Merge pull request #6 from rail/verify_mar_signatures

Bug 1176309 - Verify MAR signatures

docker/funsize-update-generator/Dockerfile

@@ -1,9 +1,9 @@
-FROM ubuntu:trusty
+FROM ubuntu:vivid
 MAINTAINER Rail Aliiev <rail@mozilla.com>
 
 # Required software
 ENV DEBIAN_FRONTEND noninteractive
-RUN apt-get update -q && apt-get install -yyq python python-pip
+RUN apt-get update -q && apt-get install -yyq python python-pip python-cryptography
 RUN useradd -d /home/worker -s /bin/bash -m worker
 COPY requirements.txt /tmp/
 RUN pip install -r /tmp/requirements.txt
@@ -16,6 +16,8 @@ RUN mkdir /home/worker/bin
 COPY scripts/* /home/worker/bin/
 COPY runme.sh /runme.sh
 RUN chmod 755 /home/worker/bin/* /runme.sh
+RUN mkdir /home/worker/keys
+COPY *.pubkey /home/worker/keys/
 
 ENV           HOME          /home/worker
 ENV           SHELL         /bin/bash

docker/funsize-update-generator/Makefile

@@ -7,3 +7,8 @@ build:
 
 push:
 	docker push $(FULL_IMAGE_NAME)
+
+update_pubkeys:
+	curl https://hg.mozilla.org/mozilla-central/raw-file/default/toolkit/mozapps/update/updater/nightly_aurora_level3_primary.der | openssl x509 -inform DER -pubkey -noout > nightly.pubkey
+	curl https://hg.mozilla.org/mozilla-central/raw-file/default/toolkit/mozapps/update/updater/dep1.der | openssl x509 -inform DER -pubkey -noout > dep.pubkey
+	curl https://hg.mozilla.org/mozilla-central/raw-file/default/toolkit/mozapps/update/updater/release_primary.der | openssl x509 -inform DER -pubkey -noout > release.pubkey

docker/funsize-update-generator/dep.pubkey

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzjHSobdeiQ3JHP/cCIOp
+WaX9y12rL5mIo9OR9bpqEZdD0yXJJJeZA887Mv8slqsM+qObMUpKvfEE6zyYPIZJ
+ANib31neI5BBYHhfhf2f5EnkilSYlmU3Gx+uRsmsdt58PpYe124tOAGgca/8bUy3
+eb6kUUTwvMI0oWQuPkGUaoHVQyj/bBMTrIkyF3UbfFtiX/SfOPvIoabNUe+pQHUe
+pqC2+RxzDGj+shTq/hYhtXlptFzsEEb2+0foLy0MY8C30dP2QqbM2iavvr/P8OcS
+Gm3H0TQcRzIEBzvPcIjiZi1nQj/r/3TlYRNCjuYT/HsNLXrB/U5Tc990jjAUJxdH
+0wIDAQAB
+-----END PUBLIC KEY-----

docker/funsize-update-generator/nightly.pubkey

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4j/IS3gWbyVVnWn4ZRnC
+Fuzb6VAaHa0I+4E504ekhVAhbKlSfBstkLbXajdjUVAJpn02zWnOaTl5KAdpDpIp
+SkdA4mK20ej3/Ij7gIt8IwaX+ArXL8mP84pxDn5BgaNADm3206Z6YQzc/TDYu529
+qkDFmLqNUVRJAhPO+qqhKHIcVGh8HUHXN6XV1qOFip+UU0M474jAGgurVmAv8Rh7
+VvM0v5KmB6V6WHwM5gwjg2yRY/o+xYIsNeSes9rpp+MOs/RnUA6LI4WZGY4YahvX
+VclIXBDgbWPYtojexIJkmYj8JIIRsh3eCsrRRe14fq7cBurp3CxBYMlDHf0RUoaq
+hQIDAQAB
+-----END PUBLIC KEY-----

docker/funsize-update-generator/release.pubkey

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH4r94FpQ0gvr1hhTfV9
+NUeWPJ5CN6TZRq7v/Dc4nkJ1J4IP1B3UEii34tcNKpy1nKupiZuTT6T1zQYT+z5x
+3UkDF9qQboQ8RNb/BEz/cN3on/LTEnZ7YSraRL11M6cEB8mvmJxddCEquwqccRbs
+Usp8WUB7uRv1w6Anley7N9F/LE1iLPwJasZypRnzWb3aYsJy0cMFOYy+OXVdpktn
+qYqlNIjnt84u4Nil6UXnBbIJNUVOCY8wOFClNvVpubjPkWK1gtdWy3x/hJU5RpAO
+K9cnHxq4M/I4SUWTWO3r7yweQiHG4Jyoc7sP1jkwjBkSG93sDEycfwOdOoZft3wN
+sQIDAQAB
+-----END PUBLIC KEY-----

docker/funsize-update-generator/requirements.txt

@@ -1,2 +1,3 @@
 requests==2.5.1
 sh==1.08
+mar==1.2

docker/funsize-update-generator/runme.sh

@@ -6,6 +6,7 @@ test $FROM_MAR
 test $TO_MAR
 test $PLATFORM
 test $LOCALE
+test $SIGNING_CERT
 
 ARTIFACTS_DIR="/home/worker/artifacts"
 mkdir -p "$ARTIFACTS_DIR"
@@ -15,4 +16,5 @@ mkdir -p "$ARTIFACTS_DIR"
     --from-mar "$FROM_MAR" \
     --to-mar "$TO_MAR" \
     --platform "$PLATFORM" \
-    --locale "$LOCALE"
+    --locale "$LOCALE" \
+    --signing-cert "/home/worker/keys/${SIGNING_CERT}.pubkey"

docker/funsize-update-generator/scripts/funsize.py

@@ -12,10 +12,17 @@
 
 import requests
 import sh
+from mardor.marfile import MarFile
 
 log = logging.getLogger(__name__)
 
 
+def verify_signature(mar, signature):
+    log.info("Checking %s signature", mar)
+    m = MarFile(mar, signature_versions=[(1, signature)])
+    m.verify_signatures()
+
+
 def download(url, dest, mode=None):
     log.debug("Downloading %s to %s", url, dest)
     r = requests.get(url)
@@ -140,6 +147,7 @@ def main():
     parser.add_argument("--locale", required=True)
     parser.add_argument("--workdir")
     parser.add_argument("--branch")
+    parser.add_argument("--signing-cert", required=True)
     parser.add_argument("-q", "--quiet", dest="log_level",
                         action="store_const", const=logging.WARNING,
                         default=logging.DEBUG)
@@ -155,6 +163,7 @@ def main():
         dest = os.path.join(work_env.workdir, f.split("/")[-1])
         unpack_dir = os.path.join(work_env.workdir, mar_type)
         download(f, dest)
+        verify_signature(dest, args.signing_cert)
         complete_mars["%s_size" % mar_type] = os.path.getsize(dest)
         complete_mars["%s_hash" % mar_type] = get_hash(dest)
         unpack(work_env, dest, unpack_dir)

funsize/tasks/funsize.yml

@@ -31,7 +31,7 @@ tasks:
         createdForUser: rail@mozilla.com
 
       payload:
-        image: 'rail/funsize-update-generator:v0.2'
+        image: 'rail/funsize-update-generator:v0.3'
         maxRunTime: 900
         command:
             - /runme.sh
@@ -41,6 +41,7 @@ tasks:
           TO_MAR: '{{ to_MAR }}'
           PLATFORM: '{{ platform }}'
           LOCALE: '{{ locale }}'
+          SIGNING_CERT: 'nightly'
 
         artifacts:
           'public/env':