Re: Upcoming hg.mozilla.org certificate change

2016-09-26 Thread Gregory Szorc
Yup. There are a few outstanding issues in automation. People in #releng
are on it.

On Mon, Sep 26, 2016 at 11:22 AM, Justin D'Arcangelo <
jdarcang...@mozilla.com> wrote:

> Looks like the cert change broke try:
>
> https://treeherder.mozilla.org/#/jobs?repo=try=a83c34bc2716
>
> -Justin
>
>
> > On Sep 26, 2016, at 2:11 PM, Mats Palmgren  wrote:
> >
> > On 09/26/2016 07:20 PM, Gregory Szorc wrote:
> >> # Mercurial 3.9+
> >>
> >> [hostsecurity]
> >> hg.mozilla.org:fingerprints = sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9
> >>
> >> # Mercurial <= 3.8
> >>
> >> [hostfingerprints]
> >> hg.mozilla.org = 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56
> >
> >
> > Note that the "name = value" should be on a single line or else
> > you will get "hg: parse error".  That is, there should be
> > no newline after the "=".
> >
> > In case your mail reading application helpfully added a newline
> > there for you...
> >
> > /Mats
> >
> > ___
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform


Re: Upcoming hg.mozilla.org certificate change

2016-09-26 Thread Justin D'Arcangelo
Looks like the cert change broke try:

https://treeherder.mozilla.org/#/jobs?repo=try=a83c34bc2716 


-Justin


> On Sep 26, 2016, at 2:11 PM, Mats Palmgren  wrote:
> 
> On 09/26/2016 07:20 PM, Gregory Szorc wrote:
>> # Mercurial 3.9+
>>
>> [hostsecurity]
>> hg.mozilla.org:fingerprints = sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9
>>
>> # Mercurial <= 3.8
>>
>> [hostfingerprints]
>> hg.mozilla.org = 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56
> 
> 
> Note that the "name = value" should be on a single line or else
> you will get "hg: parse error".  That is, there should be
> no newline after the "=".
> 
> In case your mail reading application helpfully added a newline
> there for you...
> 
> /Mats
> 


Re: Upcoming hg.mozilla.org certificate change

2016-09-26 Thread Mats Palmgren

On 09/26/2016 07:20 PM, Gregory Szorc wrote:

> # Mercurial 3.9+
>
> [hostsecurity]
> hg.mozilla.org:fingerprints = sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9
>
> # Mercurial <= 3.8
>
> [hostfingerprints]
> hg.mozilla.org = 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56



Note that the "name = value" should be on a single line or else
you will get "hg: parse error".  That is, there should be
no newline after the "=".

In case your mail reading application helpfully added a newline
there for you...

/Mats



Re: Upcoming hg.mozilla.org certificate change

2016-09-26 Thread Gregory Szorc
The certificate has been flipped.

New hashes are:

sha1:73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56
sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9

You can pin these in your hgrc via:

# Mercurial 3.9+

[hostsecurity]
hg.mozilla.org:fingerprints = sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9

# Mercurial <= 3.8

[hostfingerprints]
hg.mozilla.org = 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56

Please make noise in #vcs or #releng if you see breakage.


On Thu, Sep 22, 2016 at 1:57 PM, Gregory Szorc  wrote:

> hg.mozilla.org's x509 server certificate (AKA an "SSL certificate")
> expires next week.
>
> A new certificate has already been issued and it is scheduled to be
> swapped in around 2016-09-26T17:00Z (Monday September 26 10:00 PDT). The
> transition may be delayed to avoid downtime in automation, which hasn't
> fully prepared for the change yet.
>
> The only major change to the certificate is it is using SHA-256 for
> signatures. This is known to not work with ancient software (such as
> Windows XP SP2). We don't anticipate any major problems with this, however.
>
> If you pin the host fingerprint in your Mercurial config file, you'll need
> to install a new fingerprint or Mercurial will refuse to connect once the
> certificate is swapped. The fingerprint of the new certificate and
> Mercurial config snippets for configuring it are available at
> https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12.
>
> It's worth noting that Mercurial 3.8+ supports pinning multiple
> fingerprints per host. So, if you install the new fingerprint today, you
> don't need to take action when the server certificate is swapped next week.
>
> If you notice any problems after the cert change, please make noise in
> #vcs on IRC.
>
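
Added example, not part of the original thread and not Mozilla's or Mercurial's own code: a Python example that renders both pin formats discussed above from a certificate's DER bytes, each on a single line, and flags the wrapped "name =" line that Mats describes. The host hg.example.org, the stand-in certificate bytes and all function names are assumptions made for illustration.

```python
import hashlib
import re

# Constructed stand-in for a DER-encoded certificate (NOT a real certificate).
# A real pin is the hash of the server certificate's DER bytes.
CONSTRUCTED_DER = b"constructed stand-in for DER certificate bytes"

def colon_hex(digest: bytes) -> str:
    """Format a digest the way hgrc expects: lowercase hex octets joined by ':'."""
    return ":".join(f"{b:02x}" for b in digest)

def hgrc_pins(host: str, der_cert: bytes):
    """Return (modern, legacy) hgrc stanzas with name and value on one line."""
    sha1 = colon_hex(hashlib.sha1(der_cert).digest())
    sha256 = colon_hex(hashlib.sha256(der_cert).digest())
    modern = f"[hostsecurity]\n{host}:fingerprints = sha256:{sha256}\n"  # 3.9+
    legacy = f"[hostfingerprints]\n{host} = {sha1}\n"                    # <= 3.8
    return modern, legacy

# A "name = value" item; section headers and comment lines are excluded.
ITEM = re.compile(r"^[^=\s\[#;][^=]*=\s*(.*)$")

def find_broken_pins(hgrc_text: str):
    """Return 1-based line numbers of 'name =' items whose value was pushed
    onto the next, unindented line (the case that yields "hg: parse error")."""
    lines = hgrc_text.splitlines()
    broken = []
    for i, line in enumerate(lines):
        m = ITEM.match(line)
        if not m or m.group(1).strip():
            continue  # not an item, or the value is on the same line
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if (nxt and not nxt[0].isspace() and "=" not in nxt
                and not nxt.startswith(("[", "#", ";"))):
            broken.append(i + 1)
    return broken

# The wrapped form as it appears in mail clients, using the thread's value.
WRAPPED = (
    "[hostsecurity]\n"
    "hg.mozilla.org:fingerprints =\n"
    "sha256:8e:ad:f7:6a:eb:44:06:15:ed:f3:e4:69:a6:64:60:37:2d:"
    "ff:98:88:37:bf:d7:b8:40:84:01:48:9c:26:ce:d9\n"
)

if __name__ == "__main__":
    modern, legacy = hgrc_pins("hg.example.org", CONSTRUCTED_DER)
    print(modern + "\n" + legacy)
    print("wrapped items at lines:", find_broken_pins(WRAPPED))
```
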