DO NOT MERGE - Test signingscript rcodesign

signing-manifests/test-mac-hardened-sign.yml

@@ -3,51 +3,56 @@ bug: 0000000
 sha256: 5b95d1a32ca449970e49d7a85a8a88294de31ec427e8b6616098b088aeea5ee7
 filesize: 80945464
 private-artifact: false
-signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"]
-requestor: Haik Aftandilian <haftandilian@mozilla.com>
+signing-formats: ["apple_hardened_signing"]
+requestor: Heitor Neiva <hneiva@mozilla.com>
 reason: Firefox hardened signing per-process entitlements
 product: firefox
 artifact-name: target.dmg
-mac-behavior: mac_sign_and_pkg_hardened
 signingscript-notarization: true
+sign-tool: rcodesign
 hardened-sign-config:
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/plugin-container.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/plugin-container.xml
     globs:
       - "/Contents/MacOS/plugin-container.app"
 
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/media-plugin-helper.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml
     globs:
       - "/Contents/MacOS/media-plugin-helper.app"
 
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/default.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/utility.xml
     globs:
       - "/Contents/MacOS/crashreporter.app"
       - "/Contents/MacOS/updater.app"
       - "/Contents/Library/LaunchServices/org.mozilla.updater"
-      - "/Contents/MacOS/XUL"
       - "/Contents/MacOS/pingsender"
       - "/Contents/MacOS/minidump-analyzer"
+
+  - deep: false
+    runtime: true
+    force: true
+    globs:
+      - "/Contents/MacOS/XUL"
       - "/Contents/MacOS/*.dylib"
       - "/Contents/Resources/gmp-clearkey/*/*.dylib"
 
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/browser.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/browser.xml
     globs:
       - "/Contents/MacOS/firefox-bin"
       - "/"
 
 fetch:
   type: static-url
   # mozilla-release OS X AArch64 Cross Compiled Shippable
-  url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/LjKBrB4WTiOpm_2A0ljKDQ/runs/0/artifacts/public%2Fbuild%2Ftarget.dmg
+  url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Jcl-M-6qTJmXINrG3fykRw/runs/0/artifacts/public%2Fbuild%2Ftarget.dmg

taskcluster/adhoc_taskgraph/signing_manifest.py

@@ -27,8 +27,9 @@
     "autograph_authenticode_sha2_rfc3161_stub",
     "autograph_hash_only_mar384",
     "macapp",
+    "apple_hardened_signing",
     "mac_single_file",
-    "autograph_widevine", 
+    "autograph_widevine",
     "autograph_omnija",
 )
 
@@ -61,6 +62,7 @@
             },
         ),
         Required("manifest_name"): str,
+        Optional("sign-tool"): str,
         Optional("mac-behavior"): str,
         Optional("signingscript-notarization"): bool,
         Optional("hardened-sign-config"): [{str: object}],

taskcluster/adhoc_taskgraph/transforms/signing.py

@@ -29,17 +29,18 @@ def define_signing_flags(config, tasks):
 
         # XXX: hack alert, we're taking a list and turning into a single item
         format_ = ""
-        for f in ("macapp", "mac_single_file"):
+        for f in ("macapp", "mac_single_file", "apple_hardened_signing"):
             if f in task["attributes"]["manifest"]["signing-formats"]:
                 format_ = f
+        sign_tool = task["attributes"]["manifest"].get("sign-tool")
 
         for key in ("worker-type", "worker.signing-type", "index.type"):
             resolve_keyed_by(
                 task,
                 key,
                 item_name=task["name"],
                 level=config.params["level"],
-                format=format_,
+                **{"format": format_, "sign-tool": sign_tool},
             )
         yield task
 

taskcluster/adhoc_taskgraph/worker_types.py

@@ -46,6 +46,7 @@ def _set_task_scopes(config, worker, task_def):
             }
         ],
         Optional("product"): str,
+        Optional("hardened-sign-config"): [{str: object}],
     },
 )
 def build_scriptworker_signing_payload(config, task, task_def):
@@ -58,8 +59,9 @@ def build_scriptworker_signing_payload(config, task, task_def):
         "upstreamArtifacts": worker["upstream-artifacts"],
     }
 
-    if "product" in worker:
-        task_def["payload"]["product"] = worker["product"]
+    for key in ("product", "hardened-sign-config"):
+        if key in worker:
+            task_def["payload"][key] = worker[key]
 
     _set_task_scopes(config, worker, task_def)
 

taskcluster/ci/config.yml

@@ -41,7 +41,7 @@ workers:
             provisioner: scriptworker-k8s
             implementation: scriptworker-signing
             os: scriptworker
-            worker-type: adhoc-t-signing
+            worker-type: adhoc-t-signing-dev
         signing:
             provisioner: scriptworker-k8s
             implementation: scriptworker-signing

taskcluster/ci/dep-signing/kind.yml

@@ -19,9 +19,12 @@ task-template:
     index:
         type: dep-signing
     worker-type:
-        by-format:
-            mac.*: mac-signing
-            default: dep-signing
+        by-sign-tool:
+            rcodesign: dep-signing
+            default:
+                by-format:
+                    mac.*: mac-signing
+                    default: dep-signing
     worker:
         signing-type: dep-signing
         max-run-time: 3600