diff --git a/iscript/src/iscript/autograph.py b/iscript/src/iscript/autograph.py
index 5f8b7565b..45404ed0f 100644
--- a/iscript/src/iscript/autograph.py
+++ b/iscript/src/iscript/autograph.py
@@ -361,7 +361,7 @@ def _get_omnija_signing_files(file_list):
     return files
 
 
-async def sign_omnija_with_autograph(config, sign_config, app_path):
+async def sign_omnija_with_autograph(config, sign_config, app_path, fmt):
     """Sign the omnija file specified using autograph.
 
     This function overwrites from_
@@ -393,7 +393,7 @@ async def sign_omnija_with_autograph(config, sign_config, app_path):
     await sign_file_with_autograph(
         sign_config,
         from_,
-        "autograph_omnija",
+        fmt,
         to=signed_out,
         keyid=OMNIJA_AUTOGRAPH_KEY_ID[sign_config.get("release_type", "dep")],
         extension_id="omni.ja@mozilla.org",
diff --git a/iscript/src/iscript/hardened_sign.py b/iscript/src/iscript/hardened_sign.py
index 5c2f309c8..517f9d026 100644
--- a/iscript/src/iscript/hardened_sign.py
+++ b/iscript/src/iscript/hardened_sign.py
@@ -177,8 +177,9 @@ async def sign_hardened_behavior(config, task, create_pkg=False, **kwargs):
     # sign omni.ja
     futures = []
     for app in all_apps:
-        if {"autograph_omnija", "omnija"} & set(app.formats):
-            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path)))
+        fmt = next((f for f in app.formats if "omnija" in f), None)
+        if fmt:
+            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path, fmt)))
     await raise_future_exceptions(futures)
 
     # sign widevine
diff --git a/iscript/src/iscript/mac.py b/iscript/src/iscript/mac.py
index 2d10488c1..d77f96e29 100644
--- a/iscript/src/iscript/mac.py
+++ b/iscript/src/iscript/mac.py
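Review bot: The new `fmt` parameter is not documented, even though the docstring that opens right below the changed signature is part of this hunk; add it to the function's argument list, e.g. `fmt (str): the omnija signing format taken from the task's format list ("autograph_omnija" or an environment-prefixed variant such as "stage_autograph_omnija"); forwarded to sign_file_with_autograph, which selects the autograph endpoint and credentials from it`. That the endpoint now follows the task-supplied format rather than a fixed value is the behavioural change callers need to know about, so it belongs in the docstring. The rest of the docstring and the function body continue outside the hunk.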
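Review bot: `fmt` is handed to sign_file_with_autograph without any check that it names an omnija format, while `keyid` and `extension_id` on the following lines stay omnija-specific, so a stray value would request a different signer with the omnija key id. A guard before the call, `if "omnija" not in fmt: raise ValueError(f"sign_omnija_with_autograph: unexpected format {fmt!r}")`, fails fast inside the function instead of relying on every caller's filter. The enclosing function starts and ends outside this hunk.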
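Review bot: The substring test `"omnija" in f` is looser than the explicit set it replaces: a bare `"omnija"` format, which the old code mapped to the fixed "autograph_omnija", and any other format merely containing "omnija" are now forwarded verbatim as the format that selects the autograph endpoint. `next(..., None)` also picks the first match silently, so an app listing two omnija formats (say a stage and a prod one) is signed by whichever appears first. The same pattern is in mac.py's sign_all_apps hunk. Collecting the matches and rejecting an ambiguous list makes the choice explicit; whether bare "omnija" must still be accepted depends on what sign_file_with_autograph does with it, which is outside this hunk.
```python
    for app in all_apps:
        omnija_fmts = [f for f in app.formats if "omnija" in f]
        if len(omnija_fmts) > 1:
            raise ValueError(f"{app.app_path}: ambiguous omnija formats {omnija_fmts}")
        if omnija_fmts:
            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path, omnija_fmts[0])))
    # … unchanged: await raise_future_exceptions(futures) …
```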
@@ -642,8 +642,9 @@ async def sign_all_apps(config, sign_config, entitlements_path, all_paths, provi
     # sign omni.ja
     futures = []
     for app in all_paths:
-        if {"autograph_omnija", "omnija"} & set(app.formats):
-            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path)))
+        fmt = next((f for f in app.formats if "omnija" in f), None)
+        if fmt:
+            futures.append(asyncio.ensure_future(sign_omnija_with_autograph(config, sign_config, app.app_path, fmt)))
     await raise_future_exceptions(futures)
     # sign widevine
     futures = []
diff --git a/iscript/tests/test_autograph.py b/iscript/tests/test_autograph.py
index 6def21a9c..8af01159f 100644
--- a/iscript/tests/test_autograph.py
+++ b/iscript/tests/test_autograph.py
@@ -31,6 +31,9 @@ def sign_config():
         "langpack_url": "https://autograph-hsm.dev.mozaws.net/langpack",
         "langpack_user": "langpack_user",
         "langpack_pass": "langpack_pass",
+        "omnija_url": "https://autograph-hsm.dev.mozaws.net/omnija",
+        "omnija_user": "omnija_user",
+        "omnija_pass": "omnija_pass",
         "stage_widevine_url": "https://autograph-stage.dev.mozaws.net",
         "stage_widevine_user": "widevine_user",
         "stage_widevine_pass": "widevine_pass",
@@ -38,6 +41,9 @@ def sign_config():
         "stage_langpack_url": "https://autograph-stage.dev.mozaws.net/langpack",
         "stage_langpack_user": "langpack_user",
         "stage_langpack_pass": "langpack_pass",
+        "stage_omnija_url": "https://autograph-stage.dev.mozaws.net/omnija",
+        "stage_omnija_user": "omnija_user",
+        "stage_omnija_pass": "omnija_pass",
         "gcp_prod_widevine_url": "https://autograph-gcp.dev.mozaws.net",
         "gcp_prod_widevine_user": "widevine_user",
         "gcp_prod_widevine_pass": "widevine_pass",
@@ -45,6 +51,9 @@ def sign_config():
         "gcp_prod_langpack_url": "https://autograph-gcp.dev.mozaws.net/langpack",
         "gcp_prod_langpack_user": "langpack_user",
         "gcp_prod_langpack_pass": "langpack_pass",
+        "gcp_prod_omnija_url": "https://autograph-gcp.dev.mozaws.net/omnija",
+        "gcp_prod_omnija_user": "omnija_user",
+        "gcp_prod_omnija_pass": "omnija_pass",
     }
 
 
@@ -292,8 +301,45 @@ async def fake_call(url, *args, **kwargs):
 
 
 @pytest.mark.asyncio
-async def test_no_widevine(mocker, tmp_path):
-    async def fake_call(*args, **kwargs):
+@pytest.mark.parametrize(
+    "fmt,expected_url",
+    (
+        ("autograph_omnija", "https://autograph-hsm.dev.mozaws.net"),
+        ("autograph_omnija", "https://autograph-hsm.dev.mozaws.net"),
+        ("stage_autograph_omnija", "https://autograph-stage.dev.mozaws.net"),
+        ("gcp_prod_autograph_omnija", "https://autograph-gcp.dev.mozaws.net"),
+    ),
+)
+async def test_omnija_autograph(mocker, tmp_path, sign_config, fmt, expected_url):
+    orig = tmp_path / "omni.ja"
+    with open(orig, "w+") as f:
+        f.write("")
+
+    merge = mocker.patch("iscript.autograph.merge_omnija_files")
+    merge.side_effect = lambda orig,signed,to: shutil.copy(signed, to)
+
+    async def fake_call(url, *args, **kwargs):
+        assert expected_url in url
+        return [{"signed_file": base64.b64encode(b"sigomnijasig")}]
+
+    mocker.patch.object(autograph, "call_autograph", fake_call)
+
+    config = {"work_dir": tmp_path}
+    await autograph.sign_omnija_with_autograph(config, sign_config, tmp_path, fmt)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "fmt,expected_url",
+    (
+        ("autograph_widevine", "https://autograph-hsm.dev.mozaws.net"),
+        ("stage_autograph_widevine", "https://autograph-stage.dev.mozaws.net"),
+        ("gcp_prod_autograph_widevine", "https://autograph-gcp.dev.mozaws.net"),
+    ),
+)
+async def test_no_widevine(mocker, tmp_path, fmt, expected_url):
+    async def fake_call(url, *args, **kwargs):
+        assert expected_url in url
         return [{"signature": b"sigautographsig"}]
 
     mocker.patch.object(autograph, "call_autograph", fake_call)
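Review bot: The parametrize table for test_omnija_autograph lists `("autograph_omnija", "https://autograph-hsm.dev.mozaws.net")` twice, so the second row repeats the first instead of adding a case; drop it or make it a distinct format. The test also only checks that `expected_url` appears in the URL handed to the fake, and the fixture gives all three environments the identical `omnija_user`/`omnija_pass` values, so nothing here would notice prod credentials being sent to the stage host; distinct per-environment values in the fixture plus an assertion on the credential arguments the fake receives would cover that. Lastly, `lambda orig,signed,to:` shadows the `orig` local and lacks spaces after commas; `lambda _orig, signed, to: shutil.copy(signed, to)` reads cleaner.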
@@ -359,7 +405,7 @@ async def mocked_autograph(sign_config, from_, fmt, to, keyid, extension_id):
         shutil.copyfile(os.path.join(TEST_DATA_DIR, signed), to)
 
     mocker.patch.object(autograph, "sign_file_with_autograph", mocked_autograph)
-    await autograph.sign_omnija_with_autograph(config, sign_config, tmpdir)
+    await autograph.sign_omnija_with_autograph(config, sign_config, tmpdir, "autograph_omnija")
 
     sha256_actual = sha256(open(copy_from, "rb").read()).hexdigest()
     assert sha256_actual == sha256_expected