, otherwise we may need to tweak that for staging.
http://hg.mozilla.org/build/tools/file/c6273c2278d0/release/signing/sign_android.sh

I imagine we'll need to do something with the keystore. I assume we don't want to copy ~cltsign/android-release.keystore from keymaster, unless key-stage is as secure as keymaster. If we have to use a different key, I'd say copy ~cltbld/.android/android.keystore from a production linux slave, and we'd have to figure out how to point to the staging keystore/key alias in sign_android.sh. Maybe

if [ "$STAGING." != "." ] ; then
  ...staging settings
else
  ...release settings
fi
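One way to flesh out the STAGING switch sketched in the comment above so that it fails closed; this is an added example, not code from the bug or from sign_android.sh. The keystore file names are the ones mentioned in the comment, while the directory layout, the alias values (placeholders) and the host-name check against cm-keystage are assumptions.

```shell
#!/bin/sh
# Added example, not taken from sign_android.sh.
# Keystore file names come from the comment above; the directory layout,
# the staging keystore location and both aliases are assumptions.
RELEASE_KEYSTORE="${RELEASE_KEYSTORE:-$HOME/android-release.keystore}"
RELEASE_ALIAS="${RELEASE_ALIAS:-RELEASE_ALIAS_PLACEHOLDER}"
STAGING_KEYSTORE="${STAGING_KEYSTORE:-$HOME/.android/android.keystore}"
STAGING_ALIAS="${STAGING_ALIAS:-STAGING_ALIAS_PLACEHOLDER}"
STAGING_HOST_PREFIX="cm-keystage"   # staging box named in this bug

# select_signing_env HOST
# Prints "<keystore> <alias>" for the requested environment, or returns 1
# (printing only to stderr) when the request does not fit the host.
# Typical caller: select_signing_env "$(hostname)" || exit 1
select_signing_env() {
    host="$1"
    if [ "${STAGING:-}." != "." ]; then
        # Staging run: never fall through to the release keystore, even if
        # someone pointed STAGING_KEYSTORE at it by mistake.
        if [ "$STAGING_KEYSTORE" = "$RELEASE_KEYSTORE" ]; then
            echo "refusing: staging run configured with release keystore" >&2
            return 1
        fi
        printf '%s %s\n' "$STAGING_KEYSTORE" "$STAGING_ALIAS"
        return 0
    fi
    # Release run: refuse on the staging host, so a forgotten STAGING=1
    # fails closed instead of looking for release keys there.
    case "$host" in
        "$STAGING_HOST_PREFIX"*)
            echo "refusing: release settings requested on $host" >&2
            return 1 ;;
    esac
    printf '%s %s\n' "$RELEASE_KEYSTORE" "$RELEASE_ALIAS"
}
```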
Attachment #483575 - Flags: review?(bhearsum) → review+
Depends on: 605208
Attachment #483575 - Flags: checked-in+
We can now connect to both stage.m.o and staging-stage.build.m.o from this box. Only thing left to do now is install the mobile tools from comment #12.
(In reply to comment #14)
> We can now connect to both stage.m.o and staging-stage.build.m.o from this box.
Is there any guard against accidentally pushing to stage.m.o from here? Like having to explicitly go modify the ssh key settings?
(In reply to comment #15)
> Is there any guard against accidentally pushing to stage.m.o from here ? Like
> having to explicitly go modify the ssh key settings ?
I've commented out the block in the ssh config file that is currently granting access to stage by default.
Mobile tools are also installed now in the locations expected by sign_android.sh.
Docs have been updated:
https://intranet.mozilla.org/Build:CombinedSigning#Signing_in_the_Staging_Environment
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering