Bug 1409091 - Signing servers: Support focus-jar r=aki
authorJohan Lorenzo <jlorenzo@mozilla.com>
Mon, 23 Apr 2018 16:37:09 +0200
changeset 8408 366c73410d4e
parent 8407 1016b124ae26
child 8409 99d439f85098
push id6138
push userjlorenzo@mozilla.com
push dateThu, 17 May 2018 09:38:29 +0000
reviewersaki
bugs1409091
Bug 1409091 - Signing servers: Support focus-jar r=aki MozReview-Commit-ID: 9sGeUhxRNJk
release/signing/signing.ini.template
release/signing/signscript.py
release/signing/signtool.py
--- a/release/signing/signing.ini.template
+++ b/release/signing/signing.ini.template
@@ -54,17 +54,17 @@ max_token_age = 3600
 [paths]
 # Where we store signed files
 signed_dir = signed-files
 # Where we store unsigned files
 unsigned_dir = unsigned-files
 
 [signing]
 # What signing formats we support
-formats = mar,mar_sha384,gpg,sha2signcode,sha2signcodestub,signcode,osslsigncode,emevoucher,widevine,widevine_blessed
+formats = mar,mar_sha384,gpg,sha2signcode,sha2signcodestub,signcode,osslsigncode,emevoucher,widevine,widevine_blessed,jar,focus-jar
 # Which script to run to sign files
 signscript = python ./signscript.py -c signing.ini
 # How many files to sign at once
 concurrency = 4
 # Test files for the various signing formats
 # signscript will be run on each of these on startup to test that passphrases
 # have been entered correctly
 testfile_signcode = test.exe
@@ -81,16 +81,24 @@ testfile_widevine_blessed = test.exe
 [signscript]
 # Various settings for signscript. signing-server.py doesn't look in here
 # Where are MozAuthenticode.{pvk,spc} located
 signcode_keydir = /path/to/keys
 osslsigncode_keydir = /path/to/keys
 sha2signcode_keydir = /path/to/keys
 # Where is the gpg directory with our private key
 gpg_homedir = /path/to/.gpg
+jar_keystore = /path/to/jar/keystore
+jar_keyname = some-name
+jar_digestalg = SHA1
+jar_sigalg = SHA1withRSA
+focus_jar_keystore = /path/to/jar/keystore
+focus_jar_keyname = some-name
+focus_jar_digestalg = SHA-256
+focus_jar_sigalg = SHA256withRSA
 # Where is the eme voucher private key
 emevoucher_key = /path/to/cert.pem
 emevoucher_chain = /path/to/chain.pem
 # How to run mar
 mar_cmd = /path/to/signmar -d /path/to/nsscerts -n keyname -s
 mar_sha384_cmd = /path/to/signmar-sha384 -d /path/to/nsscerts -n keyname -s
 # widevine info
 widevine_key = /path/to/key.pem
--- a/release/signing/signscript.py
+++ b/release/signing/signscript.py
@@ -27,16 +27,20 @@ if __name__ == '__main__':
         configfile=None,
         mar_cmd=None,
         mar_sha384_cmd=None,
         signcode_timestamp=None,
         jar_keystore=None,
         jar_keyname=None,
         jar_sigalg=None,
         jar_digestalg=None,
+        focus_jar_keystore=None,
+        focus_jar_keyname=None,
+        focus_jar_sigalg=None,
+        focus_jar_digestalg=None,
         emevoucher_key=None,
         emevoucher_chain=None,
         widevine_key=None,
         widevine_cert=None,
         widevine_cmd=None,
     )
     parser.add_option("--keydir", dest="signcode_keydir",
                       help="where MozAuthenticode.spc, MozAuthenticode.spk can be found")
@@ -55,16 +59,24 @@ if __name__ == '__main__':
     parser.add_option("--jar_keystore", dest="jar_keystore",
                       help="keystore for signing jar_")
     parser.add_option("--jar_keyname", dest="jar_keyname",
                       help="which key to use from jar_keystore")
     parser.add_option("--jar_digestalg", dest="jar_digestalg",
                       help="which digest algorithm to use for signing jar files")
     parser.add_option("--jar_sigalg", dest="jar_sigalg",
                       help="which signature algorithm to use for signing jar files")
+    parser.add_option("--focus_jar_keystore", dest="focus_jar_keystore",
+                      help="keystore for signing Firefox Focus")
+    parser.add_option("--focus_jar_keyname", dest="focus_jar_keyname",
+                      help="which key to use from focus_jar_keystore")
