Bug 1298947 - Pin hg.mozilla.org fingerprint; r=dustin
☠☠ backed out by 4d17ab529fbd ☠ ☠
authorGregory Szorc <gps@mozilla.com>
Thu, 01 Sep 2016 15:38:30 -0700
changeset 313084 d31f5e1edb53ced0cfd71d6692354713e40615be
parent 313083 22093eae5f63d2a81669b7c8cd0d4fe7ae372147
child 313085 4d17ab529fbdb3c68c287c26225f1f28fc7c6763
push id30671
push usercbook@mozilla.com
push dateThu, 08 Sep 2016 09:59:51 +0000
treeherdermozilla-central@bd28be90aed8 [default view] [failures only]
reviewersdustin
bugs1298947
milestone51.0a1
Bug 1298947 - Pin hg.mozilla.org fingerprint; r=dustin We just upgraded our run-time environment to Mercurial 3.9. 3.9 features a new [hostsecurity] config section and allows certificate fingerprints to be defined using SHA-256 hashes (not just SHA-1). A TaskCluster secret with the Mercurial 3.9 fingerprint format has been added. This commit takes advantage of it. MozReview-Commit-ID: 5NwJl9zOse2
testing/docker/recipes/run-task
--- a/testing/docker/recipes/run-task
+++ b/testing/docker/recipes/run-task
@@ -14,21 +14,26 @@ current time to improve log usefulness.
 """
 
 from __future__ import absolute_import, print_function, unicode_literals
 
 import argparse
 import datetime
 import errno
 import grp
+import json
 import os
 import pwd
 import re
 import subprocess
 import sys
+import urllib2
+
+
+FINGERPRINT_URL = 'http://taskcluster/secrets/v1/secret/project/taskcluster/gecko/hgfingerprint'
 
 
 def print_line(prefix, m):
     now = datetime.datetime.utcnow()
     print(b'[%s %sZ] %s' % (prefix, now.isoformat(), m), end=b'')
 
 
 def run_and_prefix_output(prefix, args):
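Review bot: FINGERPRINT_URL uses plain `http://` and nothing beside the constant says why that is acceptable, although the value fetched from it decides which certificate hg will trust for hg.mozilla.org. If `taskcluster` is the task-local proxy (it appears to be, but the hunk does not show it), a comment should say so, e.g. `# Fetched over plain HTTP from the task-local taskcluster proxy; the pin is only as trustworthy as this hop.` Without it a later reader cannot tell whether the unauthenticated fetch is a deliberate trust boundary or an oversight.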
@@ -83,18 +88,38 @@ def vcs_checkout(args):
         revision = os.environ['GECKO_HEAD_REV']
     elif os.environ.get('GECKO_HEAD_REF'):
         revision_flag = b'--branch'
         revision = os.environ['GECKO_HEAD_REF']
     else:
         print('revision is not specified for checkout')
         sys.exit(1)
 
+    # Obtain certificate fingerprints.
+    try:
+        print_line(b'vcs', 'fetching hg.mozilla.org fingerprint from %s\n' %
+                   FINGERPRINT_URL)
+        res = urllib2.urlopen(FINGERPRINT_URL, timeout=10)
+        secret = res.read()
+    except urllib2.URLError as e:
+        print('error retrieving hg fingerprint: %s' % e)
+        sys.exit(1)
+
+    try:
+        secret = json.loads(secret, encoding='utf-8')
+    except ValueError:
+        print('invalid JSON in hg fingerprint secret')
+        sys.exit(1)
+
+    hgmo_fingerprint = secret['secret']['fingerprints'].encode('ascii')
+
     res = run_and_prefix_output(b'vcs', [
-        b'/usr/bin/hg', b'robustcheckout',
+        b'/usr/bin/hg',
+        b'--config', b'hostsecurity.hg.mozilla.org:fingerprints=%s' % hgmo_fingerprint,
+        b'robustcheckout',
         b'--sharebase', b'/home/worker/hg-shared',
         b'--purge',
         b'--upstream', base_repo,
         revision_flag, revision,
         os.environ['GECKO_HEAD_REPOSITORY'], args.vcs_checkout
     ])
 
     if res:
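Review bot: The lookup `secret['secret']['fingerprints'].encode('ascii')` in vcs_checkout runs outside any try block, so a secret with a missing key, a non-string value or non-ASCII text ends the task with a raw traceback instead of the clean `sys.exit(1)` path used for the fetch and JSON errors just above. An empty value is also passed straight into `--config hostsecurity.hg.mozilla.org:fingerprints=`, which would probably leave the checkout without an effective pin; rejecting it keeps the failure closed. Separately, `res.read()` can raise `socket.timeout` under the 10-second timeout, which `except urllib2.URLError` does not catch. vcs_checkout begins before this hunk and continues past it.

```python
    # … unchanged: fetch from FINGERPRINT_URL and json.loads …
    try:
        hgmo_fingerprint = secret['secret']['fingerprints'].encode('ascii')
    except (KeyError, TypeError, AttributeError, UnicodeEncodeError):
        # Do not echo the secret itself into the task log.
        print('hg fingerprint secret has unexpected structure')
        sys.exit(1)

    if not hgmo_fingerprint.strip():
        print('hg fingerprint secret is empty')
        sys.exit(1)
    # … unchanged: run_and_prefix_output(b'vcs', [...]) call …
```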