From 0ba2d4b55c9a8019116c1aeb26ecd9633dbdff09 Mon Sep 17 00:00:00 2001 From: Heitor Neiva Date: Tue, 21 Nov 2023 15:57:58 -0800 Subject: [PATCH] DO NOT MERGE - Test signingscript rcodesign --- signing-manifests/test-mac-hardened-sign.yml | 4 ++-- taskcluster/adhoc_taskgraph/signing_manifest.py | 3 ++- taskcluster/adhoc_taskgraph/transforms/signing.py | 3 ++- taskcluster/adhoc_taskgraph/worker_types.py | 6 ++++-- taskcluster/ci/config.yml | 2 +- taskcluster/ci/dep-signing/kind.yml | 9 ++++++--- 6 files changed, 17 insertions(+), 10 deletions(-) diff --git a/signing-manifests/test-mac-hardened-sign.yml b/signing-manifests/test-mac-hardened-sign.yml index 11a60c4..bb732d9 100644 --- a/signing-manifests/test-mac-hardened-sign.yml +++ b/signing-manifests/test-mac-hardened-sign.yml @@ -4,12 +4,12 @@ sha256: 5b95d1a32ca449970e49d7a85a8a88294de31ec427e8b6616098b088aeea5ee7 filesize: 80945464 private-artifact: false signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"] -requestor: Haik Aftandilian +requestor: Heitor Neiva reason: Firefox hardened signing per-process entitlements product: firefox artifact-name: target.dmg -mac-behavior: mac_sign_and_pkg_hardened signingscript-notarization: true +sign-tool: rcodesign hardened-sign-config: - deep: false runtime: true diff --git a/taskcluster/adhoc_taskgraph/signing_manifest.py b/taskcluster/adhoc_taskgraph/signing_manifest.py index 55b74d5..2f526d8 100644 --- a/taskcluster/adhoc_taskgraph/signing_manifest.py +++ b/taskcluster/adhoc_taskgraph/signing_manifest.py @@ -28,7 +28,7 @@ "autograph_hash_only_mar384", "macapp", "mac_single_file", - "autograph_widevine", + "autograph_widevine", "autograph_omnija", ) @@ -61,6 +61,7 @@ }, ), Required("manifest_name"): str, + Optional("sign-tool"): str, Optional("mac-behavior"): str, Optional("signingscript-notarization"): bool, Optional("hardened-sign-config"): [{str: object}], 
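Review bot: `Optional("sign-tool"): str` in the second signing_manifest.py hunk accepts any string, so a misspelled tool name passes manifest validation. Going by the `by-sign-tool` table this patch adds to `dep-signing/kind.yml`, such a value would fall through to `default` and take the non-rcodesign path without an error. For a field that selects the signing worker, an allow-list is the safer schema: `Optional("sign-tool"): Any("rcodesign"),`. This assumes the schema is voluptuous, as `Required`/`Optional` suggest; the import block is outside the hunk, so check that `Any` is in scope. A short comment beside the key listing the accepted tools would also help manifest authors.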
diff --git a/taskcluster/adhoc_taskgraph/transforms/signing.py b/taskcluster/adhoc_taskgraph/transforms/signing.py index 1ec5e5b..5196b04 100644 --- a/taskcluster/adhoc_taskgraph/transforms/signing.py +++ b/taskcluster/adhoc_taskgraph/transforms/signing.py @@ -32,6 +32,7 @@ def define_signing_flags(config, tasks): for f in ("macapp", "mac_single_file"): if f in task["attributes"]["manifest"]["signing-formats"]: format_ = f + sign_tool = task["attributes"]["manifest"].get("sign-tool") for key in ("worker-type", "worker.signing-type", "index.type"): resolve_keyed_by( @@ -39,7 +40,7 @@ def define_signing_flags(config, tasks): key, item_name=task["name"], level=config.params["level"], - format=format_, + **{"format": format_, "sign-tool": sign_tool}, ) yield task diff --git a/taskcluster/adhoc_taskgraph/worker_types.py b/taskcluster/adhoc_taskgraph/worker_types.py index cb503d0..57b2cc9 100644 --- a/taskcluster/adhoc_taskgraph/worker_types.py +++ b/taskcluster/adhoc_taskgraph/worker_types.py @@ -46,6 +46,7 @@ def _set_task_scopes(config, worker, task_def): } ], Optional("product"): str, + Optional("hardened-sign-config"): [{str: object}], }, ) def build_scriptworker_signing_payload(config, task, task_def): @@ -58,8 +59,9 @@ def build_scriptworker_signing_payload(config, task, task_def): "upstreamArtifacts": worker["upstream-artifacts"], } - if "product" in worker: - task_def["payload"]["product"] = worker["product"] + for key in ("product", "hardened-sign-config"): + if key in worker: + task_def["payload"][key] = worker[key] _set_task_scopes(config, worker, task_def) diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml index eb04b7b..660a3da 100644 --- a/taskcluster/ci/config.yml +++ b/taskcluster/ci/config.yml 
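Review bot: `sign_tool` is `None` for every manifest that omits `sign-tool`, and both transforms/signing.py hunks together pass that `None` to `resolve_keyed_by` as the `sign-tool` value for `worker-type`, `worker.signing-type` and `index.type`. Whether a `None` key selects `default` or raises depends on the taskgraph version in use, which this page does not show, so a run against a manifest without `sign-tool` is worth adding before relying on it. The `**{"format": format_, "sign-tool": sign_tool}` call form is only needed because `sign-tool` is not a valid keyword name; a comment such as `# "sign-tool" contains a hyphen, so the keys go through dict unpacking` would make that clear. The function body starts and ends outside these hunks.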
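Review bot: The payload schema entry `Optional("hardened-sign-config"): [{str: object}]` in worker_types.py only checks that each item is a dict with string keys, and the new loop in `build_scriptworker_signing_payload` copies the value into `task_def["payload"]` unchanged. These entries carry code-signing options (the test manifest in this patch sets `deep` and `runtime`), so manifest-controlled content reaches the signing worker with no validation on the graph side. Either tighten the schema to the keys and value types the worker accepts, or state the reliance in a comment, for example `# contents are validated by the signing worker, not here`, once that is confirmed. Nothing in the visible hunks sets `worker["hardened-sign-config"]`, so the new branch presumably depends on a transform outside this diff.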
@@ -41,7 +41,7 @@ workers: provisioner: scriptworker-k8s implementation: scriptworker-signing os: scriptworker - worker-type: adhoc-t-signing + worker-type: adhoc-t-signing-dev signing: provisioner: scriptworker-k8s implementation: scriptworker-signing diff --git a/taskcluster/ci/dep-signing/kind.yml b/taskcluster/ci/dep-signing/kind.yml index 4f3e4e7..8076663 100644 --- a/taskcluster/ci/dep-signing/kind.yml +++ b/taskcluster/ci/dep-signing/kind.yml @@ -19,9 +19,12 @@ task-template: index: type: dep-signing worker-type: - by-format: - mac.*: mac-signing - default: dep-signing + by-sign-tool: + rcodesign: dep-signing + default: + by-format: + mac.*: mac-signing + default: dep-signing worker: signing-type: dep-signing max-run-time: 3600
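Review bot: Replacing `worker-type: adhoc-t-signing` with `adhoc-t-signing-dev` in config.yml moves every task that resolves to this alias onto the dev signing pool, not only the rcodesign test manifest. The alias name sits above the hunk, so which kinds are affected cannot be confirmed from here. If the test needs the dev pool, a separate alias selected from `by-sign-tool` in kind.yml would leave the existing signing path untouched and make the change safe to keep on a long-lived branch. A comment on the line, such as `# dev pool: rcodesign testing only`, would flag it if the patch is ever cherry-picked.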
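Review bot: In dep-signing/kind.yml, placing `by-sign-tool` above `by-format` means a mac format with `sign-tool: rcodesign` no longer reaches `mac-signing` and is routed to the `dep-signing` alias. Only `worker-type` is keyed on the tool, although the transform resolves `worker.signing-type` and `index.type` with the same value. Any other signing kind that lacks a `by-sign-tool` table would presumably ignore the manifest field silently; those kinds are not visible here, so confirm that this is intended. A comment above the table, for example `# rcodesign tasks do not use the mac-signing pool; all other tools keep the by-format routing`, would record why the nesting order matters.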