+    parser.add_option("--focus_jar_digestalg", dest="focus_jar_digestalg",
+                      help="which digest algorithm to use for signing Firefox Focus")
+    parser.add_option("--focus_jar_sigalg", dest="focus_jar_sigalg",
+                      help="which signature algorithm to use for signing Firefox Focus")
     parser.add_option("--emevoucher_key", dest="emevoucher_key",
                       help="The certificate to use for signing the eme voucher")
     parser.add_option("--emevoucher_chain", dest="emevoucher_chain",
                       help="Certificate chain to include in EME voucher signatures")
     parser.add_option("--widevine_key", dest="widevine_key",
                       help="The key to use for signing widevine files")
     parser.add_option("--widevine_cert", dest="widevine_cert",
                       help="Certificate to use for signing widevine files")
@@ -163,25 +175,33 @@ if __name__ == '__main__':
             inputfile, tmpfile, options.mar_sha384_cmd, options.fake, passphrase)
     elif format_ == "dmg":
         if not options.dmg_keychain:
             parser.error("dmg_keychain required when format is dmg")
         if not options.mac_id:
             parser.error("mac_id required when format is dmg")
         safe_unlink(tmpfile)
         dmg_signpackage(inputfile, tmpfile, options.dmg_keychain, options.mac_id, options.mac_cert_subject_ou, options.fake, passphrase)
-    elif format_ == "jar":
-        if not options.jar_keystore:
-            parser.error("jar_keystore required when format is jar")
-        if not options.jar_keyname:
-            parser.error("jar_keyname required when format is jar")
+    elif format_ in ("jar", "focus-jar"):
+        if format_ == "jar":
+            keystore, keystore_config_name, keyname, keyname_config_name, digestalg, sigalg = (
+                options.jar_keystore, "jar_keystore", options.jar_keyname, "jar_keyname",
+                options.jar_digestalg, options.jar_sigalg
+            )
+        else:
+            keystore, keystore_config_name, keyname, keyname_config_name, digestalg, sigalg = (
+                options.focus_jar_keystore, "focus_jar_keystore", options.focus_jar_keyname, "focus_jar_keystore",
+                options.focus_jar_digestalg, options.focus_jar_sigalg
+            )
+        if not keystore:
+            parser.error("%s required when format is %s" % (keystore_config_name, format_))
+        if not keyname:
+            parser.error("%s required when format is %s" % (keyname_config_name, format_))
         copyfile(inputfile, tmpfile)
-        jar_signfile(tmpfile, options.jar_keystore,
-                     options.jar_keyname, options.jar_digestalg, options.jar_sigalg,
-                     options.fake, passphrase)
+        jar_signfile(tmpfile, keystore, keyname, digestalg, sigalg, options.fake, passphrase)
     elif format_ in ("widevine", "widevine_blessed"):
         safe_unlink(tmpfile)
         if not options.widevine_key:
             parser.error("widevine_key required when format is %s" % format_)
         blessed = "0"
         if format_ == "widevine_blessed":
             blessed = "1"
         widevine_signfile(
--- a/release/signing/signtool.py
+++ b/release/signing/signtool.py
@@ -37,17 +37,18 @@ def is_authenticode_signed(filename):
     finally:
         if p:
             p.close()
 
 
 def main():
     allowed_formats = ("sha2signcode", "sha2signcodestub", "signcode",
                        "osslsigncode", "gpg", "mar", "mar_sha384", "dmg",
-                       "dmgv2", "macapp", "jar", "emevoucher",
+                       # "jar" alone is to sign Fennec
+                       "dmgv2", "macapp", "jar", "focus-jar" "emevoucher",
                        "widevine", "widevine_blessed")
 
     from optparse import OptionParser
     import random
     parser = OptionParser(__doc__)
     parser.set_defaults(
         hosts=[],
         cert=None,