update hardcoded formats to work with new 'gcp_prod_' prefix

signingscript/src/signingscript/script.py

@@ -27,13 +27,13 @@ async def async_main(context):
     work_dir = context.config["work_dir"]
     async with aiohttp.ClientSession() as session:
         all_signing_formats = task_signing_formats(context)
-        if {"autograph_gpg", "stage_autograph_gpg"}.intersection(all_signing_formats):
+        if {"autograph_gpg", "gcp_prod_autograph_gpg", "stage_autograph_gpg"}.intersection(all_signing_formats):
             if not context.config.get("gpg_pubkey"):
                 raise Exception("GPG format is enabled but gpg_pubkey is not defined")
             if not os.path.exists(context.config["gpg_pubkey"]):
                 raise Exception("gpg_pubkey ({}) doesn't exist!".format(context.config["gpg_pubkey"]))
 
-        if {"autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats):
+        if {"autograph_widevine", "gcp_prod_autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats):
             if not context.config.get("widevine_cert"):
                 raise Exception("Widevine format is enabled, but widevine_cert is not defined")
 
@@ -61,7 +61,7 @@ async def async_main(context):
             for source in output_files:
                 source = os.path.relpath(source, work_dir)
                 copy_to_dir(os.path.join(work_dir, source), context.config["artifact_dir"], target=source)
-            if {"autograph_gpg", "stage_autograph_gpg"}.intersection(set(path_dict["formats"])):
+            if {"autograph_gpg", "gcp_prod_autograph_gpg", "stage_autograph_gpg"}.intersection(set(path_dict["formats"])):
                 copy_to_dir(context.config["gpg_pubkey"], context.config["artifact_dir"], target="public/build/KEY")
 
         # notarization_stacked is a special format that takes in all files at once instead of sequentially like other formats

signingscript/src/signingscript/sign.py

@@ -90,6 +90,12 @@
         "nightly-signing": "nightly_aurora_level3_primary.pem",
         "dep-signing": "dep1.pem",
     },
+    "gcp_prod_autograph_stage_mar384": {"dep-signing": "autograph_stage.pem"},
+    "gcp_prod_autograph_hash_only_mar384": {
+        "release-signing": "release_primary.pem",
+        "nightly-signing": "nightly_aurora_level3_primary.pem",
+        "dep-signing": "dep1.pem",
+    },
 }
 
 # Langpacks expect the following re to match for addon id
@@ -933,9 +939,16 @@ def b64encode(input_bytes):
 def _is_xpi_format(fmt):
     if "omnija" in fmt or "langpack" in fmt:
         return True
-    if fmt in ("privileged_webextension", "system_addon", "stage_privileged_webextension", "stage_system_addon"):
+    if fmt in (
+        "privileged_webextension",
+        "system_addon",
+        "gcp_prod_privileged_webextension",
+        "gcp_prod_system_addon",
+        "stage_privileged_webextension",
+        "stage_system_addon",
+    ):
         return True
-    if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
+    if fmt.startswith(("autograph_xpi", "gcp_prod_autograph_xpi", "stage_autograph_xpi")):
         return True
     return False
 
@@ -1413,10 +1426,10 @@ async def signer(digest, digest_algo):
     cafile_key = "authenticode_ca"
     cert_key = "authenticode_cert"
 
-    if fmt in ("autograph_authenticode_ev", "stage_autograph_authenticode_ev"):
+    if fmt in ("autograph_authenticode_ev", "gcp_prod_autograph_authenticode_ev", "stage_autograph_authenticode_ev"):
         cafile_key = f"{cafile_key}_ev"
         cert_key = f"{cert_key}_ev"
-    elif fmt.startswith(("autograph_authenticode_202404", "stage_autograph_authenticode_202404")):
+    elif fmt.startswith(("autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404", "stage_autograph_authenticode_202404")):
         cafile_key += "_202404"
         cert_key += "_202404"
 
