diff --git a/signing-manifests/2023-new-gpg-subkey-test.yml b/signing-manifests/2023-new-gpg-subkey-test.yml
deleted file mode 100644
index 360f777..0000000
--- a/signing-manifests/2023-new-gpg-subkey-test.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 6666666666
-sha256: 570d80410aa9333a3749bd538041a0456bf78e83ad27b485aa89f19c07d03890
-filesize: 79666542
-private-artifact: false
-signing-formats: [ "autograph_gpg" ]
-requestor: bhearsum
-reason: test new gpg signing key
-artifact-name: firefox-113.0.tar.bz2
-fetch:
- type: static-url
- url: https://archive.mozilla.org/pub/firefox/releases/113.0/linux-x86_64/en-US/firefox-113.0.tar.bz2
diff --git a/signing-manifests/bug1751450-nsis-core-ansi.yml b/signing-manifests/bug1751450-nsis-core-ansi.yml
deleted file mode 100644
index a438631..0000000
--- a/signing-manifests/bug1751450-nsis-core-ansi.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 1751450
-sha256: 0400b1359925b559cb19499fbbb60e99ddde1029595677e81140ab1093757fe6
-filesize: 92466
-private-artifact: false
-signing-formats: ["autograph_authenticode_sha2"]
-requestor: Ben Hearsum
-reason: One-off signing of core NSIS ansi plugins that we ship
-artifact-name: core-ansi-signed.zip
-fetch:
- type: static-url
- url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/nsis/core-ansi.zip
diff --git a/signing-manifests/bug1751450-nsis-core-unicode.yml b/signing-manifests/bug1751450-nsis-core-unicode.yml
deleted file mode 100644
index 5dfa350..0000000
--- a/signing-manifests/bug1751450-nsis-core-unicode.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 1751450
-sha256: 32cb3ef3bf600e65678b1f2cc0de723c9acebe3245084336add1bed0a182ccce
-filesize: 94571
-private-artifact: false
-signing-formats: ["autograph_authenticode_sha2"]
-requestor: Ben Hearsum
-reason: One-off signing of core NSIS unicode plugins that we ship
-artifact-name: core-unicode-signed.zip
-fetch:
- type: static-url
- url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/nsis/core-unicode.zip
diff --git a/signing-manifests/bug1751450.yml b/signing-manifests/bug1751450.yml
deleted file mode 100644
index f54e1e8..0000000
--- a/signing-manifests/bug1751450.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 1751450
-sha256: 04e3aea11f60315a991e8794517a45d86c9b8f2b2f76a339f2ac8e0c9af90184
-filesize: 147680
-private-artifact: false
-signing-formats: ["autograph_authenticode_sha2"]
-requestor: Ben Hearsum
-reason: One-off signing of NSIS plugins that we ship
-artifact-name: nsis-plugins-signed.zip
-fetch:
- type: static-url
- url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/nsis/nsis-plugins-unsigned.zip
diff --git a/signing-manifests/bug1763427b.yml b/signing-manifests/bug1763427b.yml
deleted file mode 100644
index 67c35a5..0000000
--- a/signing-manifests/bug1763427b.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 1763427
-sha256: 6a4948d88ee074414f5f4e7bcfb778d4814e8341ca54925f7d604dc75e4a18ea
-filesize: 775441
-private-artifact: false
-signing-formats: ["autograph_authenticode_sha2_rfc3161_stub"]
-requestor: Geoff Brown
-reason: Test sha2 stub installer with rfc3161 timestamp, again
-artifact-name: setup.exe
-fetch:
- type: static-url
- url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/HPY1rLUwQDS2vHyQ22ueUQ/runs/0/artifacts/public/build/setup.exe
diff --git a/signing-manifests/bug1769081.yml b/signing-manifests/bug1769081.yml
deleted file mode 100644
index d7f7897..0000000
--- a/signing-manifests/bug1769081.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-bug: 1769081
-sha256: 9d7fda0112e9bbde7e8ac9084f2fed35702550e2548b06a8eb19477b99410c23
-filesize: 55748280
-private-artifact: false
-signing-formats: ["autograph_authenticode_sha2"]
-requestor: Julien Cristau
-reason: Test signing with extra digicert cross-certificate
-artifact-name: target.installer.exe
-fetch:
- url: https://firefoxci.taskcluster-artifacts.net/XHJ33DgkRgOTufmw2vTamA/0/public/build/target.installer.exe
diff --git a/signing-manifests/bug1774221-2.yml b/signing-manifests/bug1774221-2.yml
deleted file mode 100644
index 02ff1a1..0000000
--- a/signing-manifests/bug1774221-2.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 1774221
-sha256: 5d98cad3d4c0dc3095a81afb442b6e766cadbf7cba299e09a0050d43d465f99e
-filesize: 488639
-private-artifact: false
-signing-formats: ["autograph_gpg"]
-requestor: Aki Sasaki
-reason: GPG sign mac x64 zip
-artifact-name: openh264-macosx64-2e1774ab6dc6c43debb0b5b628bdf122a391d521-2.zip
-fetch:
- type: bmo-attachment
- attachment-id: 9281456
diff --git a/signing-manifests/bug1774221-3.yml b/signing-manifests/bug1774221-3.yml
deleted file mode 100644
index 16e3e3d..0000000
--- a/signing-manifests/bug1774221-3.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 1774221
-sha256: b36e091ad9c4b3cd315b6bee0110c706b8f54a7b2bdf9ca292c6431e19fdb6c3
-filesize: 395414
-private-artifact: false
-signing-formats: ["autograph_gpg"]
-requestor: Aki Sasaki
-reason: GPG sign mac arm zip
-artifact-name: openh264-macosx64-aarch64-2e1774ab6dc6c43debb0b5b628bdf122a391d521-2.zip
-fetch:
- type: bmo-attachment
- attachment-id: 9281466
diff --git a/signing-manifests/bug1774221.yml b/signing-manifests/bug1774221.yml
deleted file mode 100644
index c6530ba..0000000
--- a/signing-manifests/bug1774221.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-bug: 1774221
-sha256: ac6cdb77e49c420b7fd7a942813d75ad14513101693642127711b68c58fe931f
-filesize: 466258
-private-artifact: false
-signing-formats: ["mac_single_file"]
-requestor: Aki Sasaki
-reason: signed dylib for mac openh264
-artifact-name: openh264-macos64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
-mac-behavior: mac_single_file
-product: firefox
-fetch:
- url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/5008f4fbfd531baba51b187834a14dd53c1320bf/openh264-macosx64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
-# Optional, only if mac-behavior is mac_single_file
-single-file-globs: ["libgmpopenh264.dylib"]
diff --git a/signing-manifests/bug1778996.yml b/signing-manifests/bug1778996.yml
deleted file mode 100644
index 0ee01b3..0000000
--- a/signing-manifests/bug1778996.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-bug: 1778996
-sha256: e18c0ab88f9c203ef1160d35015db66e5ea6a5497f9029cc25883146b3d270f2
-filesize: 1454
-private-artifact: false
-signing-formats: ["autograph_hash_only_mar384"]
-signing-cert: nightly-signing
-requestor: Julien Cristau
-reason: channel-switching from nightly-pine to nightly-pine-stable
-artifact-name: switch-to-pine-stable.mar
-fetch:
- type: static-url
- url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/pine/switch-to-pine-stable.mar
diff --git a/signing-manifests/bug1799220.yml b/signing-manifests/bug1799220.yml
deleted file mode 100644
index 8806b06..0000000
--- a/signing-manifests/bug1799220.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-bug: 1799220
-sha256: 1dac34bce851598162a1cbe03be3e3e1dd4e8d514862ada1921f6083039ec1ae
-filesize: 150907746
-private-artifact: false
-signing-formats: ["autograph_authenticode_sha2"]
-requestor: Alex Hochheiden
-reason: MozillaBuild 4.0.2 release
-artifact-name: MozillaBuildSetup4.0.2rc2-unsigned.exe
-fetch:
- type: static-url
- url: https://archive.mozilla.org/pub/mozilla/libraries/win32/MozillaBuildSetup4.0.2rc2-unsigned.exe
diff --git a/signing-manifests/bug1808742-rm-distribution-mar.yml b/signing-manifests/bug1808742-rm-distribution-mar.yml
deleted file mode 100644
index 4298ea6..0000000
--- a/signing-manifests/bug1808742-rm-distribution-mar.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-bug: 1808742
-sha256: d700de4b4aa5eb2350a56c8b53556d9ad05bb4d15541a7710a0a614144efce02
-filesize: 294
-private-artifact: false
-signing-formats: ["autograph_hash_only_mar384"]
-signing-cert: release-signing
-requestor: Andrew Halberstadt
-reason: rm-distribution request
-artifact-name: rm-distribution-3.mar
-fetch:
- type: static-url
- url: https://github.com/mozilla-releng/adhoc-signing-blobs/raw/mar/rm-distribution-3.mar
diff --git a/signing-manifests/bug1835022-2.yml b/signing-manifests/bug1835022-2.yml
deleted file mode 100644
index f0218b9..0000000
--- a/signing-manifests/bug1835022-2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-bug: 1835022
-sha256: ef4e965367598ce8ab6cb479dfd02b8370f24ec430e03938e804313b8f127255
-filesize: 1925
-private-artifact: false
-signing-formats: ["autograph_hash_only_mar384"]
-signing-cert: release-signing
-requestor: Geoff Brown
-reason: channel-switching from mozilla-release to mozilla-esr115, dist-id mozilla-mac-eol-esr115
-artifact-name: switch-to-esr115.0-eol-mac.mar
-fetch:
- type: bmo-attachment
- attachment-id: 9338933
diff --git a/signing-manifests/bug1835022-3.yml b/signing-manifests/bug1835022-3.yml
deleted file mode 100644
index 82de542..0000000
--- a/signing-manifests/bug1835022-3.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-bug: 1835022
-sha256: ff6f28066edd89a746872a1e64528c90510a1d41eb0afb36c83229e7e697046d
-filesize: 1925
-private-artifact: false
-signing-formats: ["autograph_hash_only_mar384"]
-signing-cert: release-signing
-requestor: Geoff Brown
-reason: channel-switching from mozilla-release to mozilla-esr115, dist-id mozilla-win-eol-esr115
-artifact-name: switch-to-esr115.0-eol-win.mar
-fetch:
- type: bmo-attachment
- attachment-id: 9338934
diff --git a/signing-manifests/bug1835022.yml b/signing-manifests/bug1835022.yml
deleted file mode 100644
index 6a11ce9..0000000
--- a/signing-manifests/bug1835022.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-bug: 1835022
-sha256: f2bd4983f08135a6cccb85bc45a060a76584598620698ad2ffd48e836d9e94c0
-filesize: 1422
-private-artifact: false
-signing-formats: ["autograph_hash_only_mar384"]
-signing-cert: release-signing
-requestor: Geoff Brown
-reason: channel-switching from mozilla-release to mozilla-esr115, no distribution id
-artifact-name: switch-to-esr115.0.mar
-fetch:
- type: bmo-attachment
- attachment-id: 9337890
diff --git a/signing-manifests/bug1843034-2.yml b/signing-manifests/bug1843034-2.yml
deleted file mode 100644
index eac0328..0000000
--- a/signing-manifests/bug1843034-2.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-bug: 1843034
-sha256: e41bd09b845dfafbb7216217eeb7f65d8dc47b3cbd0b08920716545914861c0b
-filesize: 2157
-private-artifact: false
-signing-formats: ["autograph_hash_only_mar384"]
-signing-cert: release-signing
-requestor: Julien Cristau
-reason: channel-switching from mozilla-release to mozilla-esr115, dist-id mozilla-mac-eol-esr115
-artifact-name: switch-to-esr115.1-eol-mac.mar
-fetch:
- type: bmo-attachment
- attachment-id: 9343491
diff --git a/signing-manifests/bug1843034.yml b/signing-manifests/bug1843034.yml
deleted file mode 100644
index 244e260..0000000
--- a/signing-manifests/bug1843034.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-bug: 1843034
-sha256: 76e7268d24faa69d809b400caa8cf4f87f0c6c06b8274ddc98245a970139c250
-filesize: 2157
-private-artifact: false
-signing-formats: ["autograph_hash_only_mar384"]
-signing-cert: release-signing
-requestor: Julien Cristau
-reason: channel-switching from mozilla-release to mozilla-esr115, dist-id mozilla-win-eol-esr115
-artifact-name: switch-to-esr115.1-eol-win.mar
-fetch:
- type: bmo-attachment
- attachment-id: 9343492
diff --git a/signing-manifests/mozregression-macOS.yml b/signing-manifests/mozregression-macOS.yml
deleted file mode 100644
index b5b93c8..0000000
--- a/signing-manifests/mozregression-macOS.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-artifact-name: mozregression-gui-app-bundle.tar.gz
-bug: 0
-fetch:
- url: https://github.com/mozilla/mozregression/releases/download/6.0.1/mozregression-gui-app-bundle.tar.gz
-filesize: 87532702
-mac-behavior: mac_sign
-private-artifact: false
-product: mozregression
-reason: Sign application bundle for mozregression 6.0.1.
-requestor: Zeid Zabaneh
-sha256: cc065840ca85cd3c67804856b7088c3c79ee9c88c4df6dd1748a1ef90112a4c2
-signing-formats:
-- macapp
-signingscript-notarization: true
diff --git a/signing-manifests/mozregression-windows.yml b/signing-manifests/mozregression-windows.yml
deleted file mode 100644
index 0d9298b..0000000
--- a/signing-manifests/mozregression-windows.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-artifact-name: mozregression-gui-unsigned.exe
-bug: 0
-fetch:
- url: https://github.com/mozilla/mozregression/releases/download/6.0.1/mozregression-gui-unsigned.exe
-filesize: 36114234
-private-artifact: false
-product: mozregression
-reason: Sign application bundle for mozregression 6.0.1.
-requestor: Zeid Zabaneh
-sha256: d91e2a490863c68be548eceac4908e573d00181c01b9edfba18eb46476e94b90
-signing-formats:
-- autograph_authenticode_sha2
diff --git a/signing-manifests/test-mac-hardened-sign.yml b/signing-manifests/test-mac-hardened-sign.yml
index 11a60c4..f278fd7 100644
--- a/signing-manifests/test-mac-hardened-sign.yml
+++ b/signing-manifests/test-mac-hardened-sign.yml
@@ -1,48 +1,53 @@ --- bug: 0000000 -sha256: 5b95d1a32ca449970e49d7a85a8a88294de31ec427e8b6616098b088aeea5ee7 -filesize: 80945464 +sha256: 68527bbca7bf226febbe0d308594740dc45175e37440566cff219b532af068db +filesize: 112748218 private-artifact: false -signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"] -requestor: Haik Aftandilian +signing-formats: ["apple_hardened_signing"] +requestor: Heitor Neiva reason: Firefox hardened signing per-process entitlements product: firefox artifact-name: target.dmg -mac-behavior: mac_sign_and_pkg_hardened signingscript-notarization: true +sign-tool: rcodesign hardened-sign-config: - deep: false runtime: true force: true - entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/plugin-container.xml + entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/plugin-container.xml globs: - "/Contents/MacOS/plugin-container.app" - deep: false runtime: true force: true - entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/media-plugin-helper.xml + entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml globs: - "/Contents/MacOS/media-plugin-helper.app" - deep: false runtime: true force: true - entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/default.xml + entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/utility.xml globs: - "/Contents/MacOS/crashreporter.app" - "/Contents/MacOS/updater.app" - "/Contents/Library/LaunchServices/org.mozilla.updater" - - "/Contents/MacOS/XUL" - "/Contents/MacOS/pingsender" - "/Contents/MacOS/minidump-analyzer" + + - deep: false + runtime: true + force: true + globs: + - "/Contents/MacOS/XUL" - 
"/Contents/MacOS/*.dylib" - "/Contents/Resources/gmp-clearkey/*/*.dylib" - deep: false runtime: true force: true - entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/browser.xml + entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/browser.xml globs: - "/Contents/MacOS/firefox-bin" - "/" @@ -50,4 +55,4 @@ hardened-sign-config: fetch: type: static-url # mozilla-release OS X AArch64 Cross Compiled Shippable - url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/LjKBrB4WTiOpm_2A0ljKDQ/runs/0/artifacts/public%2Fbuild%2Ftarget.dmg + url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/W72c65ebTiua43cljitiFw/runs/0/artifacts/public%2Fbuild%2Ftarget.dmg diff --git a/signing-manifests/test-mac.yml b/signing-manifests/test-mac.yml deleted file mode 100644 index 381ce16..0000000 --- a/signing-manifests/test-mac.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -bug: 0000000 -sha256: a0b4f2d984fa560e397a6bbcc2bef3f4f73504364e0e45b0b3edf4ecae46ed4a -filesize: 24263919 -private-artifact: false -signing-formats: ["macapp"] -requestor: Andrew Halberstadt -reason: mozillavpn 2.12.0 mac signing (with new CoT key) -product: mozillavpn -artifact-name: MozillaVPN.tar.gz -mac-behavior: mac_notarize_vpn -fetch: - type: static-url - url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/SJ_obIW2TnKWYpUjpWCSHA/runs/0/artifacts/public%2Fbuild%2FMozillaVPN.tar.gz diff --git a/signing-manifests/test-notarization-signingscript.yml b/signing-manifests/test-notarization-signingscript.yml deleted file mode 100644 index 364abdf..0000000 --- a/signing-manifests/test-notarization-signingscript.yml +++ /dev/null 
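Review bot: The `entitlements` URLs in the first hunk move from a pinned revision (`raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/...`) to `raw-file/tip/...` on the try repository, so the entitlement files that get applied during hardened signing are resolved from a mutable ref at run time: any later try push moves `tip`, the content reviewed here is not the content that gets signed, and the run is not reproducible. Pin each URL to a revision hash (`raw-file/<REVISION>/security/mac/hardenedruntime/v2/developer/...`), the same way `fetch.url` is pinned by task id and the artifact by `sha256`/`filesize`. The switch from the `production/` to the `developer/` entitlement set arrives together with `sign-tool: rcodesign`; if this manifest is only meant for the dev pool a comment such as `# developer entitlements: rcodesign validation on the dev pool only` would make that explicit. The new block for `XUL` and the `*.dylib` globs carries no `entitlements` key, which looks intentional for libraries but is worth confirming rather than relying on the signer's default.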
@@ -1,16 +0,0 @@ ---- -bug: 0000000 -sha256: b78a23a6e09a5ee0aa8a60056d430c910a3286eb1a95149f29d22ab122e26552 -filesize: 148612563 -private-artifact: false -signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"] -requestor: Heitor Neiva -reason: Firefox notarization with signingscript -product: firefox -artifact-name: target.dmg -mac-behavior: mac_sign -signingscript-notarization: true -fetch: - type: static-url - # mozilla-central build-macosx64-shippable/opt - url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/AEdf8U_RR7agsBbTqYN-wA/runs/0/artifacts/public%2Fbuild%2Ftarget.dmg diff --git a/taskcluster/adhoc_taskgraph/signing_manifest.py b/taskcluster/adhoc_taskgraph/signing_manifest.py index 55b74d5..9a2a231 100644 --- a/taskcluster/adhoc_taskgraph/signing_manifest.py +++ b/taskcluster/adhoc_taskgraph/signing_manifest.py @@ -27,8 +27,9 @@ "autograph_authenticode_sha2_rfc3161_stub", "autograph_hash_only_mar384", "macapp", + "apple_hardened_signing", "mac_single_file", - "autograph_widevine", + "autograph_widevine", "autograph_omnija", ) @@ -61,6 +62,7 @@ }, ), Required("manifest_name"): str, + Optional("sign-tool"): str, Optional("mac-behavior"): str, Optional("signingscript-notarization"): bool, Optional("hardened-sign-config"): [{str: object}], diff --git a/taskcluster/adhoc_taskgraph/transforms/signing.py b/taskcluster/adhoc_taskgraph/transforms/signing.py index 1ec5e5b..a788365 100644 --- a/taskcluster/adhoc_taskgraph/transforms/signing.py +++ b/taskcluster/adhoc_taskgraph/transforms/signing.py 
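Review bot: `Optional("sign-tool"): str` in the second hunk of `signing_manifest.py` accepts any string, while the only tool name the `by-sign-tool` table in `taskcluster/ci/dep-signing/kind.yml` recognises is `rcodesign`; a misspelt value validates cleanly and silently lands on the `default` branch, i.e. a different worker pool than the requestor intended. If the schema is voluptuous, as `Required`/`Optional` suggest, constrain it to the known tools (`Optional("sign-tool"): Any("rcodesign")`) so an unknown tool fails manifest validation at decision time. The new `"apple_hardened_signing"` entry in the first hunk would also benefit from a one-line comment saying it is a mac format routed via `sign-tool` rather than `mac-behavior`, since that is the only place the distinction is visible.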
@@ -29,9 +29,10 @@ def define_signing_flags(config, tasks): # XXX: hack alert, we're taking a list and turning into a single item format_ = "" - for f in ("macapp", "mac_single_file"): + for f in ("macapp", "mac_single_file", "apple_hardened_signing"): if f in task["attributes"]["manifest"]["signing-formats"]: format_ = f + sign_tool = task["attributes"]["manifest"].get("sign-tool") for key in ("worker-type", "worker.signing-type", "index.type"): resolve_keyed_by( @@ -39,7 +40,7 @@ def define_signing_flags(config, tasks): key, item_name=task["name"], level=config.params["level"], - format=format_, + **{"format": format_, "sign-tool": sign_tool}, ) yield task diff --git a/taskcluster/adhoc_taskgraph/worker_types.py b/taskcluster/adhoc_taskgraph/worker_types.py index cb503d0..57b2cc9 100644 --- a/taskcluster/adhoc_taskgraph/worker_types.py +++ b/taskcluster/adhoc_taskgraph/worker_types.py @@ -46,6 +46,7 @@ def _set_task_scopes(config, worker, task_def): } ], Optional("product"): str, + Optional("hardened-sign-config"): [{str: object}], }, ) def build_scriptworker_signing_payload(config, task, task_def): @@ -58,8 +59,9 @@ def build_scriptworker_signing_payload(config, task, task_def): "upstreamArtifacts": worker["upstream-artifacts"], } - if "product" in worker: - task_def["payload"]["product"] = worker["product"] + for key in ("product", "hardened-sign-config"): + if key in worker: + task_def["payload"][key] = worker[key] _set_task_scopes(config, worker, task_def) diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml index eb04b7b..660a3da 100644 --- a/taskcluster/ci/config.yml +++ b/taskcluster/ci/config.yml @@ -41,7 +41,7 @@ workers: provisioner: scriptworker-k8s implementation: scriptworker-signing os: scriptworker - worker-type: adhoc-t-signing + worker-type: adhoc-t-signing-dev signing: provisioner: scriptworker-k8s implementation: scriptworker-signing 
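Review bot: `sign_tool` is `None` whenever a manifest omits `sign-tool`, and the second hunk passes it through as the `sign-tool` keyed-by key, so resolution only works because every `by-sign-tool` table carries a `default`; that contract is not stated anywhere in the code. A comment above the new `.get("sign-tool")` line would make it explicit: `# None when the manifest sets no sign-tool; by-sign-tool tables must provide a default`. The `**{"format": format_, "sign-tool": sign_tool}` unpacking is needed only because `sign-tool` is not a valid identifier, which also deserves a short comment so it does not read as an accident next to the plain keyword arguments. `define_signing_flags` starts before the first hunk and may continue past `yield task`.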
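Review bot: `hardened-sign-config` is accepted as `[{str: object}]` and copied into `task_def["payload"]` verbatim in the second `worker_types.py` hunk, so the entitlement URLs, `globs` and the `deep`/`runtime`/`force` flags reach the signing worker without any shape check at the taskgraph layer. Since this payload is what the signing scriptworker acts on, a per-entry schema (`Optional("entitlements"): str`, `Required("globs"): [str]`, bool flags) would reject a malformed manifest at decision time instead of mid-signing; whether the worker itself restricts where entitlements may be fetched from is not visible in this diff. The new `for key in ("product", "hardened-sign-config")` loop would read better with a comment noting these keys are forwarded to the scriptworker payload unchanged.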
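Review bot: The `worker-type` in the `config.yml` hunk changes from `adhoc-t-signing` to `adhoc-t-signing-dev` for the worker definition preceding `signing:` (presumably the level-1/dep one); if the `-dev` pool is a temporary target while `rcodesign` is being validated, merging this line routes every task using that worker to the dev pool. Either mark it as temporary with a comment (`# TEMPORARY: dev pool while rcodesign is validated; revert to adhoc-t-signing`) or keep the pool switch out of this commit.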
diff --git a/taskcluster/ci/dep-signing/kind.yml b/taskcluster/ci/dep-signing/kind.yml index 4f3e4e7..8076663 100644 --- a/taskcluster/ci/dep-signing/kind.yml +++ b/taskcluster/ci/dep-signing/kind.yml @@ -19,9 +19,12 @@ task-template: index: type: dep-signing worker-type: - by-format: - mac.*: mac-signing - default: dep-signing + by-sign-tool: + rcodesign: dep-signing + default: + by-format: + mac.*: mac-signing + default: dep-signing worker: signing-type: dep-signing max-run-time: 3600
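Review bot: With the new `by-sign-tool` table, a manifest whose `signing-formats` includes `apple_hardened_signing` but omits `sign-tool` falls to `default` → `by-format`, and because `apple_hardened_signing` does not match `mac.*` it resolves to `dep-signing` rather than `mac-signing`, even though `define_signing_flags` in `transforms/signing.py` now treats it as a mac format; this looks inconsistent. Either widen the pattern (`apple_hardened_signing|mac.*: mac-signing`) or, if the format is only valid together with `sign-tool: rcodesign`, enforce that pairing in the manifest schema so the fallback cannot be reached. The `signing` kind presumably has a matching `by-format` table outside this diff and would need the same treatment.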