diff --git a/signing-manifests/test-mac-hardened-sign.yml b/signing-manifests/test-mac-hardened-sign.yml
index 11a60c4..b644e3d 100644
--- a/signing-manifests/test-mac-hardened-sign.yml
+++ b/signing-manifests/test-mac-hardened-sign.yml
@@ -3,13 +3,13 @@ bug: 0000000
 sha256: 5b95d1a32ca449970e49d7a85a8a88294de31ec427e8b6616098b088aeea5ee7
 filesize: 80945464
 private-artifact: false
-signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"]
-requestor: Haik Aftandilian
+signing-formats: ["apple_hardened_signing"]
+requestor: Heitor Neiva
 reason: Firefox hardened signing per-process entitlements
 product: firefox
 artifact-name: target.dmg
-mac-behavior: mac_sign_and_pkg_hardened
 signingscript-notarization: true
+sign-tool: rcodesign
 hardened-sign-config:
 - deep: false
 runtime: true
diff --git a/taskcluster/adhoc_taskgraph/signing_manifest.py b/taskcluster/adhoc_taskgraph/signing_manifest.py
index 55b74d5..9a2a231 100644
--- a/taskcluster/adhoc_taskgraph/signing_manifest.py
+++ b/taskcluster/adhoc_taskgraph/signing_manifest.py
@@ -27,8 +27,9 @@
 "autograph_authenticode_sha2_rfc3161_stub",
 "autograph_hash_only_mar384",
 "macapp",
+ "apple_hardened_signing",
 "mac_single_file",
- "autograph_widevine",
+ "autograph_widevine",
 "autograph_omnija",
 )
@@ -61,6 +62,7 @@
 },
 ),
 Required("manifest_name"): str,
+ Optional("sign-tool"): str,
 Optional("mac-behavior"): str,
 Optional("signingscript-notarization"): bool,
 Optional("hardened-sign-config"): [{str: object}],
diff --git a/taskcluster/adhoc_taskgraph/transforms/signing.py b/taskcluster/adhoc_taskgraph/transforms/signing.py
index 1ec5e5b..a788365 100644
--- a/taskcluster/adhoc_taskgraph/transforms/signing.py
+++ b/taskcluster/adhoc_taskgraph/transforms/signing.py
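Review bot: `Optional("sign-tool"): str` accepts any string, while the only consumer of it in this change (`by-sign-tool` in dep-signing/kind.yml) recognises `rcodesign` and sends everything else to `default`, so a misspelt tool name in a manifest passes validation and silently routes the task down the legacy mac path. Because the manifest is where a requestor picks the signing tool, constrain the value at the schema, e.g. `Optional("sign-tool"): Any("rcodesign"),` (voluptuous `Any`, or whichever enum helper this schema module already uses), so an unknown tool fails at decision time instead of being ignored. The `autograph_widevine` line in the first hunk of this file is removed and re-added with identical visible text, so that part is whitespace-only churn. The enclosing schema definition starts before the hunk.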
@@ -29,9 +29,10 @@ def define_signing_flags(config, tasks):
 # XXX: hack alert, we're taking a list and turning into a single item
 format_ = ""
- for f in ("macapp", "mac_single_file"):
+ for f in ("macapp", "mac_single_file", "apple_hardened_signing"):
 if f in task["attributes"]["manifest"]["signing-formats"]:
 format_ = f
+ sign_tool = task["attributes"]["manifest"].get("sign-tool")
 for key in ("worker-type", "worker.signing-type", "index.type"):
 resolve_keyed_by(
@@ -39,7 +40,7 @@ def define_signing_flags(config, tasks):
 key,
 item_name=task["name"],
 level=config.params["level"],
- format=format_,
+ **{"format": format_, "sign-tool": sign_tool},
 )
 yield task
diff --git a/taskcluster/adhoc_taskgraph/worker_types.py b/taskcluster/adhoc_taskgraph/worker_types.py
index cb503d0..57b2cc9 100644
--- a/taskcluster/adhoc_taskgraph/worker_types.py
+++ b/taskcluster/adhoc_taskgraph/worker_types.py
@@ -46,6 +46,7 @@ def _set_task_scopes(config, worker, task_def):
 }
 ],
 Optional("product"): str,
+ Optional("hardened-sign-config"): [{str: object}],
 },
 )
 def build_scriptworker_signing_payload(config, task, task_def):
@@ -58,8 +59,9 @@ def build_scriptworker_signing_payload(config, task, task_def):
 "upstreamArtifacts": worker["upstream-artifacts"],
 }
- if "product" in worker:
- task_def["payload"]["product"] = worker["product"]
+ for key in ("product", "hardened-sign-config"):
+ if key in worker:
+ task_def["payload"][key] = worker[key]
 _set_task_scopes(config, worker, task_def)
diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml
index eb04b7b..660a3da 100644
--- a/taskcluster/ci/config.yml
+++ b/taskcluster/ci/config.yml
@@ -41,7 +41,7 @@ workers:
 provisioner: scriptworker-k8s
 implementation: scriptworker-signing
 os: scriptworker
- worker-type: adhoc-t-signing
+ worker-type: adhoc-t-signing-dev
 signing:
 provisioner: scriptworker-k8s
 implementation: scriptworker-signing
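Review bot: `sign_tool` is `None` for every manifest that does not set `sign-tool`, and the new `**{"format": format_, "sign-tool": sign_tool}` forwards that `None` into every `by-sign-tool` evaluation; if the keyed-by helper matches non-exact alternatives by regex against the value (taskgraph's `keymatch` does, if I recall its fallback path correctly), a `None` target raises instead of reaching `default`. Defaulting to a string sidesteps that: `sign_tool = task["attributes"]["manifest"].get("sign-tool", "")`. The dict-splat deserves a one-line why-comment, e.g. `# splat: "sign-tool" is not a valid keyword identifier`. Note also that the `for f` loop keeps the last tuple entry present in `signing-formats`, so a manifest listing both `macapp` and `apple_hardened_signing` now resolves to `apple_hardened_signing` regardless of manifest order; worth stating in the existing "hack alert" comment if that is intended. `define_signing_flags` starts before the hunk.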
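Review bot: `hardened-sign-config` is written into `task_def["payload"]` under its hyphenated manifest name, while the existing payload key on the line above is camelCase (`upstreamArtifacts`); confirm that signingscript reads `hardened-sign-config` literally from the payload, otherwise the entry is silently dropped and the worker signs with whatever defaults it applies. The schema added in the first hunk of this file accepts `[{str: object}]`, so nothing in-graph checks the per-process entitlement and runtime flags in that list (the manifest in this change sets `runtime: true` and `deep: false`); a comment at the copy loop making the delegation explicit, `# hardened-sign-config is forwarded verbatim; the signing worker validates its entries`, would mark the trust boundary for the next reader. `build_scriptworker_signing_payload` is declared in the previous hunk and its body starts before this one.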
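Review bot: The `dep-signing` pool moves from `adhoc-t-signing` to `adhoc-t-signing-dev`, which reads like a development pool rather than the one the neighbouring `signing` entry keeps using; if it is a temporary pointer for exercising the rcodesign path it should be reverted before landing, and if it is intentional the commit message should say why, since the pool a task lands on is what decides which signing scopes and keys are reachable. I cannot tell from this hunk alone whether `adhoc-t-signing-dev` exists in the provisioner, so that is worth a check too.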
diff --git a/taskcluster/ci/dep-signing/kind.yml b/taskcluster/ci/dep-signing/kind.yml
index 4f3e4e7..8076663 100644
--- a/taskcluster/ci/dep-signing/kind.yml
+++ b/taskcluster/ci/dep-signing/kind.yml
@@ -19,9 +19,12 @@ task-template:
 index:
 type: dep-signing
 worker-type:
- by-format:
- mac.*: mac-signing
- default: dep-signing
+ by-sign-tool:
+ rcodesign: dep-signing
+ default:
+ by-format:
+ mac.*: mac-signing
+ default: dep-signing
 worker:
 signing-type: dep-signing
 max-run-time: 3600
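Review bot: Under the new `by-sign-tool`, a manifest that lists `apple_hardened_signing` but omits `sign-tool` falls to the `by-format` branch, where the `mac.*` pattern does not match `apple_hardened_signing`, so the task is routed to `dep-signing` rather than `mac-signing` with no error. If that format is only ever meant for rcodesign this may be acceptable, but then the manifest schema should require `sign-tool` whenever the format is present; otherwise add `apple_hardened_signing: mac-signing` beside `mac.*: mac-signing` so the routing is explicit instead of by fallthrough. The same fallthrough applies to `worker.signing-type` and `index.type` if they are keyed the same way elsewhere in this kind, which I cannot see from the hunk.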