Closed bhearsum closed 4 months ago
If this is something we can dynamically set, it would be even more amazing if this determination could be made by product and version. This would allow us to switch to new signing certificates as soon as a client is able to support them without affecting users on older versions of the client.
We spoke about this on Slack as well - I agree that if we're going to do anything here, we should do that.
Fixed by #3110
As part of the complicated root ca succession work for content signatures we will be switching all content signature signing to a new production certificate. One thing we might want to do is keep signing VPN for the old production certificate after GMP is signed with the new one. If we allow for this, we'll need some minor changes to make it possible.
The keyid we sign with in production is currently singular, and defined over here. (stage is overridden in https://github.com/mozilla-services/cloudops-infra/blob/master/projects/balrog/k8s/values/app.yaml). It is turned into an env variable over here. We'll need a second variable if we do this.
In Balrog itself we seem to largely have support for this already? https://github.com/mozilla-releng/balrog/blob/34e84ba2a9a19ac662d354ab059cd7b6d9dcffc0/uwsgi/public.wsgi#L62 is a block for VPN configuration, which includes picking up
AUTOGRAPH_KEYID
. The subsequent block for GMP will useAUTOGRAPH_GMP_KEYID
if specifiedAUTOGRAPH_GMP_URL
is in the environment, and otherwise fallback toAUTOGRAPH_KEYID
. I think the code that consumes these will work as expected. I suggest we do the following in Balrog:public.wsgi
to allow only overriding the keyid (in fact, I think we can rip out support for using a separate autograph URL and creds)helpers.py
logic works as expected.These would have to be done after or at the same time as the
cloudops-infra
changes, but I don't think anything else would be needed.