Skip to content

Manual Rollout with Puppet

Jump to bottom
Ben Hearsum edited this page Jan 15, 2021 · 27 revisions

Imaging and puppetizing

For imaging, see this page.

  • As of 2020.04.15, this automatically puppetizes the machine. However, it's busted due to an issue around widevine?
  • As of 2020.04.20, widevine is fixed with this commit on the notarization-poller branch.
  • As of 2020.06.18, v3 ronin_puppet now works, with python 3.8. Details here.
  • As of 2010.07.15, it looks like production puppet now works for poller and scriptworker, with python 3.8, for everything but the 4 secrets in certs/ and starting up the launchctl services. Dep signing puppetization is currently broken. Set these up by hand.

This will create the following files:

  • /var/root/bootstrap_mojave.sh which contains the logic for puppetizing
  • /var/root/vault.yaml with the secrets

It's missing the /etc/puppet directory.

Notarization rollout

Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to manually perform a few steps.

Some of the secrets are in the releng passwords repo, notarization-*.

Some of the files below may already exist thanks to Puppet, but they will contain dummy values This is so that we can deploy them with puppet later, after secrets safety is assessed in more depth.

dep

Note: Dep signing puppetization is currently broken. Set these up by hand.

Requires

  • widevine_dep.crt
  • dep-signing.keychain

Steps

for username in depbld1 depbld2 tbbld; do 
  cp widevine_dep.crt /builds/${username}/certs/
  cp dep-signing.keychain /builds/${username}/certs/
  chown ${user} /builds/${username}/certs/* 
done

launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld1.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld2.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.tbbld.plist

Firefox and Thunderbird Production

Requires

  • widevine_prod.crt
  • nightly-signing.keychain
  • release-signing.keychain
  • ed25519_privkey

Steps

  • Copy all the above files to /builds/scriptworker/certs/
    • The simplest way to do this is to tar up this directory from an existing scriptworker of the same type
    • ed25519_privkey must have no EOL. If you create it by editing it, make sure to perl -pi -e 'chomp if eof' ed25519_privkey
  • chown cltbld /builds/scriptworker/certs/*
  • chmod 400 /builds/scriptworker/certs/*
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.cltbld.plist
launchctl load /Library/LaunchDaemons/org.mozilla.notarization_poller.poller.plist
Clone this wiki locally