Bug 1427849 - Digitally sign geckodriver binaries on Windows and Linux r=aki
authorJohan Lorenzo <jlorenzo@mozilla.com>
Tue, 23 Apr 2019 09:03:22 +0000
changeset 470461 80a5deca74380b8c01ae7194aba33ff1e8e3df82
parent 470460 63d133aae187fde835f9f9a0b9f83bdbada8dcd8
child 470462 cf05b09d3f3a726f554d2600f3b9b5e5f629972b
push id35906
push useraciure@mozilla.com
push dateTue, 23 Apr 2019 22:14:56 +0000
reviewersaki
bugs1427849
milestone68.0a1
Bug 1427849 - Digitally sign geckodriver binaries on Windows and Linux r=aki Digitally sign geckodriver binaries on Windows and Linux Differential Revision: https://phabricator.services.mozilla.com/D28185
taskcluster/ci/geckodriver-repack/kind.yml
taskcluster/ci/geckodriver-signing/kind.yml
taskcluster/docs/kinds.rst
taskcluster/taskgraph/transforms/geckodriver_signing.py
--- a/taskcluster/ci/geckodriver-repack/kind.yml
+++ b/taskcluster/ci/geckodriver-repack/kind.yml
@@ -4,36 +4,38 @@
 
 loader: taskgraph.loader.transform:loader
 
 kind-dependencies:
     - build
     - fetch
 
 transforms:
+    - taskgraph.transforms.build_attrs:transforms
     - taskgraph.transforms.job:transforms
     - taskgraph.transforms.task:transforms
 
 job-defaults:
     attributes:
         nightly: true
     description: "Extract geckodriver binary from common tests package"
     treeherder:
         kind: other
         symbol: Gd(repack)
         tier: 2
     worker-type: aws-provisioner-v1/gecko-{level}-b-linux
     worker:
         max-run-time: 1200
         docker-image: {in-tree: debian9-amd64-build}
+        chain-of-trust: true
     run:
         using: run-task
 
 jobs:
-    linux/opt:
+    linux-nightly/opt:
         treeherder:
             platform: linux32/opt
         dependencies:
             build-linux/opt: build-linux-shippable/opt
         fetches:
             build-linux/opt:
                 - artifact: target.common.tests.tar.gz
         worker:
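Review bot: `chain-of-trust: true` is added to the worker defaults without a comment saying why, and nothing in this kind uses it on its own; presumably it is there so the scriptworker of the new geckodriver-signing kind can verify these repack artifacts before signing them. Suggest `# Needed so downstream signing tasks can verify these artifacts under chain of trust` directly above it. The job renames to `*-nightly/opt` together with the new `build_attrs` transform appear to be what gives the signing transform a `build_platform` attribute to branch on; a one-line comment on the `transforms` entry tying the two together would save the next reader the hunt. The same rename is applied in the remaining hunks of this file.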
@@ -42,17 +44,17 @@ jobs:
                   name: public/geckodriver.tar.gz
                   path: /builds/worker/geckodriver.tar.gz
         run:
             command: >
                 cd /builds/worker/fetches/bin/ &&
                 tar -cvzf geckodriver.tar.gz geckodriver &&
                 cp geckodriver.tar.gz /builds/worker
 
-    linux64/opt:
+    linux64-nightly/opt:
         treeherder:
             platform: linux64/opt
         dependencies:
             build-linux64/opt: build-linux64-shippable/opt
         fetches:
             build-linux64/opt:
                 - artifact: target.common.tests.tar.gz
         worker:
@@ -61,17 +63,17 @@ jobs:
                   name: public/geckodriver.tar.gz
                   path: /builds/worker/geckodriver.tar.gz
         run:
             command: >
                 cd /builds/worker/fetches/bin/ &&
                 tar -cvzf geckodriver.tar.gz geckodriver &&
                 cp geckodriver.tar.gz /builds/worker
 
-    macosx64/opt:
+    macosx64-nightly/opt:
         treeherder:
             platform: osx-cross/opt
         dependencies:
             build-macosx64/opt: build-macosx64-shippable/opt
         fetches:
             build-macosx64/opt:
                 - artifact: target.common.tests.tar.gz
         worker:
@@ -80,17 +82,17 @@ jobs:
                   name: public/geckodriver.tar.gz
                   path: /builds/worker/geckodriver.tar.gz
         run:
             command: >
                 cd /builds/worker/fetches/bin/ &&
                 tar -cvzf geckodriver.tar.gz geckodriver &&
                 cp geckodriver.tar.gz /builds/worker
 
-    win32/opt:
+    win32-nightly/opt:
         treeherder:
             platform: windows2012-32/opt
         dependencies:
             build-win32/opt: build-win32-shippable/opt
         fetches:
             build-win32/opt:
                 - artifact: target.common.tests.tar.gz
         worker:
@@ -99,17 +101,17 @@ jobs:
                   name: public/geckodriver.zip
                   path: /builds/worker/geckodriver.zip
         run:
             command: >
                 cd /builds/worker/fetches/bin/ &&
                 zip -r geckodriver.zip geckodriver.exe &&
                 cp geckodriver.zip /builds/worker
 
-    win64/opt:
+    win64-nightly/opt:
         treeherder:
             platform: windows2012-64/opt
         dependencies:
             build-win64/opt: build-win64-shippable/opt
         fetches:
             build-win64/opt:
                 - artifact: target.common.tests.tar.gz
         worker:
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/geckodriver-signing/kind.yml
@@ -0,0 +1,20 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+  - taskgraph.transforms.name_sanity:transforms
+  - taskgraph.transforms.geckodriver_signing:transforms
+  - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+  - geckodriver-repack
+
+job-template:
+  shipping-phase: promote
+
+not-for-build-platforms:
+  # TODO: Allow mac signing once bug 1470607 is done
+  - macosx64-nightly/opt
--- a/taskcluster/docs/kinds.rst
+++ b/taskcluster/docs/kinds.rst
@@ -568,8 +568,12 @@ generate-profile
 Tasks that take a build configured for PGO and run the binary against a sample
 set to generate profile data. This is the 2nd stage of the full 3-step PGO
 process.
 
 geckodriver-repack
 ------------------
 Tasks to repackage the geckodriver binary from a build tasks's common
 test archive into it's own archive.
+
+geckodriver-signing
+-------------------
+Signing for geckodriver binary.
new file mode 100644
--- /dev/null
+++ b/taskcluster/taskgraph/transforms/geckodriver_signing.py
@@ -0,0 +1,108 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"""
+Transform the repackage signing task into an actual task description.
+"""
+
+from __future__ import absolute_import, print_function, unicode_literals
+
+from taskgraph.loader.single_dep import schema
+from taskgraph.transforms.base import TransformSequence
+from taskgraph.util.attributes import copy_attributes_from_dependent_job
+from taskgraph.util.scriptworker import (
+    add_scope_prefix,
+    get_signing_cert_scope_per_platform,
+    get_worker_type_for_scope,
+)
+from taskgraph.transforms.task import task_description_schema
+from voluptuous import Required, Optional
+
+repackage_signing_description_schema = schema.extend({
+    Required('depname', default='geckodriver-repackage'): basestring,
+    Optional('label'): basestring,
+    Optional('treeherder'): task_description_schema['treeherder'],
+    Optional('shipping-phase'): task_description_schema['shipping-phase'],
+})
+
+transforms = TransformSequence()
+transforms.add_validate(repackage_signing_description_schema)
+
+
+@transforms.add
+def make_repackage_signing_description(config, jobs):
+    for job in jobs:
+        dep_job = job['primary-dependency']
+        attributes = copy_attributes_from_dependent_job(dep_job)
+        attributes['repackage_type'] = 'repackage-signing'
+
+        treeherder = job.get('treeherder', {})
+        treeherder.setdefault('symbol', 'Gd(s)')
+        treeherder.setdefault('platform', dep_job.task.get('extra', {}).get('treeherder-platform'))
+        treeherder.setdefault(
+            'tier',
+            dep_job.task.get('extra', {}).get('treeherder', {}).get('tier', 1)
+        )
+        treeherder.setdefault('kind', 'build')
+
+        dependencies = {dep_job.kind: dep_job.label}
+        signing_dependencies = dep_job.dependencies
+        dependencies.update({
+            k: v for k, v in signing_dependencies.items()
+            if k != 'docker-image'
+        })
+
+        description = "Signing Geckodriver for build '{}/{}'".format(
+            attributes.get('build_platform'),
+            attributes.get('build_type'),
+        )
+
+        build_platform = dep_job.attributes.get('build_platform')
+        is_nightly = dep_job.attributes.get('nightly', dep_job.attributes.get('shippable'))
+        signing_cert_scope = get_signing_cert_scope_per_platform(
+            build_platform, is_nightly, config
+        )
+
+        upstream_artifacts = _craft_upstream_artifacts(dep_job.kind, build_platform)
+
+        scopes = [signing_cert_scope]
+        scopes += list({
+            add_scope_prefix(config, 'signing:format:{}'.format(format))
+            for artifact in upstream_artifacts
+            for format in artifact['formats']
+        })
+
+        task = {
+            'label': job['label'],
+            'description': description,
+            'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
+            'worker': {
+                'implementation': 'scriptworker-signing',
+                'upstream-artifacts': upstream_artifacts,
+            },
+            'scopes': scopes,
+            'dependencies': dependencies,
+            'attributes': attributes,
+            'run-on-projects': dep_job.attributes.get('run_on_projects'),
+            'treeherder': treeherder,
+        }
+
+        yield task
+
+
+def _craft_upstream_artifacts(dependency_kind, build_platform):
+    if build_platform.startswith('win'):
+        signing_format = 'sha2signcode'
+        extension = 'zip'
+    elif build_platform.startswith('linux'):
+        signing_format = 'gpg'
+        extension = 'tar.gz'
+    else:
+        raise ValueError('Unsupported build platform "{}"'.format(build_platform))
+
+    return [{
+        'taskId': {'task-reference': '<{}>'.format(dependency_kind)},
+        'taskType': 'repackage',
+        'paths': ['public/geckodriver.{}'.format(extension)],
+        'formats': [signing_format],
+    }]
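Review bot: The `depname` default `'geckodriver-repackage'` in `repackage_signing_description_schema` names a kind that does not exist here — the kind-dependency declared in geckodriver-signing/kind.yml is `geckodriver-repack` — and the transform never reads it, using `dep_job.kind` for both `dependencies` and `_craft_upstream_artifacts`; either drop the field or align the default with `'geckodriver-repack'` so the schema does not document a phantom dependency. In the scope set-comprehension `format` shadows the builtin and `list({...})` yields an order that can differ between runs; `for fmt in artifact['formats']` and `scopes += sorted({...})` keep the generated scopes stable and readable. `_craft_upstream_artifacts` raises `AttributeError` instead of its own `ValueError` when `build_platform` is `None`, which `dep_job.attributes.get('build_platform')` can return; an `if not build_platform:` guard before the `startswith` checks makes the failure explicit. The `'taskType': 'repackage'` value is what the signing scriptworker uses to decide how to verify the upstream task under chain of trust, so it is worth confirming it is the accepted type for a geckodriver-repack docker-worker task rather than only for the Firefox repackage kind — presumably it is, given this mirrors repackage-signing.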