Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

signingscript: autograph gcp migration step 2: test against gcp prod #1099

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

signingscript: autograph gcp migration step 2: test against gcp prod #1099

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7945f42
signingscript: autograph gcp migration step 2: test against gcp prod
bhearsum Dec 3, 2024
2d5d7b8
update hardcoded formats to work with new 'gcp_prod_' prefix
bhearsum Dec 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
150 changes: 150 additions & 0 deletions signingscript/docker.d/passwords.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,56 @@ in:
"dummyapp_android",
]

# GCP Autograph prod
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
"authenticode_dep_sha256"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_MAR_USERNAME"},
{"$eval": "AUTOGRAPH_MAR_PASSWORD"},
["gcp_prod_autograph_hash_only_mar384"],
"firefox_dep1",
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_GPG_USERNAME"},
{"$eval": "AUTOGRAPH_GPG_PASSWORD"},
["gcp_prod_autograph_gpg"],
"release_at_mozilla_rel_pgp_dep"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_WIDEVINE_USERNAME"},
{"$eval": "AUTOGRAPH_WIDEVINE_PASSWORD"},
["gcp_prod_autograph_widevine"],
"widevine_dep1"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_OMNIJA_USERNAME"},
{"$eval": "AUTOGRAPH_OMNIJA_PASSWORD"},
["gcp_prod_autograph_omnija"],
"systemaddon_rsa_dep"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_LANGPACK_USERNAME"},
{"$eval": "AUTOGRAPH_LANGPACK_PASSWORD"},
["gcp_prod_autograph_langpack"],
"webextensions_rsa_dep_202402"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_FOCUS_USERNAME"},
{"$eval": "AUTOGRAPH_FOCUS_PASSWORD"},
["gcp_prod_autograph_focus"],
"focus_dep_apk"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_FENIX_USERNAME"},
{"$eval": "AUTOGRAPH_FENIX_PASSWORD"},
["gcp_prod_autograph_apk", "gcp_prod_autograph_apk_mozillaonline"],
"fenix_dep_apk"
]

# AWS Autograph; to be removed when production is switched over to GCP by default.
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
Expand Down Expand Up @@ -140,6 +190,21 @@ in:
"dummyapp_android"
]

# GCP Autograph prod
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
{"$eval": "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD"},
["gcp_prod_autograph_apk"],
"geckoview_reference_browser_dep_apk"
]

- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
{"$eval": "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD"},
["gcp_prod_autograph_aab"],
"geckoview_reference_browser_dep_apk_v3"
]

# AWS Autograph; to be removed when production is switched over to GCP by default.
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
Expand All @@ -158,6 +223,14 @@ in:
"dummy_gpg2"
]

# GCP Autograph prod
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_GPG_USERNAME"},
{"$eval": "AUTOGRAPH_GPG_PASSWORD"},
["gcp_prod_autograph_gpg"],
"release_at_mozilla_rel_pgp_dep"
]

# AWS Autograph; to be removed when production is switched over to GCP by default.
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_GPG_USERNAME"},
Expand All @@ -176,6 +249,14 @@ in:
"dummy_gpg2"
]

# GCP Autograph prod
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_GPG_USERNAME"},
{"$eval": "AUTOGRAPH_GPG_PASSWORD"},
["gcp_prod_autograph_gpg"],
"release_at_mozilla_rel_pgp_dep"
]

# AWS Autograph; to be removed when production is switched over to GCP by default.
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_GPG_USERNAME"},
Expand All @@ -200,6 +281,20 @@ in:
"cas_new_systemaddon_rsa"
]

# GCP Autograph prod
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
{"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"},
["gcp_prod_privileged_webextension"],
"extension_rsa_dep_202402"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
{"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"},
["gcp_prod_system_addon"],
"systemaddon_rsa_dep_202402"
]

# AWS Autograph; to be removed when production is switched over to GCP by default.
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
Expand Down Expand Up @@ -234,6 +329,26 @@ in:
"authenticode_dep_sha256",
]

# GCP Autograph prod
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
["gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
"authenticode_dep_sha256"
]
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_MOZILLAVPN_USERNAME"},
{"$eval": "AUTOGRAPH_MOZILLAVPN_PASSWORD"},
["gcp_prod_autograph_apk"],
"geckoview_reference_browser_dep_apk"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_USERNAME"},
{"$eval": "AUTOGRAPH_MOZILLAVPN_ADDONS_PASSWORD"},
["gcp_prod_autograph_rsa"],
"vpn_addons_dep_2022"
]

# AWS Autograph; to be removed when production is switched over to GCP by default.
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
Expand Down Expand Up @@ -284,6 +399,41 @@ in:
"dummyapp_android"
]

