We currently use Autograph to sign our files with a number of our signing formats. Occasionally the autograph team will ask us to test to make sure things are working properly.
Testing Autograph Stage#
We currently use Autograph to sign our files with a number of our signing formats. In CI, we point at autograph-prod, to avoid having autograph-stage changes or availability affect production CI, nightlies, or releases.
However, sometimes the Autograph team needs to make changes to autograph-stage, and want us to verify that it still works for us. Here’s how.
Autograph-stage mar signing test#
There is a tier 3 task that doesn’t run automatically. This task,
mar-signing-autograph-stage-linux64-nightly/opt, can be added to a push
that has run nightly builds and repackage tasks.
First, go to the latest Firefox desktop index. Click on
View Task. Click on
Task Group at the top left to go to the taskgroup view.
Make sure you’re signed in, then click on the three dots in the lower right hand corner.
Add new jobs. Add
mar-signing-autograph-stage-linux64-shippable/opt to the list of tasks in the input so it looks like:
Add new jobs in the lower left. Once the task finishes, click on the log. You’ll see a line like:
[task 2020-09-08T20:12:48.698Z] Creating task with taskId Z6FmfYVCRpOimAafnoziKQ for mar-signing-autograph-stage-linux64-shippable/opt
In which case, check task
Z6FmfYVCRpOimAafnoziKQ for status. Report back to the bug.
First, go to mozilla-central treeherder. Make sure you’re logged in (top right).
Find the push with the most recent finished successful nightly. (It may be
easiest to search for
On this push, click the down-arrow at the top right of the push. Choose
Add new jobs. The push will now show all the unscheduled jobs.
Find the autograph-stage mar-signing test job. It will be in the
Linux x64 opt row, with the
ms-stage(N) symbol. Click on it. It should
change colors to a dark grey.
Go back up to the top right of the push. Choose
Trigger New Jobs. Assuming
you’ve selected the right job, and you have the right scopes, it should now
add-new action task that triggers the autograph-stage mar-signing
You can either watch treeherder or the taskcluster task. The task will be in
the on-push graph. The treeherder view may require you to enable
Tiers menu at the top right of the page.
mar-signing-autograph-stage-linux64-nightly/opt task goes green,
we know that autograph-stage has signed the mar, and signingscript has verified
that the signature matches the autograph-stage mar public key. Report back to
#autograph on irc that it has passed.
Testing Autograph Prod#
Once we roll out to prod, we want to make sure everything still works.
Autograph-prod mar signing test#
To test autograph-prod mar-signing, find a recent (but ideally not the most-recent) nightly graph. Find a mar-signing task in that graph.
To retrigger it via treeherder:
sign in to mozilla-central treeherder (top right of the page)
click on the task
...menu in the lower left of the page, click on it
Triggerin the lower right
(A retrigger here is preferable to a rerun, because it won’t affect chain of trust verification for the rest of the graph.)
Make sure this task runs green. If it goes green, then the task signed the mar file(s) via autograph-prod, and verified the signature matches the public key.