Closed Bug 792284 Opened 12 years ago Closed 12 years ago

Please sign the OS X 10.5 EOL hotfix XPI (v20120817.01)

Categories: Release Engineering :: Release Requests, defect
Hardware: All
OS: macOS
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
People: Reporter: MattN, Assigned: bhearsum
Attachments: 2 files

Please sign hotfix v20120817.01 from https://hg.mozilla.org/users/dtownsend_mozilla.com/hotfixes

Package instructions (feel free to improve the Makefile):

hg clone https://hg.mozilla.org/users/dtownsend_mozilla.com/hotfixes
cd hotfixes
HOTFIX=v20120817.01 make package

Then sign the XPI at build/hotfix-v20120817.01.xpi

Run |make| from the hotfixes directory for a list of targets (package & clean) with descriptions.

We'd like to QA the hotfix early next week.

Thanks

We've never signed an OSX hotfix before. Which keys should be used to sign this? We have converted Windows Authenticode keys that have been used in the past to sign hotfix XPIs. The OSX binaries themselves are signed with keys purchased from Apple.

IIRC, Firefox accepts just the Windows Authenticode keys' certs, so we would sign the XPIs with those.

(In reply to Chris AtLee [:catlee] from comment #1)

It should be the same type of keys as bug 747044 as I only see one pref extensions.hotfix.certs.1.sha1Fingerprint which says the sha1 fingerprint is F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45

Defined at https://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js?rev=414b774c927b#60

I built the hotfix using the instructions from comment #0 (in the future, it would be helpful to have a prebuilt one attached to the bug).
Signed it with the directions from https://intranet.mozilla.org/RelEngWiki/index.php/Signing#XPI_Signing_2

Will be attaching it momentarily.
Assignee: nobody → bhearsum

Attached file signed hotfix (deleted) —
I'd appreciate extra verification on this - it's the first one that was signed on our new signing machine.

(In reply to Ben Hearsum [:bhearsum] from comment #3)
> I built the hotfix using the instructions from comment #0 (in the future, it
> would be helpful to have a prebuilt one attached to the bug).

I intentionally didn't attach the XPI because there was a concern from Gavin with the last hotfix signing that RelEng shouldn't be signing arbitrary hotfixes because there's a chance it doesn't match what was reviewed and was checked-in.  The idea is that people watch the commits in the repo and are more likely to notice something malicious compared to inspecting a binary file attached to a bug.

(In reply to Ben Hearsum [:bhearsum] from comment #4)
> I'd appreciate extra verification on this - it's the first one that was
> signed on our new signing machine.

The simple test of just installing the XPI normally showed that the hotfix was signed by Mozilla Corporation.  We'll find out from QA in bug 774509 whether this works end-to-end starting with the AMO hotfix ping.

Thanks

Attached image modal dialog during installation (deleted) —

Installation of the add-on hotfix seems to go fine, but when I run the "codesign -vv" command on the actual xpi file, it says the code object isn't signed. Should it have validated it in the terminal?
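An XPI is a JAR-style archive whose signature is a PKCS#7 SignedData blob under META-INF/, so Apple's codesign (which looks for a Mach-O or bundle signature) reports nothing for it. The following is an added example, not part of this bug or of Mozilla's signing tooling: it pulls the certificates out of META-INF/*.rsa and compares their SHA-1 fingerprints with the extensions.hotfix.certs.1.sha1Fingerprint value quoted in comment 2. It checks only which certificate is embedded, not the signature itself (Firefox verifies that at install time); the assumption that the signature block is named *.rsa is mine.

```python
import hashlib
import zipfile

# Value of extensions.hotfix.certs.1.sha1Fingerprint quoted in comment 2.
EXPECTED_FINGERPRINT = "F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45"
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def der_tlv(buf, pos=0):
    """Decode one definite-length DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, _, end = der_tlv(value, pos)
        yield tag, value[pos:end]
        pos = end

def pkcs7_cert_fingerprints(blob):
    """Colon-separated SHA-1 fingerprints of every certificate in a PKCS#7 SignedData blob."""
    tag, content_info, _ = der_tlv(blob)
    kids = list(der_children(content_info))
    if tag != 0x30 or der_tlv(kids[0][1])[1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    signed_data = der_tlv(der_tlv(kids[1][1])[1])[1]  # [0] EXPLICIT SignedData
    fps = []
    for tag, raw in der_children(signed_data):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate (optional)
            for _, cert in der_children(der_tlv(raw)[1]):
                hexdigest = hashlib.sha1(cert).hexdigest().upper()
                fps.append(":".join(hexdigest[i:i + 2] for i in range(0, 40, 2)))
    return fps

def check_hotfix_xpi(xpi_file, expected=EXPECTED_FINGERPRINT):
    """Return (fingerprints found in META-INF/*.rsa, whether one matches expected)."""
    found = []
    with zipfile.ZipFile(xpi_file) as xpi:
        for name in xpi.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".RSA"):
                found += pkcs7_cert_fingerprints(xpi.read(name))
    return found, expected in found
```

An unsigned XPI has no META-INF/*.rsa entry and yields an empty list, so a False result distinguishes "wrong certificate" from "not signed at all" by whether any fingerprint was found.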

(In reply to Matthew N. [:MattN] from comment #5)
> (In reply to Ben Hearsum [:bhearsum] from comment #3)
> > I built the hotfix using the instructions from comment #0 (in the future, it
> > would be helpful to have a prebuilt one attached to the bug).
> 
> I intentionally didn't attach the XPI because there was a concern from Gavin
> with the last hotfix signing that RelEng shouldn't be signing arbitrary
> hotfixes because there's a chance it doesn't match what was reviewed and was
> checked-in.  The idea is that people watch the commits in the repo and are
> more likely to notice something malicious compared to inspecting a binary
> file attached to a bug.

OK. We should probably have a more formal process for building these at some point. This is fine for now.

> (In reply to Ben Hearsum [:bhearsum] from comment #4)
> > I'd appreciate extra verification on this - it's the first one that was
> > signed on our new signing machine.
> 
> The simple test of just installing the XPI normally showed that the hotfix
> was signed by Mozilla Corporation.  We'll find out from QA in bug 774509
> whether this works end-to-end starting with the AMO hotfix ping.
> 

Excellent! I think this means we're all done here?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering