No edit summary |
(→Schedule of Signing Rollout: schedule correction) |
||
| (22 intermediate revisions by 4 users not shown) | |||
| Line 2: | Line 2: | ||
Hi. This project is the AMO piece of the larger [https://docs.google.com/a/mozilla.com/document/d/1KhpDteoHFmVRkzlrT8v0N3F-KrPxLoZFM3mWmEmOses/edit Add-on Signature System]. Please read that document so the rest of this wiki page makes sense. | Hi. This project is the AMO piece of the larger [https://docs.google.com/a/mozilla.com/document/d/1KhpDteoHFmVRkzlrT8v0N3F-KrPxLoZFM3mWmEmOses/edit Add-on Signature System]. Please read that document so the rest of this wiki page makes sense. | ||
== Meetings == | |||
*the Add-On Signing Team meets Fridays at 16:00 UTC (9am Pacific). Meeting minutes are archived [https://wiki.mozilla.org/AMO/SigningService/Meetings here] | |||
== Signing Architecture == | |||
We will need to modify several pieces of AMO and its libraries in order to accommodate this new system. Those changes are roughly laid out below and divided up into phases. See the diagram below (which compares to Marketplace for a reference) for a high level view: | We will need to modify several pieces of AMO and its libraries in order to accommodate this new system. Those changes are roughly laid out below and divided up into phases. See the diagram below (which compares to Marketplace for a reference) for a high level view: | ||
| Line 20: | Line 25: | ||
== Roadmap == | == Roadmap == | ||
=== Schedule of Signing Rollout === | |||
(updated September 15, 2015) | |||
* Firefox 40-42: Firefox warns about signatures but doesn't enforce them. | |||
* Firefox 43: Firefox will have a preference that allows signature enforcement to be disabled (xpinstall.signatures.required in about:config). | |||
* Firefox 44: Release and Beta versions of Firefox will not allow unsigned extensions to be installed, with no override. | |||
=== Phase 1: Signing with Trunion=== | === Phase 1: Signing with Trunion=== | ||
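Review bot: The Firefox 43 bullet names the override preference (xpinstall.signatures.required) but does not say what the default is in that release, so a reader cannot tell from the list whether 43 enforces signatures or only warns as 40-42 do. State the default explicitly in that bullet. The Firefox 44 bullet names only Release and Beta; say what applies to the other channels so the schedule is complete.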
| Line 25: | Line 37: | ||
|- | |- | ||
! Current Status | ! Current Status | ||
| <span style="color:green; font-weight:bold"> | | <span style="color:green; font-weight:bold">Done</span> | ||
|- | |- | ||
! Owners | ! Owners | ||
| Ryan Tilder | | Ryan Tilder | ||
|} | |} | ||
| Line 53: | Line 65: | ||
* Modifying Trunion to send meta-data about what it signed (at least the certificate serial number) | * Modifying Trunion to send meta-data about what it signed (at least the certificate serial number) | ||
* Modifying Trunion to generate certs on-the-fly | * Modifying Trunion to generate certs on-the-fly | ||
[[AMO/SigningService/API|See API Documentation]] | |||
Open Bugs: | Open Bugs: | ||
| Line 58: | Line 72: | ||
{ | { | ||
"blocks": "1070152", | "blocks": "1070152", | ||
"include_fields": "id, priority, status, summary" | "include_fields": "id, priority, status, summary", | ||
"status": ["UNCONFIRMED", "ASSIGNED", "NEW", "REOPENED"] | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
| Line 72: | Line 87: | ||
Open Questions: | Open Questions: | ||
* How do we push updates to all existing add-ons after they are signed? Updating to a new version number may be necessary. | * How do we push updates to all existing add-ons after they are signed? Updating to a new version number may be necessary. ([andym] is this still a valid question, or has it been answered?) | ||
Tracking bug: {{Bugzilla|1070153}} | |||
Open Bugs: | Open Bugs: | ||
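Review bot: The bracketed "[andym] is this still a valid question, or has it been answered?" is a reviewer query left inline in the Open Questions bullet. Move it to the tracking bug added just below (1070153) or to the talk page, and either answer the question in the bullet or remove the bullet, so the page does not carry an unresolved editorial comment.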
| Line 78: | Line 95: | ||
{ | { | ||
"blocks": "1070153", | "blocks": "1070153", | ||
"include_fields": "id, priority, status, summary" | "include_fields": "id, priority, status, summary", | ||
"status": ["UNCONFIRMED", "ASSIGNED", "NEW", "REOPENED"] | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
| Line 87: | Line 105: | ||
|- | |- | ||
! Current Status | ! Current Status | ||
| <span style="color: | | <span style="color:green; font-weight:bold">Wontfixed</span> | ||
|} | |} | ||
| Line 106: | Line 124: | ||
{ | { | ||
"blocks": "1070154", | "blocks": "1070154", | ||
"include_fields": "id, priority, status, summary" | "include_fields": "id, priority, status, resolution, summary", | ||
"status": ["UNCONFIRMED", "ASSIGNED", "NEW", "REOPENED"] | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
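Review bot: This query adds "resolution" to include_fields while the status filter added on the next line restricts results to UNCONFIRMED, ASSIGNED, NEW and REOPENED, which are open states where the resolution is empty. The other queries in this revision keep "id, priority, status, summary"; either drop resolution here for consistency, or widen the status list if resolved bugs are meant to be listed for this phase.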
| Line 115: | Line 134: | ||
|- | |- | ||
! Current Status | ! Current Status | ||
| <span style="color:green; font-weight:bold"> | | <span style="color:green; font-weight:bold">Closing bugs</span> | ||
|} | |} | ||
| Line 125: | Line 144: | ||
{ | { | ||
"blocks": "1122114", | "blocks": "1122114", | ||
"include_fields": "id, priority, status, summary" | "include_fields": "id, priority, status, summary", | ||
"status": ["UNCONFIRMED", "ASSIGNED", "NEW", "REOPENED"] | |||
} | |||
</bugzilla> | |||
=== Phase 5: Code Deployment === | |||
{| | |||
|- | |||
! Current Status | |||
| <span style="color:green; font-weight:bold">Donesies</span> | |||
|} | |||
Open Bugs (note private bugs won't show up here): | |||
<bugzilla> | |||
{ | |||
"blocks": "1130124", | |||
"include_fields": "id, priority, status, summary", | |||
"status": ["UNCONFIRMED", "ASSIGNED", "NEW", "REOPENED"] | |||
} | } | ||
</bugzilla> | </bugzilla> | ||
== Usage == | |||
There's two management commands to manually sign add-ons: | |||
===sign_addons=== | |||
This can be used to sign a list of add-ons, by providing their IDs: | |||
'''python manage.py sign_addons 123 124 125''' | |||
===process_addons=== | |||
This is a more general management command that can run tasks on every add-on: | |||
'''python manage.py process_addons --task sign_addons''' | |||
Running this will sign each add-on. Celery tasks will be used. | |||
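Review bot: The process_addons paragraph says "Running this will sign each add-on" but the new Usage section does not say whether add-ons that already carry a signature are skipped or re-signed, or how an operator confirms the outcome of the Celery tasks it queues. Add a sentence covering both, since this command acts on every add-on rather than a chosen list. Minor: "There's two management commands" should read "There are two management commands".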