Closed Bug 718804 Opened 13 years ago Closed 13 years ago

Set up signing master for releases

Categories

(Release Engineering :: General, defect, P2)

x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rail, Assigned: rail)

Attachments

(1 file, 1 obsolete file)

Need it for 11.0b1.
Assignee: nobody → rail
Priority: -- → P2
Attached patch puppet configs (deleted) — Splinter Review
The plan:

1) let puppet set up the master
2) put the release keys on the servers
3) start the new instances
4) add new entry for release-signing in secrets.pp on master-puppet1
5) ...
6) PROFIT!

Does the plan look accurate?
1.5) convert signcode keys
Attachment #589606 - Flags: review?(catlee)
Attachment #589606 - Flags: review?(catlee) → review+
(In reply to Rail Aliiev [:rail] from comment #2)
> The plan:
>
> 1) let puppet set up the master

Done.

> 1.5) convert signcode keys

Done. Had to use a workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=509158#c36, I had problems running

  openssl x509 -in MozAuthenticode.spc -inform DER -text

which was complaining about wrong format.

  openssl pkcs7 -inform DER -in MozAuthenticode.spc -print_certs -out certs.pem
  openssl x509 -in certs.pem -outform DER -out cert.cer
  cert2spc cert.cer MozAuthenticode.spc

> 2) put the release keys on the servers

Still need to figure out how to import (if we need) production keys using NSS utils into secrets/mar.

I tried to import existing signcode key, but without success:

  certutil -d secrets/mar -N
  certutil -d mar -A -n rel1 -t ",,u" -i /path/to/cert.cer # generated above

When I try to start the server it fails:

  2012-01-23 12:16:00,173 - Running ['/home/cltsign/instances/rel-key-signing-server/bin/signmar', '-d', '/home/cltsign/instances/rel-key-signing-server/secrets/mar', '-n', 'rel1', '-s', '/home/cltsign/instances/rel-key-signing-server/test-files/test.mar', '/tmp/tmpvNJekz/test.mar.tmp']
  2012-01-23 12:16:00,182 - ERROR: Could not find private key
  ERROR: NSSSignBegin failed

> 3) start the new instances

TBD when 2) is done.

> 4) add new entry for release-signing in secrets.pp on master-puppet1

Done.
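Added example, not part of the original comment or of the signing server's code: a preflight check for the "Could not find private key" failure logged in the comment above. `certutil -A` adds only a certificate to the database, so the check confirms that the nickname has both a certificate and a private key listed by `certutil -K`; the function names, the optional password-file argument and the sample `certutil -K` listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug): preflight check for an NSS signing DB.
# Function names and sample listings are constructed for illustration.

# Constructed `certutil -K` listings: a DB holding a key for rel1, and a DB
# that only had a certificate added with `certutil -A`.
SAMPLE_WITH_KEY='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2f1d5c0a9b3e4d6f8a7b1c2d3e4f5a6b7c8d9e0f   rel1'
SAMPLE_CERT_ONLY='certutil: no keys found'

# nss_key_listed NICKNAME: reads `certutil -K` output on stdin and succeeds
# only if a private key is listed under NICKNAME (bare or "token:NICKNAME").
nss_key_listed() {
    awk -v nick="$1" '
        /^<[ 0-9]+>/ {
            name = $0
            # Drop the index, key type and key ID columns; keep the nickname.
            sub(/^<[ 0-9]+>[ \t]+[A-Za-z0-9]+[ \t]+[0-9A-Fa-f]+[ \t]+/, "", name)
            sub(/[ \t]+$/, "", name)
            n = length(name) - length(nick)
            if (name == nick || (n > 0 && substr(name, n) == ":" nick)) found = 1
        }
        END { exit !found }
    '
}

# check_signing_db DBDIR NICKNAME [PWFILE]
# Returns 0 if NICKNAME has a certificate and a private key, 1 if the
# certificate is missing, 2 if only the certificate is present.
check_signing_db() {
    db=$1; nick=$2; pwfile=${3:-}
    certutil -L -d "$db" -n "$nick" >/dev/null 2>&1 || {
        echo "no certificate named '$nick' in $db" >&2; return 1; }
    if [ -n "$pwfile" ]; then
        keys=$(certutil -K -d "$db" -f "$pwfile" 2>/dev/null) || true
    else
        keys=$(certutil -K -d "$db" 2>/dev/null) || true
    fi
    printf '%s\n' "$keys" | nss_key_listed "$nick" || {
        echo "certificate '$nick' has no private key in $db" >&2; return 2; }
}
```

Running `check_signing_db secrets/mar rel1` before starting an instance separates a missing certificate (return 1) from a certificate without its key (return 2).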
(In reply to Brian R. Bondy [:bbondy] from https://bugzilla.mozilla.org/show_bug.cgi?id=701087#c3)
> Chris could you provide the primary and backup certs as soon as possible to
> bug 704285? The steps in Comment 1 are exactly how I did my testing, so
> something similar would work best. We'd like to get this landed as soon as
> possible, so the sooner the better.
>
> bsmith can probably help with the details for the certutil commands that
> should be used for production.
>
> I'd also need an example signed mar with both the main private key and the
> backup private key.

bsmith, could you help with importing real certificates into an NSS database? Could we reuse existing Authenticode certificates used for exe/dll signing or should we use something different?
(In reply to Rail Aliiev [:rail] from comment #6)
> (In reply to Brian R. Bondy [:bbondy] from
> https://bugzilla.mozilla.org/show_bug.cgi?id=701087#c3)
> > Chris could you provide the primary and backup certs as soon as possible to
> > bug 704285? The steps in Comment 1 are exactly how I did my testing, so
> > something similar would work best. We'd like to get this landed as soon as
> > possible, so the sooner the better.
> >
> > bsmith can probably help with the details for the certutil commands that
> > should be used for production.
> >
> > I'd also need an example signed mar with both the main private key and the
> > backup private key.
>
> bsmith, could you help with importing real certificates into an NSS database?
> Could we reuse existing Authenticode certificates used for exe/dll signing or
> should we use something different?

We should be using different certificates. The MAR signing keys are completely separate from the authenticode signing.
Ok, I generated a cert using the following commands:

  certutil -d secrets/mar -N
  certutil -d secrets/mar -S -n rel1 -t ",,u" -g 2048 -s "CN=Release MAR singing key" -x
  certutil -L -d secrets/mar -n rel1 -r > release_mar_signing.der

Public key incoming.
Attached file release MAR signing public key (obsolete) (deleted)
I ended up with copying MozAuthenticode.spc file without any conversion. Converted one loses the certification path somehow...
Attachment #591094 - Attachment is patch: false
Attachment #591094 - Attachment mime type: text/plain → application/octet-stream
Comment on attachment 591094 [details] release MAR signing public key Moved to bug 720777.
Attachment #591094 - Attachment is obsolete: true
All done here. Additional steps:

1) copied .gpg directory content from cm-keymaster01 to secrets gpg
2) Amy adjusted nagios checks for running instances for signing servers (from 2 to 3)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
bbondy suggested generating the cert in the past so it would be expired from the beginning: https://bugzilla.mozilla.org/show_bug.cgi?id=720777#c3

On my laptop:

  # disconnect from the Internet so ntpdate stops updating the system clock
  sudo date -s "4 months ago"
  mkdir -p secrets/mar
  certutil -d secrets/mar -N
  certutil -d secrets/mar -S -n rel1 -t ",,u" -g 2048 -s "CN=Release MAR singing key" -x
  certutil -L -d secrets/mar -n rel1 -r > release_mar_signing.der
Product: mozilla.org → Release Engineering