Bug 1520591: switch gpg signing to autograph r=aki

Differential Revision: https://phabricator.services.mozilla.com/D31135

--HG--
extra : moz-landing-system : lando
Chris AtLee 2019-05-15 13:17:26 +00:00
Родитель 56a3566948
Коммит 2ae1754b27
8 изменённых файлов: 16 добавлений и 28 удалений


@ -33,7 +33,7 @@ An example signing task payload:
"taskType": "build"
}, {
"paths": ["public/build/target.tar.gz"],
"formats": ["gpg"],
"formats": ["autograph_gpg"],
"taskId": "12345",
"taskType": "build"
}]
@ -46,7 +46,7 @@ task definitions via `chain of trust`_ verification. Then it will launch
`signingscript`_, which requests a signing token from the signing server pool.
Signingscript determines it wants to sign ``target.dmg`` with the ``macapp``
format, and ``target.tar.gz`` with the ``gpg`` format. Each of the
format, and ``target.tar.gz`` with the ``autograph_gpg`` format. Each of the
`signing formats`_ has their own behavior. After performing any format-specific
checks or optimizations, it calls `signtool`_ to submit the file to the signing
servers and poll them for signed output. Once it downloads all of the signed
@ -90,13 +90,8 @@ Signing formats
The known signingscript formats are listed in the fourth column of the
`signing password files`_.
The formats are specified in the ``upstreamArtifacts`` list-of-dicts. The task
must have a superset of scopes to match. For example, a Firefox signing task
with an ``upstreamArtifacts`` that lists both ``gpg`` and ``macapp`` formats must
have both ``project:releng:signing:format:gpg`` and
``project:releng:signing:format:macapp`` in its scopes.
``gpg`` signing results in a detached ``.asc`` signature file. Because of its
The formats are specified in the ``upstreamArtifacts`` list-of-dicts.
``autograph_gpg`` signing results in a detached ``.asc`` signature file. Because of its
nature, we gpg-sign at the end if given multiple formats for a given set of
files.


@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
from taskgraph.util.scriptworker import (
get_signing_cert_scope,
get_worker_type_for_scope,
add_scope_prefix,
)
from taskgraph.util.treeherder import replace_group
from taskgraph.transforms.task import task_description_schema
@ -75,7 +74,7 @@ def make_checksums_signing_description(config, jobs):
"paths": [
"public/target.checksums",
],
"formats": ["gpg"]
"formats": ["autograph_gpg"]
}]
signing_cert_scope = get_signing_cert_scope(config)
@ -88,7 +87,6 @@ def make_checksums_signing_description(config, jobs):
'max-run-time': 3600},
'scopes': [
signing_cert_scope,
add_scope_prefix(config, 'signing:format:gpg'),
],
'dependencies': dependencies,
'attributes': attributes,
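Review bot: The `'scopes'` list in make_checksums_signing_description now carries only `signing_cert_scope`, and nothing replaces the removed `signing:format:gpg` entry, so the task definition no longer states which signing format it may request. The same removal appears in make_release_generate_checksums_signing_description, in make_repackage_signing_description, in the second make_checksums_signing_description (the `public/target-source.checksums` one) and in the `else` branch of make_signing_description, while the `sha2signcode` branches still append their format scope. Presumably autograph formats are authorised through the cert scope on the signing side, but nothing visible in this diff establishes that. A comment next to the list would record the intent, for example `# No per-format scope for autograph_gpg: authorisation relies on signing_cert_scope (confirm against signingscript)`. The function body starts and ends outside these hunks.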


@ -95,7 +95,7 @@ def _craft_upstream_artifacts(dependency_kind, build_platform):
signing_format = 'sha2signcode'
extension = 'zip'
elif build_platform.startswith('linux'):
signing_format = 'gpg'
signing_format = 'autograph_gpg'
extension = 'tar.gz'
else:
raise ValueError('Unsupported build platform "{}"'.format(build_platform))


@ -64,8 +64,7 @@ def make_signing_description(config, jobs):
scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
formats = ['sha2signcode']
else:
scopes.append(add_scope_prefix(config, 'signing:format:gpg'))
formats = ['gpg']
formats = ['autograph_gpg']
rev = attributes['openh264_rev']
upstream_artifacts = [{


@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
from taskgraph.util.scriptworker import (
get_signing_cert_scope,
get_worker_type_for_scope,
add_scope_prefix,
)
from taskgraph.util.taskcluster import get_artifact_path
from taskgraph.transforms.task import task_description_schema
@ -61,7 +60,7 @@ def make_release_generate_checksums_signing_description(config, jobs):
get_artifact_path(dep_job, "SHA256SUMS"),
get_artifact_path(dep_job, "SHA512SUMS"),
],
"formats": ["gpg"]
"formats": ["autograph_gpg"]
}]
signing_cert_scope = get_signing_cert_scope(config)
@ -75,7 +74,6 @@ def make_release_generate_checksums_signing_description(config, jobs):
'max-run-time': 3600},
'scopes': [
signing_cert_scope,
add_scope_prefix(config, 'signing:format:gpg'),
],
'dependencies': dependencies,
'attributes': attributes,


@ -72,7 +72,7 @@ def make_repackage_signing_description(config, jobs):
signing_cert_scope = get_signing_cert_scope_per_platform(
build_platform, is_nightly, config
)
scopes = [signing_cert_scope, add_scope_prefix(config, 'signing:format:gpg')]
scopes = [signing_cert_scope]
if 'win' in build_platform:
upstream_artifacts = [{
@ -81,7 +81,7 @@ def make_repackage_signing_description(config, jobs):
"paths": [
get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
],
"formats": ["sha2signcode", "gpg"]
"formats": ["sha2signcode", "autograph_gpg"]
}]
scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
elif 'mac' in build_platform:
@ -91,7 +91,7 @@ def make_repackage_signing_description(config, jobs):
"paths": [
get_artifact_path(dep_job, "{}/target.dmg".format(repack_id)),
],
"formats": ["gpg"]
"formats": ["autograph_gpg"]
}]
elif 'linux' in build_platform:
upstream_artifacts = [{
@ -100,7 +100,7 @@ def make_repackage_signing_description(config, jobs):
"paths": [
get_artifact_path(dep_job, "{}/target.tar.bz2".format(repack_id)),
],
"formats": ["gpg"]
"formats": ["autograph_gpg"]
}]
task = {


@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
from taskgraph.util.scriptworker import (
get_signing_cert_scope,
get_worker_type_for_scope,
add_scope_prefix,
)
from taskgraph.transforms.task import task_description_schema
from voluptuous import Required, Optional
@ -57,7 +56,7 @@ def make_checksums_signing_description(config, jobs):
"paths": [
"public/target-source.checksums",
],
"formats": ["gpg"]
"formats": ["autograph_gpg"]
}]
signing_cert_scope = get_signing_cert_scope(config)
@ -71,7 +70,6 @@ def make_checksums_signing_description(config, jobs):
'max-run-time': 3600},
'scopes': [
signing_cert_scope,
add_scope_prefix(config, 'signing:format:gpg'),
],
'dependencies': dependencies,
'attributes': attributes,


@ -24,7 +24,7 @@ def generate_specifications_of_artifacts_to_sign(
'artifacts': [
get_artifact_path(task, 'source.tar.xz')
],
'formats': ['gpg'],
'formats': ['autograph_gpg'],
}]
elif 'android' in build_platform:
artifacts_specifications = [{
@ -64,7 +64,7 @@ def generate_specifications_of_artifacts_to_sign(
elif 'linux' in build_platform:
artifacts_specifications = [{
'artifacts': [get_artifact_path(task, '{locale}/target.tar.bz2')],
'formats': ['gpg', 'widevine'],
'formats': ['autograph_gpg', 'widevine'],
}]
else:
raise Exception("Platform not implemented for signing")
@ -108,7 +108,7 @@ def get_signed_artifacts(input, formats):
artifacts.add(input.replace('.dmg', '.tar.gz'))
else:
artifacts.add(input)
if 'gpg' in formats:
if 'autograph_gpg' in formats:
artifacts.add('{}.asc'.format(input))
return artifacts
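Review bot: The membership test in get_signed_artifacts now matches only `'autograph_gpg'`, so a caller that still passes the old `'gpg'` format gets an artifact set without the `.asc` detached signature, and no error is raised. Whether any such caller remains is not visible in this diff. If the old name can still occur during the transition, `if 'autograph_gpg' in formats or 'gpg' in formats:` keeps the signature in the expected outputs. If it cannot, a comment such as `# 'gpg' was retired in favour of 'autograph_gpg'; only the latter yields a .asc` would make the silent drop deliberate. The function starts outside the hunk.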