Closed willdurand closed 6 months ago
Discussed that with @willdurand today and I'm not sure it's a good idea.
Essentially the idea would be to pretend everything on dev/stage has always been signed with the certificate setup from https://github.com/mozilla/addons/issues/9503 (not the new one for https://bugzilla.mozilla.org/show_bug.cgi?id=1882147) instead of whatever we actually used.
There seem to be very little benefit - someone from QA correct me if I'm wrong, but I imagine that usually when trying to test installs on dev/stage, QA either uses very specific existing add-ons, or submits entirely new ones. So I'm leaning towards not doing this, unless QA objects.
cc @vcarciu @ioanarusiczki
Hello @diox ,
These are preferences that are used for dev and stage in auto: extensions.install.requireBuiltInCerts : False xpinstall.signatures.required : False xpinstall.signatures.dev-root: True extensions.webapi.testing: True ui.popup.disable_autohide: True devtools.console.stdout.content: True extensions.getAddons.discovery.api_url: https://services.addons.allizom.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION% extensions.getAddons.get.url: https://services.addons.allizom.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE% extensions.update.url:
I'm having trouble on both stage and dev, with installing addons/themes from about:addons page(probably because of the current problem):
Examples of addons/ themes used for dev in installs: Theme: full-moon-kitty Addons: aarafow-molla-mantinch
for STAGE: Theme: japanese-tattoo Addons: stealthy, ghostery
@diox
We use existing ones. Lang packs require new submissions because they have strict compatibility.
Ok. Do you use any existing ones or specific existing ones ? And do you just install the latest version or do you try installing older versions as well ? If it's only a handful and you just care about the latest version, we could upload new versions.
xpinstall.signatures.required : False
This should usually be set to true
. When set to false
, signing is by-passed, which doesn't sound to great when verifying bugs about signing...
We can make new submissions and replace the existing data for AMO installs.
I try to figure out something in addon manager though. I'm still on it.
Please make sure to have enough add-ons signed with the new cert in -dev (and soon stage), e.g. for all kind of add-on types, different badges, etc. because all these add-ons (and versions) will be useful when we'll have to verify the root succession plan.
Closing as we've agreed not to automatically resign existing dev/stage add-ons with the cas_cur
cert. These will break, so QA will need to replace add-ons they test with "manually".
Old Jira Ticket: https://mozilla-hub.atlassian.net/browse/ADDSRV-764
Once https://github.com/mozilla/addons/issues/9503 is fixed, we should consider re-signing the add-ons in nonprod envs (-dev and stage) since (1) Autograph will sign newly submitted versions with the new certificate, and (2) Firefox will also be updated with this new certificate (Bug 1885349).
This is not necessarily a high-priority issue but OTOH we might want to get the add-ons re-signed to avoid debugging install problems in 6+ months (when we'll have forgotten about this staging certificate update...).
┆Issue is synchronized with this Jira Task