
Manual Rollout with Puppet

Aki Sasaki edited this page Mar 19, 2021 · 27 revisions

Imaging and puppetizing

For imaging, see this page.

  • As of 2020.04.15, this automatically puppetizes the machine. However, it is currently broken, apparently by a widevine-related issue.
  • As of 2020.04.20, widevine is fixed with this commit on the notarization-poller branch.
  • As of 2020.06.18, v3 ronin_puppet now works, with python 3.8. Details here.
  • As of 2020.07.15, production puppet appears to work for poller and scriptworker, with python 3.8, for everything but the 4 secrets in certs/ and starting the launchctl services. Dep signing puppetization is currently broken. Set these up by hand.
  • As of 2021.01.15, puppetization works for prod, tb-prod, and dep.
  • As of 2021.03.18, puppetization runs automatically against the ronin_puppet production-mac-signing branch every 15 minutes, and restarts the scriptworker and poller daemons on change. We still need to populate the signing secrets and enable the scriptworker+poller daemons on reimage.

Imaging and puppetizing create the following:

  • /var/root/ which contains the logic for puppetizing
  • /var/root/vault.yaml with the secrets (only written at imaging time; a reimage is needed to get new secrets into it)

Running puppet without imaging

sudo -u root -i
# This will create a /tmp/.periodic-puppet lock directory, or exit if it exists
# to avoid a concurrent puppet run.
# It will log to /tmp/.periodic-puppet.log
# It will pull from ronin_puppet's production-mac-signing branch then puppetize
# We need to reimage to get new secrets in vault.yaml

# Old instructions
#cd ~/ronin_puppet
#git pull
## Puppet will break if you remain cd'ed in root's home dir
#cd /
#puppet apply --modulepath=/var/root/ronin_puppet/modules/:/var/root/ronin_puppet/r10k_modules/ --hiera_config=/var/root/ronin_puppet/hiera.yaml --logdest=console --noop /var/root/ronin_puppet/manifests
## Then repeat without --noop
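The wrapper described in the comments above (lock directory, log file, pull the branch, puppetize), written out as an added example. This is not the script ronin_puppet ships; the defaults are the paths named on this page, and the git/puppet command names and all paths can be overridden from the environment, which is an assumption of this example so that the lock handling can be exercised on a host without git or puppet.

```shell
#!/bin/sh
# Added example, not the wrapper ronin_puppet ships: a periodic-puppet runner with the
# behaviour described above. Defaults are the paths named on this page; every command
# and path can be overridden from the environment so the lock handling can be tried on
# a host without git or puppet (that override is an assumption of this example only).
LOCK_DIR="${LOCK_DIR:-/tmp/.periodic-puppet}"
LOG_FILE="${LOG_FILE:-/tmp/.periodic-puppet.log}"
REPO_DIR="${REPO_DIR:-/var/root/ronin_puppet}"
BRANCH="${BRANCH:-production-mac-signing}"
GIT="${GIT:-git}"
PUPPET="${PUPPET:-puppet}"

# mkdir(2) either creates the directory or fails with EEXIST, atomically, so two runs
# started at the same moment (say, the 15-minute job and an operator) cannot both take the lock.
acquire_lock() { mkdir "$LOCK_DIR" 2>/dev/null; }
release_lock() { rmdir "$LOCK_DIR" 2>/dev/null; }

# Pull BRANCH and apply the manifests, appending everything to LOG_FILE.
# Returns 75 (EX_TEMPFAIL) without touching anything when another run holds the lock,
# otherwise the status of git or puppet. The lock is released on failure and on signals.
periodic_puppet() {
  if ! acquire_lock; then
    echo "$LOCK_DIR exists: another puppet run is in progress (or a stale lock was left behind)" >&2
    return 75
  fi
  trap 'release_lock; exit 1' HUP INT TERM
  {
    echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') start"
    ( cd "$REPO_DIR" && "$GIT" checkout -q "$BRANCH" && "$GIT" pull -q --ff-only origin "$BRANCH" )
    rc=$?
    if [ "$rc" -eq 0 ]; then
      # puppet breaks if the cwd is root's home, so always apply from /
      ( cd / && "$PUPPET" apply \
          --modulepath="$REPO_DIR/modules/:$REPO_DIR/r10k_modules/" \
          --hiera_config="$REPO_DIR/hiera.yaml" \
          --logdest=console "$REPO_DIR/manifests" )
      rc=$?
    fi
    echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') end rc=$rc"
  } >>"$LOG_FILE" 2>&1
  release_lock
  trap - HUP INT TERM
  return "$rc"
}

# Entry point for the 15-minute job: sh periodic-puppet.sh run
if [ "${1:-}" = "run" ]; then
  periodic_puppet
fi
```

A run that is killed with SIGKILL cannot run the trap, so it leaves the lock directory behind and every later run exits with 75 until someone removes it by hand; check the tail of the log file before doing so.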

Notarization rollout

Ronin Puppet doesn't have all of our secrets, so after a machine is deployed we need to manually perform a few steps. The easiest way to get the secrets is to pull them from an existing signing machine. Failing that, you will likely need to dig into offline backups.

Dep signing

Files needed:

  • widevine_dep.crt
  • dep-signing.keychain

for info in "depbld1:dep1" "depbld2:dep2" "tbbld:tb-dep"; do
  username=${info%%:*}
  dir=${info#*:}
  cp widevine_dep.crt dep-signing.keychain "/builds/${dir}/certs/"
  chown "${username}" "/builds/${dir}/certs/"*
  # secrets: readable by the signing user only, as in the production section below
  chmod 400 "/builds/${dir}/certs/"*
  sh -x /builds/${dir}/
done

Firefox and Thunderbird Production


  • widevine_prod.crt
  • nightly-signing.keychain
  • release-signing.keychain
  • ed25519_privkey


  • Copy all the above files to /builds/scriptworker/certs/
    • The simplest way to do this is to tar up this directory from an existing scriptworker of the same type, copy the tarball over ssh, and delete the tarball on both ends once the files are in place.
    • ed25519_privkey must have no trailing newline (EOL). If you create it by editing it, strip the trailing newline with perl -pi -e 'chomp if eof' ed25519_privkey
  • Then make the files owned by cltbld and readable by nobody else, and run the setup script:
chown cltbld /builds/scriptworker/certs/*
chmod 400 /builds/scriptworker/certs/*
sh -x /builds/scriptworker/
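Because both the dep and the production steps above are done by hand, it is worth checking the result before enabling the daemons. The following is an added example and not part of ronin_puppet or the scriptworker setup scripts: it verifies that every expected file is present in a certs/ directory, is owned by the right user, is mode 0400, and that ed25519_privkey has no trailing newline. The owners, paths and file lists are the ones on this page; the script name check-certs.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of ronin_puppet or the scriptworker setup scripts: check a
# certs/ directory after the secrets were copied in by hand, before enabling the daemons.
# Owners, paths and file lists are the ones on this page; the script name is an assumption.

# Print "<octal mode> <owner>" for a file: GNU stat first, BSD/macOS stat as fallback.
file_mode_owner() {
  stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Succeeds when the last byte of the file is not a newline. $(...) strips trailing
# newlines, so an empty result means the file ends in "\n" (or is empty, also bad).
no_trailing_newline() {
  [ -n "$(tail -c 1 "$1")" ]
}

# certs_dir_ok DIR OWNER FILE...
# Returns 0 when every FILE exists in DIR, is owned by OWNER and is mode 0400, and
# ed25519_privkey (if listed) has no trailing newline. Prints one line per problem.
certs_dir_ok() {
  dir=$1; owner=$2; shift 2
  problems=0
  for name in "$@"; do
    p="$dir/$name"
    if [ ! -f "$p" ]; then
      echo "MISSING $p"; problems=$((problems + 1)); continue
    fi
    mo=$(file_mode_owner "$p"); mode=${mo% *}; own=${mo#* }
    [ "$own" = "$owner" ] || { echo "OWNER   $p is owned by $own, want $owner"; problems=$((problems + 1)); }
    [ "$mode" = "400" ]   || { echo "MODE    $p is $mode, want 400"; problems=$((problems + 1)); }
    if [ "$name" = "ed25519_privkey" ] && ! no_trailing_newline "$p"; then
      echo "EOL     $p ends in a newline; run: perl -pi -e 'chomp if eof' $p"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Usage (as root on the signing host): sh check-certs.sh prod   |   sh check-certs.sh dep
case ${1:-} in
  prod)
    certs_dir_ok /builds/scriptworker/certs cltbld \
      widevine_prod.crt nightly-signing.keychain release-signing.keychain ed25519_privkey
    ;;
  dep)
    dep_ok=0
    for info in depbld1:dep1 depbld2:dep2 tbbld:tb-dep; do
      certs_dir_ok "/builds/${info#*:}/certs" "${info%%:*}" widevine_dep.crt dep-signing.keychain || dep_ok=1
    done
    [ "$dep_ok" -eq 0 ]
    ;;
esac
```

The trailing-newline check matters because scriptworker reads the key file as-is: a key saved by an editor that appends "\n" is a different string, and the failure only shows up later when signatures do not verify.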