Bug 1409091 - Add Mozilla mobile signing and push apk instances r=aki draft
authorJohan Lorenzo <jlorenzo@mozilla.com>
Tue, 24 Apr 2018 16:14:38 +0200
changeset 6846 4f430fb0ff4d0f1fcd1eaa69ffb982d606fcd461
parent 6842 c6d14b8861ee877097d8b958646c2ae4ed93dfa2
push id2772
push userbmo:jlorenzo@mozilla.com
push dateWed, 16 May 2018 15:57:41 +0000
reviewersaki
bugs1409091
Bug 1409091 - Add Mozilla mobile signing and push apk instances r=aki MozReview-Commit-ID: 5PsUFttEpiM
manifests/moco-nodes.pp
modules/pushapk_scriptworker/files/focus.pem
modules/pushapk_scriptworker/files/requirements.txt
modules/pushapk_scriptworker/manifests/init.pp
modules/pushapk_scriptworker/manifests/jarsigner_init.pp
modules/pushapk_scriptworker/manifests/settings.pp
modules/signing_scriptworker/files/requirements.txt
modules/signing_scriptworker/manifests/settings.pp
modules/signing_scriptworker/templates/passwords-mobile.json.erb
modules/signingserver/manifests/instance.pp
modules/signingserver/templates/signing.ini.erb
modules/signingserver/templates/signscript.ini.erb
modules/toplevel/manifests/server/signing.pp
--- a/manifests/moco-nodes.pp
+++ b/manifests/moco-nodes.pp
@@ -921,16 +921,26 @@ node /^tb-signing-\d*\.srv\.releng\..*\.
 node /^tb-depsigning-worker.*\.srv\.releng\..*\.mozilla\.com$/ {
     $aspects                  = [ 'maximum-security' ]
     $signing_scriptworker_env = 'comm-thunderbird-dep'
     $timezone                 = 'UTC'
     $only_user_ssh            = true
     include toplevel::server::signingscriptworker
 }
 
+# https://github.com/mozilla-mobile workers. The "e" in mobile was stripped out
+# in order to leave up to 100 workers instead of 10.
+node /^mobil-signing-linux-\d*\.srv\.releng\..*\.mozilla\.com$/ {
+    $aspects                  = [ 'maximum-security' ]
+    $signing_scriptworker_env = 'mobile-prod'
+    $timezone                 = 'UTC'
+    $only_user_ssh            = true
+    include toplevel::server::signingscriptworker
+}
+
 # Addon scriptworkers
 node /^addonworker-\d*\.srv\.releng\..*\.mozilla\.com$/ {
     $aspects          = [ 'maximum-security' ]
     $addon_scriptworker_env = 'prod'
     $timezone         = 'UTC'
     $only_user_ssh    = true
     include toplevel::server::addonscriptworker
 }
@@ -1040,16 +1050,26 @@ node /^dep-pushapkworker-.*\.srv\.releng
 node /^pushapkworker-.*\.srv\.releng\..*\.mozilla\.com$/ {
     $aspects                  = [ 'maximum-security' ]
     $pushapk_scriptworker_env = 'prod'
     $timezone                 = 'UTC'
     $only_user_ssh            = true
     include toplevel::server::pushapkscriptworker
 }
 
+# https://github.com/mozilla-mobile workers. The "e" in mobile was stripped out
+# in order to leave up to 100 workers instead of 10.
+node /^mobil-pushapkworker-\d*\.srv\.releng\..*\.mozilla\.com$/ {
+    $aspects                  = [ 'maximum-security' ]
+    $pushapk_scriptworker_env = 'mobile-prod'
+    $timezone                 = 'UTC'
+    $only_user_ssh            = true
+    include toplevel::server::pushapkscriptworker
+}
+
 # PushSnap scriptworkers
 node /^dep-pushsnapworker-.*\.srv\.releng\..*\.mozilla\.com$/ {
     $aspects                  = [ 'maximum-security' ]
     $pushsnap_scriptworker_env = 'dep'
     $timezone                 = 'UTC'
     $only_user_ssh            = true
     include toplevel::server::pushsnapscriptworker
 }
new file mode 100644
--- /dev/null
+++ b/modules/pushapk_scriptworker/files/focus.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpjCCAo6gAwIBAgIEWTpt0zANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcx
+HDAaBgNVBAoTE01vemlsbGEgQ29ycG9yYXRpb24xHDAaBgNVBAsTE1JlbGVhc2Ug
+RW5naW5lZXJpbmcxHDAaBgNVBAMTE1JlbGVhc2UgRW5naW5lZXJpbmcwHhcNMTcw
+NjA5MDk0MzQ3WhcNNDQxMDI1MDk0MzQ3WjCBlDELMAkGA1UEBhMCVVMxEzARBgNV
+BAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHDAaBgNVBAoT
+E01vemlsbGEgQ29ycG9yYXRpb24xHDAaBgNVBAsTE1JlbGVhc2UgRW5naW5lZXJp
+bmcxHDAaBgNVBAMTE1JlbGVhc2UgRW5naW5lZXJpbmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCxa1amhSf93ooT/RMVgvN/96v6RbwDH5+p1PwqrJg9
+A95oyIkL3ihPpec6zOy6Z4bwds9m8PcJVRXYYzvMgX5vrh4TstX5tzVRCBp2saqh
+19lN1E2tgZNUx2VypMyQwr0GdhZTBXiGbOFNLfNWpgxVnI/H7eKnLm+QxPX04Ixm
+oDpaJ20zdgErkuFB/sGDIMK3R5drW4RHmQGerPMvRBz3WJ44vE6QhiBevoibIxWn
+X2SorsFHYa5R9yu5GmusZjok6WgB9AkNOk2DQh87tJfz0TQzyytNaQ1Sc34dHYjv
+/TJrV8w0l3Mn5NhBNV37pfHKZi6Yg7orM912SUPojZJxAgMBAAEwDQYJKoZIhvcN
+AQELBQADggEBAGmtBmN47bKyJHEjlwRWauKLKFtAV17hcD0aoBmMEw72KDQRSW0+
+FPelIygIdgG4L42RIqLVMBzZDq0y2XkaBMOQ8PYb1DnSr5DR+jvfeUkL+hEzSRQh
+A4clH6ZQhqHisWdDB6m9bOkVtV08U8734eITy7Qs1+uy12tyhuR6ltrhpxPM0GB7
+vD4CthxTNYKjcH+noKC6VpB8imC2vkYkBNFKlwPc/11k+PM5eBjQpqhfE536JaC8
+ueJwAMW6vTzHk/6h47DBzT0e9Dsf4ns9v6CUSccEKZKC3Ax+9tgKVeR0yIi78JE6
+TgP6E/XHTPV50c8a8wyV59yHeBIZfwq6Gxc=
+-----END CERTIFICATE-----
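Review bot: Nothing in the commit records how focus.pem is to be verified, although jarsigner_init.pp installs it as focus.cer and imports it into the jarsigner keystore under the `focus` alias. Reading the base64 it appears to be a self-signed Mozilla Corporation / Release Engineering certificate valid from 2017-06-09 to 2044-10-25, which should be confirmed with `openssl x509 -in focus.pem -noout -subject -issuer -dates -fingerprint -sha256`. I would record the expected fingerprint next to the `file { $focus: source => 'puppet:///modules/pushapk_scriptworker/focus.pem'; }` resource in jarsigner_init.pp, e.g. `# focus.pem SHA-256 fingerprint: <FINGERPRINT_PLACEHOLDER> (re-check after any rotation)`, so a substituted certificate is noticed at review time rather than after a bad APK signature.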
--- a/modules/pushapk_scriptworker/files/requirements.txt
+++ b/modules/pushapk_scriptworker/files/requirements.txt
@@ -29,17 +29,17 @@ ipython==6.4.0
 ipython_genutils==0.2.0
 jedi==0.12.0
 json-e==2.5.0
 jsonschema==2.6.0
 kiwisolver==1.0.1
 lxml==4.2.1
 matplotlib==2.2.2
 mohawk==0.3.4
-mozapkpublisher==0.7.1
+mozapkpublisher==0.7.2
 multidict==4.3.1
 networkx==2.1
 numpy==1.14.3
 oauth2client==4.1.2
 parso==0.2.0
 pexpect==4.5.0
 pickleshare==0.7.4
 prompt_toolkit==1.0.15
@@ -49,20 +49,20 @@ pyasn1==0.4.2
 pyasn1-modules==0.2.1
 pycparser==2.18
 pyparsing==2.2.0
 python-dateutil==2.7.3
 python-gnupg==0.4.2
 pytz==2018.4
 requests==2.18.4
 rsa==3.4.2
-scriptworker==11.0.0
+scriptworker==11.1.0
 simplegeneric==0.8.1
 slugid==1.0.7
 taskcluster==3.0.1
 traitlets==4.3.2
 uritemplate==3.0.0
 urllib3==1.22
 virtualenv==15.2.0
 voluptuous==0.11.1
 wcwidth==0.1.7
 yarl==1.2.4
-pushapkscript==0.6.0
+pushapkscript==0.7.0
--- a/modules/pushapk_scriptworker/manifests/init.pp
+++ b/modules/pushapk_scriptworker/manifests/init.pp
@@ -46,16 +46,17 @@ class pushapk_scriptworker {
             group                    => $pushapk_scriptworker::settings::group,
 
             taskcluster_client_id    => $pushapk_scriptworker::settings::taskcluster_client_id,
             taskcluster_access_token => $pushapk_scriptworker::settings::taskcluster_access_token,
             worker_group             => $pushapk_scriptworker::settings::worker_group,
             worker_type              => $pushapk_scriptworker::settings::worker_type,
 
             cot_job_type             => 'pushapk',
+            cot_product              => $pushapk_scriptworker::settings::cot_product,
 
             sign_chain_of_trust      => $pushapk_scriptworker::settings::sign_chain_of_trust,
             verify_chain_of_trust    => $pushapk_scriptworker::settings::verify_chain_of_trust,
             verify_cot_signature     => $pushapk_scriptworker::settings::verify_cot_signature,
 
             verbose_logging          => $pushapk_scriptworker::settings::verbose_logging,
     }
 
@@ -87,13 +88,19 @@ class pushapk_scriptworker {
                 $google_play_config['aurora']['certificate_target_location']:
                     content     => $google_play_config['aurora']['certificate'];
                 $google_play_config['beta']['certificate_target_location']:
                     content     => $google_play_config['beta']['certificate'];
                 $google_play_config['release']['certificate_target_location']:
                     content     => $google_play_config['release']['certificate'];
             }
         }
+        'mobile-prod': {
+            file {
+                $google_play_config['focus']['certificate_target_location']:
+                    content     => $google_play_config['focus']['certificate'];
+            }
+        }
         default: {
             fail("Invalid pushapk_scriptworker_env given: ${pushapk_scriptworker_env}")
         }
     }
 }
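Review bot: The `file` resource in the new `'mobile-prod'` branch writes the Google Play service-account .p12 (a PKCS#12 bundle, which normally carries the private key) with only `content` set, mirroring the `dep`/`prod` branches above it. Unless a `File` resource default outside this hunk already fixes ownership and mode, the file inherits Puppet's defaults and is readable by more than the scriptworker user. If no such default exists I would add `mode => '0400'` together with `group => $pushapk_scriptworker::settings::group` (the group setting is visible in the first hunk) and the owner the worker runs as, for this branch and the existing ones alike. The `case` statement holding these branches opens outside the hunk.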
--- a/modules/pushapk_scriptworker/manifests/jarsigner_init.pp
+++ b/modules/pushapk_scriptworker/manifests/jarsigner_init.pp
@@ -46,13 +46,25 @@ class pushapk_scriptworker::jarsigner_in
             java_ks {
                 'nightly':
                     certificate  => $nightly;
 
                 'release':
                     certificate  => $release;
             }
         }
+        'mobile-prod': {
+            $focus = $pushapk_scriptworker::settings::jarsigner_all_certificates['focus']
+            file {
+                $focus:
+                    source => 'puppet:///modules/pushapk_scriptworker/focus.pem';
+            }
+
+            java_ks {
+                'focus':
+                    certificate  => $focus;
+            }
+        }
         default: {
             fail("Invalid pushapk_scriptworker_env given: ${pushapk_scriptworker_env}")
         }
     }
 }
--- a/modules/pushapk_scriptworker/manifests/settings.pp
+++ b/modules/pushapk_scriptworker/manifests/settings.pp
@@ -12,27 +12,44 @@ class pushapk_scriptworker::settings {
 
     $_env_configs                        = {
       'dep'  => {
         worker_group             => 'dep-pushapk',
         worker_type              => 'dep-pushapk',
         verbose_logging          => true,
         taskcluster_client_id    => secret('pushapk_scriptworker_taskcluster_client_id_dep'),
         taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_dep'),
+        scope_prefix             => 'project:releng:googleplay:',
+        cot_product              => 'firefox',
 
         sign_chain_of_trust      => false,
         verify_chain_of_trust    => true,
         verify_cot_signature     => false,
       },
       'prod' => {
         worker_group             => 'pushapk-v1',
         worker_type              => 'pushapk-v1',
         verbose_logging          => true,
         taskcluster_client_id    => secret('pushapk_scriptworker_taskcluster_client_id_prod'),
         taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_prod'),
+        scope_prefix             => 'project:releng:googleplay:',
+        cot_product              => 'firefox',
+
+        sign_chain_of_trust      => true,
+        verify_chain_of_trust    => true,
+        verify_cot_signature     => true,
+      },
+      'mobile-prod' => {
+        worker_group             => 'mobile-pushapk-v1',
+        worker_type              => 'mobile-pushapk-v1',
+        verbose_logging          => true,
+        taskcluster_client_id    => 'project/mobile/focus/releng/scriptworker/pushapk/production',
+        taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_mobile'),
+        scope_prefix             => 'project:mobile:focus:releng:googleplay:product:',
+        cot_product              => 'mobile',
 
         sign_chain_of_trust      => true,
         verify_chain_of_trust    => true,
         verify_cot_signature     => true,
       },
     }
 
     $_env_config                         = $_env_configs[$pushapk_scriptworker_env]
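Review bot: `taskcluster_client_id => 'project/mobile/focus/releng/scriptworker/pushapk/production'` in the new `'mobile-prod'` entry is a literal while `'dep'` and `'prod'` fetch theirs through `secret()`; a client id is not sensitive so the literal is fine, but the difference reads as accidental and deserves a comment such as `# client id is public; only the access token is a secret`. The access-token secret is named `pushapk_scriptworker_taskcluster_access_token_mobile` here but the signing module's counterpart in this same commit (L378) is `mobile_focus_signing_scriptworker_taskcluster_access_token`; one naming scheme across modules, e.g. `pushapk_scriptworker_taskcluster_access_token_mobile_focus`, would make the hiera secrets easier to audit. `cot_product => 'mobile'` presumably relies on the scriptworker 11.1.0 pin from the same commit recognising that product; worth confirming. The `$_env_configs` hash is closed here but the class continues outside the hunk.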
@@ -46,16 +63,17 @@ class pushapk_scriptworker::settings {
     $taskcluster_client_id               = $_env_config['taskcluster_client_id']
     $taskcluster_access_token            = $_env_config['taskcluster_access_token']
     $worker_group                        = $_env_config['worker_group']
     $worker_type                         = $_env_config['worker_type']
 
     $sign_chain_of_trust                 = $_env_config['sign_chain_of_trust']
     $verify_chain_of_trust               = $_env_config['verify_chain_of_trust']
     $verify_cot_signature                = $_env_config['verify_cot_signature']
+    $cot_product                         = $_env_config['cot_product']
 
     $_google_play_all_accounts           = hiera_hash('pushapk_scriptworker_google_play_accounts')
     $_google_play_accounts               = $_google_play_all_accounts[$fqdn]
 
     # TODO: Replace this cumbersome logic by an `each` loop once we switch to Puppet 4
     case $pushapk_scriptworker_env {
         'dep': {
             $google_play_config = {
@@ -108,35 +126,56 @@ class pushapk_scriptworker::settings {
               },
             }
             $jarsigner_certificate_aliases_content = {
               'aurora'  => 'nightly',
               'beta'    => 'release',
               'release' => 'release',
             }
         }
+        'mobile-prod': {
+            $google_play_config = {
+                'focus'  => {
+                    service_account             => $_google_play_accounts['focus']['service_account'],
+                    certificate                 => $_google_play_accounts['focus']['certificate'],
+                    certificate_target_location => "${root}/focus.p12",
+                },
+            }
+            $google_play_accounts_config_content = {
+                'focus' => {
+                  'service_account' => $google_play_config['focus']['service_account'],
+                  'certificate' => $google_play_config['focus']['certificate_target_location'],
+                }
+            }
+            $jarsigner_certificate_aliases_content = {
+                'focus' => 'focus',
+            }
+        }
         default: {
             fail("Invalid pushapk_scriptworker_env given: ${pushapk_scriptworker_env}")
         }
     }
 
     $jarsigner_keystore                  = "${root}/mozilla-android-keystore"
     $jarsigner_keystore_password         = secret('pushapk_scriptworker_jarsigner_keystore_password')
 
     $jarsigner_all_certificates = {
         'nightly' => "${root}/nightly.cer",
         'release' => "${root}/release.cer",
         'dep'     => "${root}/dep.cer",
+        'focus'   => "${root}/focus.cer",
     }
 
     $verbose_logging                     = $_env_config['verbose_logging']
 
     $script_config                       = "${root}/script_config.json"
     $script_config_content = {
         'work_dir'   => $work_dir,
         'schema_file'=> $schema_file,
         'verbose'    => $verbose_logging,
 
         'google_play_accounts' => $google_play_accounts_config_content,
         'jarsigner_key_store' => $jarsigner_keystore,
         'jarsigner_certificate_aliases' => $jarsigner_certificate_aliases_content,
+
+        'taskcluster_scope_prefix' => $_env_config['scope_prefix'],
     }
 }
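Review bot: The nested hashes in the new `'mobile-prod'` branch mix indentation widths: `$google_play_config` and `$jarsigner_certificate_aliases_content` step by four spaces while the inner `'focus'` hash of `$google_play_accounts_config_content` (the `'service_account'` and `'certificate'` keys) steps by two and does not align its fat arrows, unlike the `'prod'` branch's `$jarsigner_certificate_aliases_content` visible just above. Pick one width for the branch and align `=>` as the surrounding file does. The `case` statement holding this branch opens outside the hunk.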
--- a/modules/signing_scriptworker/files/requirements.txt
+++ b/modules/signing_scriptworker/files/requirements.txt
@@ -21,17 +21,18 @@ multidict==4.3.1
 pexpect==4.5.0
 ptyprocess==0.5.2
 pyasn1==0.4.2
 python-dateutil==2.7.3
 python-gnupg==0.4.2
 python-jose==3.0.0
 requests==2.18.4
 rsa==3.4.2
-scriptworker==11.0.0
+scriptworker==11.1.0
+signingscript==6.1.0
 signtool==3.2.0
 simplejson==3.14.0
 six==1.11.0
 slugid==1.0.7
 taskcluster==3.0.1
 urllib3==1.22
 virtualenv==15.2.0
 yarl==1.2.4
--- a/modules/signing_scriptworker/manifests/settings.pp
+++ b/modules/signing_scriptworker/manifests/settings.pp
@@ -78,10 +78,24 @@ class signing_scriptworker::settings {
             scope_prefix             => 'project:comm:thunderbird:releng:signing:',
             sign_chain_of_trust      => true,
             verify_chain_of_trust    => true,
             verify_cot_signature     => true,
             cot_product              => 'thunderbird',
             datadog_api_key          => secret('scriptworker_datadog_api_key'),
             gpg_keyfile              => 'KEY_prod',
         },
+        'mobile-prod' => {
+            worker_type              => 'mobile-signing-v1',
+            worker_group             => 'mobile-signing-v1',
+            taskcluster_client_id    => 'project/mobile/focus/releng/scriptworker/signing/production',
+            taskcluster_access_token => secret('mobile_focus_signing_scriptworker_taskcluster_access_token'),
+            passwords_template       => 'passwords-mobile.json.erb',
+            scope_prefix             => 'project:mobile:focus:releng:signing:',
+            sign_chain_of_trust      => true,
+            verify_chain_of_trust    => true,
+            verify_cot_signature     => true,
+            cot_product              => 'mobile',
+            datadog_api_key          => secret('scriptworker_datadog_api_key'),
+            gpg_keyfile              => 'KEY_dep',
+        },
     }
 }
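Review bot: `gpg_keyfile => 'KEY_dep'` in the new `'mobile-prod'` entry pairs a dep GPG key with `sign_chain_of_trust => true`, production worker type and production scopes, while the thunderbird prod entry directly above uses `'KEY_prod'`. If chain-of-trust signatures from mobile production workers are expected to verify against the production key set this is a defect; if a dedicated mobile key is simply not provisioned yet, that should be stated in place, e.g. `# TODO: dep key until a mobile production CoT key exists (bug <BUG_PLACEHOLDER>)`, so the next reader does not assume it is deliberate. The hash this entry belongs to opens outside the hunk.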
new file mode 100644
--- /dev/null
+++ b/modules/signing_scriptworker/templates/passwords-mobile.json.erb
@@ -0,0 +1,7 @@
+{
+    "<%= @env_config['scope_prefix'] %>cert:release-signing": [
+        ["signing4.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["focus-jar"]],
+        ["signing5.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["focus-jar"]],
+        ["signing6.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["focus-jar"]]
+    ]
+}
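Review bot: The template authenticates the mobile worker to signing4–6 with `signing_server_username` / `signing_server_release_password`, the same pair that the release key server accepts as `new_token_auth` in toplevel/manifests/server/signing.pp (L506). The `["focus-jar"]` list therefore only limits what signingscript asks for; unless the signing server restricts formats per credential (nothing visible here suggests it does), a token obtained with this password is good for every format that server serves. If per-credential restriction is available, a dedicated mobile username/password limited to focus-jar would give the least-privilege split that the separate worker type implies; if it is not, an ERB comment at the top of the file, `<%# mobile workers reuse the release signing credential; format list is advisory only %>`, at least documents the trust boundary as it stands.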
--- a/modules/signingserver/manifests/instance.pp
+++ b/modules/signingserver/manifests/instance.pp
@@ -5,16 +5,17 @@
 define signingserver::instance(
         $listenaddr, $port, $code_tag,
         $token_secret, $token_secret0,
         $new_token_auth, $new_token_auth0,
         $mar_key_name, $mar_sha384_key_name,
         $jar_key_name, $jar_digestalg, $jar_sigalg,
         $formats, $mac_cert_subject_ou,
         $ssl_cert, $ssl_private_key,
+        $focus_jar_key_name = '', $focus_jar_digestalg = '', $focus_jar_sigalg = '',
         $signcode_timestamp = 'yes',
         $concurrency        = 4,
         $signcode_maxsize   = 157286400) {
     include config
     include signingserver::base
     include users::signer
 
     # verify non-empty secrets first
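Review bot: The three new parameters default to `''` and are never validated, while the comment right after the signature (`# verify non-empty secrets first`) shows the define checks its other inputs; on an instance whose `$formats` includes `'focus-jar'`, an empty `focus_jar_key_name` would reach signscript.ini as `focus_jar_keyname =` and only fail at signing time. I would add, next to the existing checks, `if ('focus-jar' in $formats) and ($focus_jar_key_name == '' or $focus_jar_digestalg == '' or $focus_jar_sigalg == '') { fail('focus-jar format requires focus_jar_key_name, focus_jar_digestalg and focus_jar_sigalg') }`. The define's body continues past the hunk.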
@@ -38,16 +39,17 @@ define signingserver::instance(
 
     $secrets_dir           = "${basedir}/secrets"
     $signcode_keydir       = "${secrets_dir}/signcode"
     $sha2signcode_keydir   = "${secrets_dir}/sha2signcode"
     $gpg_homedir           = "${secrets_dir}/gpg"
     $mar_keydir            = "${secrets_dir}/mar"
     $mar_sha384_keydir     = "${secrets_dir}/mar-sha384"
     $jar_keystore          = "${secrets_dir}/jar"
+    $focus_jar_keystore    = "${secrets_dir}/focus-jar"
     $server_certdir        = "${secrets_dir}/server"
     $emevoucher_key        = "${secrets_dir}/emevouch.pem"
     $emevoucher_chain      = "${secrets_dir}/emechain.pem"
 
     $dmg_keydir            = "${secrets_dir}/dmg"
     $dmg_keychain          = "${dmg_keydir}/signing.keychain"
     $full_private_ssl_cert = "${server_certdir}/signing.server.key"
     $full_public_ssl_cert  = "${server_certdir}/signing.server.cert"
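Review bot: `$focus_jar_keystore = "${secrets_dir}/focus-jar"` only declares a path; no hunk in this commit adds a resource that populates it, and the `jar_keystore` sibling is presumably provisioned further down in this define, outside the hunk. Unless the keystore arrives by some other mechanism, signscript.ini will point at a file that does not exist on a freshly built host, and the failure surfaces only when a focus-jar request is served. Whichever resource installs `${secrets_dir}/jar` needs a focus-jar counterpart with the same ownership and restrictive mode, and a one-line comment beside this assignment naming where the keystore comes from would help the next reader.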
--- a/modules/signingserver/templates/signing.ini.erb
+++ b/modules/signingserver/templates/signing.ini.erb
@@ -58,11 +58,12 @@ testfile_mar_sha384 = <%=@testfile_mar_s
 testfile_gpg = <%=@testfile_gpg%>
 testfile_signcode = <%=@testfile_signcode%>
 testfile_osslsigncode = <%=@testfile_osslsigncode%>
 testfile_sha2signcode = <%=@testfile_osslsigncode%>
 testfile_sha2signcodestub = <%=@testfile_osslsigncode%>
 testfile_emevoucher = <%=@testfile_emevoucher%>
 testfile_dmg = <%=@testfile_dmg%>
 testfile_jar = <%=@testfile_jar%>
+testfile_focus-jar = <%=@testfile_jar%>
 testfile_widevine = <%=@testfile_widevine%>
 testfile_widevine_blessed = <%=@testfile_widevine_blessed%>
 formats = <%=@formats.join(",")%>
--- a/modules/signingserver/templates/signscript.ini.erb
+++ b/modules/signingserver/templates/signscript.ini.erb
@@ -11,13 +11,17 @@ mar_sha384_cmd = <%=@mar_sha384_cmd%>
 dmg_keychain = <%=@dmg_keychain%>
 mac_id = <%= @mac_id %>
 mac_cert_subject_ou = <%=@mac_cert_subject_ou%>
 signcode_timestamp = <%=@signcode_timestamp%>
 jar_keystore = <%=@jar_keystore%>
 jar_keyname = <%=@jar_key_name%>
 jar_digestalg = <%=@jar_digestalg%>
 jar_sigalg = <%=@jar_sigalg%>
+focus_jar_keystore = <%=@focus_jar_keystore%>
+focus_jar_keyname = <%=@focus_jar_key_name%>
+focus_jar_digestalg = <%=@focus_jar_digestalg%>
+focus_jar_sigalg = <%=@focus_jar_sigalg%>
 emevoucher_key = <%=@emevoucher_key%>
 emevoucher_chain = <%=@emevoucher_chain%>
 widevine_key = <%=@widevine_key%>
 widevine_cert = <%=@widevine_cert%>
 widevine_cmd = <%=@widevine_cmd%>
--- a/modules/toplevel/manifests/server/signing.pp
+++ b/modules/toplevel/manifests/server/signing.pp
@@ -80,16 +80,27 @@ class toplevel::server::signing inherits
                     signcode_timestamp  => 'no',
                     ssl_cert            => $signing_server_ssl_cert,
                     ssl_private_key     => $signing_server_ssl_private_key,
                     concurrency         => $concurrency,
                     # We need to allow very large files to be signed for code
                     # coverage builds
                     signcode_maxsize    => 786432000;
             }
+
+            $release_signing_formats = $::operatingsystem ? {
+                Darwin => $signing_formats,
+                # Linux release signing servers can handle focus signing.
+                # XXX Sadly in puppet, there is no way to append to an existing array defined in the same scope.
+                # That's why the array is duplicated with the added formats on the second line.
+                CentOS => [
+                    'gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher', 'widevine', 'widevine_blessed',
+                    'focus-jar',
+                ],
+            }
             signingserver::instance {
                 'rel-key-signing-server':
                     listenaddr          => '0.0.0.0',
                     port                => '9120',
                     code_tag            => 'SIGNING_SERVER',
                     # The OU on the Developer ID certificates is set to a random-ish string
                     # that is consistent for all certs from the same account.
                     mac_cert_subject_ou => '43AQ936H96',
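Review bot: The `CentOS =>` arm of `$release_signing_formats` re-lists every entry of `$signing_formats` by hand, so the two will silently diverge the next time a format is added to one and not the other; the XXX comment is right that in-place append is impossible, but a new variable can still be derived from the old one. If puppetlabs-stdlib is available in this repo, `CentOS => concat($signing_formats, ['focus-jar']),` replaces the eleven-item literal and the two explanatory comment lines. The selector has no `default` arm, so any other `$::operatingsystem` fails at catalog compile time — acceptable if `$signing_formats` (defined outside the hunk) is built the same way, but worth a short comment either way.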
@@ -97,17 +108,20 @@ class toplevel::server::signing inherits
                     token_secret0       => secret('moco_signing_server_old_token_secret'),
                     new_token_auth      => "${signing_server_username}:${signing_server_release_password}",
                     new_token_auth0     => "${signing_server_username}:${moco_signing_server_repack_password}",
                     mar_key_name        => 'rel1',
                     mar_sha384_key_name => 'rel1',
                     jar_key_name        => 'release',
                     jar_digestalg       => 'SHA1',
                     jar_sigalg          => 'SHA1withRSA',
-                    formats             => $signing_formats,
+                    focus_jar_key_name  => 'focus',
+                    focus_jar_digestalg => 'SHA-256',
+                    focus_jar_sigalg    => 'SHA256withRSA',
+                    formats             => $release_signing_formats,
                     ssl_cert            => $signing_server_ssl_cert,
                     ssl_private_key     => $signing_server_ssl_private_key,
                     concurrency         => $concurrency;
             }
         }
         relabs: {
             $signing_formats = $::operatingsystem ? {
                 Darwin => ['gpg', 'dmg', 'mar'],