# GCP Autograph prod
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
["gcp_prod_autograph_authenticode_ev",
"gcp_prod_autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404_stub"],
"authenticode_dep_sha256"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_MAR_USERNAME"},
{"$eval": "AUTOGRAPH_MAR_PASSWORD"},
["gcp_prod_autograph_hash_only_mar384"],
"firefox_dep1"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_GPG_USERNAME"},
{"$eval": "AUTOGRAPH_GPG_PASSWORD"},
["gcp_prod_autograph_gpg"],
"release_at_mozilla_rel_pgp_dep"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_XPI_USERNAME"},
{"$eval": "AUTOGRAPH_XPI_PASSWORD"},
["gcp_prod_autograph_xpi", "gcp_prod_autograph_xpi_sha1_es256_es384",
"gcp_prod_autograph_xpi_sha1_es256_ps256", "gcp_prod_autograph_xpi_sha1_es256",
"gcp_prod_autograph_xpi_sha1_ps256"],
"webextensions_rsa_dep_202402"
]
- ["https://prod.autograph.prod.webservices.mozgcp.net",
{"$eval": "AUTOGRAPH_FENIX_USERNAME"},
{"$eval": "AUTOGRAPH_FENIX_PASSWORD"},
["gcp_prod_autograph_apk"],
"fenix_dep_apk"
]

# AWS Autograph; to be removed when production is switched over to GCP by default.
- ["https://autograph-external.prod.autograph.services.mozaws.net",
{"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
Expand Down
6 changes: 3 additions & 3 deletions signingscript/src/signingscript/script.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@ async def async_main(context):
work_dir = context.config["work_dir"]
async with aiohttp.ClientSession() as session:
all_signing_formats = task_signing_formats(context)
if {"autograph_gpg", "stage_autograph_gpg"}.intersection(all_signing_formats):
if {"autograph_gpg", "gcp_prod_autograph_gpg", "stage_autograph_gpg"}.intersection(all_signing_formats):
if not context.config.get("gpg_pubkey"):
raise Exception("GPG format is enabled but gpg_pubkey is not defined")
if not os.path.exists(context.config["gpg_pubkey"]):
raise Exception("gpg_pubkey ({}) doesn't exist!".format(context.config["gpg_pubkey"]))

if {"autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats):
if {"autograph_widevine", "gcp_prod_autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats):
if not context.config.get("widevine_cert"):
raise Exception("Widevine format is enabled, but widevine_cert is not defined")

Expand Down Expand Up @@ -61,7 +61,7 @@ async def async_main(context):
for source in output_files:
source = os.path.relpath(source, work_dir)
copy_to_dir(os.path.join(work_dir, source), context.config["artifact_dir"], target=source)
if {"autograph_gpg", "stage_autograph_gpg"}.intersection(set(path_dict["formats"])):
if {"autograph_gpg", "gcp_prod_autograph_gpg", "stage_autograph_gpg"}.intersection(set(path_dict["formats"])):
copy_to_dir(context.config["gpg_pubkey"], context.config["artifact_dir"], target="public/build/KEY")

# notarization_stacked is a special format that takes in all files at once instead of sequentially like other formats
Expand Down
27 changes: 22 additions & 5 deletions signingscript/src/signingscript/sign.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,12 @@
"nightly-signing": "nightly_aurora_level3_primary.pem",
"dep-signing": "dep1.pem",
},
"gcp_prod_autograph_stage_mar384": {"dep-signing": "autograph_stage.pem"},
"gcp_prod_autograph_hash_only_mar384": {
"release-signing": "release_primary.pem",
"nightly-signing": "nightly_aurora_level3_primary.pem",
"dep-signing": "dep1.pem",
},
}

# Langpacks expect the following re to match for addon id
Expand Down Expand Up @@ -875,9 +881,16 @@ def b64encode(input_bytes):
def _is_xpi_format(fmt):
if "omnija" in fmt or "langpack" in fmt:
return True
if fmt in ("privileged_webextension", "system_addon", "stage_privileged_webextension", "stage_system_addon"):
if fmt in (
"privileged_webextension",
"system_addon",
"gcp_prod_privileged_webextension",
"gcp_prod_system_addon",
"stage_privileged_webextension",
"stage_system_addon",
):
return True
if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
if fmt.startswith(("autograph_xpi", "gcp_prod_autograph_xpi", "stage_autograph_xpi")):
return True
return False

