Bug 1712633 - Set MOZ_REQUIRE_SIGNING appropriately by default. r=firefox-build-system-reviewers,mhentges

At the same time, move the option to python configure, which changes how
to disable it (setting to an empty value rather than 0).

Differential Revision: https://phabricator.services.mozilla.com/D115844

browser/config/mozconfigs/linux32/devedition

@@ -1,7 +1,7 @@
 . "$topsrcdir/browser/config/mozconfigs/linux32/common-opt"
 
 # Add-on signing is not required for DevEdition
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/aurora
 

browser/config/mozconfigs/linux64/add-on-devel

@@ -1,7 +1,7 @@
 . $topsrcdir/browser/config/mozconfigs/linux64/nightly
 
 #add-on signing is checked but not enforced
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/unofficial
 ac_add_options --enable-update-channel=default

browser/config/mozconfigs/linux64/asan-fuzzing-ccov

@@ -3,7 +3,7 @@ ac_add_options --disable-debug
 ac_add_options --enable-optimize="-O2 -gline-tables-only"
 
 #add-on signing is checked but not enforced
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 . $topsrcdir/build/mozconfig.wasm-sandboxing
 

browser/config/mozconfigs/linux64/devedition

@@ -1,7 +1,7 @@
 . "$topsrcdir/browser/config/mozconfigs/linux64/common-opt"
 
 # Add-on signing is not required for DevEdition
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/aurora
 

browser/config/mozconfigs/linux64/nightly-fuzzing-asan

@@ -3,7 +3,7 @@ ac_add_options --disable-debug
 ac_add_options --enable-optimize="-O2 -gline-tables-only"
 
 #add-on signing is checked but not enforced
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 . $topsrcdir/build/mozconfig.wasm-sandboxing
 

browser/config/mozconfigs/linux64/nightly-fuzzing-asan-noopt

@@ -3,7 +3,7 @@ ac_add_options --disable-debug
 ac_add_options --disable-optimize
 
 #add-on signing is checked but not enforced
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 . $topsrcdir/build/mozconfig.wasm-sandboxing
 

browser/config/mozconfigs/macosx64-aarch64/devedition

@@ -1,7 +1,7 @@
 . "$topsrcdir/browser/config/mozconfigs/macosx64-aarch64/common-opt"
 
 # Add-on signing is not required for DevEdition
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --enable-instruments
 

browser/config/mozconfigs/macosx64/add-on-devel

@@ -1,7 +1,7 @@
 . $topsrcdir/browser/config/mozconfigs/macosx64/nightly
 
 #add-on signing is checked but not enforced
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/unofficial
 ac_add_options --enable-update-channel=default

browser/config/mozconfigs/macosx64/devedition

@@ -1,7 +1,7 @@
 . "$topsrcdir/browser/config/mozconfigs/macosx64/common-opt"
 
 # Add-on signing is not required for DevEdition
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --enable-instruments
 

browser/config/mozconfigs/win32/add-on-devel

@@ -1,7 +1,7 @@
 . $topsrcdir/browser/config/mozconfigs/win32/nightly
 
 #add-on signing is checked but not enforced
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/unofficial
 ac_add_options --enable-update-channel=default

browser/config/mozconfigs/win32/devedition

@@ -3,7 +3,7 @@
 . "$topsrcdir/browser/config/mozconfigs/win32/common-opt"
 
 # Add-on signing is not required for DevEdition
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/aurora
 

browser/config/mozconfigs/win64-aarch64/devedition

@@ -3,7 +3,7 @@
 . "$topsrcdir/browser/config/mozconfigs/win64-aarch64/common-opt"
 
 # Add-on signing is not required for DevEdition
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/aurora
 

browser/config/mozconfigs/win64/add-on-devel

@@ -1,7 +1,7 @@
 . $topsrcdir/browser/config/mozconfigs/win64/nightly
 
 #add-on signing is checked but not enforced
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/unofficial
 ac_add_options --enable-update-channel=default

browser/config/mozconfigs/win64/devedition

@@ -3,7 +3,7 @@
 . "$topsrcdir/browser/config/mozconfigs/win64/common-opt"
 
 # Add-on signing is not required for DevEdition
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 ac_add_options --with-branding=browser/branding/aurora
 

build/mozconfig.common

@@ -18,9 +18,6 @@ mk_add_options AUTOCLOBBER=1
 
 ac_add_options --enable-crashreporter
 
-# Disable enforcing that add-ons are signed by the trusted root
-MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-0}
-
 ac_add_options --enable-js-shell
 
