diff --git a/signingscript/src/signingscript/script.py b/signingscript/src/signingscript/script.py
index 03e4ec84f..23958846f 100755
--- a/signingscript/src/signingscript/script.py
+++ b/signingscript/src/signingscript/script.py
@@ -27,13 +27,13 @@ async def async_main(context):
 work_dir = context.config["work_dir"]
 async with aiohttp.ClientSession() as session:
 all_signing_formats = task_signing_formats(context)
- if {"autograph_gpg", "stage_autograph_gpg"}.intersection(all_signing_formats):
+ if {"autograph_gpg", "gcp_prod_autograph_gpg", "stage_autograph_gpg"}.intersection(all_signing_formats):
 if not context.config.get("gpg_pubkey"):
 raise Exception("GPG format is enabled but gpg_pubkey is not defined")
 if not os.path.exists(context.config["gpg_pubkey"]):
 raise Exception("gpg_pubkey ({}) doesn't exist!".format(context.config["gpg_pubkey"]))
- if {"autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats):
+ if {"autograph_widevine", "gcp_prod_autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats):
 if not context.config.get("widevine_cert"):
 raise Exception("Widevine format is enabled, but widevine_cert is not defined")
@@ -61,7 +61,7 @@ async def async_main(context):
 for source in output_files:
 source = os.path.relpath(source, work_dir)
 copy_to_dir(os.path.join(work_dir, source), context.config["artifact_dir"], target=source)
- if {"autograph_gpg", "stage_autograph_gpg"}.intersection(set(path_dict["formats"])):
+ if {"autograph_gpg", "gcp_prod_autograph_gpg", "stage_autograph_gpg"}.intersection(set(path_dict["formats"])):
 copy_to_dir(context.config["gpg_pubkey"], context.config["artifact_dir"], target="public/build/KEY")
 # notarization_stacked is a special format that takes in all files at once instead of sequentially like other formats
diff --git a/signingscript/src/signingscript/sign.py b/signingscript/src/signingscript/sign.py
index 7cb3897dd..655a46f9a 100644
--- a/signingscript/src/signingscript/sign.py
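Review bot: The `gcp_prod_` names added to both `intersection()` sets here are one more copy of a hand-maintained format list that this commit also extends in sign.py (`_is_xpi_format`, the authenticode cert-key selection), task.py (`_get_signing_function_from_format`, `_sort_formats`) and utils.py (`is_apk_autograph_signing_format`). The `gpg_pubkey` precondition in this hunk and the `public/build/KEY` publication in the second script.py hunk (`@@ -61,7`) are gated on these sets, so a prefix added in one place and missed in another is noticed only when a task fails or ships without the key. A single module-level `FORMAT_ENV_PREFIXES = ("stage_", "gcp_prod_")` with a small `strip_env_prefix(fmt)` helper (task.py already chains `removeprefix("stage_").removeprefix("gcp_prod_")`) would let every site test the base name instead, e.g. `if any(strip_env_prefix(f) == "autograph_gpg" for f in all_signing_formats):`. `async_main` starts and ends outside the hunk.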
+++ b/signingscript/src/signingscript/sign.py
@@ -90,6 +90,12 @@
 "nightly-signing": "nightly_aurora_level3_primary.pem",
 "dep-signing": "dep1.pem",
 },
+ "gcp_prod_autograph_stage_mar384": {"dep-signing": "autograph_stage.pem"},
+ "gcp_prod_autograph_hash_only_mar384": {
+ "release-signing": "release_primary.pem",
+ "nightly-signing": "nightly_aurora_level3_primary.pem",
+ "dep-signing": "dep1.pem",
+ },
 }
 # Langpacks expect the following re to match for addon id
@@ -933,9 +939,16 @@ def b64encode(input_bytes):
 def _is_xpi_format(fmt):
 if "omnija" in fmt or "langpack" in fmt:
 return True
- if fmt in ("privileged_webextension", "system_addon", "stage_privileged_webextension", "stage_system_addon"):
+ if fmt in (
+ "privileged_webextension",
+ "system_addon",
+ "gcp_prod_privileged_webextension",
+ "gcp_prod_system_addon",
+ "stage_privileged_webextension",
+ "stage_system_addon",
+ ):
 return True
- if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
+ if fmt.startswith(("autograph_xpi", "gcp_prod_autograph_xpi", "stage_autograph_xpi")):
 return True
 return False
@@ -1413,10 +1426,10 @@ async def signer(digest, digest_algo):
 cafile_key = "authenticode_ca"
 cert_key = "authenticode_cert"
- if fmt in ("autograph_authenticode_ev", "stage_autograph_authenticode_ev"):
+ if fmt in ("autograph_authenticode_ev", "gcp_prod_autograph_authenticode_ev", "stage_autograph_authenticode_ev"):
 cafile_key = f"{cafile_key}_ev"
 cert_key = f"{cert_key}_ev"
- elif fmt.startswith(("autograph_authenticode_202404", "stage_autograph_authenticode_202404")):
+ elif fmt.startswith(("autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404", "stage_autograph_authenticode_202404")):
 cafile_key += "_202404"
 cert_key += "_202404"
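Review bot: The new `gcp_prod_autograph_stage_mar384` entry pairs a prod-labelled format with the stage verification key `autograph_stage.pem`, presumably mirroring an unprefixed `autograph_stage_mar384` entry outside the hunk; if a GCP prod signer really is meant to be verified against the stage key for `dep-signing`, a one-line comment beside the entry such as `# gcp_prod_ formats verify against the same keys as their unprefixed counterparts` would save the next reader the question. The `gcp_prod_autograph_hash_only_mar384` block repeats the three pem names verbatim; generating the prefixed entries from the base ones with one loop after the dict literal would keep the verification-key mapping from drifting between environments. The enclosing dict starts outside the hunk.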
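Review bot: The `_ev` and `_202404` branches select a different CA file and signing certificate via `cafile_key`/`cert_key`, but a format name that matches neither literal tuple falls through to the default `authenticode_ca`/`authenticode_cert` keys instead of failing, so a prefix missed in these tuples would silently sign with the wrong certificate. Matching on the normalised name removes the per-prefix literals: `base = fmt.removeprefix("stage_").removeprefix("gcp_prod_")`, then `if base == "autograph_authenticode_ev":` and `elif base.startswith("autograph_authenticode_202404"):`. Since the plain `autograph_authenticode_sha2*` formats legitimately use the default keys, turning the fall-through into a loud failure would need a list of the known base names; whether that is worth it depends on how often new variants are added. The enclosing function starts and ends outside the hunk.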
@@ -1431,7 +1444,11 @@ async def signer(digest, digest_algo):
 certs = load_pem_certs(open(context.config[cert_key], "rb").read())
 url = context.config["authenticode_url"]
- if fmt in ("autograph_authenticode_sha2_rfc3161_stub", "stage_autograph_authenticode_sha2_rfc3161_stub"):
+ if fmt in (
+ "autograph_authenticode_sha2_rfc3161_stub",
+ "gcp_prod_autograph_authenticode_sha2_rfc3161_stub",
+ "stage_autograph_authenticode_sha2_rfc3161_stub",
+ ):
 fmt = fmt.removesuffix("_rfc3161_stub")
 timestamp_style = "rfc3161"
 else:
diff --git a/signingscript/src/signingscript/task.py b/signingscript/src/signingscript/task.py
index a5e413c43..9548ea453 100644
--- a/signingscript/src/signingscript/task.py
+++ b/signingscript/src/signingscript/task.py
@@ -167,11 +167,11 @@ async def sign(context, path, signing_formats, **kwargs):
 def _get_signing_function_from_format(fmt_and_key_id):
 fmt, _ = split_autograph_format(fmt_and_key_id)
- if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
+ if fmt.startswith(("autograph_xpi", "gcp_prod_autograph_xpi", "stage_autograph_xpi")):
 return sign_xpi
 if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt):
 return fn
- if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt.removeprefix("stage_")):
+ if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt.removeprefix("stage_").removeprefix("gcp_prod_")):
 return fn
 return FORMAT_TO_SIGNING_FUNCTION["default"]
@@ -196,13 +196,17 @@ def _sort_formats(formats):
 for fmt in (
 "widevine",
 "autograph_widevine",
+ "gcp_prod_autograph_widevine",
 "stage_autograph_widevine",
 "autograph_omnija",
+ "gcp_prod_autograph_omnija",
 "stage_autograph_omnija",
 "macapp",
 "autograph_rsa",
+ "gcp_prod_autograph_rsa",
 "stage_autograph_rsa",
 "autograph_gpg",
+ "gcp_prod_autograph_gpg",
 "stage_autograph_gpg",
 ):
 if fmt in formats:
diff --git a/signingscript/src/signingscript/utils.py b/signingscript/src/signingscript/utils.py
index 760b77503..cddfca415 100644
--- a/signingscript/src/signingscript/utils.py
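Review bot: The three-entry tuple exists only to decide whether `fmt` ends in `_rfc3161_stub`, which the next line then strips; `if fmt.endswith("_rfc3161_stub"):` expresses that directly and covers every environment prefix, assuming — as the visible names suggest — that only the sha2 stub format carries that suffix. On the context line above, `open(context.config[cert_key], "rb").read()` never closes the file handle; `with open(context.config[cert_key], "rb") as f: certs = load_pem_certs(f.read())` is a cheap fix while this block is being touched, though it predates the commit. The enclosing function starts and ends outside the hunk.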
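Review bot: The xpi check and the prefix-stripping lookup below it are maintained independently, so the environment prefixes are spelled twice within `_get_signing_function_from_format`; computing `base_fmt = fmt.removeprefix("stage_").removeprefix("gcp_prod_")` once and testing `if base_fmt.startswith("autograph_xpi"):` and `FORMAT_TO_SIGNING_FUNCTION.get(base_fmt)` keeps one source of truth, with the exact-`fmt` lookup kept first so a prefixed entry can still override. `removeprefix` strips each prefix at most once and in that fixed order, so a constructed name like `gcp_prod_stage_x` would not fully normalise; that is probably fine but deserves a comment. The unconditional `FORMAT_TO_SIGNING_FUNCTION["default"]` fallback routes a misspelt prefix to `sign_file` rather than rejecting it (the test hunk shows `("default", stask.sign_file)`), and each new prefix widens the set of near-miss names; whether that is acceptable depends on what `sign_file` does, which is not visible here.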
+++ b/signingscript/src/signingscript/utils.py
@@ -213,8 +213,17 @@ def is_apk_autograph_signing_format(format_):
 # TODO Remove autograph_focus once format is migrated
 return (
 format_
- and format_.startswith(("autograph_apk_", "stage_autograph_apk_"))
- or format_ in ("autograph_focus", "autograph_stage_aab", "autograph_aab", "stage_autograph_focus", "stage_autograph_aab")
+ and format_.startswith(("autograph_apk_", "gcp_prod_autograph_apk_", "stage_autograph_apk_"))
+ or format_
+ in (
+ "autograph_focus",
+ "autograph_stage_aab",
+ "autograph_aab",
+ "gcp_prod_autograph_focus",
+ "gcp_prod_autograph_aab",
+ "stage_autograph_focus",
+ "stage_autograph_aab",
+ )
 )
diff --git a/signingscript/tests/test_task.py b/signingscript/tests/test_task.py
index bff573ad7..fcad4d2e4 100644
--- a/signingscript/tests/test_task.py
+++ b/signingscript/tests/test_task.py
@@ -152,7 +152,18 @@ def fake_log(context, new_files, *args):
 ("autograph_authenticode_sha2_stub", stask.sign_authenticode),
 ("apple_notarization", stask.apple_notarize),
 ("default", stask.sign_file),
- # Stage-prefixed cases
+ # GCP prod
+ ("gcp_prod_autograph_hash_only_mar384", stask.sign_mar384_with_autograph_hash),
+ ("gcp_prod_autograph_gpg", stask.sign_gpg_with_autograph),
+ ("gcp_prod_macapp", stask.sign_macapp),
+ ("gcp_prod_widevine", stask.sign_widevine),
+ ("gcp_prod_autograph_authenticode_sha2", stask.sign_authenticode),
+ ("gcp_prod_autograph_authenticode_sha2_stub", stask.sign_authenticode),
+ ("gcp_prod_apple_notarization", stask.apple_notarize),
+ ("gcp_prod_autograph_xpi", stask.sign_xpi),
+ ("gcp_prod_autograph_xpi_sha256_es256", stask.sign_xpi),
+ ("gcp_prod_autograph_xpi_foobar", stask.sign_xpi),
+ # GCP stage
 ("stage_autograph_hash_only_mar384", stask.sign_mar384_with_autograph_hash),
 ("stage_autograph_gpg", stask.sign_gpg_with_autograph),
 ("stage_macapp", stask.sign_macapp),
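Review bot: After the reflow, `or format_` and `in (` sit on separate lines, which makes the precedence of the expression — `(format_ and format_.startswith(...)) or format_ in (...)` — harder to read than before; the `format_ and` guard only protects the `startswith` call, so an early `if not format_: return False` followed by `return format_.startswith((...)) or format_ in (...)` says the same thing plainly and returns the same values. The new tuple adds `gcp_prod_` variants of `autograph_focus` and `autograph_aab` but not of `autograph_stage_aab`, while sign.py in this same commit does add `gcp_prod_autograph_stage_mar384`; if that asymmetry is intentional, a short comment would stop someone from "fixing" it later. The function's signature and docstring are outside the hunk.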
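Review bot: The new parametrised cases exercise only `_get_signing_function_from_format`; no tests in this diff cover the other call sites that gained `gcp_prod_` literals — the `gpg_pubkey`/`widevine_cert` preconditions and the `public/build/KEY` copy in script.py, `_is_xpi_format` and the authenticode `_ev`/`_202404` cert-key selection in sign.py, and `is_apk_autograph_signing_format` in utils.py — unless they live in files not shown here. A negative case is also worth adding, e.g. asserting that a constructed unknown prefix such as `"foo_autograph_gpg"` maps to `stask.sign_file`, so the default fallback is pinned by a test rather than assumed. Renaming the existing comment from `# Stage-prefixed cases` to `# GCP stage` asserts that the `stage_` formats are GCP-hosted; keep the new wording only if that is true.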