@@ -1431,7 +1444,11 @@ async def signer(digest, digest_algo):
         certs = load_pem_certs(open(context.config[cert_key], "rb").read())
 
     url = context.config["authenticode_url"]
-    if fmt in ("autograph_authenticode_sha2_rfc3161_stub", "stage_autograph_authenticode_sha2_rfc3161_stub"):
+    if fmt in (
+        "autograph_authenticode_sha2_rfc3161_stub",
+        "gcp_prod_autograph_authenticode_sha2_rfc3161_stub",
+        "stage_autograph_authenticode_sha2_rfc3161_stub",
+    ):
         fmt = fmt.removesuffix("_rfc3161_stub")
         timestamp_style = "rfc3161"
     else:

signingscript/src/signingscript/task.py

@@ -167,11 +167,11 @@ async def sign(context, path, signing_formats, **kwargs):
 def _get_signing_function_from_format(fmt_and_key_id):
     fmt, _ = split_autograph_format(fmt_and_key_id)
 
-    if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
+    if fmt.startswith(("autograph_xpi", "gcp_prod_autograph_xpi", "stage_autograph_xpi")):
         return sign_xpi
     if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt):
         return fn
-    if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt.removeprefix("stage_")):
+    if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt.removeprefix("stage_").removeprefix("gcp_prod_")):
         return fn
 
     return FORMAT_TO_SIGNING_FUNCTION["default"]
@@ -196,13 +196,17 @@ def _sort_formats(formats):
     for fmt in (
         "widevine",
         "autograph_widevine",
+        "gcp_prod_autograph_widevine",
         "stage_autograph_widevine",
         "autograph_omnija",
+        "gcp_prod_autograph_omnija",
         "stage_autograph_omnija",
         "macapp",
         "autograph_rsa",
+        "gcp_prod_autograph_rsa",
         "stage_autograph_rsa",
         "autograph_gpg",
+        "gcp_prod_autograph_gpg",
         "stage_autograph_gpg",
     ):
         if fmt in formats:

signingscript/src/signingscript/utils.py

@@ -213,8 +213,17 @@ def is_apk_autograph_signing_format(format_):
     # TODO Remove autograph_focus once format is migrated
     return (
         format_
-        and format_.startswith(("autograph_apk_", "stage_autograph_apk_"))
-        or format_ in ("autograph_focus", "autograph_stage_aab", "autograph_aab", "stage_autograph_focus", "stage_autograph_aab")
+        and format_.startswith(("autograph_apk_", "gcp_prod_autograph_apk_", "stage_autograph_apk_"))
+        or format_
+        in (
+            "autograph_focus",
+            "autograph_stage_aab",
+            "autograph_aab",
+            "gcp_prod_autograph_focus",
+            "gcp_prod_autograph_aab",
+            "stage_autograph_focus",
+            "stage_autograph_aab",
+        )
     )
 
 

signingscript/tests/test_task.py

@@ -152,7 +152,18 @@ def fake_log(context, new_files, *args):
         ("autograph_authenticode_sha2_stub", stask.sign_authenticode),
         ("apple_notarization", stask.apple_notarize),
         ("default", stask.sign_file),
-        # Stage-prefixed cases
+        # GCP prod
+        ("gcp_prod_autograph_hash_only_mar384", stask.sign_mar384_with_autograph_hash),
+        ("gcp_prod_autograph_gpg", stask.sign_gpg_with_autograph),
+        ("gcp_prod_macapp", stask.sign_macapp),
+        ("gcp_prod_widevine", stask.sign_widevine),
+        ("gcp_prod_autograph_authenticode_sha2", stask.sign_authenticode),
+        ("gcp_prod_autograph_authenticode_sha2_stub", stask.sign_authenticode),
+        ("gcp_prod_apple_notarization", stask.apple_notarize),
+        ("gcp_prod_autograph_xpi", stask.sign_xpi),
+        ("gcp_prod_autograph_xpi_sha256_es256", stask.sign_xpi),
+        ("gcp_prod_autograph_xpi_foobar", stask.sign_xpi),
+        # GCP stage
         ("stage_autograph_hash_only_mar384", stask.sign_mar384_with_autograph_hash),
         ("stage_autograph_gpg", stask.sign_gpg_with_autograph),
         ("stage_macapp", stask.sign_macapp),