Bug 1562412 - add build-notarization-part-1 kind. r=Callek

Differential Revision: https://phabricator.services.mozilla.com/D57736 --HG-- extra : moz-landing-system : lando
2020-02-25 15:40:04 +00:00 · 2020-02-25 15:40:04 +00:00 · eefbf69511
--- a/taskcluster/ci/build-notarization-part-1/kind.yml
+++ b/taskcluster/ci/build-notarization-part-1/kind.yml
@ -0,0 +1,27 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+    - taskgraph.transforms.name_sanity:transforms
+    - taskgraph.transforms.build_signing:transforms
+    - taskgraph.transforms.signing:transforms
+    - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+    - build
+
+only-for-attributes:
+    - shippable
+    - nightly
+
+only-for-build-platforms:
+    - macosx64-shippable/opt
+    - macosx64-devedition/opt
+
+job-template:
+    treeherder:
+        symbol: BN
+    enable-signing-routes: false
--- a/taskcluster/docs/kinds.rst
+++ b/taskcluster/docs/kinds.rst
@ -34,6 +34,13 @@ Many builds must be signed. The build-signing task takes the unsigned `build`
 kind artifacts and passes them through signingscriptworker to a signing server
 and returns signed results.

+For mac notarization, we download the signed bits that have been notarized by Apple, and we staple the notarization to the app and pkg.
+
+build-notarization-part-1
+-------------------------
+
+We switched to a 3-part mac notarization workflow in bug 1562412. This is the first task, which signs the files and submits them for notarization.
+
 artifact-build
 --------------

--- a/taskcluster/taskgraph/transforms/build_signing.py
+++ b/taskcluster/taskgraph/transforms/build_signing.py
@ -22,9 +22,10 @@ def add_signed_routes(config, jobs):

    for job in jobs:
        dep_job = job['primary-dependency']
+        enable_signing_routes = job.pop('enable-signing-routes', True)

        job['routes'] = []
-        if dep_job.attributes.get('shippable'):
+        if dep_job.attributes.get('shippable') and enable_signing_routes:
            for dep_route in dep_job.task.get('routes', []):
                if not dep_route.startswith('index.gecko.v2'):
                    continue
@ -32,7 +33,7 @@ def add_signed_routes(config, jobs):
                rest = ".".join(dep_route.split(".")[4:])
                job['routes'].append(
                    'index.gecko.v2.{}.signed.{}'.format(branch, rest))
-        if dep_job.attributes.get('nightly'):
+        if dep_job.attributes.get('nightly') and enable_signing_routes:
            for dep_route in dep_job.task.get('routes', []):
                if not dep_route.startswith('index.gecko.v2'):
                    continue