Bug 1520591: switch gpg signing to autograph r=aki
☠☠ backed out by 111e20704621 ☠ ☠
authorChris AtLee <catlee@mozilla.com>
Tue, 14 May 2019 21:36:08 +0000
changeset 532693 632f66ae2b3993eb80d0692a0b029221a7a3e69b
parent 532692 b820404d54be6c82689fa631174960551d3347ef
child 532694 8a76118beb7bfd13c4d8e01514f7905c62285a1b
push id11270
push userrgurzau@mozilla.com
push dateWed, 15 May 2019 15:07:19 +0000
reviewersaki
bugs1520591
milestone68.0a1
Bug 1520591: switch gpg signing to autograph r=aki Differential Revision: https://phabricator.services.mozilla.com/D31135
taskcluster/docs/signing.rst
taskcluster/taskgraph/transforms/checksums_signing.py
taskcluster/taskgraph/transforms/geckodriver_signing.py
taskcluster/taskgraph/transforms/openh264_signing.py
taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
taskcluster/taskgraph/transforms/repackage_signing_partner.py
taskcluster/taskgraph/transforms/source_checksums_signing.py
taskcluster/taskgraph/util/signed_artifacts.py
--- a/taskcluster/docs/signing.rst
+++ b/taskcluster/docs/signing.rst
@@ -28,30 +28,30 @@ An example signing task payload:
     "payload": {
       "upstreamArtifacts": [{
         "paths": ["public/build/target.dmg"],
         "formats": ["macapp"],
         "taskId": "abcde",
         "taskType": "build"
       }, {
         "paths": ["public/build/target.tar.gz"],
-        "formats": ["gpg"],
+        "formats": ["autograph_gpg"],
         "taskId": "12345",
         "taskType": "build"
       }]
     }
   }
 
 In the above example, scriptworker would download the ``target.dmg`` from task
 ``abcde`` and ``target.tar.gz`` from task ``12345`` and verify their shas and
 task definitions via `chain of trust`_ verification. Then it will launch
 `signingscript`_, which requests a signing token from the signing server pool.
 
 Signingscript determines it wants to sign ``target.dmg`` with the ``macapp``
-format, and ``target.tar.gz`` with the ``gpg`` format. Each of the
+format, and ``target.tar.gz`` with the ``autograph_gpg`` format. Each of the
 `signing formats`_ has their own behavior. After performing any format-specific
 checks or optimizations, it calls `signtool`_ to submit the file to the signing
 servers and poll them for signed output. Once it downloads all of the signed
 output files, it exits and scriptworker uploads the signed binaries.
 
 We can specify multiple paths from a single task for a given set of formats,
 and multiple formats for a given set of paths.
 
@@ -85,23 +85,18 @@ in `60.0`_. To generate these, we have t
 .. _signing formats:
 
 Signing formats
 ---------------
 
 The known signingscript formats are listed in the fourth column of the
 `signing password files`_.
 
-The formats are specified in the ``upstreamArtifacts`` list-of-dicts. The task
-must have a superset of scopes to match. For example, a Firefox signing task
-with an ``upstreamArtifacts`` that lists both ``gpg`` and ``macapp`` formats must
-have both ``project:releng:signing:format:gpg`` and
-``project:releng:signing:format:macapp`` in its scopes.
-
-``gpg`` signing results in a detached ``.asc`` signature file. Because of its
+The formats are specified in the ``upstreamArtifacts`` list-of-dicts.
+``autograph_gpg`` signing results in a detached ``.asc`` signature file. Because of its
 nature, we gpg-sign at the end if given multiple formats for a given set of
 files.
 
 ``jar`` signing is Android apk signing. After signing, we ``zipalign`` the apk.
 This includes the ``focus-jar`` format, which is just a way to specify a different
 set of keys for the Focus app.
 
 ``macapp`` signing accepts either a ``dmg`` or ``tar.gz``; it converts ``dmg``
--- a/taskcluster/taskgraph/transforms/checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/checksums_signing.py
@@ -70,30 +70,29 @@ def make_checksums_signing_description(c
             attributes['locale'] = dep_job.attributes.get('locale')
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<beetmover>"},
             "taskType": "beetmover",
             "paths": [
                 "public/target.checksums",
             ],
-            "formats": ["gpg"]
+            "formats": ["autograph_gpg"]
         }]
 
         signing_cert_scope = get_signing_cert_scope(config)
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
                        'max-run-time': 3600},
             'scopes': [
                 signing_cert_scope,
-                add_scope_prefix(config, 'signing:format:gpg'),
             ],
             'dependencies': dependencies,
             'attributes': attributes,
             'run-on-projects': dep_job.attributes.get('run_on_projects'),
             'treeherder': treeherder,
         }
 
         yield task
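Review bot: With the `signing:format:gpg` entry removed from `'scopes'`, nothing in this hunk calls `add_scope_prefix` any more, so if the module imports it only for that line the import is now unused and a lint job would likely flag it; the import block is outside the hunk and needs checking. The same applies to the matching hunks in release_generate_checksums_signing.py and source_checksums_signing.py. A short comment where the scope used to be, such as `# autograph_gpg needs no signing:format scope; access is gated by signing_cert_scope`, would also help, assuming that is the intended authorization model. Without it a reader may take the missing per-format scope for an oversight.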
--- a/taskcluster/taskgraph/transforms/geckodriver_signing.py
+++ b/taskcluster/taskgraph/transforms/geckodriver_signing.py
@@ -90,17 +90,17 @@ def make_repackage_signing_description(c
         yield task
 
 
 def _craft_upstream_artifacts(dependency_kind, build_platform):
     if build_platform.startswith('win'):
         signing_format = 'sha2signcode'
         extension = 'zip'
     elif build_platform.startswith('linux'):
-        signing_format = 'gpg'
+        signing_format = 'autograph_gpg'
         extension = 'tar.gz'
     else:
         raise ValueError('Unsupported build platform "{}"'.format(build_platform))
 
     return [{
         'taskId': {'task-reference': '<{}>'.format(dependency_kind)},
         'taskType': 'repackage',
         'paths': ['public/geckodriver.{}'.format(extension)],
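Review bot: The renamed `signing_format` is handed to code outside this hunk, and unlike the other transforms in this commit this file only renames the format without touching scopes. If the caller derives a `signing:format:` scope from the returned format, the task would now request a scope for `autograph_gpg` that the rest of the change treats as unnecessary. It is worth confirming which behaviour is intended so the requested scope set stays minimal and consistent across the signing transforms. `_craft_upstream_artifacts` continues past the end of the hunk.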
--- a/taskcluster/taskgraph/transforms/openh264_signing.py
+++ b/taskcluster/taskgraph/transforms/openh264_signing.py
@@ -59,18 +59,17 @@ def make_signing_description(config, job
 
         scopes = [signing_cert_scope]
 
         if 'win' in build_platform:
             # job['primary-dependency'].task['payload']['command']
             scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
             formats = ['sha2signcode']
         else:
-            scopes.append(add_scope_prefix(config, 'signing:format:gpg'))
-            formats = ['gpg']
+            formats = ['autograph_gpg']
 
         rev = attributes['openh264_rev']
         upstream_artifacts = [{
             "taskId": {"task-reference": "<openh264>"},
             "taskType": "build",
             "paths": [
                 "private/openh264/openh264-{}-{}.zip".format(build_platform, rev),
             ],
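Review bot: The two branches now differ in kind: the `win` branch still appends a `signing:format:sha2signcode` scope, while the `else` branch sets `formats = ['autograph_gpg']` and requests no format scope at all. Nothing in the code says this asymmetry is deliberate, so a later edit could "fix" it in either direction. I would add a comment in the `else` branch, for example `# autograph_gpg is authorized by signing_cert_scope alone; no per-format scope is requested`, to be confirmed against how the signing worker checks scopes. The `upstream_artifacts` literal continues beyond the hunk.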
--- a/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
@@ -56,31 +56,30 @@ def make_release_generate_checksums_sign
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<{}>".format(str(dep_job.kind))},
             "taskType": "build",
             "paths": [
                 get_artifact_path(dep_job, "SHA256SUMS"),
                 get_artifact_path(dep_job, "SHA512SUMS"),
             ],
-            "formats": ["gpg"]
+            "formats": ["autograph_gpg"]
         }]
 
         signing_cert_scope = get_signing_cert_scope(config)
 
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
                        'max-run-time': 3600},
             'scopes': [
                 signing_cert_scope,
-                add_scope_prefix(config, 'signing:format:gpg'),
             ],
             'dependencies': dependencies,
             'attributes': attributes,
             'run-on-projects': dep_job.attributes.get('run_on_projects'),
             'treeherder': treeherder,
         }
 
         yield task
--- a/taskcluster/taskgraph/transforms/repackage_signing_partner.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing_partner.py
@@ -67,45 +67,45 @@ def make_repackage_signing_description(c
             dependencies = {"repackage": dep_job.label}
 
         attributes = copy_attributes_from_dependent_job(dep_job)
         attributes['repackage_type'] = 'repackage-signing'
 
         signing_cert_scope = get_signing_cert_scope_per_platform(
             build_platform, is_nightly, config
         )
-        scopes = [signing_cert_scope, add_scope_prefix(config, 'signing:format:gpg')]
+        scopes = [signing_cert_scope]
 
         if 'win' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
                 ],
-                "formats": ["sha2signcode", "gpg"]
+                "formats": ["sha2signcode", "autograph_gpg"]
             }]
             scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
         elif 'mac' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.dmg".format(repack_id)),
                 ],
-                "formats": ["gpg"]
+                "formats": ["autograph_gpg"]
             }]
         elif 'linux' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repack>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.tar.bz2".format(repack_id)),
                 ],
-                "formats": ["gpg"]
+                "formats": ["autograph_gpg"]
             }]
 
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
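Review bot: The `if`/`elif` chain over `build_platform` has no `else`, so a platform that is none of `win`, `mac` or `linux` leaves `upstream_artifacts` unbound and the `task` dict fails with an UnboundLocalError instead of a clear message. Since the commit edits every branch, this is a good moment to add `else: raise Exception("Platform not implemented for signing")`, mirroring signed_artifacts.py. Separately, the `win` branch lists `autograph_gpg` in `formats` but appends only the `sha2signcode` format scope; a comment stating that `autograph_gpg` intentionally carries no format scope would make that explicit. Code before the hunk may already filter platforms, and the `task` dict continues past it.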
--- a/taskcluster/taskgraph/transforms/source_checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/source_checksums_signing.py
@@ -52,31 +52,30 @@ def make_checksums_signing_description(c
         attributes = copy_attributes_from_dependent_job(dep_job)
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<beetmover>"},
             "taskType": "beetmover",
             "paths": [
                 "public/target-source.checksums",
             ],
-            "formats": ["gpg"]
+            "formats": ["autograph_gpg"]
         }]
 
         signing_cert_scope = get_signing_cert_scope(config)
 
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
                        'max-run-time': 3600},
             'scopes': [
                 signing_cert_scope,
-                add_scope_prefix(config, 'signing:format:gpg'),
             ],
             'dependencies': dependencies,
             'attributes': attributes,
             'run-on-projects': dep_job.attributes.get('run_on_projects'),
             'treeherder': treeherder,
         }
 
         yield task
--- a/taskcluster/taskgraph/util/signed_artifacts.py
+++ b/taskcluster/taskgraph/util/signed_artifacts.py
@@ -19,17 +19,17 @@ def generate_specifications_of_artifacts
 ):
     build_platform = task.attributes.get('build_platform')
     use_stub = task.attributes.get('stub-installer')
     if kind == 'release-source-signing':
         artifacts_specifications = [{
             'artifacts': [
                 get_artifact_path(task, 'source.tar.xz')
             ],
-            'formats': ['gpg'],
+            'formats': ['autograph_gpg'],
         }]
     elif 'android' in build_platform:
         artifacts_specifications = [{
             'artifacts': [
                 get_artifact_path(task, '{locale}/target.apk'),
             ],
             'formats': ['autograph_apk_fennec_sha1'],
         }]
@@ -59,17 +59,17 @@ def generate_specifications_of_artifacts
 
         if use_stub:
             artifacts_specifications[0]['artifacts'] += [
                 get_artifact_path(task, '{locale}/setup-stub.exe')
             ]
     elif 'linux' in build_platform:
         artifacts_specifications = [{
             'artifacts': [get_artifact_path(task, '{locale}/target.tar.bz2')],
-            'formats': ['gpg', 'widevine'],
+            'formats': ['autograph_gpg', 'widevine'],
         }]
     else:
         raise Exception("Platform not implemented for signing")
 
     if not keep_locale_template:
         artifacts_specifications = _strip_locale_template(artifacts_specifications)
 
     if is_partner_kind(kind):
@@ -103,12 +103,12 @@ def get_signed_artifacts(input, formats)
     """
     Get the list of signed artifacts for the given input and formats.
     """
     artifacts = set()
     if input.endswith('.dmg'):
         artifacts.add(input.replace('.dmg', '.tar.gz'))
     else:
         artifacts.add(input)
-    if 'gpg' in formats:
+    if 'autograph_gpg' in formats:
         artifacts.add('{}.asc'.format(input))
 
     return artifacts
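Review bot: The test `'autograph_gpg' in formats` is an exact-name match, so a caller that still passes `'gpg'` now silently gets no `.asc` entry and the detached signature drops out of the expected-artifact set without any error. Either fail loudly on the retired name, e.g. `if 'gpg' in formats: raise ValueError('gpg format was replaced by autograph_gpg')`, or extend the docstring to say that only `autograph_gpg` yields a `.asc` artifact. Whether any remaining caller still uses `'gpg'` cannot be determined from this diff, so it should be checked before landing.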