From 4578c25b527d3a290edec716f8b12b79cfd2f1f3 Mon Sep 17 00:00:00 2001
From: Heitor Neiva
Date: Tue, 21 Nov 2023 15:57:58 -0800
Subject: [PATCH] DO NOT MERGE - Test signingscript rcodesign

---
 signing-manifests/test-mac-hardened-sign.yml | 6 +++---
 taskcluster/adhoc_taskgraph/signing_manifest.py | 3 ++-
 taskcluster/adhoc_taskgraph/transforms/signing.py | 3 ++-
 taskcluster/adhoc_taskgraph/worker_types.py | 1 +
 taskcluster/ci/config.yml | 2 +-
 taskcluster/ci/dep-signing/kind.yml | 9 ++++++---
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/signing-manifests/test-mac-hardened-sign.yml b/signing-manifests/test-mac-hardened-sign.yml
index 11a60c4..534d138 100644
--- a/signing-manifests/test-mac-hardened-sign.yml
+++ b/signing-manifests/test-mac-hardened-sign.yml
@@ -3,13 +3,13 @@ bug: 0000000
 sha256: 5b95d1a32ca449970e49d7a85a8a88294de31ec427e8b6616098b088aeea5ee7
 filesize: 80945464
 private-artifact: false
-signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"]
-requestor: Haik Aftandilian
+signing-formats: ["macapp"]
+requestor: Heitor Neiva
 reason: Firefox hardened signing per-process entitlements
 product: firefox
 artifact-name: target.dmg
-mac-behavior: mac_sign_and_pkg_hardened
 signingscript-notarization: true
+sign-tool: rcodesign
 hardened-sign-config:
 - deep: false
 runtime: true
diff --git a/taskcluster/adhoc_taskgraph/signing_manifest.py b/taskcluster/adhoc_taskgraph/signing_manifest.py
index 55b74d5..2f526d8 100644
--- a/taskcluster/adhoc_taskgraph/signing_manifest.py
+++ b/taskcluster/adhoc_taskgraph/signing_manifest.py
@@ -28,7 +28,7 @@
 "autograph_hash_only_mar384",
 "macapp",
 "mac_single_file",
- "autograph_widevine",
+ "autograph_widevine",
 "autograph_omnija",
 )

@@ -61,6 +61,7 @@
 },
 ),
 Required("manifest_name"): str,
+ Optional("sign-tool"): str,
 Optional("mac-behavior"): str,
 Optional("signingscript-notarization"): bool,
 Optional("hardened-sign-config"): [{str: object}],
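Review bot: In taskcluster/adhoc_taskgraph/signing_manifest.py (hunk at -61,6), `Optional("sign-tool"): str` accepts any string, yet this value now selects the signing worker pool through the `by-sign-tool` block added in taskcluster/ci/dep-signing/kind.yml. A misspelled or unexpected value would pass validation and quietly resolve to the `default` branch there, so a manifest meant for rcodesign could be routed to `mac-signing` without any error. Restricting the field to the tools the graph actually routes, for example `Optional("sign-tool"): Any("rcodesign"),` (assuming the schema library's `Any` validator is imported in this module, which the hunk does not show), would turn that into a failure at manifest load. The schema definition starts and ends outside the hunk.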
diff --git a/taskcluster/adhoc_taskgraph/transforms/signing.py b/taskcluster/adhoc_taskgraph/transforms/signing.py
index 1ec5e5b..5196b04 100644
--- a/taskcluster/adhoc_taskgraph/transforms/signing.py
+++ b/taskcluster/adhoc_taskgraph/transforms/signing.py
@@ -32,6 +32,7 @@ def define_signing_flags(config, tasks):
 for f in ("macapp", "mac_single_file"):
 if f in task["attributes"]["manifest"]["signing-formats"]:
 format_ = f
+ sign_tool = task["attributes"]["manifest"].get("sign-tool")

 for key in ("worker-type", "worker.signing-type", "index.type"):
 resolve_keyed_by(
@@ -39,7 +40,7 @@ def define_signing_flags(config, tasks):
 key,
 item_name=task["name"],
 level=config.params["level"],
- format=format_,
+ **{"format": format_, "sign-tool": sign_tool},
 )

 yield task
diff --git a/taskcluster/adhoc_taskgraph/worker_types.py b/taskcluster/adhoc_taskgraph/worker_types.py
index cb503d0..936d0ea 100644
--- a/taskcluster/adhoc_taskgraph/worker_types.py
+++ b/taskcluster/adhoc_taskgraph/worker_types.py
@@ -46,6 +46,7 @@ def _set_task_scopes(config, worker, task_def):
 }
 ],
 Optional("product"): str,
+ Optional("hardened-sign-config"): [{str: object}],
 },
 )
 def build_scriptworker_signing_payload(config, task, task_def):
diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml
index eb04b7b..447b69f 100644
--- a/taskcluster/ci/config.yml
+++ b/taskcluster/ci/config.yml
@@ -44,7 +44,7 @@ workers:
 worker-type: adhoc-t-signing
 signing:
 provisioner: scriptworker-k8s
- implementation: scriptworker-signing
+ implementation: scriptworker-signing-dev
 os: scriptworker
 worker-type:
 by-level:
diff --git a/taskcluster/ci/dep-signing/kind.yml b/taskcluster/ci/dep-signing/kind.yml
index 4f3e4e7..8076663 100644
--- a/taskcluster/ci/dep-signing/kind.yml
+++ b/taskcluster/ci/dep-signing/kind.yml
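Review bot: In taskcluster/adhoc_taskgraph/transforms/signing.py, the `**{"format": format_, "sign-tool": sign_tool}` argument in the second hunk is unexplained, and it passes `sign_tool` as `None` whenever the manifest omits `sign-tool` (the `.get("sign-tool")` added in the first hunk has no default). The dict splat is presumably needed because `sign-tool` is not a valid keyword name; a comment such as `# "sign-tool" is not a valid identifier, so keyed-by attributes go in as a dict; a missing value is expected to resolve to "default"` would record both facts. That fallback should be confirmed against resolve_keyed_by, and it only holds while every `by-sign-tool` block carries a `default` entry, as the one in kind.yml does. Both hunks cut through define_signing_flags, whose start and end are outside them.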
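Review bot: In taskcluster/adhoc_taskgraph/worker_types.py, the added `Optional("hardened-sign-config"): [{str: object}]` lets any key with any value through to the signing worker payload, although this field controls how the macOS binary is hardened (the test manifest in this patch sets `deep` and `runtime`). The same loose shape already appears in signing_manifest.py, so the two schemas can drift apart. Defining the entry once, with the accepted keys and their types spelled out, and referencing it from both places would let validation reject an unexpected option before it reaches the worker. The hunk does not show build_scriptworker_signing_payload copying the field into the payload, so it is worth confirming that its body, which lies outside the hunk, actually forwards it.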
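Review bot: In taskcluster/ci/config.yml, `implementation: scriptworker-signing-dev` replaces the implementation for the whole `signing` worker alias, so every level under the `by-level` block that follows would use the dev implementation if this landed. No hunk in this patch registers a payload builder under that name (worker_types.py only extends an existing schema), so unless one exists elsewhere, task generation may fail to find a builder. If the dev implementation is only needed for the rcodesign test, a separate worker alias would leave the existing `signing` alias untouched. The `workers` mapping continues outside the hunk.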
@@ -19,9 +19,12 @@ task-template:
 index:
 type: dep-signing
 worker-type:
- by-format:
- mac.*: mac-signing
- default: dep-signing
+ by-sign-tool:
+ rcodesign: dep-signing
+ default:
+ by-format:
+ mac.*: mac-signing
+ default: dep-signing
 worker:
 signing-type: dep-signing
 max-run-time: 3600
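Review bot: The `rcodesign: dep-signing` entry under `by-sign-tool` in taskcluster/ci/dep-signing/kind.yml sends mac formats to the generic `dep-signing` pool with no explanation, which reads like a mistake next to the `mac.*: mac-signing` rule it bypasses. A comment above it such as `# rcodesign jobs are handled by the dep-signing pool rather than the mac-signing hosts; all other tools keep the by-format routing` would record the intent for the next person editing worker routing. The task-template block starts and ends outside the hunk.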