-
Notifications
You must be signed in to change notification settings - Fork 28
Manual Rollout with Puppet
Nick Thomas edited this page Oct 24, 2019
·
27 revisions
Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to manually perform a few steps.
Some of the secrets are in the releng passwords repo, notarization-*
.
Some of the files below may already exist thanks to Puppet, but they will contain dummy values This is so that we can deploy them with puppet later, after secrets safety is assessed in more depth.
widevine_dep.crt
dep-signing.keychain
for username in depbld1 depbld2 tbbld; do
cp widevine_dep.crt /builds/${username}/certs/
cp dep-signing.keychain /builds/${username}/certs/
chown ${user} /builds/${username}/certs/*
done
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld1.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.depbld2.plist
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.tbbld.plist
widevine_prod.crt
nightly-signing.keychain
release-signing.keychain
ed25519_privkey
- Copy all the above files to
/builds/cltbld/certs/
-
ed25519_privkey
must have no EOL. If you create it by editing it, make sure toperl -pi -e 'chomp if eof' ed25519_privkey
-
chown cltbld /builds/cltbld/certs/*
chmod 400 /builds/cltbld/certs/*
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.cltbld.plist
widevine_prod.crt
nightly-signing.keychain
release-signing.keychain
ed25519_privkey
- Copy all the above files to
/builds/cltbld/certs/
-
ed25519_privkey
must have no EOL. If you create it by editing it, make sure toperl -pi -e 'chomp if eof' ed25519_privkey
-
chown tbbld /builds/cltbld/certs/*
chmod 400 /builds/cltbld/certs/*
launchctl load /Library/LaunchDaemons/org.mozilla.scriptworker.cltbld.plist