# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
"""
Defines artifacts to sign before repackage.
"""
from __future__ import absolute_import, print_function, unicode_literals
from taskgraph.util.taskcluster import get_artifact_path
from taskgraph.util.declarative_artifacts import get_geckoview_upstream_artifacts
# Build platforms for which langpack XPIs are added to the signing
# specifications (membership is tested by exact platform name).
LANGPACK_SIGN_PLATFORMS = {
    'linux64-shippable',
    'linux64-devedition',
    'macosx64-shippable',
    'macosx64-devedition',
}
def is_partner_kind(kind):
    """Tell whether *kind* names a partner or EME-free release kind.

    Returns ``True`` when *kind* starts with ``release-partner`` or
    ``release-eme-free``; otherwise returns ``None`` (falsy), including
    for an empty or missing kind.
    """
    partner_prefixes = ('release-partner', 'release-eme-free')
    if not kind:
        return None
    if kind.startswith(partner_prefixes):
        return True
    return None
def is_notarization_kind(kind):
    """Tell whether *kind* refers to a notarization task.

    Returns ``True`` when the substring ``notarization`` occurs anywhere in
    *kind*; otherwise returns ``None`` (falsy), including for an empty or
    missing kind.
    """
    if not kind:
        return None
    return True if 'notarization' in kind else None
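def generate_specifications_of_artifacts_to_sign(
    config, job, keep_locale_template=True, kind=None, dep_kind=None
):
    """Return the artifact/format specifications a signing task should request.

    Each specification is a dict with an ``artifacts`` list (paths built by
    ``get_artifact_path``) and a ``formats`` list naming the signing formats
    to apply to those artifacts.

    Args:
        config: Only forwarded to ``get_geckoview_artifacts_to_sign`` for
            android platforms.
        job: Job definition; ``job['attributes']`` supplies
            ``build_platform``, ``stub-installer`` and ``chunk_locales``.
        keep_locale_template: When false, the ``{locale}`` placeholders are
            stripped from every artifact path before returning.
        kind: Kind of the signing task. ``release-source-signing`` selects
            the source tarball regardless of platform; partner kinds get
            the ``autograph_widevine`` and ``autograph_omnija`` formats
            removed from the result.
        dep_kind: Checked with ``is_notarization_kind`` on macosx platforms;
            a notarization kind selects the stapling specification, which
            requests no signing formats.

    Returns:
        A list of ``{'artifacts': [...], 'formats': [...]}`` dicts.

    Raises:
        Exception: If no platform branch matches, including when the job
            carries no ``build_platform`` attribute.
    """
    attributes = job['attributes']
    build_platform = attributes.get('build_platform')
    use_stub = attributes.get('stub-installer')
    # Get locales to know if we want to sign ja-JP-mac langpack
    locales = attributes.get('chunk_locales', [])

    # A job without a build_platform must end in the explicit
    # "not implemented" error below rather than a TypeError from a substring
    # test against None, so the substring checks use a string stand-in.
    platform = build_platform or ''

    # NOTE: platforms are matched by substring, so the order of these
    # branches decides which specification a platform name receives.
    if kind == 'release-source-signing':
        artifacts_specifications = [{
            'artifacts': [
                get_artifact_path(job, 'source.tar.xz')
            ],
            'formats': ['autograph_gpg'],
        }]
    elif 'android' in platform:
        artifacts_specifications = [{
            'artifacts': get_geckoview_artifacts_to_sign(config, job),
            'formats': ['autograph_gpg'],
        }]
    # XXX: Mars aren't signed here (on any platform) because internals will be
    # signed after this stage of the release
    elif 'macosx' in platform:
        if is_notarization_kind(dep_kind):
            # This task is notarization part 3: download signed bits,
            # and staple notarization. No signing format is requested.
            artifacts_specifications = [{
                'artifacts': [
                    get_artifact_path(job, '{locale}/target.tar.gz'),
                    get_artifact_path(job, '{locale}/target.pkg'),
                ],
                'formats': [],
            }]
            langpack_formats = []
        else:
            # This task is either depsigning, or notarization part 1:
            # download unsigned bits, and sign. If notarization part 1,
            # submit for notarization and create a uuid_manifest.json
            if is_partner_kind(kind):
                extension = 'tar.gz'
            else:
                extension = 'dmg'
            artifacts_specifications = [{
                # '{{locale}}' survives .format() as a literal '{locale}'.
                'artifacts': [get_artifact_path(job, '{{locale}}/target.{}'.format(extension))],
                'formats': ['macapp', 'autograph_widevine', 'autograph_omnija'],
            }]
            langpack_formats = ['autograph_langpack']

        if 'ja-JP-mac' in locales and build_platform in LANGPACK_SIGN_PLATFORMS:
            artifacts_specifications += [{
                'artifacts': [get_artifact_path(job, 'ja-JP-mac/target.langpack.xpi')],
                'formats': langpack_formats,
            }]
    elif 'win' in platform:
        artifacts_specifications = [{
            'artifacts': [
                get_artifact_path(job, '{locale}/setup.exe'),
            ],
            'formats': ['autograph_authenticode'],
        }, {
            'artifacts': [
                get_artifact_path(job, '{locale}/target.zip'),
            ],
            'formats': ['autograph_authenticode', 'autograph_widevine', 'autograph_omnija'],
        }]

        if use_stub:
            # The stub installer joins the first (authenticode-only) spec.
            artifacts_specifications[0]['artifacts'] += [
                get_artifact_path(job, '{locale}/setup-stub.exe')
            ]
    elif 'linux' in platform:
        artifacts_specifications = [{
            'artifacts': [get_artifact_path(job, '{locale}/target.tar.bz2')],
            'formats': ['autograph_gpg', 'autograph_widevine', 'autograph_omnija'],
        }]
        if build_platform in LANGPACK_SIGN_PLATFORMS:
            artifacts_specifications += [{
                'artifacts': [get_artifact_path(job, '{locale}/target.langpack.xpi')],
                'formats': ['autograph_langpack'],
            }]
    else:
        raise Exception("Platform not implemented for signing")

    if not keep_locale_template:
        artifacts_specifications = _strip_locale_template(artifacts_specifications)

    if is_partner_kind(kind):
        artifacts_specifications = _strip_widevine_for_partners(artifacts_specifications)

    return artifacts_specifications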
def _strip_locale_template(artifacts_without_locales):
    """Remove the ``{locale}`` placeholder from every artifact path, in place.

    Each path is formatted with an empty locale and every ``//`` in the
    result is replaced by ``/``. The specification dicts and their
    ``artifacts`` lists are mutated rather than copied, and the same outer
    list is returned.
    """
    for specification in artifacts_without_locales:
        paths = specification['artifacts']
        # Slice assignment keeps the existing list object, so any other
        # reference to it observes the stripped paths as well.
        paths[:] = [
            path.format(locale='').replace('//', '/')
            for path in paths
        ]

    return artifacts_without_locales
def _strip_widevine_for_partners(artifacts_specifications):
    """Drop the widevine and omnija formats from every specification, in place.

    Partner repacks should not re-sign what was previously signed, for fear
    of breaking partial updates. One occurrence of ``autograph_widevine``
    and one of ``autograph_omnija`` is removed from each ``formats`` list
    when present; the same outer list is returned.
    """
    formats_to_drop = ('autograph_widevine', 'autograph_omnija')
    for specification in artifacts_specifications:
        formats = specification['formats']
        for unwanted in formats_to_drop:
            if unwanted in formats:
                formats.remove(unwanted)

    return artifacts_specifications
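def get_signed_artifacts(input, formats, behavior=None):
    """Get the set of signed artifacts for the given input and formats.

    Args:
        input: Path of the artifact handed to the signing task.
        formats: Signing formats requested for that artifact.
        behavior: Optional behavior name; any truthy value other than
            ``"mac_sign"`` adds a ``.pkg`` output for a ``.dmg`` input.

    Returns:
        A set of paths. A ``.dmg`` input maps to a ``.tar.gz`` (and
        possibly a ``.pkg``) with the same stem; any other input maps to
        itself. When ``autograph_gpg`` is among the formats, ``<input>.asc``
        is added as well.
    """
    dmg_suffix = '.dmg'
    artifacts = set()
    if input.endswith(dmg_suffix):
        # Swap only the trailing extension: a '.dmg' occurring earlier in
        # the path (e.g. in a directory name) must be left untouched, or the
        # expected output path would not match what signing produces.
        stem = input[:-len(dmg_suffix)]
        artifacts.add(stem + '.tar.gz')
        if behavior and behavior != "mac_sign":
            artifacts.add(stem + '.pkg')
    else:
        artifacts.add(input)
    if 'autograph_gpg' in formats:
        # The detached signature is named after the original input path.
        artifacts.add('{}.asc'.format(input))

    return artifacts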
def get_geckoview_artifacts_to_sign(config, job):
    """List the geckoview upstream artifact paths that should be signed.

    Flattens the ``paths`` of every entry returned by
    ``get_geckoview_upstream_artifacts(config, job)``, leaving out the
    ``.md5`` and ``.sha1`` files so they are not submitted for signing.
    """
    skipped_suffixes = ('.md5', '.sha1')
    paths_to_sign = []
    for upstream_artifact in get_geckoview_upstream_artifacts(config, job):
        for path in upstream_artifact['paths']:
            if path.endswith(skipped_suffixes):
                continue
            paths_to_sign.append(path)
    return paths_to_sign