Bug 1540276: Migrate authenticode signing to autograph r=Callek,mshal
authorChris AtLee <catlee@mozilla.com>
Mon, 30 Sep 2019 13:57:32 +0000
changeset 495685 eb661b954b91447706dc34d0c0a8137731e1db26
parent 495684 38005dfbfc8cdca978ab4ec35552317f30089736
child 495686 c36eedede55882d7d5d2f811f448f824126612bf
push id114140
push userdvarga@mozilla.com
push dateWed, 02 Oct 2019 18:04:51 +0000
reviewersCallek, mshal
bugs1540276
milestone71.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1540276: Migrate authenticode signing to autograph r=Callek,mshal Differential Revision: https://phabricator.services.mozilla.com/D47114
Makefile.in
taskcluster/docs/partner-repacks.rst
taskcluster/docs/signing.rst
taskcluster/taskgraph/transforms/geckodriver_signing.py
taskcluster/taskgraph/transforms/openh264_signing.py
taskcluster/taskgraph/transforms/repackage_signing_partner.py
toolkit/mozapps/installer/upload-files.mk
tools/update-packaging/Makefile.in
--- a/Makefile.in
+++ b/Makefile.in
@@ -187,17 +187,17 @@ default all::
 
 # PGO build target.
 profiledbuild::
 	$(call BUILDSTATUS,TIERS pgo_profile_generate pgo_package pgo_profile pgo_clobber pgo_profile_use)
 	$(call BUILDSTATUS,TIER_START pgo_profile_generate)
 	$(MAKE) default MOZ_PROFILE_GENERATE=1 MOZ_LTO=
 	$(call BUILDSTATUS,TIER_FINISH pgo_profile_generate)
 	$(call BUILDSTATUS,TIER_START pgo_package)
-	$(MAKE) package MOZ_INTERNAL_SIGNING_FORMAT= MOZ_EXTERNAL_SIGNING_FORMAT=
+	$(MAKE) package
 	rm -f jarlog/en-US.log
 	$(call BUILDSTATUS,TIER_FINISH pgo_package)
 	$(call BUILDSTATUS,TIER_START pgo_profile)
 	JARLOG_FILE=jarlog/en-US.log $(PYTHON) $(topsrcdir)/build/pgo/profileserver.py
 	$(call BUILDSTATUS,TIER_FINISH pgo_profile)
 	$(call BUILDSTATUS,TIER_START pgo_clobber)
 	$(MAKE) maybe_clobber_profiledbuild
 	$(call BUILDSTATUS,TIER_FINISH pgo_clobber)
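Review bot: Dropping the explicit `MOZ_INTERNAL_SIGNING_FORMAT= MOZ_EXTERNAL_SIGNING_FORMAT=` overrides on the pgo_package step removes the only statement in this rule that the instrumented profile-generation package is deliberately built unsigned. Whether the `package` target still reads those variables is decided in packager.mk, outside this hunk; if they are still honoured there, a signing-enabled environment would now sign a throwaway instrumented build. If the variables really are gone from the packaging path, a one-line comment would preserve the intent: `# The instrumented profiling package is never shipped; no signing applies here.` The profiledbuild rule continues past the hunk.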
--- a/taskcluster/docs/partner-repacks.rst
+++ b/taskcluster/docs/partner-repacks.rst
@@ -202,17 +202,17 @@ Repackage Signing
 
 * kinds: ``release-partner-repack-repackage-signing`` ``release-eme-free-repack-repackage-signing``
 * platforms: All
 * upstreams:
 
    * Mac & Windows: ``release-partner-repackage`` ``release-eme-free-repackage``
    * Linux: ``release-partner-repack-chunking-dummy``
 
-This step GPG signs all platforms, and sha2signcode signs the Windows installer.
+This step GPG signs all platforms, and authenticode signs the Windows installer.
 
 Beetmover
 ^^^^^^^^^
 
 * kinds: ``release-partner-repack-beetmover`` ``release-eme-free-repack-beetmover``
 * platforms: All
 * upstreams: ``release-partner-repack-repackage-signing`` ``release-eme-free-repack-repackage-signing``
 
@@ -244,9 +244,9 @@ Updates
 It's very rare to need to update a partner repack differently from the original
 release build but we retain that capability. A partner build with distribution name ``foo``,
 based on a release Firefox build, will query for an update on the ``release-cck-foo`` channel. If
 the update server `Balrog <http://mozilla-balrog.readthedocs.io/en/latest/>`_ finds no rule for
 that channel it will fallback to the ``release`` channel. The update files for the regular releases do not
 modify the ``distribution/`` directory, so the customizations are not modified.
 
 `Bug 1430254 <https://bugzilla.mozilla.org/show_bug.cgi?id=1430254>`_ is an example of an exception to this
-logic.
\ No newline at end of file
+logic.
--- a/taskcluster/docs/signing.rst
+++ b/taskcluster/docs/signing.rst
@@ -102,17 +102,17 @@ set of keys for the Focus app.
 ``macapp`` signing accepts either a ``dmg`` or ``tar.gz``; it converts ``dmg``
 files to ``tar.gz`` before submitting to the signing server. The signed binary
 is a ``tar.gz``.
 
 ``authenticode`` signing takes individual binaries or a zipfile. We sign the
 individual file or internals of the zipfile, skipping any already-signed files
 and a select few blocklisted files (using the `should_sign_windows`_ function).
 It returns a signed individual binary or zipfile with signed internals, depending
-on the input. This format includes ``authograph_authenticode``, and
+on the input. This format includes ``autograph_authenticode``, and
 ``autograph_authenticode_stub``.
 
 ``mar`` signing signs our update files (Mozilla ARchive). ``mar_sha384`` is
 the same, but with a different hashing algorithm.
 
 ``autograph_widevine`` is also video-related; see the
 `widevine site`_. We sign specific files inside the package and rebuild the
 ``precomplete`` file that we use for updates.
--- a/taskcluster/taskgraph/transforms/geckodriver_signing.py
+++ b/taskcluster/taskgraph/transforms/geckodriver_signing.py
@@ -90,17 +90,17 @@ def make_repackage_signing_description(c
             task['worker-type'] = task['worker-type'].replace("linux-", "mac-")
             task['worker']['mac-behavior'] = 'mac_geckodriver'
 
         yield task
 
 
 def _craft_upstream_artifacts(dependency_kind, build_platform):
     if build_platform.startswith('win'):
-        signing_format = 'sha2signcode'
+        signing_format = 'autograph_authenticode'
         extension = 'zip'
     elif build_platform.startswith('linux'):
         signing_format = 'autograph_gpg'
         extension = 'tar.gz'
     elif build_platform.startswith('macosx'):
         signing_format = 'mac_geckodriver'
         extension = 'tar.gz'
     else:
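Review bot: `_craft_upstream_artifacts` has no docstring, and the per-platform signing-format literals it now carries (`autograph_authenticode`, `autograph_gpg`, `mac_geckodriver`) are the same strings repeated in the openh264 and partner transforms touched by this commit, so the next format rename will again have to be chased through several files. A docstring such as `"""Build the upstream-artifacts entry for a geckodriver signing task, choosing signing format and archive extension from build_platform."""` would help, and hoisting the format names into module-level constants shared by the transforms would keep them from drifting. The function's body continues past the hunk; the final `else:` branch is not visible here.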
--- a/taskcluster/taskgraph/transforms/openh264_signing.py
+++ b/taskcluster/taskgraph/transforms/openh264_signing.py
@@ -55,17 +55,17 @@ def make_signing_description(config, job
         signing_cert_scope = get_signing_cert_scope_per_platform(
             build_platform, is_nightly, config
         )
 
         scopes = [signing_cert_scope]
 
         if 'win' in build_platform:
             # job['primary-dependency'].task['payload']['command']
-            formats = ['sha2signcode']
+            formats = ['autograph_authenticode']
         else:
             formats = ['autograph_gpg']
 
         rev = attributes['openh264_rev']
         upstream_artifacts = [{
             "taskId": {"task-reference": "<openh264>"},
             "taskType": "build",
             "paths": [
--- a/taskcluster/taskgraph/transforms/repackage_signing_partner.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing_partner.py
@@ -76,32 +76,32 @@ def make_repackage_signing_description(c
 
         if 'win' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
                 ],
-                "formats": ["sha2signcode", "autograph_gpg"]
+                "formats": ["autograph_authenticode", "autograph_gpg"]
             }]
 
             partner_config = get_partner_config_by_kind(config, config.kind)
             partner, subpartner, _ = repack_id.split('/')
             repack_stub_installer = partner_config[partner][subpartner].get(
                 'repack_stub_installer')
             if build_platform.startswith('win32') and repack_stub_installer:
                 upstream_artifacts.append({
                     "taskId": {"task-reference": "<repackage>"},
                     "taskType": "repackage",
                     "paths": [
                         get_artifact_path(dep_job, "{}/target.stub-installer.exe".format(
                             repack_id)),
                     ],
-                    "formats": ["sha2signcode", "autograph_gpg"]
+                    "formats": ["autograph_authenticode", "autograph_gpg"]
                 })
         elif 'mac' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.dmg".format(repack_id)),
                 ],
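Review bot: The list `["autograph_authenticode", "autograph_gpg"]` is duplicated for the installer and the stub installer, and its order carries meaning that nothing in the file records: if the signing worker applies formats in list order (not visible here), the GPG signature is produced over the already authenticode-signed installer, which is the artifact users actually download. Hoist the list into one module-level constant with the rationale attached, e.g. `# Order matters: authenticode first so the GPG signature covers the signed installer.` followed by `WIN_INSTALLER_FORMATS = ["autograph_authenticode", "autograph_gpg"]`, and reference it from both upstream_artifacts entries. make_repackage_signing_description starts before this hunk and continues after it.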
--- a/toolkit/mozapps/installer/upload-files.mk
+++ b/toolkit/mozapps/installer/upload-files.mk
@@ -128,20 +128,16 @@ ifeq ($(MOZ_PKG_FORMAT),BZ2)
     INNER_MAKE_PACKAGE 	= $(CREATE_FINAL_TAR) - -C $(MOZ_PKG_DIR) $(_APPNAME) | bzip2 -vf > $(PACKAGE)
   else
     INNER_MAKE_PACKAGE 	= $(CREATE_FINAL_TAR) - $(MOZ_PKG_DIR) | bzip2 -vf > $(PACKAGE)
   endif
   INNER_UNMAKE_PACKAGE	= bunzip2 -c $(UNPACKAGE) | $(UNPACK_TAR)
 endif
 
 ifeq ($(MOZ_PKG_FORMAT),ZIP)
-  ifdef MOZ_EXTERNAL_SIGNING_FORMAT
-    # We can't use sha2signcode on zip files
-    MOZ_EXTERNAL_SIGNING_FORMAT := $(filter-out sha2signcode,$(MOZ_EXTERNAL_SIGNING_FORMAT))
-  endif
   PKG_SUFFIX	= .zip
   INNER_MAKE_PACKAGE = $(call py_action,make_zip,'$(MOZ_PKG_DIR)' '$(PACKAGE)')
   INNER_UNMAKE_PACKAGE = $(call py_action,make_unzip,$(UNPACKAGE))
 endif
 
 ifeq ($(MOZ_PKG_FORMAT),SFX7Z)
   PKG_SUFFIX	= .exe
   INNER_MAKE_PACKAGE = $(call py_action,exe_7z_archive,'$(MOZ_PKG_DIR)' '$(MOZ_INSTALLER_PATH)/app.tag' '$(MOZ_SFX_PACKAGE)' '$(PACKAGE)')
--- a/tools/update-packaging/Makefile.in
+++ b/tools/update-packaging/Makefile.in
@@ -28,28 +28,16 @@ full-update:: complete-patch
 ifeq ($(OS_TARGET), WINNT)
 MOZ_PKG_FORMAT	:= SFX7Z
 UNPACKAGE	= '$(subst $(DIST),$(ABS_DIST),$(INSTALLER_PACKAGE))'
 endif
 
 include $(topsrcdir)/config/rules.mk
 include $(topsrcdir)/toolkit/mozapps/installer/packager.mk
 
-ifdef MOZ_EXTERNAL_SIGNING_FORMAT
-# We can't use sha2signcode on mar files
-MOZ_EXTERNAL_SIGNING_FORMAT := $(filter-out sha2signcode,$(MOZ_EXTERNAL_SIGNING_FORMAT))
-MOZ_EXTERNAL_SIGNING_FORMAT := mar $(MOZ_EXTERNAL_SIGNING_FORMAT)
-endif
-
-ifndef MAR_OLD_FORMAT
-MAR_SIGN_FORMAT=mar_sha384
-else
-MAR_SIGN_FORMAT=mar
-endif
-
 dir-stage := $(call mkdir_deps,$(STAGE_DIR))
 
 complete-patch:: $(dir-stage)
 # unpack the windows installer, unless we're an l10n repack, we just packed this
 ifndef IS_LANGUAGE_REPACK
 ifeq ($(OS_TARGET), WINNT)
 	test -f $(UNPACKAGE)
 	$(RM) -rf '$(PACKAGE_DIR)'