 . "$topsrcdir/build/mozconfig.automation"

mobile/android/config/mozconfigs/common.override

@@ -5,6 +5,6 @@
 # This file is included at the bottom of all native android mozconfigs
 #
 # Disable enforcing that add-ons are signed by the trusted root
-MOZ_REQUIRE_SIGNING=0
+MOZ_REQUIRE_SIGNING=
 
 . "$topsrcdir/build/mozconfig.common.override"

old-configure.in

@@ -2488,11 +2488,6 @@ if test -n "$MOZ_BINARY_EXTENSIONS"; then
   AC_DEFINE(MOZ_BINARY_EXTENSIONS)
 fi
 
-AC_SUBST(MOZ_REQUIRE_SIGNING)
-if test "$MOZ_REQUIRE_SIGNING" = 1; then
-  AC_DEFINE(MOZ_REQUIRE_SIGNING)
-fi
-
 dnl ========================================================
 dnl = Mac bundle name prefix
 dnl ========================================================

taskcluster/ci/config.yml

@@ -282,12 +282,6 @@ merge-automation:
                 - - browser/config/mozconfigs/macosx64/l10n-mozconfig
                   - ac_add_options --with-branding=browser/branding/nightly
                   - ac_add_options --enable-official-branding
-                - - build/mozconfig.common
-                  - 'MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-0}'
-                  - 'MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-1}'
-                - - build/mozconfig.common
-                  - '# Disable enforcing that add-ons are signed by the trusted root'
-                  - '# Enable enforcing that add-ons are signed by the trusted root'
             merge-old-head: true
             base-tag: 'FIREFOX_BETA_{major_version}_BASE'
             end-tag: 'FIREFOX_BETA_{major_version}_END'
@@ -317,9 +311,6 @@ merge-automation:
                 - - "build/mozconfig.common"
                   - "# Enable enforcing that add-ons are signed by the trusted root"
                   - "# Disable enforcing that add-ons are signed by the trusted root"
-                - - build/mozconfig.common
-                  - 'MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-1}'
-                  - 'MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-0}'
             merge-old-head: false
             base-tag: "FIREFOX_ESR_{major_version}_BASE"
             from-repo: 'https://hg.mozilla.org/releases/mozilla-release'

testing/mozharness/configs/merge_day/central_to_beta.py

@@ -29,19 +29,6 @@ config = {
             "browser/config/mozconfigs/win64-aarch64/l10n-mozconfig",
             "browser/config/mozconfigs/macosx64/l10n-mozconfig",
         ]
-    ]
-    + [
-        # File, from, to
-        (
-            "build/mozconfig.common",
-            "MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-0}",
-            "MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-1}",
-        ),
-        (
-            "build/mozconfig.common",
-            "# Disable enforcing that add-ons are signed by the trusted root",
-            "# Enable enforcing that add-ons are signed by the trusted root",
-        ),
     ],
     "vcs_share_base": os.path.join(ABS_WORK_DIR, "hg-shared"),
     # "hg_share_base": None,

testing/mozharness/configs/merge_day/release_to_esr.py

@@ -14,17 +14,6 @@ config = {
         {"file": "browser/config/version_display.txt", "suffix": "esr"},
     ],
     "replacements": [
-        # File, from, to
-        (
-            "build/mozconfig.common",
-            "# Enable enforcing that add-ons are signed by the trusted root",
-            "# Disable enforcing that add-ons are signed by the trusted root",
-        ),
-        (
-            "build/mozconfig.common",
-            "MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-1}",
-            "MOZ_REQUIRE_SIGNING=${MOZ_REQUIRE_SIGNING-0}",
-        ),
     ],
     "vcs_share_base": os.path.join(ABS_WORK_DIR, "hg-shared"),
     # Pull from ESR repo, since we have already branched it and have landed esr-specific patches on it

toolkit/moz.configure

@@ -1432,6 +1432,15 @@ add_old_configure_assignment("ACCESSIBILITY", accessibility)
 # Addon signing
 # ==============================================================
 
+option(
+    env="MOZ_REQUIRE_SIGNING",
+    default=milestone.is_release_or_beta,
+    help="Enforce that add-ons are signed by the trusted root",
+)
+
+set_config("MOZ_REQUIRE_SIGNING", True, when="MOZ_REQUIRE_SIGNING")
+set_define("MOZ_REQUIRE_SIGNING", True, when="MOZ_REQUIRE_SIGNING")
+
 option(
     "--with-unsigned-addon-scopes",
     nargs="+",