Autograph#
We currently use Autograph to sign our files with a number of our signing formats. Occasionally the autograph team will ask us to test to make sure things are working properly.
Testing Autograph Stage#
We currently use Autograph to sign our files with a number of our signing formats. In CI, we point at autograph-prod, to avoid having autograph-stage changes or availability affect production CI, nightlies, or releases.
However, sometimes the Autograph team needs to make changes to autograph-stage, and want us to verify that it still works for us. Here’s how.
Autograph-stage mar signing test#
There is a tier 3 task that doesn’t run automatically. This task,
mar-signing-autograph-stage-linux64-nightly/opt
, can be added to a push
that has run nightly builds and repackage tasks.
With indexes#
First, go to the latest Firefox desktop index. Click on View Task
. Click on Task Group
at the top left to go to the taskgroup view.
Make sure you’re signed in, then click on the three dots in the lower right hand corner. Add new jobs
. Add mar-signing-autograph-stage-linux64-shippable/opt
to the list of tasks in the input so it looks like:
tasks: [mar-signing-autograph-stage-linux64-shippable/opt]
times: 1
Click Add new jobs
in the lower left. Once the task finishes, click on the log. You’ll see a line like:
[task 2020-09-08T20:12:48.698Z] Creating task with taskId Z6FmfYVCRpOimAafnoziKQ for mar-signing-autograph-stage-linux64-shippable/opt
In which case, check task Z6FmfYVCRpOimAafnoziKQ
for status. Report back to the bug.
With treeherder#
First, go to mozilla-central treeherder. Make sure you’re logged in (top right).
Find the push with the most recent finished successful nightly. (It may be
easiest to search for nightly
).
On this push, click the down-arrow at the top right of the push. Choose
Add new jobs
. The push will now show all the unscheduled jobs.
Find the autograph-stage mar-signing test job. It will be in the
Linux x64 opt
row, with the ms-stage(N)
symbol. Click on it. It should
change colors to a dark grey.
Go back up to the top right of the push. Choose Trigger New Jobs
. Assuming
you’ve selected the right job, and you have the right scopes, it should now
create an add-new
action task that triggers the autograph-stage mar-signing
task.
You can either watch treeherder or the taskcluster task. The task will be in
the on-push graph. The treeherder view may require you to enable tier 3
in the Tiers
menu at the top right of the page.
Once the mar-signing-autograph-stage-linux64-nightly/opt
task goes green,
we know that autograph-stage has signed the mar, and signingscript has verified
that the signature matches the autograph-stage mar public key. Report back to
#autograph
on irc that it has passed.
Testing Autograph Prod#
Once we roll out to prod, we want to make sure everything still works.
Autograph-prod mar signing test#
To test autograph-prod mar-signing, find a recent (but ideally not the most-recent) nightly graph. Find a mar-signing task in that graph.
To retrigger it via treeherder:
sign in to mozilla-central treeherder (top right of the page)
click on the task
find the
...
menu in the lower left of the page, click on itchoose
Custom Action
choose
Retrigger
click
Trigger
in the lower right
(A retrigger here is preferable to a rerun, because it won’t affect chain of trust verification for the rest of the graph.)
Make sure this task runs green. If it goes green, then the task signed the mar file(s) via autograph-prod, and verified the signature matches the public key.