mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1724247 - Post: Make test publisher subject more than CN; use `universal_newlines=True`. r=firefox-build-system-reviewers,mhentges 

This commit does three things:

1. It makes thes MSIX test publisher subject "CN=..., OU=...".  This
   is more like the actual Firefox signing certificates".

2. It moves to use `universal_newlines=True` rather than decoding manually.

3. It fixes an oversight where a particular Powershell invocation
   would fail when a certificate was missing.

Differential Revision: https://phabricator.services.mozilla.com/D121902
This commit is contained in:
Nick Alexander 2021-08-05 18:42:19 +00:00
Родитель 554bc76540
Коммит 8299caa95c
2 изменённых файлов: 13 добавлений и 10 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
python/mozbuild/mozbuild/mach_commands.py
Просмотреть файл

@ -2177,7 +2177,7 @@ class Repackage(MachCommandBase):
type=str,
# This default is baked into enough places under `browser/` that we need
# not extract a constant.
default="CN=Mozilla Corporation",
default="CN=Mozilla Corporation, OU=MSIX Packaging",
required=False,
help="The Publisher string to use in the App Manifest."
+ " It must match the subject on the certificate used for signing",

21
python/mozbuild/mozbuild/repackaging/msix.py
Просмотреть файл

@ -421,14 +421,16 @@ def sign_msix(output, force=False, log=None, verbose=False):
if not powershell_exe:
raise ValueError("powershell is required; " "set POWERSHELL or PATH")
def powershell(argstring):
def powershell(argstring, check=True):
"Invoke `powershell.exe`. Arguments are given as a string to allow consumer to quote."
args = [powershell_exe, "-c", argstring]
joined = " ".join(shlex_quote(arg) for arg in args)
log(
logging.INFO, "msix", {"args": args, "joined": joined}, "Invoking: {joined}"
)
return subprocess.check_output(args)
return subprocess.run(
args, check=check, universal_newlines=True, capture_output=True
).stdout
signtool = find_sdk_tool("signtool.exe", log=log)
if not signtool:
@ -442,7 +444,7 @@ def sign_msix(output, force=False, log=None, verbose=False):
# These are baked into enough places under `browser/` that we need not
# extract constants.
vendor = "Mozilla"
publisher = "CN=Mozilla Corporation"
publisher = "CN=Mozilla Corporation, OU=MSIX Packaging"
friendly_name = "Mozilla Corporation MSIX Packaging Test Certificate"
# The convention is $MOZBUILD_STATE_PATH/cache/$FEATURE.
@ -470,7 +472,7 @@ def sign_msix(output, force=False, log=None, verbose=False):
)
thumbprints = [
thumbprint.decode("utf-8").strip()
thumbprint.strip()
for thumbprint in powershell(
(
"Get-ChildItem -Path Cert:\CurrentUser\My"
@ -551,7 +553,7 @@ def sign_msix(output, force=False, log=None, verbose=False):
)
thumbprints = [
thumbprint.decode("utf-8").strip()
thumbprint.strip()
for thumbprint in powershell(
'Get-PfxCertificate -FilePath "{}" | Select-Object -ExpandProperty Thumbprint'.format(
crt_path
@ -585,13 +587,13 @@ def sign_msix(output, force=False, log=None, verbose=False):
output,
]
if not verbose:
subprocess.check_call(args)
subprocess.check_call(args, universal_newlines=True)
else:
# Suppress output unless we fail.
try:
subprocess.check_output(args)
subprocess.check_output(args, universal_newlines=True)
except subprocess.CalledProcessError as e:
sys.stderr.write(e.output.decode("utf-8"))
sys.stderr.write(e.output)
raise
# As a convenience to the user, tell how to use this certificate if it's not
@ -601,7 +603,8 @@ def sign_msix(output, force=False, log=None, verbose=False):
root_thumbprint.strip()
for root_thumbprint in powershell(
"Get-ChildItem -Path Cert:\LocalMachine\Root\{} "
"| Select-Object -ExpandProperty Thumbprint".format(thumbprint)
"| Select-Object -ExpandProperty Thumbprint".format(thumbprint),
check=False,
).splitlines()
]
if thumbprint not in root_thumbprints: