зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1520591: switch gpg signing to autograph r=aki
Differential Revision: https://phabricator.services.mozilla.com/D31135 --HG-- extra : moz-landing-system : lando
Родитель
56a3566948
Коммит
2ae1754b27
|
@ -33,7 +33,7 @@ An example signing task payload:
|
|||
"taskType": "build"
|
||||
}, {
|
||||
"paths": ["public/build/target.tar.gz"],
|
||||
"formats": ["gpg"],
|
||||
"formats": ["autograph_gpg"],
|
||||
"taskId": "12345",
|
||||
"taskType": "build"
|
||||
}]
|
||||
|
@ -46,7 +46,7 @@ task definitions via `chain of trust`_ verification. Then it will launch
|
|||
`signingscript`_, which requests a signing token from the signing server pool.
|
||||
|
||||
Signingscript determines it wants to sign ``target.dmg`` with the ``macapp``
|
||||
format, and ``target.tar.gz`` with the ``gpg`` format. Each of the
|
||||
format, and ``target.tar.gz`` with the ``autograph_gpg`` format. Each of the
|
||||
`signing formats`_ has their own behavior. After performing any format-specific
|
||||
checks or optimizations, it calls `signtool`_ to submit the file to the signing
|
||||
servers and poll them for signed output. Once it downloads all of the signed
|
||||
|
@ -90,13 +90,8 @@ Signing formats
|
|||
The known signingscript formats are listed in the fourth column of the
|
||||
`signing password files`_.
|
||||
|
||||
The formats are specified in the ``upstreamArtifacts`` list-of-dicts. The task
|
||||
must have a superset of scopes to match. For example, a Firefox signing task
|
||||
with an ``upstreamArtifacts`` that lists both ``gpg`` and ``macapp`` formats must
|
||||
have both ``project:releng:signing:format:gpg`` and
|
||||
``project:releng:signing:format:macapp`` in its scopes.
|
||||
|
||||
``gpg`` signing results in a detached ``.asc`` signature file. Because of its
|
||||
The formats are specified in the ``upstreamArtifacts`` list-of-dicts.
|
||||
``autograph_gpg`` signing results in a detached ``.asc`` signature file. Because of its
|
||||
nature, we gpg-sign at the end if given multiple formats for a given set of
|
||||
files.
|
||||
|
||||
|
|
|
@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
|
|||
from taskgraph.util.scriptworker import (
|
||||
get_signing_cert_scope,
|
||||
get_worker_type_for_scope,
|
||||
add_scope_prefix,
|
||||
)
|
||||
from taskgraph.util.treeherder import replace_group
|
||||
from taskgraph.transforms.task import task_description_schema
|
||||
|
@ -75,7 +74,7 @@ def make_checksums_signing_description(config, jobs):
|
|||
"paths": [
|
||||
"public/target.checksums",
|
||||
],
|
||||
"formats": ["gpg"]
|
||||
"formats": ["autograph_gpg"]
|
||||
}]
|
||||
|
||||
signing_cert_scope = get_signing_cert_scope(config)
|
||||
|
@ -88,7 +87,6 @@ def make_checksums_signing_description(config, jobs):
|
|||
'max-run-time': 3600},
|
||||
'scopes': [
|
||||
signing_cert_scope,
|
||||
add_scope_prefix(config, 'signing:format:gpg'),
|
||||
],
|
||||
'dependencies': dependencies,
|
||||
'attributes': attributes,
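Review bot: The `'scopes'` list in `make_checksums_signing_description` now carries only `signing_cert_scope`: the `signing:format:gpg` entry is dropped and no per-format scope replaces it, although the task requests `"formats": ["autograph_gpg"]`. Format authorisation for this task therefore appears to rest on the cert scope alone. Whether the signing worker still checks format scopes is not visible here. If the change is intended, record it next to the list, e.g. `# autograph_* formats need no signing:format:* scope; the cert scope alone authorises them`. The same pattern appears in the openh264 `make_signing_description`, `make_release_generate_checksums_signing_description`, the source-checksums `make_checksums_signing_description`, and `make_repackage_signing_description`, where `sha2signcode` still appends its format scope while `autograph_gpg` in the same `formats` list does not. The function body starts and ends outside the hunk.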
|
||||
|
|
|
@ -95,7 +95,7 @@ def _craft_upstream_artifacts(dependency_kind, build_platform):
|
|||
signing_format = 'sha2signcode'
|
||||
extension = 'zip'
|
||||
elif build_platform.startswith('linux'):
|
||||
signing_format = 'gpg'
|
||||
signing_format = 'autograph_gpg'
|
||||
extension = 'tar.gz'
|
||||
else:
|
||||
raise ValueError('Unsupported build platform "{}"'.format(build_platform))
|
||||
|
|
|
@ -64,8 +64,7 @@ def make_signing_description(config, jobs):
|
|||
scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
|
||||
formats = ['sha2signcode']
|
||||
else:
|
||||
scopes.append(add_scope_prefix(config, 'signing:format:gpg'))
|
||||
formats = ['gpg']
|
||||
formats = ['autograph_gpg']
|
||||
|
||||
rev = attributes['openh264_rev']
|
||||
upstream_artifacts = [{
|
||||
|
|
|
@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
|
|||
from taskgraph.util.scriptworker import (
|
||||
get_signing_cert_scope,
|
||||
get_worker_type_for_scope,
|
||||
add_scope_prefix,
|
||||
)
|
||||
from taskgraph.util.taskcluster import get_artifact_path
|
||||
from taskgraph.transforms.task import task_description_schema
|
||||
|
@ -61,7 +60,7 @@ def make_release_generate_checksums_signing_description(config, jobs):
|
|||
get_artifact_path(dep_job, "SHA256SUMS"),
|
||||
get_artifact_path(dep_job, "SHA512SUMS"),
|
||||
],
|
||||
"formats": ["gpg"]
|
||||
"formats": ["autograph_gpg"]
|
||||
}]
|
||||
|
||||
signing_cert_scope = get_signing_cert_scope(config)
|
||||
|
@ -75,7 +74,6 @@ def make_release_generate_checksums_signing_description(config, jobs):
|
|||
'max-run-time': 3600},
|
||||
'scopes': [
|
||||
signing_cert_scope,
|
||||
add_scope_prefix(config, 'signing:format:gpg'),
|
||||
],
|
||||
'dependencies': dependencies,
|
||||
'attributes': attributes,
|
||||
|
|
|
@ -72,7 +72,7 @@ def make_repackage_signing_description(config, jobs):
|
|||
signing_cert_scope = get_signing_cert_scope_per_platform(
|
||||
build_platform, is_nightly, config
|
||||
)
|
||||
scopes = [signing_cert_scope, add_scope_prefix(config, 'signing:format:gpg')]
|
||||
scopes = [signing_cert_scope]
|
||||
|
||||
if 'win' in build_platform:
|
||||
upstream_artifacts = [{
|
||||
|
@ -81,7 +81,7 @@ def make_repackage_signing_description(config, jobs):
|
|||
"paths": [
|
||||
get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
|
||||
],
|
||||
"formats": ["sha2signcode", "gpg"]
|
||||
"formats": ["sha2signcode", "autograph_gpg"]
|
||||
}]
|
||||
scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
|
||||
elif 'mac' in build_platform:
|
||||
|
@ -91,7 +91,7 @@ def make_repackage_signing_description(config, jobs):
|
|||
"paths": [
|
||||
get_artifact_path(dep_job, "{}/target.dmg".format(repack_id)),
|
||||
],
|
||||
"formats": ["gpg"]
|
||||
"formats": ["autograph_gpg"]
|
||||
}]
|
||||
elif 'linux' in build_platform:
|
||||
upstream_artifacts = [{
|
||||
|
@ -100,7 +100,7 @@ def make_repackage_signing_description(config, jobs):
|
|||
"paths": [
|
||||
get_artifact_path(dep_job, "{}/target.tar.bz2".format(repack_id)),
|
||||
],
|
||||
"formats": ["gpg"]
|
||||
"formats": ["autograph_gpg"]
|
||||
}]
|
||||
|
||||
task = {
|
||||
|
|
|
@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
|
|||
from taskgraph.util.scriptworker import (
|
||||
get_signing_cert_scope,
|
||||
get_worker_type_for_scope,
|
||||
add_scope_prefix,
|
||||
)
|
||||
from taskgraph.transforms.task import task_description_schema
|
||||
from voluptuous import Required, Optional
|
||||
|
@ -57,7 +56,7 @@ def make_checksums_signing_description(config, jobs):
|
|||
"paths": [
|
||||
"public/target-source.checksums",
|
||||
],
|
||||
"formats": ["gpg"]
|
||||
"formats": ["autograph_gpg"]
|
||||
}]
|
||||
|
||||
signing_cert_scope = get_signing_cert_scope(config)
|
||||
|
@ -71,7 +70,6 @@ def make_checksums_signing_description(config, jobs):
|
|||
'max-run-time': 3600},
|
||||
'scopes': [
|
||||
signing_cert_scope,
|
||||
add_scope_prefix(config, 'signing:format:gpg'),
|
||||
],
|
||||
'dependencies': dependencies,
|
||||
'attributes': attributes,
|
||||
|
|
|
@ -24,7 +24,7 @@ def generate_specifications_of_artifacts_to_sign(
|
|||
'artifacts': [
|
||||
get_artifact_path(task, 'source.tar.xz')
|
||||
],
|
||||
'formats': ['gpg'],
|
||||
'formats': ['autograph_gpg'],
|
||||
}]
|
||||
elif 'android' in build_platform:
|
||||
artifacts_specifications = [{
|
||||
|
@ -64,7 +64,7 @@ def generate_specifications_of_artifacts_to_sign(
|
|||
elif 'linux' in build_platform:
|
||||
artifacts_specifications = [{
|
||||
'artifacts': [get_artifact_path(task, '{locale}/target.tar.bz2')],
|
||||
'formats': ['gpg', 'widevine'],
|
||||
'formats': ['autograph_gpg', 'widevine'],
|
||||
}]
|
||||
else:
|
||||
raise Exception("Platform not implemented for signing")
|
||||
|
@ -108,7 +108,7 @@ def get_signed_artifacts(input, formats):
|
|||
artifacts.add(input.replace('.dmg', '.tar.gz'))
|
||||
else:
|
||||
artifacts.add(input)
|
||||
if 'gpg' in formats:
|
||||
if 'autograph_gpg' in formats:
|
||||
artifacts.add('{}.asc'.format(input))
|
||||
|
||||
return artifacts
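Review bot: In `get_signed_artifacts` the `.asc` entry is now added only when `'autograph_gpg'` is in `formats`, so a caller that still passes the legacy `'gpg'` name gets back a set without the detached signature and no error. Callers outside this commit are not visible here; if any remain, downstream tasks would quietly stop expecting the signature file. Failing loudly on the old name would surface that, e.g. `if 'gpg' in formats: raise ValueError("legacy 'gpg' format; use 'autograph_gpg'")` placed ahead of the check. The function starts outside the hunk.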
|
||||
|
|