From 2ae1754b27a4cc7a80de4c6d54723f67af235874 Mon Sep 17 00:00:00 2001 From: Chris AtLee Date: Wed, 15 May 2019 13:17:26 +0000 Subject: [PATCH] Bug 1520591: switch gpg signing to autograph r=aki Differential Revision: https://phabricator.services.mozilla.com/D31135 --HG-- extra : moz-landing-system : lando --- taskcluster/docs/signing.rst | 13 ++++--------- .../taskgraph/transforms/checksums_signing.py | 4 +--- .../taskgraph/transforms/geckodriver_signing.py | 2 +- .../taskgraph/transforms/openh264_signing.py | 3 +-- .../release_generate_checksums_signing.py | 4 +--- .../transforms/repackage_signing_partner.py | 8 ++++---- .../transforms/source_checksums_signing.py | 4 +--- taskcluster/taskgraph/util/signed_artifacts.py | 6 +++--- 8 files changed, 16 insertions(+), 28 deletions(-) diff --git a/taskcluster/docs/signing.rst b/taskcluster/docs/signing.rst index 625903c0e159..3a21848fa7e1 100644 --- a/taskcluster/docs/signing.rst +++ b/taskcluster/docs/signing.rst @@ -33,7 +33,7 @@ An example signing task payload: "taskType": "build" }, { "paths": ["public/build/target.tar.gz"], - "formats": ["gpg"], + "formats": ["autograph_gpg"], "taskId": "12345", "taskType": "build" }] @@ -46,7 +46,7 @@ task definitions via `chain of trust`_ verification. Then it will launch `signingscript`_, which requests a signing token from the signing server pool. Signingscript determines it wants to sign ``target.dmg`` with the ``macapp`` -format, and ``target.tar.gz`` with the ``gpg`` format. Each of the +format, and ``target.tar.gz`` with the ``autograph_gpg`` format. Each of the `signing formats`_ has their own behavior. After performing any format-specific checks or optimizations, it calls `signtool`_ to submit the file to the signing servers and poll them for signed output. Once it downloads all of the signed 
@@ -90,13 +90,8 @@ Signing formats
 The known signingscript formats are listed in the fourth column of the `signing password files`_.
-The formats are specified in the ``upstreamArtifacts`` list-of-dicts. The task
-must have a superset of scopes to match. For example, a Firefox signing task
-with an ``upstreamArtifacts`` that lists both ``gpg`` and ``macapp`` formats must
-have both ``project:releng:signing:format:gpg`` and
-``project:releng:signing:format:macapp`` in its scopes.
-
-``gpg`` signing results in a detached ``.asc`` signature file. Because of its
+The formats are specified in the ``upstreamArtifacts`` list-of-dicts.
+``autograph_gpg`` signing results in a detached ``.asc`` signature file. Because of its
 nature, we gpg-sign at the end if given multiple formats for a given set of files.
diff --git a/taskcluster/taskgraph/transforms/checksums_signing.py b/taskcluster/taskgraph/transforms/checksums_signing.py
index bc7f09808d9a..5db07afe02f3 100644
--- a/taskcluster/taskgraph/transforms/checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/checksums_signing.py
@@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.scriptworker import (
 get_signing_cert_scope,
 get_worker_type_for_scope,
- add_scope_prefix,
 )
 from taskgraph.util.treeherder import replace_group
 from taskgraph.transforms.task import task_description_schema
@@ -75,7 +74,7 @@ def make_checksums_signing_description(config, jobs):
 "paths": [
 "public/target.checksums",
 ],
- "formats": ["gpg"]
+ "formats": ["autograph_gpg"]
 }]
 signing_cert_scope = get_signing_cert_scope(config)
@@ -88,7 +87,6 @@ def make_checksums_signing_description(config, jobs):
 'max-run-time': 3600},
 'scopes': [
 signing_cert_scope,
- add_scope_prefix(config, 'signing:format:gpg'),
 ],
 'dependencies': dependencies,
 'attributes': attributes,
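Review bot: Removing `add_scope_prefix(config, 'signing:format:gpg')` from the `scopes` list in the last hunk leaves `signing_cert_scope` as the only scope gating this signing task, and no `signing:format:autograph_gpg` scope is added in its place. If signingscript still enforces a per-format scope for autograph formats the task will be rejected at scope verification; if it does not, any task holding the cert scope can now request a detached GPG signature, which is a wider authorization surface than the per-format gate the removed docs paragraph described. If the latter is the intent, a comment above `'scopes': [` such as `# autograph_gpg has no format scope; the signing cert scope alone gates it` would record that so a later reader does not re-add the old scope. The same removal appears in release_generate_checksums_signing.py, source_checksums_signing.py, openh264_signing.py and repackage_signing_partner.py, and in the last two the `sha2signcode` branch still appends its format scope, so the two formats are now gated differently. make_checksums_signing_description's body continues outside the hunk.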
diff --git a/taskcluster/taskgraph/transforms/geckodriver_signing.py b/taskcluster/taskgraph/transforms/geckodriver_signing.py
index 1276b1a936d0..cc271921e7aa 100644
--- a/taskcluster/taskgraph/transforms/geckodriver_signing.py
+++ b/taskcluster/taskgraph/transforms/geckodriver_signing.py
@@ -95,7 +95,7 @@ def _craft_upstream_artifacts(dependency_kind, build_platform):
 signing_format = 'sha2signcode'
 extension = 'zip'
 elif build_platform.startswith('linux'):
- signing_format = 'gpg'
+ signing_format = 'autograph_gpg'
 extension = 'tar.gz'
 else:
 raise ValueError('Unsupported build platform "{}"'.format(build_platform))
diff --git a/taskcluster/taskgraph/transforms/openh264_signing.py b/taskcluster/taskgraph/transforms/openh264_signing.py
index 1fbd94e0b5e2..6475f6f9cdc2 100644
--- a/taskcluster/taskgraph/transforms/openh264_signing.py
+++ b/taskcluster/taskgraph/transforms/openh264_signing.py
@@ -64,8 +64,7 @@ def make_signing_description(config, jobs):
 scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
 formats = ['sha2signcode']
 else:
- scopes.append(add_scope_prefix(config, 'signing:format:gpg'))
- formats = ['gpg']
+ formats = ['autograph_gpg']
 rev = attributes['openh264_rev']
 upstream_artifacts = [{
diff --git a/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py b/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
index 395f3e86cc59..7f31276962d3 100644
--- a/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
@@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.scriptworker import (
 get_signing_cert_scope,
 get_worker_type_for_scope,
- add_scope_prefix,
 )
 from taskgraph.util.taskcluster import get_artifact_path
 from taskgraph.transforms.task import task_description_schema
@@ -61,7 +60,7 @@ def make_release_generate_checksums_signing_description(config, jobs):
 get_artifact_path(dep_job, "SHA256SUMS"),
 get_artifact_path(dep_job, "SHA512SUMS"),
 ],
- "formats": ["gpg"]
+ "formats": ["autograph_gpg"]
 }]
 signing_cert_scope = get_signing_cert_scope(config)
@@ -75,7 +74,6 @@ def make_release_generate_checksums_signing_description(config, jobs):
 'max-run-time': 3600},
 'scopes': [
 signing_cert_scope,
- add_scope_prefix(config, 'signing:format:gpg'),
 ],
 'dependencies': dependencies,
 'attributes': attributes,
diff --git a/taskcluster/taskgraph/transforms/repackage_signing_partner.py b/taskcluster/taskgraph/transforms/repackage_signing_partner.py
index d78a03fb0cd4..a88a4900f204 100644
--- a/taskcluster/taskgraph/transforms/repackage_signing_partner.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing_partner.py
@@ -72,7 +72,7 @@ def make_repackage_signing_description(config, jobs):
 signing_cert_scope = get_signing_cert_scope_per_platform(
 build_platform, is_nightly, config
 )
- scopes = [signing_cert_scope, add_scope_prefix(config, 'signing:format:gpg')]
+ scopes = [signing_cert_scope]
 if 'win' in build_platform:
 upstream_artifacts = [{
@@ -81,7 +81,7 @@ def make_repackage_signing_description(config, jobs):
 "paths": [
 get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
 ],
- "formats": ["sha2signcode", "gpg"]
+ "formats": ["sha2signcode", "autograph_gpg"]
 }]
 scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
 elif 'mac' in build_platform:
@@ -91,7 +91,7 @@ def make_repackage_signing_description(config, jobs):
 "paths": [
 get_artifact_path(dep_job, "{}/target.dmg".format(repack_id)),
 ],
- "formats": ["gpg"]
+ "formats": ["autograph_gpg"]
 }]
 elif 'linux' in build_platform:
 upstream_artifacts = [{
@@ -100,7 +100,7 @@ def make_repackage_signing_description(config, jobs):
 "paths": [
 get_artifact_path(dep_job, "{}/target.tar.bz2".format(repack_id)),
 ],
- "formats": ["gpg"]
+ "formats": ["autograph_gpg"]
 }]
 task = {
diff --git a/taskcluster/taskgraph/transforms/source_checksums_signing.py b/taskcluster/taskgraph/transforms/source_checksums_signing.py
index 2cc3e1ee36aa..fc235ec1527c 100644
--- a/taskcluster/taskgraph/transforms/source_checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/source_checksums_signing.py
@@ -13,7 +13,6 @@ from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.scriptworker import (
 get_signing_cert_scope,
 get_worker_type_for_scope,
- add_scope_prefix,
 )
 from taskgraph.transforms.task import task_description_schema
 from voluptuous import Required, Optional
@@ -57,7 +56,7 @@ def make_checksums_signing_description(config, jobs):
 "paths": [
 "public/target-source.checksums",
 ],
- "formats": ["gpg"]
+ "formats": ["autograph_gpg"]
 }]
 signing_cert_scope = get_signing_cert_scope(config)
@@ -71,7 +70,6 @@ def make_checksums_signing_description(config, jobs):
 'max-run-time': 3600},
 'scopes': [
 signing_cert_scope,
- add_scope_prefix(config, 'signing:format:gpg'),
 ],
 'dependencies': dependencies,
 'attributes': attributes,
diff --git a/taskcluster/taskgraph/util/signed_artifacts.py b/taskcluster/taskgraph/util/signed_artifacts.py
index f4076e9778b1..93d118b73786 100644
--- a/taskcluster/taskgraph/util/signed_artifacts.py
+++ b/taskcluster/taskgraph/util/signed_artifacts.py
@@ -24,7 +24,7 @@ def generate_specifications_of_artifacts_to_sign(
 'artifacts': [
 get_artifact_path(task, 'source.tar.xz')
 ],
- 'formats': ['gpg'],
+ 'formats': ['autograph_gpg'],
 }]
 elif 'android' in build_platform:
 artifacts_specifications = [{
@@ -64,7 +64,7 @@ def generate_specifications_of_artifacts_to_sign(
 elif 'linux' in build_platform:
 artifacts_specifications = [{
 'artifacts': [get_artifact_path(task, '{locale}/target.tar.bz2')],
- 'formats': ['gpg', 'widevine'],
+ 'formats': ['autograph_gpg', 'widevine'],
 }]
 else:
 raise Exception("Platform not implemented for signing")
@@ -108,7 +108,7 @@ def get_signed_artifacts(input, formats):
 artifacts.add(input.replace('.dmg', '.tar.gz'))
 else:
 artifacts.add(input)
- if 'gpg' in formats:
+ if 'autograph_gpg' in formats:
 artifacts.add('{}.asc'.format(input))
 return artifacts
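Review bot: `get_signed_artifacts` now keys the `.asc` expectation on the literal `'autograph_gpg'`, so any `formats` list that still carries the old `'gpg'` value (a kind definition or transform outside this patch, if one remains) would silently declare no `.asc` artifact instead of failing, and the missing signature would only surface downstream. Either keep both spellings during the transition with `if 'autograph_gpg' in formats or 'gpg' in formats:`, or, if `'gpg'` is meant to be retired, reject it explicitly so a stale caller is visible at graph generation rather than at artifact fetch time. The enclosing function begins outside the hunk.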