Expand Down Expand Up @@ -1348,10 +1361,10 @@ async def signer(digest, digest_algo):
cafile_key = "authenticode_ca"
cert_key = "authenticode_cert"

if fmt in ("autograph_authenticode_ev", "stage_autograph_authenticode_ev"):
if fmt in ("autograph_authenticode_ev", "gcp_prod_autograph_authenticode_ev", "stage_autograph_authenticode_ev"):
cafile_key = f"{cafile_key}_ev"
cert_key = f"{cert_key}_ev"
elif fmt.startswith(("autograph_authenticode_202404", "stage_autograph_authenticode_202404")):
elif fmt.startswith(("autograph_authenticode_202404", "gcp_prod_autograph_authenticode_202404", "stage_autograph_authenticode_202404")):
cafile_key += "_202404"
cert_key += "_202404"

Expand All @@ -1366,7 +1379,11 @@ async def signer(digest, digest_algo):
certs = load_pem_certs(open(context.config[cert_key], "rb").read())

url = context.config["authenticode_url"]
if fmt in ("autograph_authenticode_sha2_rfc3161_stub", "stage_autograph_authenticode_sha2_rfc3161_stub"):
if fmt in (
"autograph_authenticode_sha2_rfc3161_stub",
"gcp_prod_autograph_authenticode_sha2_rfc3161_stub",
"stage_autograph_authenticode_sha2_rfc3161_stub",
):
fmt = fmt.removesuffix("_rfc3161_stub")
timestamp_style = "rfc3161"
else:
Expand Down
8 changes: 6 additions & 2 deletions signingscript/src/signingscript/task.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,11 +165,11 @@ async def sign(context, path, signing_formats, **kwargs):
def _get_signing_function_from_format(fmt_and_key_id):
fmt, _ = split_autograph_format(fmt_and_key_id)

if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
if fmt.startswith(("autograph_xpi", "gcp_prod_autograph_xpi", "stage_autograph_xpi")):
return sign_xpi
if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt):
return fn
if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt.removeprefix("stage_")):
if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt.removeprefix("stage_").removeprefix("gcp_prod_")):
return fn

return FORMAT_TO_SIGNING_FUNCTION["default"]
Expand All @@ -194,13 +194,17 @@ def _sort_formats(formats):
for fmt in (
"widevine",
"autograph_widevine",
"gcp_prod_autograph_widevine",
"stage_autograph_widevine",
"autograph_omnija",
"gcp_prod_autograph_omnija",
"stage_autograph_omnija",
"macapp",
"autograph_rsa",
"gcp_prod_autograph_rsa",
"stage_autograph_rsa",
"autograph_gpg",
"gcp_prod_autograph_gpg",
"stage_autograph_gpg",
):
if fmt in formats:
Expand Down
13 changes: 11 additions & 2 deletions signingscript/src/signingscript/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,8 +213,17 @@ def is_apk_autograph_signing_format(format_):
# TODO Remove autograph_focus once format is migrated
return (
format_
and format_.startswith(("autograph_apk_", "stage_autograph_apk_"))
or format_ in ("autograph_focus", "autograph_stage_aab", "autograph_aab", "stage_autograph_focus", "stage_autograph_aab")
and format_.startswith(("autograph_apk_", "gcp_prod_autograph_apk_", "stage_autograph_apk_"))
or format_
in (
"autograph_focus",
"autograph_stage_aab",
"autograph_aab",
"gcp_prod_autograph_focus",
"gcp_prod_autograph_aab",
"stage_autograph_focus",
"stage_autograph_aab",
)
)


Expand Down
13 changes: 12 additions & 1 deletion signingscript/tests/test_task.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,18 @@ def fake_log(context, new_files, *args):
("autograph_authenticode_sha2_stub", stask.sign_authenticode),
("apple_notarization", stask.apple_notarize),
("default", stask.sign_file),
# Stage-prefixed cases
# GCP prod
("gcp_prod_autograph_hash_only_mar384", stask.sign_mar384_with_autograph_hash),
("gcp_prod_autograph_gpg", stask.sign_gpg_with_autograph),
("gcp_prod_macapp", stask.sign_macapp),
("gcp_prod_widevine", stask.sign_widevine),
("gcp_prod_autograph_authenticode_sha2", stask.sign_authenticode),
("gcp_prod_autograph_authenticode_sha2_stub", stask.sign_authenticode),
("gcp_prod_apple_notarization", stask.apple_notarize),
("gcp_prod_autograph_xpi", stask.sign_xpi),
("gcp_prod_autograph_xpi_sha256_es256", stask.sign_xpi),
("gcp_prod_autograph_xpi_foobar", stask.sign_xpi),
# GCP stage
("stage_autograph_hash_only_mar384", stask.sign_mar384_with_autograph_hash),
("stage_autograph_gpg", stask.sign_gpg_with_autograph),
("stage_macapp", stask.sign_macapp),
Expand Down