SeaMonkey would like to sign their Windows installers and updates, to enable them to support Silent Update. After discussion between Callek, John O'Duinn, Harvey, Mitchell and myself about the best way to do this, the conclusion is as follows: 1) Mozilla should obtain a suitable code signing certificate for SeaMonkey to use 2) SeaMonkey will then be given this certificate to manage the signing on their own infra 3) The certificate should not 'look like' the one RelEng uses to sign Firefox This bug is to get server ops to obtain such a certificate. The only question which remains is to work out exactly what should be in each field of the certificate, particularly the O field (which, I believe, is the one displayed in the relevant UI). This needs to be acceptable to the CA from a legal perspective, but also meet criteria 3. My initial proposal for us to present to the CA for the O field is "Mozilla Foundation, SeaMonkey Project". If they refuse that, it would be good to get some guidance on the parameters they are having to work within. Gerv

CC'ing folks who could help. From what I could figure, this is what needs to be purchased - https://www.verisign.com/code-signing/ The process seems similar to a EV cert purchase.

I don't purchase code certs, no idea how to go about one. mrz? or someone in releng will have a better idea, they use code signing certs all the time.

mrz/joduinn: can you guys get together and figure out who on one of your teams can make this purchase? This bug seems to be bouncing around a lot... Thanks :-) Gerv

(In reply to Gervase Markham [:gerv] from comment #3) > mrz/joduinn: can you guys get together and figure out who on one of your > teams can make this purchase? This bug seems to be bouncing around a lot... > > Thanks :-) > > Gerv Two months have passed, ping?

I didn't know I owned this. IT doesn't manage code-signing certificates. RelEng does, as part of their code signing process. I'd suggest this is something they should own, not IT.

(In reply to matthew zeier [:mrz] from comment #5) > I didn't know I owned this. > > IT doesn't manage code-signing certificates. RelEng does, as part of their > code signing process. I'd suggest this is something they should own, not IT. Found during triage - I'll grab this and make sure it finds an owner.

per irc w/callek: 1) At this time, SeaMonkey does not sign any release builds, and does not have any signing cert for windows. This means users are unable to have background updates or the hotfix addon. 2) SeaMonkey will soon also need an apple signing ID for signing 10.8 builds. Same problem space, so morphing to include. Might as well kill-two-certs-with-one-bug (ahem!).

Instructions documented in bug#677025#c4 and then updated in bug#696775. 1) I've ordered authenticode cert just now for "Mozilla Foundation", "Release Engineering (SeaMonkey)". Order#USMOZIX12. Status still "Pending", although cshields confirmed no emails in hostmaster@m.c at this time. 2) work on OSX signing cert not yet started.

Is there any update on this (at least on the already ordered cert)?

(In reply to Frank Wein [:mcsmurf] from comment #9) > Is there any update on this (at least on the already ordered cert)? Its in joduinn's hands, he was on PTO last week and was in and out of meetings before and after his PTO, we're both working on juggling his calendar to find a time to get it handed to me.

I've got these certs in hand. I'll be handing them off along with the passphrases to Callek today.

Callek has the keys + passphrases now.