feat: avoid hardcoding omnija signing format

iscript/src/iscript/autograph.py

@@ -361,7 +361,7 @@ def _get_omnija_signing_files(file_list):
     return files
 
 
-async def sign_omnija_with_autograph(config, sign_config, app_path):
+async def sign_omnija_with_autograph(config, sign_config, app_path, fmt):
     """Sign the omnija file specified using autograph.
 
     This function overwrites from_
@@ -393,7 +393,7 @@ async def sign_omnija_with_autograph(config, sign_config, app_path):
         await sign_file_with_autograph(
             sign_config,
             from_,
-            "autograph_omnija",
+            fmt,
             to=signed_out,
             keyid=OMNIJA_AUTOGRAPH_KEY_ID[sign_config.get("release_type", "dep")],
             extension_id="[email protected]",

iscript/src/iscript/hardened_sign.py

@@ -177,8 +177,9 @@ async def sign_hardened_behavior(config, task, create_pkg=False, **kwargs):
     # sign omni.ja
     futures = []
     for app in all_apps:
-        if {"autograph_omnija", "omnija"} & set(app.formats):
-            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path)))
+        fmt = next((f for f in app.formats if "omnija" in f), None)
+        if fmt:
+            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path, fmt)))
     await raise_future_exceptions(futures)
 
     # sign widevine

iscript/src/iscript/mac.py

@@ -642,8 +642,9 @@ async def sign_all_apps(config, sign_config, entitlements_path, all_paths, provi
     # sign omni.ja
     futures = []
     for app in all_paths:
-        if {"autograph_omnija", "omnija"} & set(app.formats):
-            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path)))
+        fmt = next((f for f in app.formats if "omnija" in f), None)
+        if fmt:
+            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path, fmt)))
     await raise_future_exceptions(futures)
     # sign widevine
     futures = []

iscript/tests/test_autograph.py

@@ -31,20 +31,29 @@ def sign_config():
         "langpack_url": "https://autograph-hsm.dev.mozaws.net/langpack",
         "langpack_user": "langpack_user",
         "langpack_pass": "langpack_pass",
+        "omnija_url": "https://autograph-hsm.dev.mozaws.net/omnija",
+        "omnija_user": "omnija_user",
+        "omnija_pass": "omnija_pass",
         "stage_widevine_url": "https://autograph-stage.dev.mozaws.net",
         "stage_widevine_user": "widevine_user",
         "stage_widevine_pass": "widevine_pass",
         "stage_widevine_cert": "widevine_cert",
         "stage_langpack_url": "https://autograph-stage.dev.mozaws.net/langpack",
         "stage_langpack_user": "langpack_user",
         "stage_langpack_pass": "langpack_pass",
+        "stage_omnija_url": "https://autograph-stage.dev.mozaws.net/omnija",
+        "stage_omnija_user": "omnija_user",
+        "stage_omnija_pass": "omnija_pass",
         "gcp_prod_widevine_url": "https://autograph-gcp.dev.mozaws.net",
         "gcp_prod_widevine_user": "widevine_user",
         "gcp_prod_widevine_pass": "widevine_pass",
         "gcp_prod_widevine_cert": "widevine_cert",
         "gcp_prod_langpack_url": "https://autograph-gcp.dev.mozaws.net/langpack",
         "gcp_prod_langpack_user": "langpack_user",
         "gcp_prod_langpack_pass": "langpack_pass",
+        "gcp_prod_omnija_url": "https://autograph-gcp.dev.mozaws.net/omnija",
+        "gcp_prod_omnija_user": "omnija_user",
+        "gcp_prod_omnija_pass": "omnija_pass",
     }
 
 
@@ -292,8 +301,45 @@ async def fake_call(url, *args, **kwargs):
 
 
 @pytest.mark.asyncio
-async def test_no_widevine(mocker, tmp_path):
-    async def fake_call(*args, **kwargs):
+@pytest.mark.parametrize(
+    "fmt,expected_url",
+    (
+        ("autograph_omnija", "https://autograph-hsm.dev.mozaws.net"),
+        ("autograph_omnija", "https://autograph-hsm.dev.mozaws.net"),
+        ("stage_autograph_omnija", "https://autograph-stage.dev.mozaws.net"),
+        ("gcp_prod_autograph_omnija", "https://autograph-gcp.dev.mozaws.net"),
+    ),
+)
+async def test_omnija_autograph(mocker, tmp_path, sign_config, fmt, expected_url):
+    orig = tmp_path / "omni.ja"
+    with open(orig, "w+") as f:
+        f.write("")
+
+    merge = mocker.patch("iscript.autograph.merge_omnija_files")
+    merge.side_effect = lambda orig,signed,to: shutil.copy(signed, to)
+
+    async def fake_call(url, *args, **kwargs):
+        assert expected_url in url
+        return [{"signed_file": base64.b64encode(b"sigomnijasig")}]
+
+    mocker.patch.object(autograph, "call_autograph", fake_call)
+
+    config = {"work_dir": tmp_path}
+    await autograph.sign_omnija_with_autograph(config, sign_config, tmp_path, fmt)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "fmt,expected_url",
+    (
+        ("autograph_widevine", "https://autograph-hsm.dev.mozaws.net"),
+        ("stage_autograph_widevine", "https://autograph-stage.dev.mozaws.net"),
+        ("gcp_prod_autograph_widevine", "https://autograph-gcp.dev.mozaws.net"),
+    ),
+)
+async def test_no_widevine(mocker, tmp_path, fmt, expected_url):
+    async def fake_call(url, *args, **kwargs):
+        assert expected_url in url
         return [{"signature": b"sigautographsig"}]
 
     mocker.patch.object(autograph, "call_autograph", fake_call)
@@ -359,7 +405,7 @@ async def mocked_autograph(sign_config, from_, fmt, to, keyid, extension_id):
         shutil.copyfile(os.path.join(TEST_DATA_DIR, signed), to)
 
     mocker.patch.object(autograph, "sign_file_with_autograph", mocked_autograph)
-    await autograph.sign_omnija_with_autograph(config, sign_config, tmpdir)
+    await autograph.sign_omnija_with_autograph(config, sign_config, tmpdir, "autograph_omnija")
     sha256_actual = sha256(open(copy_from, "rb").read()).hexdigest()
     assert sha256_actual == sha256_expected