signingscript: autograph gcp migration step 2: test against gcp prod

This patch adds another set of new formats that point at Autograph GCP prod. These entries contain equivalents for all current production formats, and use the exact same credentials the existing production formats. Where they differ are: * Different formats (so we can opt into them) * Different autograph URL * Ensure we use explicit keyids everywhere
mozilla-releng · Dec 3, 2024 · 61facf8 · 61facf8
1 parent 9ada102
commit 61facf8
Showing 1 changed file with 141 additions and 0 deletions.
diff --git a/signingscript/docker.d/passwords.yml b/signingscript/docker.d/passwords.yml
@@ -81,6 +81,56 @@ in:
                "dummyapp_android",
             ]
 
+            # GCP Autograph prod
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
+               {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
+               ["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
+               "authenticode_dep_sha256"
+            ]
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_MAR_USERNAME"},
+               {"$eval": "AUTOGRAPH_MAR_PASSWORD"},
+               ["gcp_prod_autograph_hash_only_mar384"],
+               "firefox_dep1",
+            ]
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+               {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+               ["gcp_prod_autograph_gpg"],
+               "release_at_mozilla_rel_pgp_dep"
+            ]
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_WIDEVINE_USERNAME"},
+               {"$eval": "AUTOGRAPH_WIDEVINE_PASSWORD"},
+               ["gcp_prod_autograph_widevine"],
+               "widevine_dep1"
+            ]
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_OMNIJA_USERNAME"},
+               {"$eval": "AUTOGRAPH_OMNIJA_PASSWORD"},
+               ["gcp_prod_autograph_omnija"],
+               "systemaddon_rsa_dep"
+            ]
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_LANGPACK_USERNAME"},
+               {"$eval": "AUTOGRAPH_LANGPACK_PASSWORD"},
+               ["gcp_prod_autograph_langpack"],
+               "webextensions_rsa_dep_202402"
+            ]
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_FOCUS_USERNAME"},
+               {"$eval": "AUTOGRAPH_FOCUS_PASSWORD"},
+               ["gcp_prod_autograph_focus"],
+               "focus_dep_apk"
+            ]
+            - ["https://prod.autograph.prod.webservices.mozgcp.net",
+               {"$eval": "AUTOGRAPH_FENIX_USERNAME"},
+               {"$eval": "AUTOGRAPH_FENIX_PASSWORD"},
+               ["gcp_prod_autograph_apk", "gcp_prod_autograph_apk_mozillaonline"],
+               "fenix_dep_apk"
+            ]
+
             # AWS Autograph; to be removed when production is switched over to GCP by default.
             - ["https://autograph-external.prod.autograph.services.mozaws.net",
                {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
@@ -139,6 +189,14 @@ in:
              "dummyapp_android"
           ]
 
+          # GCP Autograph prod
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
+             {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD"},
+             ["gcp_prod_autograph_apk"],
+             "geckoview_reference_browser_dep_apk"
+          ]
+
           # AWS Autograph; to be removed when production is switched over to GCP by default.
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
@@ -157,6 +215,14 @@ in:
              "dummy_gpg2"
           ]
 
+          # GCP Autograph prod
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+             {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+             ["gcp_prod_autograph_gpg"],
+             "release_at_mozilla_rel_pgp_dep"
+          ]
+
           # AWS Autograph; to be removed when production is switched over to GCP by default.
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_GPG_USERNAME"},
@@ -175,6 +241,14 @@ in:
              "dummy_gpg2"
           ]
 
+          # GCP Autograph prod
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+             {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+             ["gcp_prod_autograph_gpg"],
+             "release_at_mozilla_rel_pgp_dep"
+          ]
+
           # AWS Autograph; to be removed when production is switched over to GCP by default.
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_GPG_USERNAME"},
@@ -199,6 +273,20 @@ in:
              "cas_new_systemaddon_rsa"
           ]
 
+          # GCP Autograph prod
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
+             {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"},
+             ["gcp_prod_privileged_webextension"],
+             "extension_rsa_dep_202402"
+          ]
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
+             {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"},
+             ["gcp_prod_system_addon"],
+             "systemaddon_rsa_dep_202402"
+          ]
+
           # AWS Autograph; to be removed when production is switched over to GCP by default.
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
@@ -239,6 +327,26 @@ in:
              "authenticode_dep_sha256",
           ]
 
+          # GCP Autograph prod
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
+             {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
+             ["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
+             "authenticode_dep_sha256"
+          ]
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_MOZILLAVPN_DEBSIGN_USERNAME"},
+             {"$eval": "AUTOGRAPH_MOZILLAVPN_DEBSIGN_PASSWORD"},
+             ["gcp_prod_autograph_debsign"],
+             "release_at_mozilla_debsign_dep"
+          ]
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_USERNAME"},
+             {"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_PASSWORD"},
+             ["gcp_prod_autograph_rsa"],
+             "vpn_addons_dep_2022"
+          ]
+
           # AWS Autograph; to be removed when production is switched over to GCP by default.
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
@@ -295,6 +403,39 @@ in:
              "dummyapp_android"
           ]
 
+          # GCP Autograph prod
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
+             {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
+             ["gcp_prod_autograph_authenticode_ev",
+              "gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
+             "authenticode_dep_sha256"
+          ]
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_MAR_USERNAME"},
+             {"$eval": "AUTOGRAPH_MAR_PASSWORD"},
+             ["gcp_prod_autograph_hash_only_mar384"],
+             "firefox_dep1"
+          ]
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+             {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+             ["gcp_prod_autograph_gpg"],
+             "release_at_mozilla_rel_pgp_dep"
+          ]
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_XPI_USERNAME"},
+             {"$eval": "AUTOGRAPH_XPI_PASSWORD"},
+             ["gcp_prod_autograph_xpi", "gcp_prod_autograph_xpi_sha1_es256_es384", "gcp_prod_autograph_xpi_sha1_es256_ps256", "gcp_prod_autograph_xpi_sha1_es256", "gcp_prod_autograph_xpi_sha1_ps256"],
+             "webextensions_rsa_dep_202402"
+          ]
+          - ["https://prod.autograph.prod.webservices.mozgcp.net",
+             {"$eval": "AUTOGRAPH_FENIX_USERNAME"},
+             {"$eval": "AUTOGRAPH_FENIX_PASSWORD"},
+             ["gcp_prod_autograph_apk"],
+             "fenix_dep_apk"
+          ]
+
           # AWS Autograph; to be removed when production is switched over to GCP by default.
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},