Consider re-signing add-ons in nonprod envs (-dev/stage)

[willdurand]

Once https://github.com/mozilla/addons/issues/9503 is fixed, we should consider re-signing the add-ons in nonprod envs (-dev and stage) since (1) Autograph will sign newly submitted versions with the new certificate, and (2) Firefox will also be updated with this new certificate (Bug 1885349).

This is not necessarily a high-priority issue but OTOH we might want to get the add-ons re-signed to avoid debugging install problems in 6+ months (when we'll have forgotten about this staging certificate update...).

┆Issue is synchronized with this Jira Task

[diox]

Discussed that with @willdurand today and I'm not sure it's a good idea.

Essentially the idea would be to pretend everything on dev/stage has always been signed with the certificate setup from https://github.com/mozilla/addons/issues/9503 (not the new one for https://bugzilla.mozilla.org/show_bug.cgi?id=1882147) instead of whatever we actually used.

• If we want to do this, we should do it very soon, before we swap to the actual new cert
• We currently have a lot of add-ons to resign:
  • 80k add-ons, 118k versions on dev (including soft-deleted)
  • 400k add-ons, 800k versions on stage (including soft-deleted)
• We would have to resign in-place, not bumping the version number, if we want to be fully transparent. We would likely need to do it for every version so that every version remains installable for testing purposes. So we can't re-use the existing resign script.
  • That means we would still have an inconsistency to deal with, the date on the cert would not match the approval date etc.

There seem to be very little benefit - someone from QA correct me if I'm wrong, but I imagine that usually when trying to test installs on dev/stage, QA either uses very specific existing add-ons, or submits entirely new ones. So I'm leaning towards not doing this, unless QA objects.

[diox]

cc @vcarciu @ioanarusiczki

[alexandruschek]

Hello @diox ,

These are preferences that are used for dev and stage in auto: extensions.install.requireBuiltInCerts : False xpinstall.signatures.required : False xpinstall.signatures.dev-root: True extensions.webapi.testing: True ui.popup.disable_autohide: True devtools.console.stdout.content: True extensions.getAddons.discovery.api_url: https://services.addons.allizom.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION% extensions.getAddons.get.url: https://services.addons.allizom.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE% extensions.update.url:

• STAGE: https://versioncheck.allizom.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion=%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%
• DEV: https://versioncheck-dev.allizom.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion=%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%

I'm having trouble on both stage and dev, with installing addons/themes from about:addons page(probably because of the current problem):

Examples of addons/ themes used for dev in installs: Theme: full-moon-kitty Addons: aarafow-molla-mantinch

for STAGE: Theme: japanese-tattoo Addons: stealthy, ghostery

[ioanarusiczki]

@diox

We use existing ones. Lang packs require new submissions because they have strict compatibility.

[diox]

Ok. Do you use any existing ones or specific existing ones ? And do you just install the latest version or do you try installing older versions as well ? If it's only a handful and you just care about the latest version, we could upload new versions.

[willdurand]

xpinstall.signatures.required : False

This should usually be set to true. When set to false, signing is by-passed, which doesn't sound to great when verifying bugs about signing...

[ioanarusiczki]

We can make new submissions and replace the existing data for AMO installs.

I try to figure out something in addon manager though. I'm still on it.

[willdurand]

Please make sure to have enough add-ons signed with the new cert in -dev (and soon stage), e.g. for all kind of add-on types, different badges, etc. because all these add-ons (and versions) will be useful when we'll have to verify the root succession plan.

[diox]

Closing as we've agreed not to automatically resign existing dev/stage add-ons with the cas_cur cert. These will break, so QA will need to replace add-ons they test with "manually".

[KevinMind]

Old Jira Ticket: https://mozilla-hub.atlassian.net/browse/ADDSRV-764