From 61facf8230f4dec7dc7d7af1cdebdf0493542850 Mon Sep 17 00:00:00 2001
From: Ben Hearsum
Date: Tue, 3 Dec 2024 12:46:00 -0500
Subject: [PATCH] signingscript: autograph gcp migration step 2: test against gcp prod

This patch adds another set of new formats that point at Autograph GCP prod. These entries contain equivalents for all current production formats, and use the exact same credentials the existing production formats. Where they differ are:
* Different formats (so we can opt into them)
* Different autograph URL
* Ensure we use explicit keyids everywhere
---
 signingscript/docker.d/passwords.yml | 141 +++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)

diff --git a/signingscript/docker.d/passwords.yml b/signingscript/docker.d/passwords.yml
index 4917fe279..ddf7dae59 100644
--- a/signingscript/docker.d/passwords.yml
+++ b/signingscript/docker.d/passwords.yml
@@ -81,6 +81,56 @@ in:
 "dummyapp_android",
 ]
 
+ # GCP Autograph prod
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
+ {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
+ ["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
+ "authenticode_dep_sha256"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_MAR_USERNAME"},
+ {"$eval": "AUTOGRAPH_MAR_PASSWORD"},
+ ["gcp_prod_autograph_hash_only_mar384"],
+ "firefox_dep1",
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+ ["gcp_prod_autograph_gpg"],
+ "release_at_mozilla_rel_pgp_dep"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_WIDEVINE_USERNAME"},
+ {"$eval": "AUTOGRAPH_WIDEVINE_PASSWORD"},
+ ["gcp_prod_autograph_widevine"],
+ "widevine_dep1"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_OMNIJA_USERNAME"},
+ {"$eval": "AUTOGRAPH_OMNIJA_PASSWORD"},
+ ["gcp_prod_autograph_omnija"],
+ "systemaddon_rsa_dep"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_LANGPACK_USERNAME"},
+ {"$eval": "AUTOGRAPH_LANGPACK_PASSWORD"},
+ ["gcp_prod_autograph_langpack"],
+ "webextensions_rsa_dep_202402"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_FOCUS_USERNAME"},
+ {"$eval": "AUTOGRAPH_FOCUS_PASSWORD"},
+ ["gcp_prod_autograph_focus"],
+ "focus_dep_apk"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_FENIX_USERNAME"},
+ {"$eval": "AUTOGRAPH_FENIX_PASSWORD"},
+ ["gcp_prod_autograph_apk", "gcp_prod_autograph_apk_mozillaonline"],
+ "fenix_dep_apk"
+ ]
+
 # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
@@ -139,6 +189,14 @@ in:
 "dummyapp_android"
 ]
 
+ # GCP Autograph prod
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
+ {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD"},
+ ["gcp_prod_autograph_apk"],
+ "geckoview_reference_browser_dep_apk"
+ ]
+
 # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
@@ -157,6 +215,14 @@ in:
 "dummy_gpg2"
 ]
 
+ # GCP Autograph prod
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+ ["gcp_prod_autograph_gpg"],
+ "release_at_mozilla_rel_pgp_dep"
+ ]
+
 # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_GPG_USERNAME"},
@@ -175,6 +241,14 @@ in:
 "dummy_gpg2"
 ]
 
+ # GCP Autograph prod
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+ ["gcp_prod_autograph_gpg"],
+ "release_at_mozilla_rel_pgp_dep"
+ ]
+
 # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_GPG_USERNAME"},
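Review bot: The credential destination `https://prod.autograph.prod.webservices.mozgcp.net` is written out as a literal in every entry of the first hunk (`@@ -81,6 +81,56 @@`) and again in each later hunk, so a typo in any one copy would send an unchanged production username and password to the wrong host. If the enclosing json-e block that `in:` closes allows it (it starts outside the hunk, so this is an assumption), bind the URL once and reference it, e.g. `- [{"$eval": "<GCP_AUTOGRAPH_URL_VAR>"},`, where the variable name is a placeholder. The comment could also carry what the commit message states, e.g. `# GCP Autograph prod: opt-in formats, same credentials as the AWS entries below; rotate both together`. Separately, `"firefox_dep1",` is the only added keyid with a trailing comma, which is harmless but inconsistent with the other entries in this hunk.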
@@ -199,6 +273,20 @@ in:
 "cas_new_systemaddon_rsa"
 ]
 
+ # GCP Autograph prod
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
+ {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"},
+ ["gcp_prod_privileged_webextension"],
+ "extension_rsa_dep_202402"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
+ {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"},
+ ["gcp_prod_system_addon"],
+ "systemaddon_rsa_dep_202402"
+ ]
+
 # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
@@ -239,6 +327,26 @@ in:
 "authenticode_dep_sha256",
 ]
 
+ # GCP Autograph prod
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
+ {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
+ ["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
+ "authenticode_dep_sha256"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_MOZILLAVPN_DEBSIGN_USERNAME"},
+ {"$eval": "AUTOGRAPH_MOZILLAVPN_DEBSIGN_PASSWORD"},
+ ["gcp_prod_autograph_debsign"],
+ "release_at_mozilla_debsign_dep"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_USERNAME"},
+ {"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_PASSWORD"},
+ ["gcp_prod_autograph_rsa"],
+ "vpn_addons_dep_2022"
+ ]
+
 # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
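Review bot: The `gcp_prod_system_addon` entry in the `@@ -199,6 +273,20 @@` hunk signs with keyid `systemaddon_rsa_dep_202402`, while the `gcp_prod_autograph_omnija` entry added in the first hunk uses `systemaddon_rsa_dep` with no date suffix. The two entries use different credentials, so this may be intended, but since the commit sets out to make keyids explicit everywhere it is worth checking each new keyid against the one its AWS counterpart resolves to today; those AWS entries are outside the hunk. A short comment per entry naming the AWS format it mirrors, e.g. `# mirrors <aws_format_name>` (placeholder), would make that check possible from the file alone.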
@@ -295,6 +403,39 @@ in:
 "dummyapp_android"
 ]
 
+ # GCP Autograph prod
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
+ {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
+ ["gcp_prod_autograph_authenticode_ev",
+ "gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
+ "authenticode_dep_sha256"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_MAR_USERNAME"},
+ {"$eval": "AUTOGRAPH_MAR_PASSWORD"},
+ ["gcp_prod_autograph_hash_only_mar384"],
+ "firefox_dep1"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
+ ["gcp_prod_autograph_gpg"],
+ "release_at_mozilla_rel_pgp_dep"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_XPI_USERNAME"},
+ {"$eval": "AUTOGRAPH_XPI_PASSWORD"},
+ ["gcp_prod_autograph_xpi", "gcp_prod_autograph_xpi_sha1_es256_es384", "gcp_prod_autograph_xpi_sha1_es256_ps256", "gcp_prod_autograph_xpi_sha1_es256", "gcp_prod_autograph_xpi_sha1_ps256"],
+ "webextensions_rsa_dep_202402"
+ ]
+ - ["https://prod.autograph.prod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_FENIX_USERNAME"},
+ {"$eval": "AUTOGRAPH_FENIX_PASSWORD"},
+ ["gcp_prod_autograph_apk"],
+ "fenix_dep_apk"
+ ]
+
 # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
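Review bot: In the `@@ -295,6 +403,39 @@` hunk the format `gcp_prod_autograph_authenticode_ev` shares one entry, and therefore the single keyid `authenticode_dep_sha256`, with the two non-EV authenticode formats. If this section is a dep-signing one (its header is outside the hunk) that is presumably deliberate, but nothing on the page says so, and a reader could take an `_ev` format name to imply an EV key. I would add a comment above the entry such as `# dep: EV format intentionally signs with the non-EV dep key`, or split the EV format into its own entry if it is meant to resolve to a different keyid.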