diff --git a/signingscript/docker.d/init_worker.sh b/signingscript/docker.d/init_worker.sh
index 4f92aa60d..eeb209ef1 100755
--- a/signingscript/docker.d/init_worker.sh
+++ b/signingscript/docker.d/init_worker.sh
@@ -81,57 +81,83 @@ case $ENV in
 dev|fake-prod)
 case $COT_PRODUCT in
 firefox|thunderbird)
- test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
- test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
 test_var_set 'AUTHENTICODE_CERT_PATH'
 test_var_set 'AUTHENTICODE_CA_PATH'
 test_var_set 'AUTHENTICODE_CA_TIMESTAMP_PATH'
 test_var_set 'AUTHENTICODE_CROSS_CERT_PATH'
 test_var_set 'AUTHENTICODE_TIMESTAMP_STYLE'
+ test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
+ test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
- test_var_set 'GPG_PUBKEY_PATH'
 test_var_set 'AUTOGRAPH_LANGPACK_PASSWORD'
 test_var_set 'AUTOGRAPH_LANGPACK_USERNAME'
 test_var_set 'AUTOGRAPH_MAR_PASSWORD'
 test_var_set 'AUTOGRAPH_MAR_USERNAME'
- test_var_set 'AUTOGRAPH_STAGE_MAR_PASSWORD'
- test_var_set 'AUTOGRAPH_STAGE_MAR_USERNAME'
 test_var_set 'AUTOGRAPH_OMNIJA_PASSWORD'
 test_var_set 'AUTOGRAPH_OMNIJA_USERNAME'
 test_var_set 'AUTOGRAPH_WIDEVINE_PASSWORD'
 test_var_set 'AUTOGRAPH_WIDEVINE_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_LANGPACK_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_LANGPACK_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_MAR_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_MAR_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_OMNIJA_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_OMNIJA_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_WIDEVINE_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_WIDEVINE_USERNAME'
 if [ "$COT_PRODUCT" = "firefox" ]; then
 test_var_set 'AUTOGRAPH_FENIX_PASSWORD'
 test_var_set 'AUTOGRAPH_FENIX_USERNAME'
 test_var_set 'AUTOGRAPH_FOCUS_PASSWORD'
 test_var_set 'AUTOGRAPH_FOCUS_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_FENIX_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_FENIX_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_FOCUS_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_FOCUS_PASSWORD'
 fi
 ;;
 mobile)
- test_var_set 'AUTOGRAPH_GPG_PASSWORD'
- test_var_set 'AUTOGRAPH_GPG_USERNAME'
- test_var_set 'GPG_PUBKEY_PATH'
 test_var_set 'AUTOGRAPH_REFERENCE_BROWSER_PASSWORD'
 test_var_set 'AUTOGRAPH_REFERENCE_BROWSER_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_REFERENCE_BROWSER_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD'
 ;;
 app-services)
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
- test_var_set 'GPG_PUBKEY_PATH'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_PASSWORD'
 ;;
 glean)
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
- test_var_set 'GPG_PUBKEY_PATH'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_PASSWORD'
 ;;
 xpi)
 test_var_set 'AUTOGRAPH_XPI_PRIVILEGED_PASSWORD'
 test_var_set 'AUTOGRAPH_XPI_PRIVILEGED_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_XPI_PRIVILEGED_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_XPI_PRIVILEGED_PASSWORD'
 ;;
 mozillavpn)
 test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
 test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
+ test_var_set 'AUTOGRAPH_MOZILLAVPN_DEBSIGN_PASSWORD'
+ test_var_set 'AUTOGRAPH_MOZILLAVPN_DEBSIGN_USERNAME'
+ test_var_set 'AUTOGRAPH_MOZILLAVPN_ADDONS_PASSWORD'
+ test_var_set 'AUTOGRAPH_MOZILLAVPN_ADDONS_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_USERNAME'
 test_var_set 'AUTHENTICODE_CERT_PATH'
 test_var_set 'AUTHENTICODE_CA_PATH'
 test_var_set 'AUTHENTICODE_CA_TIMESTAMP_PATH'
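Review bot: Every `test_var_set 'GPG_PUBKEY_PATH'` check is dropped in this hunk (and in the four hunks that follow), while script.py in this same commit still raises at task time when `gpg_pubkey` is unset or missing for `autograph_gpg` or the new `stage_autograph_gpg`. If the check was hoisted above the `case` (outside this hunk) or the path is now fixed in the image, a one-line comment at the top of the firefox|thunderbird branch such as `# GPG_PUBKEY_PATH is validated once above the case` would stop the next reader from re-adding it; if it was simply removed, a misconfigured dev worker now starts and then fails per task instead of refusing to start. The `case $ENV` statement enclosing these checks begins before the hunk.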
@@ -143,15 +169,22 @@ case $ENV in
 test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
 test_var_set 'AUTOGRAPH_MAR_PASSWORD'
 test_var_set 'AUTOGRAPH_MAR_USERNAME'
- test_var_set 'AUTOGRAPH_STAGE_MAR_PASSWORD'
- test_var_set 'AUTOGRAPH_STAGE_MAR_USERNAME'
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
 test_var_set 'AUTOGRAPH_XPI_PASSWORD'
 test_var_set 'AUTOGRAPH_XPI_USERNAME'
- test_var_set 'GPG_PUBKEY_PATH'
 test_var_set 'AUTOGRAPH_FENIX_PASSWORD'
 test_var_set 'AUTOGRAPH_FENIX_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_MAR_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_MAR_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_GPG_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_XPI_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_XPI_USERNAME'
+ test_var_set 'AUTOGRAPH_STAGE_FENIX_PASSWORD'
+ test_var_set 'AUTOGRAPH_STAGE_FENIX_USERNAME'
 ;;
 esac
 ;;
@@ -167,7 +200,6 @@ case $ENV in
 test_var_set 'AUTHENTICODE_TIMESTAMP_STYLE'
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
- test_var_set 'GPG_PUBKEY_PATH'
 test_var_set 'AUTOGRAPH_LANGPACK_PASSWORD'
 test_var_set 'AUTOGRAPH_LANGPACK_USERNAME'
 test_var_set 'AUTOGRAPH_MAR_NIGHTLY_PASSWORD'
@@ -192,7 +224,6 @@ case $ENV in
 mobile)
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
- test_var_set 'GPG_PUBKEY_PATH'
 test_var_set 'AUTOGRAPH_REFERENCE_BROWSER_PASSWORD'
 test_var_set 'AUTOGRAPH_REFERENCE_BROWSER_USERNAME'
 test_var_set 'AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD'
@@ -201,12 +232,10 @@ case $ENV in
 app-services)
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
- test_var_set 'GPG_PUBKEY_PATH'
 ;;
 glean)
 test_var_set 'AUTOGRAPH_GPG_USERNAME'
 test_var_set 'AUTOGRAPH_GPG_PASSWORD'
- test_var_set 'GPG_PUBKEY_PATH'
 ;;
 xpi)
 test_var_set 'AUTOGRAPH_XPI_PRIVILEGED_PASSWORD'
diff --git a/signingscript/docker.d/passwords.yml b/signingscript/docker.d/passwords.yml
index 63c6cd4b9..4917fe279 100644
--- a/signingscript/docker.d/passwords.yml
+++ b/signingscript/docker.d/passwords.yml
@@ -12,12 +12,76 @@ in:
 $merge:
 $match:
- # dep-passwords.json
- # XXX fake-prod, aka dep, shouldn't point at autograph-external.stage
- # for anything but autograph_stage_mar384!!
+ # We strive to:
+ # Configure `prod` environments exclusively with production Autograph entries.
+ #
+ # Configure `dev` and `fake-prod` environments with entries for production
+ # Autograph (which is what code in project repositories should be using
+ # by default), but also have entries for Autograph stage that can be
+ # opted into by tasks.
+ #
+ # The latter is to allow for easy testing of notable changes to Autograph.
+ # These entries do _not_ need to be exactly the same as the production versions,
+ # but we should be able to test each type of signature, and have a `stage_` version
+ # of each format (to make project repo changes simpler). Many of these formats
+ # will end up sharing credentials and keyids, because Autograph stage does not
+ # strive to keep a 1:1 mapping between hawkids or signers with production.
+ # This is OK; as long as we can sign with the same type of signer as production
+ # it's good enough for stage testing.
 '(ENV == "dev" || ENV == "fake-prod") && (COT_PRODUCT == "firefox" || COT_PRODUCT == "thunderbird")':
 $let:
 firefox_and_thunderbird_nonprod_autograph:
+ # GCP Autograph stage
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD"},
+ ["stage_autograph_authenticode_202404", "stage_autograph_authenticode_202404_stub"],
+ "authenticode_dep_sha256",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_MAR_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_MAR_PASSWORD"},
+ ["stage_autograph_hash_only_mar384"],
+ "mar_202411",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_GPG_PASSWORD"},
+ ["stage_autograph_gpg"],
+ "dummy_gpg2",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_WIDEVINE_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_WIDEVINE_PASSWORD"},
+ ["stage_autograph_widevine"],
+ "widevine_dummy",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_OMNIJA_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_OMNIJA_PASSWORD"},
+ ["stage_autograph_omnija"],
+ "cas_new_systemaddon_rsa",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_LANGPACK_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_LANGPACK_PASSWORD"},
+ ["stage_autograph_langpack"],
+ "cas_new_webextensions_rsa"
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_FOCUS_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_FOCUS_PASSWORD"},
+ ["stage_autograph_focus"],
+ "dummyapp_android",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_FENIX_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_FENIX_PASSWORD"},
+ ["stage_autograph_apk", "stage_autograph_apk_mozillaonline"],
+ "dummyapp_android",
+ ]
+
+ # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -28,11 +92,6 @@ in:
 {"$eval": "AUTOGRAPH_MAR_PASSWORD"},
 ["autograph_hash_only_mar384"]
 ]
- - ["https://autograph-external.stage.autograph.services.mozaws.net",
- {"$eval": "AUTOGRAPH_STAGE_MAR_USERNAME"},
- {"$eval": "AUTOGRAPH_STAGE_MAR_PASSWORD"},
- ["autograph_stage_mar384"]
- ]
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_GPG_USERNAME"},
 {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
@@ -72,6 +131,15 @@ in:
 # dep-passwords-mobile.json
 '(ENV == "dev" || ENV == "fake-prod") && COT_PRODUCT == "mobile"':
 project:mobile:reference-browser:releng:signing:cert:dep-signing:
+ # GCP Autograph stage
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_REFERENCE_BROWSER_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD"},
+ ["stage_autograph_apk"],
+ "dummyapp_android"
+ ]
+
+ # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_USERNAME"},
 {"$eval": "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD"},
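Review bot: The new stage entries carry a fifth element (the key id, going by the `a.key_id` that sign.py logs in this commit) that the AWS entries beside them lack, and nothing in the file says what each position means; a comment above the first stage entry such as `# entry: [url, username, password, [formats...], key_id]` would make the two shapes readable side by side. Trailing commas are also inconsistent within this very list: each firefox/thunderbird entry ends its key id with `"...",` except the langpack one (`"cas_new_webextensions_rsa"`), while the mobile, app-services, glean, xpi and adhoc blocks in the later hunks use none, so pick one style. The stage URL is repeated verbatim in every entry; since the file already uses `$let`, binding it once would keep the copies from drifting when the host changes. The `$match` object and the `in:` this block belongs to extend beyond the hunk.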
@@ -81,6 +149,15 @@ in:
 # dep-passwords-appsv.json
 'ENV == "fake-prod" && COT_PRODUCT == "app-services"':
 '${scope_prefix[0]}cert:dep-signing':
+ # GCP Autograph stage
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_GPG_PASSWORD"},
+ ["stage_autograph_gpg"],
+ "dummy_gpg2"
+ ]
+
+ # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_GPG_USERNAME"},
 {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
@@ -90,6 +167,15 @@ in:
 # dep-passwords-glean.json
 'ENV == "fake-prod" && COT_PRODUCT == "glean"':
 '${scope_prefix[0]}cert:dep-signing':
+ # GCP Autograph stage
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_GPG_PASSWORD"},
+ ["stage_autograph_gpg"],
+ "dummy_gpg2"
+ ]
+
+ # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_GPG_USERNAME"},
 {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
@@ -99,6 +185,21 @@ in:
 # dep-passwords-xpi.json
 '(ENV == "dev" || ENV == "fake-prod") && COT_PRODUCT == "xpi"':
 '${scope_prefix[0]}cert:dep-signing':
+ # GCP Autograph stage
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_XPI_PRIVILEGED_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_XPI_PRIVILEGED_PASSWORD"},
+ ["stage_privileged_webextension"],
+ "cas_new_extension_rsa"
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_XPI_PRIVILEGED_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_XPI_PRIVILEGED_PASSWORD"},
+ ["stage_system_addon"],
+ "cas_new_systemaddon_rsa"
+ ]
+
+ # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_USERNAME"},
 {"$eval": "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD"},
@@ -115,6 +216,30 @@ in:
 # dep-passwords-mozillavpn.json
 '(ENV == "dev" || ENV == "fake-prod") && COT_PRODUCT == "mozillavpn"':
 '${scope_prefix[0]}cert:dep-signing':
+ # GCP Autograph stage
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD"},
+ ["stage_autograph_authenticode_202404", "stage_autograph_authenticode_202404_stub"],
+ "authenticode_dep_sha256",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_PASSWORD"},
+ ["stage_autograph_debsign"],
+ "dummy_gpg2_pgpsubkey_debsign",
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_PASSWORD"},
+ ["stage_autograph_rsa"],
+ # We use authenticode_dep_sha256 for stage because all we care about is testing
+ # that signing works with a certificate with similar properties to the production
+ # one; stage does not have a specific vpn addon signing certificate though.
+ "authenticode_dep_sha256",
+ ]
+
+ # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -135,6 +260,42 @@ in:
 # dep-passwords-adhoc.json
 '(ENV == "dev" || ENV == "fake-prod") && COT_PRODUCT == "adhoc"':
 '${scope_prefix[0]}cert:dep-signing':
+ # GCP Autograph stage
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD"},
+ ["stage_autograph_authenticode_ev", "stage_autograph_authenticode_202404",
+ "stage_autograph_authenticode_202404_stub"],
+ "authenticode_dep_sha256"
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_MAR_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_MAR_PASSWORD"},
+ ["stage_autograph_mar384", "stage_autograph_hash_only_mar384"],
+ "mar_202411"
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_GPG_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_GPG_PASSWORD"},
+ ["stage_autograph_gpg"],
+ "dummy_gpg2"
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_XPI_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_XPI_PASSWORD"},
+ ["stage_autograph_xpi", "stage_autograph_xpi_sha1_es256_es384",
+ "stage_autograph_xpi_sha1_es256_ps256", "stage_autograph_xpi_sha1_es256",
+ "stage_autograph_xpi_sha1_ps256"],
+ "cas_new_webextensions_rsa"
+ ]
+ - ["https://stage.autograph.nonprod.webservices.mozgcp.net",
+ {"$eval": "AUTOGRAPH_STAGE_FENIX_USERNAME"},
+ {"$eval": "AUTOGRAPH_STAGE_FENIX_PASSWORD"},
+ ["stage_autograph_apk"],
+ "dummyapp_android"
+ ]
+
+ # AWS Autograph; to be removed when production is switched over to GCP by default.
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
 {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -146,11 +307,6 @@ in:
 {"$eval": "AUTOGRAPH_MAR_PASSWORD"},
 ["autograph_hash_only_mar384"]
 ]
- - ["https://autograph-external.stage.autograph.services.mozaws.net",
- {"$eval": "AUTOGRAPH_STAGE_MAR_USERNAME"},
- {"$eval": "AUTOGRAPH_STAGE_MAR_PASSWORD"},
- ["autograph_stage_mar384"]
- ]
 - ["https://autograph-external.prod.autograph.services.mozaws.net",
 {"$eval": "AUTOGRAPH_GPG_USERNAME"},
 {"$eval": "AUTOGRAPH_GPG_PASSWORD"},
diff --git a/signingscript/src/signingscript/script.py b/signingscript/src/signingscript/script.py
index d0ebea2be..03e4ec84f 100755
--- a/signingscript/src/signingscript/script.py
+++ b/signingscript/src/signingscript/script.py
@@ -27,13 +27,13 @@ async def async_main(context):
 work_dir = context.config["work_dir"]
 async with aiohttp.ClientSession() as session:
 all_signing_formats = task_signing_formats(context)
- if "autograph_gpg" in all_signing_formats:
+ if {"autograph_gpg", "stage_autograph_gpg"}.intersection(all_signing_formats):
 if not context.config.get("gpg_pubkey"):
 raise Exception("GPG format is enabled but gpg_pubkey is not defined")
 if not os.path.exists(context.config["gpg_pubkey"]):
 raise Exception("gpg_pubkey ({}) doesn't exist!".format(context.config["gpg_pubkey"]))
- if "autograph_widevine" in all_signing_formats:
+ if {"autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats):
 if not context.config.get("widevine_cert"):
 raise Exception("Widevine format is enabled, but widevine_cert is not defined")
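Review bot: The gpg_pubkey check now also fires for `stage_autograph_gpg`, and the next hunk (@@ -61) publishes that same single `gpg_pubkey` file as `public/build/KEY` for it, yet passwords.yml in this commit configures the stage GPG signer with key id `dummy_gpg2`, which is presumably not the key the production `gpg_pubkey` describes; anyone verifying a stage-signed artifact against the shipped KEY would fail, and pointing the path at the stage key would break the production case instead. Either look the public key up per format or skip publishing KEY for the stage format, and document the coupling where the check lives: `# gpg_pubkey must be the public half of the key the selected autograph gpg signer uses; stage_autograph_gpg signs with a different key`. Minor: `.intersection(set(path_dict["formats"]))` in @@ -61 does not need the `set()` call, since intersection accepts any iterable. `async_main` continues outside both hunks.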
@@ -61,7 +61,7 @@ async def async_main(context):
 for source in output_files:
 source = os.path.relpath(source, work_dir)
 copy_to_dir(os.path.join(work_dir, source), context.config["artifact_dir"], target=source)
- if "autograph_gpg" in path_dict["formats"]:
+ if {"autograph_gpg", "stage_autograph_gpg"}.intersection(set(path_dict["formats"])):
 copy_to_dir(context.config["gpg_pubkey"], context.config["artifact_dir"], target="public/build/KEY")
 # notarization_stacked is a special format that takes in all files at once instead of sequentially like other formats
diff --git a/signingscript/src/signingscript/sign.py b/signingscript/src/signingscript/sign.py
index 83992268d..7cb3897dd 100644
--- a/signingscript/src/signingscript/sign.py
+++ b/signingscript/src/signingscript/sign.py
@@ -84,6 +84,12 @@ _DEFAULT_MAR_VERIFY_KEYS = {
 "autograph_stage_mar384": {"dep-signing": "autograph_stage.pem"},
 "autograph_hash_only_mar384": {"release-signing": "release_primary.pem", "nightly-signing": "nightly_aurora_level3_primary.pem", "dep-signing": "dep1.pem"},
+ "stage_autograph_stage_mar384": {"dep-signing": "autograph_stage.pem"},
+ "stage_autograph_hash_only_mar384": {
+ "release-signing": "release_primary.pem",
+ "nightly-signing": "nightly_aurora_level3_primary.pem",
+ "dep-signing": "dep1.pem",
+ },
 }
 # Langpacks expect the following re to match for addon id
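Review bot: The new verify-key entry is spelled `stage_autograph_stage_mar384`, but the stage MAR format passwords.yml serves in this same commit is `stage_autograph_mar384` (adhoc block), so a lookup for that format finds no entry while the key added here is never reached; `"stage_autograph_mar384": {"dep-signing": "autograph_stage.pem"},` is the name the rest of the commit uses. `stage_autograph_hash_only_mar384` also lists `release-signing` and `nightly-signing` verify keys, although the policy comment in passwords.yml says prod environments get production Autograph entries only; restricting the stage entry to `{"dep-signing": ...}` makes a stage format under a release cert type fail at the lookup itself, which is a clearer signal than a signature that does not verify against a production key. It is also worth confirming that `dep1.pem` is the public half of the `mar_202411` key id the stage entries use, otherwise verification after signing fails for every stage MAR. The `_DEFAULT_MAR_VERIFY_KEYS` dict opens before the hunk.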
@@ -296,10 +302,10 @@ async def sign_widevine_zip(context, orig_path, fmt):
 all_files = await _extract_zipfile(context, orig_path, tmp_dir=tmp_dir)
 tasks = []
 # Sign the appropriate inner files
- for from_, fmt in files_to_sign.items():
+ for from_, blessed in files_to_sign.items():
 from_ = os.path.join(tmp_dir, from_)
 to = f"{from_}.sig"
- tasks.append(asyncio.ensure_future(sign_widevine_with_autograph(context, from_, "blessed" in fmt, to=to)))
+ tasks.append(asyncio.ensure_future(sign_widevine_with_autograph(context, from_, blessed, fmt, to=to)))
 all_files.append(to)
 await raise_future_exceptions(tasks)
 remove_extra_files(tmp_dir, all_files)
@@ -347,7 +353,7 @@ async def sign_widevine_tar(context, orig_path, fmt):
 all_files = await _extract_tarfile(context, orig_path, compression, tmp_dir=tmp_dir)
 tasks = []
 # Sign the appropriate inner files
- for from_, fmt in files_to_sign.items():
+ for from_, blessed in files_to_sign.items():
 from_ = os.path.join(tmp_dir, from_)
 # Don't try to sign directories
 if not os.path.isfile(from_):
@@ -356,7 +362,7 @@ async def sign_widevine_tar(context, orig_path, fmt):
 to = _get_mac_sigpath(from_)
 log.debug("Adding %s to the sigfile paths...", to)
 makedirs(os.path.dirname(to))
- tasks.append(asyncio.ensure_future(sign_widevine_with_autograph(context, from_, "blessed" in fmt, to=to)))
+ tasks.append(asyncio.ensure_future(sign_widevine_with_autograph(context, from_, blessed, fmt, to=to)))
 all_files.append(to)
 await raise_future_exceptions(tasks)
 remove_extra_files(tmp_dir, all_files)
@@ -430,9 +436,9 @@ async def sign_omnija_zip(context, orig_path, fmt):
 all_files = await _extract_zipfile(context, orig_path, tmp_dir=tmp_dir)
 tasks = []
 # Sign the appropriate inner files
- for from_, fmt in files_to_sign.items():
+ for from_, _ in files_to_sign.items():
 from_ = os.path.join(tmp_dir, from_)
- tasks.append(asyncio.ensure_future(sign_omnija_with_autograph(context, from_)))
+ tasks.append(asyncio.ensure_future(sign_omnija_with_autograph(context, from_, fmt)))
 await raise_future_exceptions(tasks)
 await _create_zipfile(context, orig_path, all_files, mode="w", tmp_dir=tmp_dir)
 return orig_path
@@ -471,12 +477,12 @@ async def sign_omnija_tar(context, orig_path, fmt):
 all_files = await _extract_tarfile(context, orig_path, compression, tmp_dir=tmp_dir)
 tasks = []
 # Sign the appropriate inner files
- for from_, fmt in files_to_sign.items():
+ for from_, _ in files_to_sign.items():
 from_ = os.path.join(tmp_dir, from_)
 # Don't try to sign directories
 if not os.path.isfile(from_):
 continue
- tasks.append(asyncio.ensure_future(sign_omnija_with_autograph(context, from_)))
+ tasks.append(asyncio.ensure_future(sign_omnija_with_autograph(context, from_, fmt)))
 await raise_future_exceptions(tasks)
 await _create_tarfile(context, orig_path, all_files, compression, tmp_dir=tmp_dir)
 return orig_path
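Review bot: `for from_, _ in files_to_sign.items():` walks the dict only for its keys now that the value is discarded; `for from_ in files_to_sign:` says the same without the throwaway tuple, here and in the sign_omnija_tar hunk just below. Passing the caller's `fmt` through to sign_omnija_with_autograph instead of the former hard-coded `autograph_omnija` is what lets `stage_autograph_omnija` select the stage config, so a one-line comment on the loop, `# fmt (autograph_omnija or its stage_ variant) selects the autograph config`, would record why the loop variable had to stop shadowing it. sign_omnija_zip begins before the hunk.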
@@ -535,22 +541,25 @@ def _get_mac_sigpath(from_):
 # _get_widevine_signing_files {{{1
 def _get_widevine_signing_files(file_list):
- """Return a dict of path:signing_format for each path to be signed."""
+ """Return a dict of path:is_blessed for each path to be signed."""
 files = {}
 for filename in file_list:
- fmt = None
 base_filename = os.path.basename(filename)
+ if base_filename not in _WIDEVINE_BLESSED_FILENAMES and base_filename not in _WIDEVINE_NONBLESSED_FILENAMES:
+ continue
+
+ blessed = False
 if base_filename in _WIDEVINE_BLESSED_FILENAMES:
- fmt = "widevine_blessed"
- elif base_filename in _WIDEVINE_NONBLESSED_FILENAMES:
- fmt = "widevine"
- if fmt:
- log.debug("Found {} to sign {}".format(filename, fmt))
- sigpath = _get_mac_sigpath(filename)
- if sigpath not in file_list:
- files[filename] = fmt
- else:
- log.debug("{} is already signed! Skipping...".format(filename))
+ log.debug("_get_widevine_signing_file: Signing {} as blessed".format(filename))
+ blessed = True
+ else:
+ log.debug("_get_widevine_signing_file: Signing {} as not blessed".format(filename))
+
+ sigpath = _get_mac_sigpath(filename)
+ if sigpath not in file_list:
+ files[filename] = blessed
+ else:
+ log.debug("{} is already signed! Skipping...".format(filename))
 return files
@@ -924,9 +933,9 @@ def b64encode(input_bytes):
 def _is_xpi_format(fmt):
 if "omnija" in fmt or "langpack" in fmt:
 return True
- if fmt in ("privileged_webextension", "system_addon"):
+ if fmt in ("privileged_webextension", "system_addon", "stage_privileged_webextension", "stage_system_addon"):
 return True
- if fmt.startswith("autograph_xpi"):
+ if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
 return True
 return False
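Review bot: The debug messages added in `_get_widevine_signing_files` are prefixed `_get_widevine_signing_file:` (singular), so they will not match the function name when someone greps a worker log for it. The membership test is also done twice, once negated against both sets to `continue` and then again against the blessed set; after the `continue` the flag is just `blessed = base_filename in _WIDEVINE_BLESSED_FILENAMES`, and a single `log.debug("_get_widevine_signing_files: signing %s as %s", filename, "blessed" if blessed else "not blessed")` replaces the if/else. Behaviour is otherwise unchanged: paths whose sigpath already exists in the listing are still skipped, and the returned values are now plain bools, which is what the `for from_, blessed` loops in the earlier hunks rely on.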
@@ -1010,6 +1019,7 @@ async def sign_with_autograph(session, server, input_file, fmt, autograph_method
 url = f"{server.url}/sign/{autograph_method}"
+ log.debug(f"sign_with_autograph: url: {url}, keyid: {keyid}, client_id: {server.client_id}")
 sign_resp = await retry_async(
 call_autograph, args=(session, url, server.client_id, server.access_key, sign_req), attempts=3, sleeptime_kwargs={"delay_factor": 2.0}
 )
@@ -1043,7 +1053,9 @@ async def sign_file_with_autograph(context, from_, fmt, to=None, extension_id=No
 """
 cert_type = task.task_cert_type(context)
+ log.debug(f"sign_file_with_autograph: cert_type: {cert_type}, fmt: {fmt}")
 a = get_autograph_config(context.autograph_configs, cert_type, [fmt], raise_on_empty=True)
+ log.debug(f"got autograph config: url: {a.url}, id: {a.client_id}, formats: {a.formats}, key_id: {a.key_id}")
 to = to or from_
 input_file = open(from_, "rb")
 signed_bytes = base64.b64decode(await sign_with_autograph(context.session, a, input_file, fmt, "file", extension_id=extension_id))
@@ -1252,7 +1264,7 @@ async def sign_mar384_with_autograph_hash(context, from_, fmt, to=None, **kwargs
 @time_async_function
-async def sign_widevine_with_autograph(context, from_, blessed, to=None):
+async def sign_widevine_with_autograph(context, from_, blessed, fmt, to=None):
 """Create a widevine signature using autograph as a backend.
 Args:
@@ -1274,9 +1286,10 @@ async def sign_widevine_with_autograph(context, from_, blessed, to=None):
 if not widevine:
 raise ImportError("widevine module not available")
+ log.debug(f"sign_widevine_with_autograph: blessed is {blessed}")
+ log.debug(f"sign_widevine_with_autograph: fmt is {fmt}")
 to = to or f"{from_}.sig"
 flags = 1 if blessed else 0
- fmt = "autograph_widevine"
 h = widevine.generate_widevine_hash(from_, flags)
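Review bot: The debug line added in sign_with_autograph logs `server.client_id`, and the second line added in sign_file_with_autograph (@@ -1043) logs `a.client_id`; that id is handed to call_autograph alongside `server.access_key`, i.e. it is the identifier half of the Autograph signing credential. Whether worker logs end up as task artifacts or in a shared log store is not visible here, but if they do, this records one half of the credential somewhere the secret itself never goes, and it is not needed to debug format selection. `log.debug(f"sign_with_autograph: url: {url}, keyid: {keyid}")` and `log.debug(f"got autograph config: url: {a.url}, formats: {a.formats}, key_id: {a.key_id}")` keep the useful part. Both enclosing functions continue outside their hunks.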
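Review bot: sign_widevine_with_autograph gains a `fmt` parameter in the @@ -1252 hunk, but the docstring's `Args:` section, which lies between that hunk and @@ -1274 and is untouched by the diff, is not updated, so the documented signature no longer matches the real one; the same holds for sign_omnija_with_autograph in the @@ -1290 hunk on the next line. Add `fmt (str): autograph format to sign with, e.g. autograph_widevine or its stage_ variant` to the widevine Args list, and for the omnija function note that `fmt` replaces the previously hard-coded `autograph_omnija`. Only the first lines of each docstring are visible in the hunks, so the exact Args formatting should follow what is already there.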
@@ -1290,7 +1303,7 @@ async def sign_widevine_with_autograph(context, from_, blessed, to=None):
 @time_async_function
-async def sign_omnija_with_autograph(context, from_):
+async def sign_omnija_with_autograph(context, from_, fmt):
 """Sign the omnija file specified using autograph.
 This function overwrites from_
@@ -1312,7 +1325,7 @@ async def sign_omnija_with_autograph(context, from_):
 signed_out = tempfile.mkstemp(prefix="oj_signed", suffix=".ja", dir=context.config["work_dir"])[1]
 merged_out = tempfile.mkstemp(prefix="oj_merged", suffix=".ja", dir=context.config["work_dir"])[1]
- await sign_file_with_autograph(context, from_, "autograph_omnija", to=signed_out, extension_id="omni.ja@mozilla.org")
+ await sign_file_with_autograph(context, from_, fmt, to=signed_out, extension_id="omni.ja@mozilla.org")
 await merge_omnija_files(orig=from_, signed=signed_out, to=merged_out)
 with open(from_, "wb") as fout:
 with open(merged_out, "rb") as fin:
@@ -1400,10 +1413,10 @@ async def signer(digest, digest_algo):
 cafile_key = "authenticode_ca"
 cert_key = "authenticode_cert"
- if fmt == "autograph_authenticode_ev":
+ if fmt in ("autograph_authenticode_ev", "stage_autograph_authenticode_ev"):
 cafile_key = f"{cafile_key}_ev"
 cert_key = f"{cert_key}_ev"
- elif fmt.startswith("autograph_authenticode_202404"):
+ elif fmt.startswith(("autograph_authenticode_202404", "stage_autograph_authenticode_202404")):
 cafile_key += "_202404"
 cert_key += "_202404"
@@ -1418,8 +1431,8 @@ async def signer(digest, digest_algo):
 certs = load_pem_certs(open(context.config[cert_key], "rb").read())
 url = context.config["authenticode_url"]
- if fmt == "autograph_authenticode_sha2_rfc3161_stub":
- fmt = "autograph_authenticode_sha2_stub"
+ if fmt in ("autograph_authenticode_sha2_rfc3161_stub", "stage_autograph_authenticode_sha2_rfc3161_stub"):
+ fmt = fmt.removesuffix("_rfc3161_stub")
 timestamp_style = "rfc3161"
 else:
 timestamp_style = context.config["authenticode_timestamp_style"]
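Review bot: In the @@ -1418 hunk, `fmt = fmt.removesuffix("_rfc3161_stub")` turns `autograph_authenticode_sha2_rfc3161_stub` into `autograph_authenticode_sha2`, whereas the line it replaces mapped it to `autograph_authenticode_sha2_stub`, so an rfc3161 stub request now looks up a different (non-stub) signer in the autograph config than it did before this commit. `fmt = fmt.removesuffix("_rfc3161_stub") + "_stub"` (or `fmt = fmt.replace("_rfc3161_stub", "_stub")`) restores the old mapping for both the production and the `stage_` spelling. `removesuffix` here and `removeprefix` in task.py need Python 3.9+, which I cannot confirm against the project's floor from this page. The `signer` closure these lines belong to continues outside the hunk.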
diff --git a/signingscript/src/signingscript/task.py b/signingscript/src/signingscript/task.py
index 8c40aca18..a5e413c43 100644
--- a/signingscript/src/signingscript/task.py
+++ b/signingscript/src/signingscript/task.py
@@ -30,6 +30,7 @@
 sign_widevine,
 sign_xpi,
 )
+from signingscript.utils import split_autograph_format
 log = logging.getLogger(__name__)
@@ -39,8 +40,6 @@
 "autograph_hash_only_mar384": sign_mar384_with_autograph_hash,
 "autograph_stage_mar384": sign_mar384_with_autograph_hash,
 "autograph_gpg": sign_gpg_with_autograph,
- "macapp": sign_macapp,
- "widevine": sign_widevine,
 "autograph_debsign": sign_debian_pkg,
 "autograph_widevine": sign_widevine,
 "autograph_omnija": sign_omnija,
@@ -54,8 +53,10 @@
 "privileged_webextension": sign_xpi,
 "system_addon": sign_xpi,
 "autograph_rsa": sign_file_detached,
+ "widevine": sign_widevine,
 "apple_notarization": apple_notarize,
 "apple_notarization_geckodriver": apple_notarize_geckodriver,
+ "macapp": sign_macapp,
 # This format is handled in script.py
 # Should be refactored in https://github.com/mozilla-releng/scriptworker-scripts/issues/980
 # "apple_notarization_stacked": apple_notarize_stacked,
@@ -163,10 +164,17 @@ async def sign(context, path, signing_formats, **kwargs):
 return output
-def _get_signing_function_from_format(fmt):
- if fmt.startswith("autograph_xpi"):
+def _get_signing_function_from_format(fmt_and_key_id):
+ fmt, _ = split_autograph_format(fmt_and_key_id)
+
+ if fmt.startswith(("autograph_xpi", "stage_autograph_xpi")):
 return sign_xpi
- return FORMAT_TO_SIGNING_FUNCTION.get(fmt.split(":")[0], FORMAT_TO_SIGNING_FUNCTION["default"])
+ if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt):
+ return fn
+ if fn := FORMAT_TO_SIGNING_FUNCTION.get(fmt.removeprefix("stage_")):
+ return fn
+
+ return FORMAT_TO_SIGNING_FUNCTION["default"]
 # _sort_formats {{{1
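Review bot: `_get_signing_function_from_format` in the @@ -163 hunk has no docstring, and its new three-step behaviour is not obvious from the code: the key-id suffix is stripped first (going by the parameter name and the `split(":")` it replaces), then a `stage_` prefix is dropped so a stage format falls back to its production signer, and anything still unknown gets the `default` entry. A docstring such as `"""Map a task signing format (optionally suffixed with a key id) to its signing function; stage_ formats fall back to the production format's signer."""` would cover it. The fallback applies to every format, not only Autograph ones, so for example a `stage_macapp` request would reach sign_macapp; if that is unintended, run the second lookup only for formats that have a stage variant in passwords.yml. The `sign` function that precedes this block ends just before the hunk.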
@@ -185,7 +193,18 @@ def _sort_formats(formats):
 """
 # Widevine formats must be after other formats other than macapp; GPG must
 # be last.
- for fmt in ("widevine", "autograph_widevine", "autograph_omnija", "macapp", "autograph_rsa", "autograph_gpg"):
+ for fmt in (
+ "widevine",
+ "autograph_widevine",
+ "stage_autograph_widevine",
+ "autograph_omnija",
+ "stage_autograph_omnija",
+ "macapp",
+ "autograph_rsa",
+ "stage_autograph_rsa",
+ "autograph_gpg",
+ "stage_autograph_gpg",
+ ):
 if fmt in formats:
 formats.remove(fmt)
 formats.append(fmt)
diff --git a/signingscript/src/signingscript/utils.py b/signingscript/src/signingscript/utils.py
index ad25bc535..760b77503 100644
--- a/signingscript/src/signingscript/utils.py
+++ b/signingscript/src/signingscript/utils.py
@@ -211,7 +211,11 @@ def is_apk_autograph_signing_format(format_):
 """
 # TODO Remove autograph_focus once format is migrated
- return format_ and format_.startswith("autograph_apk_") or format_ in ("autograph_focus", "autograph_stage_aab", "autograph_aab")
+ return (
+ format_
+ and format_.startswith(("autograph_apk_", "stage_autograph_apk_"))
+ or format_ in ("autograph_focus", "autograph_stage_aab", "autograph_aab", "stage_autograph_focus", "stage_autograph_aab")
+ )
 def is_sha1_apk_autograph_signing_format(format_):
diff --git a/signingscript/tests/test_config.py b/signingscript/tests/test_config.py
index 6ce0148e6..853d7c143 100644
--- a/signingscript/tests/test_config.py
+++ b/signingscript/tests/test_config.py
@@ -58,12 +58,10 @@ def test_firefox_dev():
 context = {
 "COT_PRODUCT": "firefox",
 "ENV": "dev",
- "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "",
 "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "",
+ "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "",
 "AUTOGRAPH_MAR_USERNAME": "",
 "AUTOGRAPH_MAR_PASSWORD": "",
- "AUTOGRAPH_STAGE_MAR_USERNAME": "",
- "AUTOGRAPH_STAGE_MAR_PASSWORD": "",
 "AUTOGRAPH_GPG_USERNAME": "",
 "AUTOGRAPH_GPG_PASSWORD": "",
 "AUTOGRAPH_WIDEVINE_USERNAME": "",
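Review bot: After the utils.py hunk (@@ -211), is_apk_autograph_signing_format accepts two spellings of the stage AAB format, the pre-existing `autograph_stage_aab` and the new `stage_autograph_aab`, while sign.py's MAR table in this same commit has `autograph_stage_mar384` next to `stage_autograph_stage_mar384`; the two naming schemes will keep colliding until the old one is retired. A comment on the tuple, `# autograph_stage_* is the legacy stage spelling; stage_autograph_* is the current one`, plus an item in the existing TODO, would make the intent explicit. The expression also relies on `and` binding tighter than `or`, so `format_ and format_.startswith(...)` is one operand and `format_ in (...)` the other; the outer parentheses added here do not change that, and a pair of inner parentheses around the first operand would make the precedence readable.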
@@ -76,6 +74,22 @@ def test_firefox_dev():
 "AUTOGRAPH_FOCUS_PASSWORD": "",
 "AUTOGRAPH_FENIX_USERNAME": "",
 "AUTOGRAPH_FENIX_PASSWORD": "",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME": "",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD": "",
+ "AUTOGRAPH_STAGE_MAR_USERNAME": "",
+ "AUTOGRAPH_STAGE_MAR_PASSWORD": "",
+ "AUTOGRAPH_STAGE_GPG_USERNAME": "",
+ "AUTOGRAPH_STAGE_GPG_PASSWORD": "",
+ "AUTOGRAPH_STAGE_OMNIJA_USERNAME": "",
+ "AUTOGRAPH_STAGE_OMNIJA_PASSWORD": "",
+ "AUTOGRAPH_STAGE_WIDEVINE_USERNAME": "",
+ "AUTOGRAPH_STAGE_WIDEVINE_PASSWORD": "",
+ "AUTOGRAPH_STAGE_LANGPACK_USERNAME": "",
+ "AUTOGRAPH_STAGE_LANGPACK_PASSWORD": "",
+ "AUTOGRAPH_STAGE_FOCUS_USERNAME": "",
+ "AUTOGRAPH_STAGE_FOCUS_PASSWORD": "",
+ "AUTOGRAPH_STAGE_FENIX_USERNAME": "",
+ "AUTOGRAPH_STAGE_FENIX_PASSWORD": "",
 }
 _validate_config(context)
@@ -88,8 +102,6 @@ def test_thunderbird_fake_prod():
 "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "",
 "AUTOGRAPH_MAR_USERNAME": "",
 "AUTOGRAPH_MAR_PASSWORD": "",
- "AUTOGRAPH_STAGE_MAR_USERNAME": "",
- "AUTOGRAPH_STAGE_MAR_PASSWORD": "",
 "AUTOGRAPH_GPG_USERNAME": "",
 "AUTOGRAPH_GPG_PASSWORD": "",
 "AUTOGRAPH_WIDEVINE_USERNAME": "",
@@ -102,6 +114,22 @@ def test_thunderbird_fake_prod():
 "AUTOGRAPH_FOCUS_PASSWORD": "",
 "AUTOGRAPH_FENIX_USERNAME": "",
 "AUTOGRAPH_FENIX_PASSWORD": "",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME": "",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD": "",
+ "AUTOGRAPH_STAGE_MAR_USERNAME": "",
+ "AUTOGRAPH_STAGE_MAR_PASSWORD": "",
+ "AUTOGRAPH_STAGE_GPG_USERNAME": "",
+ "AUTOGRAPH_STAGE_GPG_PASSWORD": "",
+ "AUTOGRAPH_STAGE_OMNIJA_USERNAME": "",
+ "AUTOGRAPH_STAGE_OMNIJA_PASSWORD": "",
+ "AUTOGRAPH_STAGE_WIDEVINE_USERNAME": "",
+ "AUTOGRAPH_STAGE_WIDEVINE_PASSWORD": "",
+ "AUTOGRAPH_STAGE_LANGPACK_USERNAME": "",
+ "AUTOGRAPH_STAGE_LANGPACK_PASSWORD": "",
+ "AUTOGRAPH_STAGE_FOCUS_USERNAME": "",
+ "AUTOGRAPH_STAGE_FOCUS_PASSWORD": "",
+ "AUTOGRAPH_STAGE_FENIX_USERNAME": "",
+ "AUTOGRAPH_STAGE_FENIX_PASSWORD": "",
 }
 _validate_config(context)
@@ -110,30 +138,23 @@ def test_mobile_fake_prod():
 context = {
 "COT_PRODUCT": "mobile",
 "ENV": "fake-prod",
- "AUTOGRAPH_FOCUS_USERNAME": "",
- "AUTOGRAPH_FOCUS_PASSWORD": "",
- "AUTOGRAPH_STAGE_FOCUS_USERNAME": "",
- "AUTOGRAPH_STAGE_FOCUS_PASSWORD": "",
- "AUTOGRAPH_STAGE_FOCUS_V3_USERNAME": "",
- "AUTOGRAPH_STAGE_FOCUS_V3_PASSWORD": "",
- "AUTOGRAPH_FENIX_USERNAME": "",
- "AUTOGRAPH_FENIX_PASSWORD": "",
- "AUTOGRAPH_STAGE_FENIX_USERNAME": "",
- "AUTOGRAPH_STAGE_FENIX_PASSWORD": "",
- "AUTOGRAPH_STAGE_FENIX_V3_USERNAME": "",
- "AUTOGRAPH_STAGE_FENIX_V3_PASSWORD": "",
- "AUTOGRAPH_FENIX_MOZILLA_ONLINE_USERNAME": "",
- "AUTOGRAPH_FENIX_MOZILLA_ONLINE_PASSWORD": "",
 "AUTOGRAPH_REFERENCE_BROWSER_USERNAME": "",
 "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD": "",
- "AUTOGRAPH_GPG_USERNAME": "",
- "AUTOGRAPH_GPG_PASSWORD": "",
+ "AUTOGRAPH_STAGE_REFERENCE_BROWSER_USERNAME": "",
+ "AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD": "",
 }
 _validate_config(context)
 def test_application_services_fake_prod():
- context = {"COT_PRODUCT": "app-services", "ENV": "fake-prod", "AUTOGRAPH_GPG_USERNAME": "", "AUTOGRAPH_GPG_PASSWORD": ""}
+ context = {
+ "COT_PRODUCT": "app-services",
+ "ENV": "fake-prod",
+ "AUTOGRAPH_GPG_USERNAME": "",
+ "AUTOGRAPH_GPG_PASSWORD": "",
+ "AUTOGRAPH_STAGE_GPG_USERNAME": "",
+ "AUTOGRAPH_STAGE_GPG_PASSWORD": "",
+ }
 _validate_config(context)
diff --git a/signingscript/tests/test_dockerd.py b/signingscript/tests/test_dockerd.py
index d318144a4..f96db846c 100644
--- a/signingscript/tests/test_dockerd.py
+++ b/signingscript/tests/test_dockerd.py
@@ -17,18 +17,10 @@
 "AUTOGRAPH_FENIX_MOZILLA_ONLINE_USERNAME",
 "AUTOGRAPH_FENIX_PASSWORD",
 "AUTOGRAPH_FENIX_USERNAME",
- "AUTOGRAPH_STAGE_FENIX_PASSWORD",
- "AUTOGRAPH_STAGE_FENIX_USERNAME",
- "AUTOGRAPH_STAGE_FENIX_V3_PASSWORD",
- "AUTOGRAPH_STAGE_FENIX_V3_USERNAME",
 "AUTOGRAPH_FENNEC_RELEASE_PASSWORD",
 "AUTOGRAPH_FENNEC_RELEASE_USERNAME",
 "AUTOGRAPH_FOCUS_PASSWORD",
 "AUTOGRAPH_FOCUS_USERNAME",
- "AUTOGRAPH_STAGE_FOCUS_PASSWORD",
- "AUTOGRAPH_STAGE_FOCUS_USERNAME",
- "AUTOGRAPH_STAGE_FOCUS_V3_PASSWORD",
- "AUTOGRAPH_STAGE_FOCUS_V3_USERNAME",
 "AUTOGRAPH_GPG_PASSWORD",
 "AUTOGRAPH_GPG_USERNAME",
 "AUTOGRAPH_LANGPACK_PASSWORD",
@@ -39,8 +31,6 @@
 "AUTOGRAPH_MAR_USERNAME",
 "AUTOGRAPH_MAR_RELEASE_PASSWORD",
 "AUTOGRAPH_MAR_RELEASE_USERNAME",
- "AUTOGRAPH_STAGE_MAR_PASSWORD",
- "AUTOGRAPH_STAGE_MAR_USERNAME",
 "AUTOGRAPH_MOZILLAVPN_ADDONS_PASSWORD",
 "AUTOGRAPH_MOZILLAVPN_ADDONS_USERNAME",
 "AUTOGRAPH_MOZILLAVPN_DEBSIGN_PASSWORD",
@@ -51,14 +41,50 @@
 "AUTOGRAPH_OMNIJA_USERNAME",
 "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD",
 "AUTOGRAPH_REFERENCE_BROWSER_USERNAME",
- "AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD",
- "AUTOGRAPH_STAGE_REFERENCE_BROWSER_USERNAME",
 "AUTOGRAPH_WIDEVINE_PASSWORD",
 "AUTOGRAPH_WIDEVINE_USERNAME",
 "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD",
 "AUTOGRAPH_XPI_PRIVILEGED_USERNAME",
 "AUTOGRAPH_XPI_PASSWORD",
 "AUTOGRAPH_XPI_USERNAME",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_EV_USERNAME",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_EV_PASSWORD",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD",
+ "AUTOGRAPH_STAGE_FENIX_MOZILLA_ONLINE_USERNAME",
+ "AUTOGRAPH_STAGE_FENIX_MOZILLA_ONLINE_PASSWORD",
+ "AUTOGRAPH_STAGE_FENIX_USERNAME",
+ "AUTOGRAPH_STAGE_FENIX_PASSWORD",
+ "AUTOGRAPH_STAGE_FENNEC_RELEASE_USERNAME",
+ "AUTOGRAPH_STAGE_FENNEC_RELEASE_PASSWORD",
+ "AUTOGRAPH_STAGE_FOCUS_USERNAME",
+ "AUTOGRAPH_STAGE_FOCUS_PASSWORD",
+ "AUTOGRAPH_STAGE_GPG_USERNAME",
+ "AUTOGRAPH_STAGE_GPG_PASSWORD",
+ "AUTOGRAPH_STAGE_LANGPACK_USERNAME",
+ "AUTOGRAPH_STAGE_LANGPACK_PASSWORD",
+ "AUTOGRAPH_STAGE_MAR_NIGHTLY_USERNAME",
+ "AUTOGRAPH_STAGE_MAR_NIGHTLY_PASSWORD",
+ "AUTOGRAPH_STAGE_MAR_USERNAME",
+ "AUTOGRAPH_STAGE_MAR_PASSWORD",
+ "AUTOGRAPH_STAGE_MAR_RELEASE_USERNAME",
+ "AUTOGRAPH_STAGE_MAR_RELEASE_PASSWORD",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_USERNAME",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_PASSWORD",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_USERNAME",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_PASSWORD",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_USERNAME",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_PASSWORD",
+ "AUTOGRAPH_STAGE_OMNIJA_USERNAME",
+ "AUTOGRAPH_STAGE_OMNIJA_PASSWORD",
+ "AUTOGRAPH_STAGE_REFERENCE_BROWSER_USERNAME",
+ "AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD",
+ "AUTOGRAPH_STAGE_WIDEVINE_USERNAME",
+ "AUTOGRAPH_STAGE_WIDEVINE_PASSWORD",
+ "AUTOGRAPH_STAGE_XPI_PRIVILEGED_USERNAME",
+ "AUTOGRAPH_STAGE_XPI_PRIVILEGED_PASSWORD",
+ "AUTOGRAPH_STAGE_XPI_USERNAME",
+ "AUTOGRAPH_STAGE_XPI_PASSWORD",
 )
 }
diff --git a/signingscript/tests/test_sign.py b/signingscript/tests/test_sign.py
index 076623ef9..e6bbe5a65 100644
--- a/signingscript/tests/test_sign.py
+++ b/signingscript/tests/test_sign.py
@@ -547,35 +547,6 @@ def test_should_sign_windows(filenames, expected):
 assert sign._should_sign_windows(f) == expected
-# _get_widevine_signing_files {{{1
-@pytest.mark.parametrize(
- "filenames,expected",
- (
- (["firefox.dll", "XUL.so", "firefox.bin", "blah"], {}),
- (
- ("firefox", "blah/XUL", "foo/bar/libclearkey.dylib", "baz/plugin-container", "ignore"),
- {"firefox": "widevine", "blah/XUL": "widevine", "foo/bar/libclearkey.dylib": "widevine", "baz/plugin-container": "widevine_blessed"},
- ),
- (
- # Test for existing signature files
- (
- "firefox",
- "blah/XUL",
- "blah/XUL.sig",
- "foo/bar/libclearkey.dylib",
- "foo/bar/libclearkey.dylib.sig",
- "plugin-container",
- "plugin-container.sig",
- "ignore",
- ),
- {"firefox": "widevine"},
- ),
- ),
-)
-def test_get_widevine_signing_files(filenames, expected):
- assert sign._get_widevine_signing_files(filenames) == expected
-
-
 # _run_generate_precomplete {{{1
 @pytest.mark.parametrize("num_precomplete,raises", ((1, False), (0, True), (2, True)))
 def test_run_generate_precomplete(context, num_precomplete, raises, mocker):
@@ -824,7 +795,7 @@ async def fake_sign_hash(context, h, fmt):
 context.config["widevine_cert"] = cert
 to = tmp_path / "signed.sig"
- to = await sign.sign_widevine_with_autograph(context, "from", blessed, to=to)
+ to = await sign.sign_widevine_with_autograph(context, "from", blessed, "autograph_widevine", to=to)
 assert b"sigwidevinesig" == to.read_bytes()
 assert called_format == "autograph_widevine"
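Review bot: The value passed as the new format argument, `"autograph_widevine"`, is the same literal the test already asserted for `called_format` on the last line of the hunk, so this test still passes if `sign_widevine_with_autograph` ignored the new parameter and kept a hard-coded format; the stage path the commit introduces is never exercised. Parametrizing the test over `("autograph_widevine", "stage_autograph_widevine")` and asserting `called_format == fmt` would pin the behaviour the new argument exists for. The omnija call in the next hunk, `await sign.sign_omnija_with_autograph(context, copy_from, "autograph_omnija")`, has the same gap unless `mocked_autograph` checks `fmt`, which is not visible here. The enclosing test function starts above the hunk.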
@@ -839,7 +810,7 @@ async def fake_sign_hash(*args, **kwargs):
 with pytest.raises(ImportError):
 to = tmp_path / "signed.sig"
- to = await sign.sign_widevine_with_autograph(context, "from", True, to=to)
+ to = await sign.sign_widevine_with_autograph(context, "from", True, "autograph_widevine", to=to)
 @pytest.mark.asyncio
@@ -968,7 +939,7 @@ async def mocked_autograph(context, from_, fmt, to, extension_id):
 shutil.copyfile(os.path.join(TEST_DATA_DIR, signed), to)
 mocker.patch.object(sign, "sign_file_with_autograph", mocked_autograph)
- await sign.sign_omnija_with_autograph(context, copy_from)
+ await sign.sign_omnija_with_autograph(context, copy_from, "autograph_omnija")
 sha256_actual = sha256(open(copy_from, "rb").read()).hexdigest()
 assert sha256_actual == sha256_expected
diff --git a/signingscript/tests/test_task.py b/signingscript/tests/test_task.py
index ca0f911b9..bff573ad7 100644
--- a/signingscript/tests/test_task.py
+++ b/signingscript/tests/test_task.py
@@ -152,6 +152,17 @@ def fake_log(context, new_files, *args):
 ("autograph_authenticode_sha2_stub", stask.sign_authenticode),
 ("apple_notarization", stask.apple_notarize),
 ("default", stask.sign_file),
+ # Stage-prefixed cases
+ ("stage_autograph_hash_only_mar384", stask.sign_mar384_with_autograph_hash),
+ ("stage_autograph_gpg", stask.sign_gpg_with_autograph),
+ ("stage_macapp", stask.sign_macapp),
+ ("stage_widevine", stask.sign_widevine),
+ ("stage_autograph_authenticode_sha2", stask.sign_authenticode),
+ ("stage_autograph_authenticode_sha2_stub", stask.sign_authenticode),
+ ("stage_apple_notarization", stask.apple_notarize),
+ ("stage_autograph_xpi", stask.sign_xpi),
+ ("stage_autograph_xpi_sha256_es256", stask.sign_xpi),
+ ("stage_autograph_xpi_foobar", stask.sign_xpi),
 # Key id cases
 ("autograph_hash_only_mar384:firefox_20190321_dev", stask.sign_mar384_with_autograph_hash),
 ("autograph_authenticode_sha2:202404", stask.sign_authenticode),
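Review bot: The stage-prefixed cases stop short of the combinations that follow them: there is no `stage_` form carrying a key id, although `autograph_hash_only_mar384:firefox_20190321_dev` and `autograph_authenticode_sha2:202404` are covered for the unprefixed names. Adding `("stage_autograph_hash_only_mar384:firefox_20190321_dev", stask.sign_mar384_with_autograph_hash),` and `("stage_autograph_authenticode_sha2:202404", stask.sign_authenticode),` would check that prefix handling and key-id splitting compose. The formats `_sort_formats` now pins in this commit, `stage_autograph_omnija` and `stage_autograph_widevine`, are absent from these cases; if their unprefixed forms appear in the part of the table above the hunk, their stage counterparts belong alongside. The parametrize list begins above the hunk.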
diff --git a/tests/test_init.py b/tests/test_init.py
index 47eb366fc..edd357f62 100644
--- a/tests/test_init.py
+++ b/tests/test_init.py
@@ -83,54 +83,70 @@
 },
 re.compile(r"signing:.*"): {
 "WIDEVINE_CERT": "Zm9vYmFyCg==",
- "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "1",
- "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "1",
 "AUTOGRAPH_AUTHENTICODE_EV_PASSWORD": "1",
 "AUTOGRAPH_AUTHENTICODE_EV_USERNAME": "1",
- "AUTOGRAPH_FENIX_PASSWORD": "1",
- "AUTOGRAPH_FENIX_USERNAME": "1",
- "AUTOGRAPH_STAGE_FENIX_PASSWORD": "1",
- "AUTOGRAPH_STAGE_FENIX_USERNAME": "1",
- "AUTOGRAPH_STAGE_FENIX_V3_PASSWORD": "1",
- "AUTOGRAPH_STAGE_FENIX_V3_USERNAME": "1",
+ "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "1",
+ "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "1",
 "AUTOGRAPH_FENIX_MOZILLA_ONLINE_PASSWORD": "1",
 "AUTOGRAPH_FENIX_MOZILLA_ONLINE_USERNAME": "1",
+ "AUTOGRAPH_FENIX_PASSWORD": "1",
+ "AUTOGRAPH_FENIX_USERNAME": "1",
 "AUTOGRAPH_FENNEC_RELEASE_PASSWORD": "1",
 "AUTOGRAPH_FENNEC_RELEASE_USERNAME": "1",
 "AUTOGRAPH_FOCUS_PASSWORD": "1",
 "AUTOGRAPH_FOCUS_USERNAME": "1",
- "AUTOGRAPH_STAGE_FOCUS_PASSWORD": "1",
- "AUTOGRAPH_STAGE_FOCUS_USERNAME": "1",
- "AUTOGRAPH_STAGE_FOCUS_V3_PASSWORD": "1",
- "AUTOGRAPH_STAGE_FOCUS_V3_USERNAME": "1",
 "AUTOGRAPH_GPG_PASSWORD": "1",
 "AUTOGRAPH_GPG_USERNAME": "1",
 "AUTOGRAPH_LANGPACK_PASSWORD": "1",
 "AUTOGRAPH_LANGPACK_USERNAME": "1",
- "AUTOGRAPH_MAR_PASSWORD": "1",
- "AUTOGRAPH_MAR_USERNAME": "1",
- "AUTOGRAPH_STAGE_MAR_PASSWORD": "1",
- "AUTOGRAPH_STAGE_MAR_USERNAME": "1",
 "AUTOGRAPH_MAR_NIGHTLY_PASSWORD": "1",
 "AUTOGRAPH_MAR_NIGHTLY_USERNAME": "1",
+ "AUTOGRAPH_MAR_PASSWORD": "1",
 "AUTOGRAPH_MAR_RELEASE_PASSWORD": "1",
 "AUTOGRAPH_MAR_RELEASE_USERNAME": "1",
- "AUTOGRAPH_MOZILLAVPN_PASSWORD": "1",
- "AUTOGRAPH_MOZILLAVPN_USERNAME": "1",
+ "AUTOGRAPH_MAR_USERNAME": "1",
 "AUTOGRAPH_MOZILLAVPN_ADDONS_PASSWORD": "1",
 "AUTOGRAPH_MOZILLAVPN_ADDONS_USERNAME": "1",
 "AUTOGRAPH_MOZILLAVPN_DEBSIGN_PASSWORD": "1",
 "AUTOGRAPH_MOZILLAVPN_DEBSIGN_USERNAME": "1",
+ "AUTOGRAPH_MOZILLAVPN_PASSWORD": "1",
+ "AUTOGRAPH_MOZILLAVPN_USERNAME": "1",
 "AUTOGRAPH_OMNIJA_PASSWORD": "1",
 "AUTOGRAPH_OMNIJA_USERNAME": "1",
 "AUTOGRAPH_REFERENCE_BROWSER_PASSWORD": "1",
 "AUTOGRAPH_REFERENCE_BROWSER_USERNAME": "1",
- "AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME": "1",
+ "AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_FENIX_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_FENIX_USERNAME": "1",
+ "AUTOGRAPH_STAGE_FOCUS_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_FOCUS_USERNAME": "1",
+ "AUTOGRAPH_STAGE_GPG_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_GPG_USERNAME": "1",
+ "AUTOGRAPH_STAGE_LANGPACK_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_LANGPACK_USERNAME": "1",
+ "AUTOGRAPH_STAGE_MAR_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_MAR_USERNAME": "1",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_ADDONS_USERNAME": "1",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_MOZILLAVPN_DEBSIGN_USERNAME": "1",
+ "AUTOGRAPH_STAGE_OMNIJA_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_OMNIJA_USERNAME": "1",
 "AUTOGRAPH_STAGE_REFERENCE_BROWSER_USERNAME": "1",
+ "AUTOGRAPH_STAGE_REFERENCE_BROWSER_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_WIDEVINE_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_WIDEVINE_USERNAME": "1",
+ "AUTOGRAPH_STAGE_XPI_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_XPI_USERNAME": "1",
+ "AUTOGRAPH_STAGE_XPI_PRIVILEGED_PASSWORD": "1",
+ "AUTOGRAPH_STAGE_XPI_PRIVILEGED_USERNAME": "1",
 "AUTOGRAPH_WIDEVINE_PASSWORD": "1",
 "AUTOGRAPH_WIDEVINE_USERNAME": "1",
 "AUTOGRAPH_XPI_PRIVILEGED_PASSWORD": "1",
 "AUTOGRAPH_XPI_PRIVILEGED_USERNAME": "1",
+ "AUTOGRAPH_XPI_PASSWORD": "1",
+ "AUTOGRAPH_XPI_USERNAME": "1",
 },
 re.compile(r"signing:adhoc:(dev|fake-prod)"): {
 "AUTOGRAPH_XPI_PASSWORD": "1",
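Review bot: The `AUTOGRAPH_STAGE_*` entries added to the `signing:.*` map are only a partial mirror: the test_dockerd.py hunk in this commit lists `AUTOGRAPH_STAGE_AUTHENTICODE_EV_*`, `AUTOGRAPH_STAGE_FENIX_MOZILLA_ONLINE_*`, `AUTOGRAPH_STAGE_FENNEC_RELEASE_*`, `AUTOGRAPH_STAGE_MAR_NIGHTLY_*`, `AUTOGRAPH_STAGE_MAR_RELEASE_*` and `AUTOGRAPH_STAGE_MOZILLAVPN_*`, none of which appear here, while every one of their unprefixed counterparts does. If the two files are meant to describe the same secret set, one of them is out of date; if the omission is deliberate, a comment on this dict naming which stage credentials a signing worker is expected to carry would document that and keep the prod/stage credential split reviewable. Style: `AUTOGRAPH_STAGE_AUTHENTICODE_SHA2_USERNAME` is listed before its `_PASSWORD` sibling while every other pair in this dict is password-first, and the new block in test_dockerd.py inverts the order for all of its entries. The dict is part of a larger fixture that starts above the hunk.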