Bug 1517652: [release] Use old signing for old complete mars; r=aki
authorTom Prince <mozilla@hocat.ca>
Fri, 04 Jan 2019 16:38:52 +0000
changeset 509660 eacca0ce75d8d2625df1e7ebddaeeab99672751e
parent 509659 dbea03a5c55e1deb19b8092c0cc13bf33af8e99c
child 509661 1e6d3675ae4eaac986ecf27f76b5d2a4cf78b7b7
push id10547
push userffxbld-merge
push dateMon, 21 Jan 2019 13:03:58 +0000
treeherdermozilla-beta@24ec1916bffe [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersaki
bugs1517652
milestone66.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1517652: [release] Use old signing for old complete mars; r=aki Differential Revision: https://phabricator.services.mozilla.com/D15693
taskcluster/taskgraph/transforms/mar_signing.py
taskcluster/taskgraph/util/scriptworker.py
--- a/taskcluster/taskgraph/transforms/mar_signing.py
+++ b/taskcluster/taskgraph/transforms/mar_signing.py
@@ -6,27 +6,32 @@ Transform the {partials,mar}-signing tas
 """
 from __future__ import absolute_import, print_function, unicode_literals
 
 import os
 
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job, sorted_unique_list
 from taskgraph.util.scriptworker import (
+    add_scope_prefix,
     get_signing_cert_scope_per_platform,
     get_worker_type_for_scope,
-    get_autograph_format_scope,
 )
 from taskgraph.util.partials import get_balrog_platform_name, get_partials_artifacts
 from taskgraph.util.taskcluster import get_artifact_prefix
 from taskgraph.util.treeherder import join_symbol
 
 import logging
 logger = logging.getLogger(__name__)
 
+SIGNING_FORMATS = {
+    'target.complete.mar': ['autograph_hash_only_mar384'],
+    'target.bz2.complete.mar': ['mar'],
+}
+
 transforms = TransformSequence()
 
 
 def generate_partials_artifacts(job, release_history, platform, locale=None):
     artifact_prefix = get_artifact_prefix(job)
     if locale:
         artifact_prefix = '{}/{}'.format(artifact_prefix, locale)
     else:
@@ -65,22 +70,22 @@ def generate_partials_artifacts(job, rel
 
     return upstream_artifacts
 
 
 def generate_complete_artifacts(job):
     upstream_artifacts = []
     for artifact in job.release_artifacts:
         basename = os.path.basename(artifact)
-        if basename.endswith('.complete.mar'):
+        if basename in SIGNING_FORMATS:
             upstream_artifacts.append({
                 "taskId": {"task-reference": '<{}>'.format(job.kind)},
                 "taskType": 'build',
                 "paths": [artifact],
-                "formats": ["autograph_hash_only_mar384"],
+                "formats": SIGNING_FORMATS[basename],
             })
 
     return upstream_artifacts
 
 
 @transforms.add
 def make_task_description(config, jobs):
     for job in jobs:
@@ -126,21 +131,22 @@ def make_task_description(config, jobs):
         else:
             upstream_artifacts = generate_complete_artifacts(dep_job)
 
         build_platform = dep_job.attributes.get('build_platform')
         is_nightly = dep_job.attributes.get('nightly')
         signing_cert_scope = get_signing_cert_scope_per_platform(
             build_platform, is_nightly, config
         )
-        autograph_hash_format_scope = get_autograph_format_scope(config)
 
-        scopes = [signing_cert_scope, autograph_hash_format_scope]
-        if any("mar" in upstream_details["formats"] for upstream_details in upstream_artifacts):
-            scopes.append('project:releng:signing:format:mar')
+        scopes = [signing_cert_scope] + list({
+            add_scope_prefix(config, 'signing:format:{}'.format(format))
+            for artifact in upstream_artifacts
+            for format in artifact['formats']
+        })
 
         task = {
             'label': label,
             'description': "{} {}".format(
                 dep_job.task["metadata"]["description"], job['description-suffix']),
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
--- a/taskcluster/taskgraph/util/scriptworker.py
+++ b/taskcluster/taskgraph/util/scriptworker.py
@@ -366,20 +366,16 @@ def get_signing_cert_scope_per_platform(
     if 'devedition' in build_platform:
         return get_devedition_signing_cert_scope(config)
     elif is_nightly or build_platform in ('firefox-source', 'fennec-source', 'thunderbird-source'):
         return get_signing_cert_scope(config)
     else:
         return add_scope_prefix(config, 'signing:cert:dep-signing')
 
 
-def get_autograph_format_scope(config):
-    return add_scope_prefix(config, 'signing:format:autograph_hash_only_mar384')
-
-
 def get_worker_type_for_scope(config, scope):
     """Get the scriptworker type that will accept the given scope.
 
     Args:
         config (TransformConfig): The configuration for the kind being transformed.
         scope (string): The scope being used.
 
     Returns: