ReleaseEngineering/Testing a new Signing Server


When a new Signing Server is set up, it's helpful to verify it before putting it into production service. One way of doing this is to set up a dev master and point it at the new signing server(s). If that's too much trouble, you can hack the build system to do it instead. Here's an example from when new mac-v2-signing servers were tested:

diff --git a/toolkit/mozapps/installer/upload-files.mk b/toolkit/mozapps/installer/upload-files.mk
--- a/toolkit/mozapps/installer/upload-files.mk
+++ b/toolkit/mozapps/installer/upload-files.mk
@@ -556,7 +556,7 @@ MAKE_SDK = $(CREATE_FINAL_TAR) - $(MOZ_A
 endif
 
 ifdef MOZ_INTERNAL_SIGNING_FORMAT
-MOZ_SIGN_PREPARED_PACKAGE_CMD=$(MOZ_SIGN_CMD) $(foreach f,$(MOZ_INTERNAL_SIGNING_FORMAT),-f $(f)) $(foreach i,$(SIGN_INCLUDES),-i $(i)) $(foreach x,$(SIGN_EXCLUDES),-x $(x))
+MOZ_SIGN_PREPARED_PACKAGE_CMD=python /builds/slave/try-m64-0000000000000000000000/build/tools/release/signing/signtool.py -v --cachedir /builds/slave/try-m64-0000000000000000000000/build/signing_cache -t /builds/slave/try-m64-0000000000000000000000/token -n /builds/slave/try-m64-0000000000000000000000/nonce -c /builds/slave/try-m64-0000000000000000000000/build/tools/release/signing/host.cert -H gpg:sha2signcode:osslsigncode:signcode:mar:jar:b2gmar:emevoucher:signing4.srv.releng.scl3.mozilla.com:9110 -H gpg:sha2signcode:osslsigncode:signcode:mar:jar:b2gmar:emevoucher:signing5.srv.releng.scl3.mozilla.com:9110 -H gpg:sha2signcode:osslsigncode:signcode:mar:jar:b2gmar:emevoucher:signing6.srv.releng.scl3.mozilla.com:9110 -H dmgv2:mac-v2-signing6.srv.releng.scl3.mozilla.com:9110 $(foreach f,$(MOZ_INTERNAL_SIGNING_FORMAT),-f $(f)) $(foreach i,$(SIGN_INCLUDES),-i $(i)) $(foreach x,$(SIGN_EXCLUDES),-x $(x))
 ifeq (WINNT,$(OS_ARCH))
 MOZ_SIGN_PREPARED_PACKAGE_CMD += --nsscmd '$(_ABS_DIST)/bin/shlibsign$(BIN_SUFFIX) -v -i'
 endif
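Review bot: The `+` line for `MOZ_SIGN_PREPARED_PACKAGE_CMD` hard-codes one try slave's build directory for signtool.py, the cache, the token, the nonce and host.cert, so it only resolves on the machine whose log it was copied from. The same literal is repeated in the second hunk's `MOZ_SIGN_PACKAGE_CMD`. Defining the expanded command once in a new variable (for example `TEST_SIGN_CMD=...`) and writing `MOZ_SIGN_PREPARED_PACKAGE_CMD=$(TEST_SIGN_CMD) $(foreach f,...)` in both places keeps the `-H` host list in one spot, so the two rules cannot drift apart. Only the `-H dmgv2:` entry names the new host; the other formats still list signing4/5/6, so this override exercises the new server for dmgv2 only. A marker comment above each override, such as `# TEMPORARY: signing-server test override, do not land`, would make the intent obvious if the patch leaks beyond the test push.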
@@ -564,7 +564,7 @@ endif
 
 # For final GPG / authenticode signing / dmg signing if required
 ifdef MOZ_EXTERNAL_SIGNING_FORMAT
-MOZ_SIGN_PACKAGE_CMD=$(MOZ_SIGN_CMD) $(foreach f,$(MOZ_EXTERNAL_SIGNING_FORMAT),-f $(f))
+MOZ_SIGN_PACKAGE_CMD=python /builds/slave/try-m64-0000000000000000000000/build/tools/release/signing/signtool.py -v --cachedir /builds/slave/try-m64-0000000000000000000000/build/signing_cache -t /builds/slave/try-m64-0000000000000000000000/token -n /builds/slave/try-m64-0000000000000000000000/nonce -c /builds/slave/try-m64-0000000000000000000000/build/tools/release/signing/host.cert -H gpg:sha2signcode:osslsigncode:signcode:mar:jar:b2gmar:emevoucher:signing4.srv.releng.scl3.mozilla.com:9110 -H gpg:sha2signcode:osslsigncode:signcode:mar:jar:b2gmar:emevoucher:signing5.srv.releng.scl3.mozilla.com:9110 -H gpg:sha2signcode:osslsigncode:signcode:mar:jar:b2gmar:emevoucher:signing6.srv.releng.scl3.mozilla.com:9110 -H dmgv2:mac-v2-signing6.srv.releng.scl3.mozilla.com:9110 $(foreach f,$(MOZ_EXTERNAL_SIGNING_FORMAT),-f $(f))
 endif
 
 ifdef MOZ_SIGN_PREPARED_PACKAGE_CMD

The key thing to notice here is that $(MOZ_SIGN_CMD) has been replaced with the fully expanded sign command, copied out of a try build log. That command was then tweaked so that its dmgv2 entry points at the new signing server (mac-v2-signing6) instead of the existing ones.