# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
"""
Defines artifacts to sign before repackage.
"""

from taskgraph.util.taskcluster import get_artifact_path

from gecko_taskgraph.util.declarative_artifacts import get_geckoview_upstream_artifacts

LANGPACK_SIGN_PLATFORMS = {  # set
    "linux64-shippable",
    "linux64-devedition",
    "macosx64-shippable",
    "macosx64-devedition",
}


def is_partner_kind(kind):
    if kind and kind.startswith(("release-partner", "release-eme-free")):
        return True


def is_notarization_kind(kind):
    if kind and "notarization" in kind:
        return True


def is_mac_signing_king(kind):
    return kind and "mac-signing" in kind


def generate_specifications_of_artifacts_to_sign(
    config, job, keep_locale_template=True, kind=None, dep_kind=None
):
    build_platform = job["attributes"].get("build_platform")
    use_stub = job["attributes"].get("stub-installer")
    # Get locales to know if we want to sign ja-JP-mac langpack
    locales = job["attributes"].get("chunk_locales", [])
    if kind == "release-source-signing":
        artifacts_specifications = [
            {
                "artifacts": [get_artifact_path(job, "source.tar.xz")],
                "formats": ["gcp_prod_autograph_gpg"],
            }
        ]
    elif "android" in build_platform:
        artifacts_specifications = [
            {
                "artifacts": get_geckoview_artifacts_to_sign(config, job),
                "formats": ["gcp_prod_autograph_gpg"],
            }
        ]
    # XXX: Mars aren't signed here (on any platform) because internals will be
    # signed after this stage of the release
    elif "macosx" in build_platform:
        langpack_formats = []
        if is_notarization_kind(config.kind):
            formats = ["apple_notarization_stacked"]
            artifacts_specifications = [
                {
                    "artifacts": [
                        get_artifact_path(job, "{locale}/target.tar.gz"),
                        get_artifact_path(job, "{locale}/target.pkg"),
                    ],
                    "formats": formats,
                }
            ]
        else:
            # This task is mac-signing
            if is_partner_kind(kind):
                extension = "tar.gz"
            else:
                extension = "dmg"
            artifacts_specifications = [
                {
                    "artifacts": [
                        get_artifact_path(job, f"{{locale}}/target.{extension}")
                    ],
                    "formats": ["macapp", "gcp_prod_autograph_widevine"],
                }
            ]
            langpack_formats = ["gcp_prod_autograph_langpack"]

        if "ja-JP-mac" in locales and build_platform in LANGPACK_SIGN_PLATFORMS:
            artifacts_specifications += [
                {
                    "artifacts": [
                        get_artifact_path(job, "ja-JP-mac/target.langpack.xpi")
                    ],
                    "formats": langpack_formats,
                }
            ]
    elif "win" in build_platform:
        artifacts_specifications = [
            {
                "artifacts": [
                    get_artifact_path(job, "{locale}/setup.exe"),
                ],
                "formats": ["gcp_prod_autograph_authenticode_202412"],
            },
            {
                "artifacts": [
                    get_artifact_path(job, "{locale}/target.zip"),
                ],
                "formats": [
                    "gcp_prod_autograph_authenticode_202412",
                    "gcp_prod_autograph_widevine",
                ],
            },
        ]

        if use_stub:
            artifacts_specifications[0]["artifacts"] += [
                get_artifact_path(job, "{locale}/setup-stub.exe")
            ]
    elif "linux" in build_platform:
        artifacts_specifications = [
            {
                "artifacts": [get_artifact_path(job, "{locale}/target.tar.xz")],
                "formats": ["gcp_prod_autograph_gpg", "gcp_prod_autograph_widevine"],
            }
        ]
        dep_job = config.kind_dependencies_tasks[job["dependencies"][dep_kind]]
        if build_platform in LANGPACK_SIGN_PLATFORMS and not dep_job.attributes.get(
            "artifact-build"
        ):
            artifacts_specifications += [
                {
                    "artifacts": [
                        get_artifact_path(job, "{locale}/target.langpack.xpi")
                    ],
                    "formats": ["gcp_prod_autograph_langpack"],
                }
            ]
    else:
        raise Exception("Platform not implemented for signing")

    if not keep_locale_template:
        artifacts_specifications = _strip_locale_template(artifacts_specifications)

    if is_partner_kind(kind):
        artifacts_specifications = _strip_widevine_for_partners(
            artifacts_specifications
        )

    return artifacts_specifications


def _strip_locale_template(artifacts_without_locales):
    for spec in artifacts_without_locales:
        for index, artifact in enumerate(spec["artifacts"]):
            stripped_artifact = artifact.format(locale="")
            stripped_artifact = stripped_artifact.replace("//", "/")
            spec["artifacts"][index] = stripped_artifact

    return artifacts_without_locales


def _strip_widevine_for_partners(artifacts_specifications):
    """Partner repacks should not re-sign what was previously signed, for fear of
    breaking partial updates
    """
    for spec in artifacts_specifications:
        if "gcp_prod_autograph_widevine" in spec["formats"]:
            spec["formats"].remove("gcp_prod_autograph_widevine")

    return artifacts_specifications


def get_geckoview_artifacts_to_sign(config, job):
    upstream_artifacts = []
    for package in job["attributes"]["maven_packages"]:
        upstream_artifacts += get_geckoview_upstream_artifacts(config, job, package)
    return [
        path
        for upstream_artifact in upstream_artifacts
        for path in upstream_artifact["paths"]
        if not path.endswith(".md5") and not path.endswith(".sha1")
    ]