oskirby
commented
4 months ago If this is something we can dynamically set, it would be even more amazing if this determination could be made by product and version. This would allow us to switch to new signing certificates as soon as a client is able to support them without affecting users on older versions of the client.
bhearsum
As part of the complicated root ca succession work for content signatures we will be switching all content signature signing to a new production certificate. One thing we might want to do is keep signing VPN for the old production certificate after GMP is signed with the new one. If we allow for this, we'll need some minor changes to make it possible.
The keyid we sign with in production is currently singular, and defined over here. (stage is overridden in https://github.com/mozilla-services/cloudops-infra/blob/master/projects/balrog/k8s/values/app.yaml). It is turned into an env variable over here. We'll need a second variable if we do this.
In Balrog itself we seem to largely have support for this already? https://github.com/mozilla-releng/balrog/blob/34e84ba2a9a19ac662d354ab059cd7b6d9dcffc0/uwsgi/public.wsgi#L62 is a block for VPN configuration, which includes picking up
AUTOGRAPH_KEYID. The subsequent block for GMP will useAUTOGRAPH_GMP_KEYIDif specifiedAUTOGRAPH_GMP_URLis in the environment, and otherwise fallback toAUTOGRAPH_KEYID. I think the code that consumes these will work as expected. I suggest we do the following in Balrog:public.wsgito allow only overriding the keyid (in fact, I think we can rip out support for using a separate autograph URL and creds)helpers.pylogic works as expected.These would have to be done after or at the same time as the
cloudops-infrachanges, but I don't think anything else would be needed.