From 6ca041875668168f408089fd1c0dc5a9291fa989 Mon Sep 17 00:00:00 2001
From: Ben Hearsum
Date: Tue, 3 Dec 2024 12:46:00 -0500
Subject: [PATCH] signingscript: autograph gcp migration step 2: test against gcp prod

This patch adds another set of new formats that point at Autograph GCP prod. These entries contain equivalents for all current production formats, and use the exact same credentials the existing production formats. Where they differ are:
* Different formats (so we can opt into them)
* Different autograph URL
* Ensure we use explicit keyids everywhere
---
signingscript/docker.d/passwords.yml | 143 +++++++++++++++++++++++++++
1 file changed, 143 insertions(+)

diff --git a/signingscript/docker.d/passwords.yml b/signingscript/docker.d/passwords.yml
index 4917fe279..8928ab6bf 100644
--- a/signingscript/docker.d/passwords.yml
+++ b/signingscript/docker.d/passwords.yml
@@ -81,6 +81,56 @@ in: "dummyapp_android", ] + # GCP Autograph prod + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"}, + {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"}, + ["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"], + "authenticode_dep_sha256" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_MAR_USERNAME"}, + {"$eval": "AUTOGRAPH_MAR_PASSWORD"}, + ["gcp_prod_autograph_hash_only_mar384"], + "firefox_dep1", + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_GPG_USERNAME"}, + {"$eval": "AUTOGRAPH_GPG_PASSWORD"}, + ["gcp_prod_autograph_gpg"], + "release_at_mozilla_rel_pgp_dep" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_WIDEVINE_USERNAME"}, + {"$eval": "AUTOGRAPH_WIDEVINE_PASSWORD"}, + ["gcp_prod_autograph_widevine"], + "widevine_dep1" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_OMNIJA_USERNAME"}, + {"$eval": "AUTOGRAPH_OMNIJA_PASSWORD"}, + ["gcp_prod_autograph_omnija"], + "systemaddon_rsa_dep" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_LANGPACK_USERNAME"}, + {"$eval": "AUTOGRAPH_LANGPACK_PASSWORD"}, + ["gcp_prod_autograph_langpack"], + "webextensions_rsa_dep_202402" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_FOCUS_USERNAME"}, + {"$eval": "AUTOGRAPH_FOCUS_PASSWORD"}, + ["gcp_prod_autograph_focus"], + "focus_dep_apk" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_FENIX_USERNAME"}, + {"$eval": "AUTOGRAPH_FENIX_PASSWORD"}, + ["gcp_prod_autograph_apk", "gcp_prod_autograph_apk_mozillaonline"], + "fenix_dep_apk" + ] + # AWS Autograph; to be removed when production is switched over to GCP by default. 
- ["https://autograph-external.prod.autograph.services.mozaws.net", {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"}, @@ -139,6 +189,14 @@ in: "dummyapp_android" ] + # GCP Autograph prod + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"}, + {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD"}, + ["gcp_prod_autograph_apk"], + "geckoview_reference_browser_dep_apk" + ] + # AWS Autograph; to be removed when production is switched over to GCP by default. - ["https://autograph-external.prod.autograph.services.mozaws.net", {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"}, @@ -157,6 +215,14 @@ in: "dummy_gpg2" ] + # GCP Autograph prod + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_GPG_USERNAME"}, + {"$eval": "AUTOGRAPH_GPG_PASSWORD"}, + ["gcp_prod_autograph_gpg"], + "release_at_mozilla_rel_pgp_dep" + ] + # AWS Autograph; to be removed when production is switched over to GCP by default. - ["https://autograph-external.prod.autograph.services.mozaws.net", {"$eval": "AUTOGRAPH_GPG_USERNAME"}, @@ -175,6 +241,14 @@ in: "dummy_gpg2" ] + # GCP Autograph prod + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_GPG_USERNAME"}, + {"$eval": "AUTOGRAPH_GPG_PASSWORD"}, + ["gcp_prod_autograph_gpg"], + "release_at_mozilla_rel_pgp_dep" + ] + # AWS Autograph; to be removed when production is switched over to GCP by default. - ["https://autograph-external.prod.autograph.services.mozaws.net", {"$eval": "AUTOGRAPH_GPG_USERNAME"}, 
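Review bot: The GCP endpoint `https://prod.autograph.prod.webservices.mozgcp.net` is written out in full in each of the eight entries added by the `@@ -81,6 +81,56 @@` hunk, and again in every later hunk of this patch, next to the same `$eval`'d username/password pairs that the AWS entries use. The first element of an entry presumably decides which host receives those credentials, so a typo in any one copy would be easy to miss in review. Defining the URL once and referencing it from each entry would leave a single string to check and make the later cut-over a one-line change. If the enclosing template permits it (only `in:` is visible here), something like `{"$eval": "AUTOGRAPH_GCP_PROD_URL"}` in the URL position would do; that name is a suggestion, not an existing variable.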
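Review bot: In the `@@ -139,6 +189,14 @@` hunk the format `gcp_prod_autograph_apk` is bound to the `AUTOGRAPH_REFERENCE_BROWSER_*` credentials and the keyid `geckoview_reference_browser_dep_apk`, while the same format name in the `-81` and `-295` hunks is bound to `AUTOGRAPH_FENIX_*` and `fenix_dep_apk`. That is presumably safe because the lists belong to different product sections, whose keys are outside the hunk, but nothing on these lines says so. A comment above the entry such as `# gcp_prod_autograph_apk in this section signs with the reference-browser key, not fenix` would keep a later copy-and-paste from carrying the wrong keyid into another section.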
@@ -199,6 +273,20 @@ in: "cas_new_systemaddon_rsa" ] + # GCP Autograph prod + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"}, + {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"}, + ["gcp_prod_privileged_webextension"], + "extension_rsa_dep_202402" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"}, + {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"}, + ["gcp_prod_system_addon"], + "systemaddon_rsa_dep_202402" + ] + # AWS Autograph; to be removed when production is switched over to GCP by default. - ["https://autograph-external.prod.autograph.services.mozaws.net", {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"}, @@ -239,6 +327,26 @@ in: "authenticode_dep_sha256", ] + # GCP Autograph prod + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"}, + {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"}, + ["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"], + "authenticode_dep_sha256" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_MOZILLAVPN_DEBSIGN_USERNAME"}, + {"$eval": "AUTOGRAPH_MOZILLAVPN_DEBSIGN_PASSWORD"}, + ["gcp_prod_autograph_debsign"], + "release_at_mozilla_debsign_dep" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_USERNAME"}, + {"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_PASSWORD"}, + ["gcp_prod_autograph_rsa"], + "vpn_addons_dep_2022" + ] + # AWS Autograph; to be removed when production is switched over to GCP by default. - ["https://autograph-external.prod.autograph.services.mozaws.net", {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"}, 
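Review bot: The system add-on keyid is not the same across the patch: the `gcp_prod_system_addon` entry in the `@@ -199,6 +273,20 @@` hunk pins `systemaddon_rsa_dep_202402`, whereas the `gcp_prod_autograph_omnija` entry in the `-81` hunk pins `systemaddon_rsa_dep` with no date suffix. If each value was copied from the matching AWS entry (those lines are not part of the hunks) this is fine. Since the commit's stated goal is explicit keyids everywhere, it is still worth confirming that the undated id is the intended signer rather than a leftover from before the 202402 keys. If it is intended, a one-line comment beside the omnija entry, for example `# omnija intentionally stays on systemaddon_rsa_dep`, would record the decision.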
@@ -295,6 +403,41 @@ in: "dummyapp_android" ] + # GCP Autograph prod + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"}, + {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"}, + ["gcp_prod_autograph_authenticode_ev", + "gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"], + "authenticode_dep_sha256" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_MAR_USERNAME"}, + {"$eval": "AUTOGRAPH_MAR_PASSWORD"}, + ["gcp_prod_autograph_hash_only_mar384"], + "firefox_dep1" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_GPG_USERNAME"}, + {"$eval": "AUTOGRAPH_GPG_PASSWORD"}, + ["gcp_prod_autograph_gpg"], + "release_at_mozilla_rel_pgp_dep" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_XPI_USERNAME"}, + {"$eval": "AUTOGRAPH_XPI_PASSWORD"}, + ["gcp_prod_autograph_xpi", "gcp_prod_autograph_xpi_sha1_es256_es384", + "gcp_prod_autograph_xpi_sha1_es256_ps256", "gcp_prod_autograph_xpi_sha1_es256", + "gcp_prod_autograph_xpi_sha1_ps256"], + "webextensions_rsa_dep_202402" + ] + - ["https://prod.autograph.prod.webservices.mozgcp.net", + {"$eval": "AUTOGRAPH_FENIX_USERNAME"}, + {"$eval": "AUTOGRAPH_FENIX_PASSWORD"}, + ["gcp_prod_autograph_apk"], + "fenix_dep_apk" + ] + # AWS Autograph; to be removed when production is switched over to GCP by default. - ["https://autograph-external.prod.autograph.services.mozaws.net", {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
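Review bot: The first entry of the `@@ -295,6 +403,41 @@` hunk lists `gcp_prod_autograph_authenticode_ev` alongside the two `_202404` formats under the single keyid `authenticode_dep_sha256`, so with an explicit keyid an EV request is signed by the same key as a non-EV one. The same shape, one keyid for several formats, appears for the five `gcp_prod_autograph_xpi*` formats in this hunk and for `gcp_prod_autograph_apk` / `gcp_prod_autograph_apk_mozillaonline` in the `-81` hunk. That looks deliberate for dep keys, but the intent is not written down anywhere on these lines. A comment above the entry such as `# dep: all authenticode formats, including EV, share one keyid` would stop the grouping being copied unchanged into a section where the formats need distinct keys.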