Bug 1324502 - Support SHA384 MAR signing on signing servers r=nthomas
authorRail Aliiev <rail@mozilla.com>
Tue, 10 Jan 2017 09:08:40 -0500
changeset 7245 591dd2cb8e26a788d16750df6efaf064b949cd98
parent 7244 7e2526c8dfc78a03ed3ed99b429aeeedbbb0d94b
child 7246 2b83e278e973e7f3ab3e1d677bb2e75e3426b369
push id5397
push userraliiev@mozilla.com
push dateThu, 12 Jan 2017 18:18:28 +0000
reviewersnthomas
bugs1324502
Bug 1324502 - Support SHA384 MAR signing on signing servers r=nthomas MozReview-Commit-ID: IlJo0oTs4lx
release/signing/signing.ini.template
release/signing/signscript.py
release/signing/signtool.py
--- a/release/signing/signing.ini.template
+++ b/release/signing/signing.ini.template
@@ -21,16 +21,17 @@ allowed_ips = 0.0.0.0/0
 # of regular expressions
 allowed_filenames = .*
 # Minimum filesize that we'll sign
 min_filesize = 10
 # Maximum filesize, per format. 52428800 = 50MB, 524288000 = 500MB
 max_filesize_gpg = 524288000
 max_filesize_dmg = 52428800
 max_filesize_mar = 52428800
+max_filesize_mar_sha384 = 52428800
 max_filesize_signcode = 52428800
 max_filesize_osslsigncode = 52428800
 max_filesize_sha2signcode = 52428800
 max_filesize_sha2signcodestub = 52428800
 max_filesize_emevoucher = 52428800
 # Secret for signing tokens. This should be kept private!
 # It should also be the same on all equivalent signing servers.
 token_secret = secretstring
@@ -51,37 +52,39 @@ max_token_age = 3600
 [paths]
 # Where we store signed files
 signed_dir = signed-files
 # Where we store unsigned files
 unsigned_dir = unsigned-files
 
 [signing]
 # What signing formats we support
-formats = mar,gpg,sha2signcode,sha2signcodestub,signcode,osslsigncode,emevoucher
+formats = mar,mar_sha384,gpg,sha2signcode,sha2signcodestub,signcode,osslsigncode,emevoucher
 # Which script to run to sign files
 signscript = python ./signscript.py -c signing.ini
 # How many files to sign at once
 concurrency = 4
 # Test files for the various signing formats
 # signscript will be run on each of these on startup to test that passphrases
 # have been entered correctly
 testfile_signcode = test.exe
 testfile_osslsigncode = test64.exe
 testfile_sha2signcode = test.exe
 testfile_sha2signcodestub = test.exe
 testfile_mar = test.mar
+testfile_mar_sha384 = test.mar
 testfile_gpg = test.mar
 testfile_emevoucher = test.bin
 
 [signscript]
 # Various settings for signscript. signing-server.py doesn't look in here
 # Where are MozAuthenticode.{pvk,spc} located
 signcode_keydir = /path/to/keys
 osslsigncode_keydir = /path/to/keys
 sha2signcode_keydir = /path/to/keys
 # Where is the gpg directory with our private key
 gpg_homedir = /path/to/.gpg
 # Where is the eme voucher private key
 emevoucher_key = /path/to/cert.pem
 emevoucher_chain = /path/to/chain.pem
 # How to run mar
 mar_cmd = /path/to/signmar -d /path/to/nsscerts -n keyname -s
+mar_sha384_cmd = /path/to/signmar-sha384 -d /path/to/nsscerts -n keyname -s
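Review bot: The new `mar_sha384_cmd` key at the end of the [signscript] section sits under the comment `# How to run mar`, which now reads as if it describes only `mar_cmd`; every other key in this section carries its own comment, so the new one is the odd one out. A line such as `# How to run mar for SHA384-signed MAR files (format mar_sha384)` directly above it would make clear that the two keys select different signmar invocations. `testfile_mar_sha384` reuses test.mar, which is fine provided the sha384 signmar build accepts that file at the startup passphrase test; worth confirming on a real server before rollout.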
--- a/release/signing/signscript.py
+++ b/release/signing/signscript.py
@@ -21,16 +21,17 @@ if __name__ == '__main__':
     parser = OptionParser(__doc__)
     parser.set_defaults(
         fake=False,
         signcode_keydir=None,
         gpg_homedir=None,
         loglevel=logging.INFO,
         configfile=None,
         mar_cmd=None,
+        mar_sha384_cmd=None,
         signcode_timestamp=None,
         jar_keystore=None,
         jar_keyname=None,
         emevoucher_key=None,
         emevoucher_chain=None,
     )
     parser.add_option("--keydir", dest="signcode_keydir",
                       help="where MozAuthenticode.spc, MozAuthenticode.spk can be found")
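Review bot: The hunk only adds the `mar_sha384_cmd=None` default; no matching `parser.add_option` for it is visible, so if `mar_cmd` is exposed as a command-line flag further down this block, `mar_sha384_cmd` needs the same treatment, otherwise it can only be populated from the config file passed with `-c`. If config-only is intended (the signing.ini.template in this commit does set it under [signscript]), a one-line comment on the default, `# populated from the -c config file, no CLI flag`, would save the next reader the search. The enclosing `if __name__ == '__main__':` block starts before this hunk and continues after it.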
@@ -133,16 +134,22 @@ if __name__ == '__main__':
             inputfile, tmpfile, options.emevoucher_key,
             options.emevoucher_chain, options.fake, passphrase)
     elif format_ == "mar":
         if not options.mar_cmd:
             parser.error("mar_cmd is required when format is mar")
         safe_unlink(tmpfile)
         mar_signfile(
             inputfile, tmpfile, options.mar_cmd, options.fake, passphrase)
+    elif format_ == "mar_sha384":
+        if not options.mar_sha384_cmd:
+            parser.error("mar_sha384_cmd is required when format is mar_sha384")
+        safe_unlink(tmpfile)
+        mar_signfile(
+            inputfile, tmpfile, options.mar_sha384_cmd, options.fake, passphrase)
     elif format_ == "dmg":
         if not options.dmg_keychain:
             parser.error("dmg_keychain required when format is dmg")
         if not options.mac_id:
             parser.error("mac_id required when format is dmg")
         safe_unlink(tmpfile)
         dmg_signpackage(inputfile, tmpfile, options.dmg_keychain, options.mac_id, options.mac_cert_subject_ou, options.fake, passphrase)
     elif format_ == "jar":
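Review bot: The new `mar_sha384` branch is a verbatim copy of the `mar` branch above it with `options.mar_cmd` swapped for `options.mar_sha384_cmd`, so the two will drift apart the next time the mar handling changes (a different unlink step, error text, or extra argument to `mar_signfile`). Both formats can be served by one branch that derives the command attribute from the format name; with `%`-formatting the error message for the existing `mar` case stays byte-identical. The enclosing `if __name__ == '__main__':` block starts before this hunk and continues after it.

```python
    elif format_ in ("mar", "mar_sha384"):
        # Both formats run the same signmar flow; only the configured
        # command differs (mar_cmd vs mar_sha384_cmd).
        mar_cmd = getattr(options, "%s_cmd" % format_)
        if not mar_cmd:
            parser.error("%s_cmd is required when format is %s" % (format_, format_))
        safe_unlink(tmpfile)
        mar_signfile(inputfile, tmpfile, mar_cmd, options.fake, passphrase)
    # … unchanged: dmg / jar branches …
```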
--- a/release/signing/signtool.py
+++ b/release/signing/signtool.py
@@ -35,18 +35,19 @@ def is_authenticode_signed(filename):
         log.exception("Problem parsing file")
         return False
     finally:
         if p:
             p.close()
 
 
 def main():
-    allowed_formats = ("sha2signcode", "sha2signcodestub", "signcode", "osslsigncode",
-                       "gpg", "mar", "dmg", "dmgv2", "jar", "emevoucher")
+    allowed_formats = ("sha2signcode", "sha2signcodestub", "signcode",
+                       "osslsigncode", "gpg", "mar", "mar_sha384", "dmg",
+                       "dmgv2", "jar", "emevoucher")
 
     from optparse import OptionParser
     import random
     parser = OptionParser(__doc__)
     parser.set_defaults(
         hosts=[],
         cert=None,
         log_level=logging.INFO,
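Review bot: `allowed_formats` now accepts `mar_sha384`, but the usage text for this tool comes from `OptionParser(__doc__)` a few lines below the tuple, so if the module docstring enumerates the valid formats it needs `mar_sha384` added as well or `--help` will advertise a stale list; the docstring is outside this hunk so I cannot confirm either way. A short comment on the tuple, `# formats this client will submit; keep in sync with formats= in signing.ini`, would tie the two lists together, since this tuple is presumably what rejects an unknown format before any request reaches a signing server. `main()` continues past the end of the hunk.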