Bug 1520591: switch gpg signing to autograph r=aki
authorChris AtLee <catlee@mozilla.com>
Wed, 15 May 2019 13:17:26 +0000
changeset 532748 f64789945bb3f49cd7ca160315d5999dbed25387
parent 532747 33b8297c53bcc11843f0992e0e310c8bf9379c57
child 532749 2fe5b3d2dca7c1883b6e6d4bca81da5dc349733b
push id11272
push userapavel@mozilla.com
push dateThu, 16 May 2019 15:28:22 +0000
reviewersaki
bugs1520591
milestone68.0a1
Bug 1520591: switch gpg signing to autograph r=aki Differential Revision: https://phabricator.services.mozilla.com/D31135
taskcluster/docs/signing.rst
taskcluster/taskgraph/transforms/checksums_signing.py
taskcluster/taskgraph/transforms/geckodriver_signing.py
taskcluster/taskgraph/transforms/openh264_signing.py
taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
taskcluster/taskgraph/transforms/repackage_signing_partner.py
taskcluster/taskgraph/transforms/source_checksums_signing.py
taskcluster/taskgraph/util/signed_artifacts.py
--- a/taskcluster/docs/signing.rst
+++ b/taskcluster/docs/signing.rst
@@ -28,30 +28,30 @@ An example signing task payload:
     "payload": {
       "upstreamArtifacts": [{
         "paths": ["public/build/target.dmg"],
         "formats": ["macapp"],
         "taskId": "abcde",
         "taskType": "build"
       }, {
         "paths": ["public/build/target.tar.gz"],
-        "formats": ["gpg"],
+        "formats": ["autograph_gpg"],
         "taskId": "12345",
         "taskType": "build"
       }]
     }
   }
 
 In the above example, scriptworker would download the ``target.dmg`` from task
 ``abcde`` and ``target.tar.gz`` from task ``12345`` and verify their shas and
 task definitions via `chain of trust`_ verification. Then it will launch
 `signingscript`_, which requests a signing token from the signing server pool.
 
 Signingscript determines it wants to sign ``target.dmg`` with the ``macapp``
-format, and ``target.tar.gz`` with the ``gpg`` format. Each of the
+format, and ``target.tar.gz`` with the ``autograph_gpg`` format. Each of the
 `signing formats`_ has their own behavior. After performing any format-specific
 checks or optimizations, it calls `signtool`_ to submit the file to the signing
 servers and poll them for signed output. Once it downloads all of the signed
 output files, it exits and scriptworker uploads the signed binaries.
 
 We can specify multiple paths from a single task for a given set of formats,
 and multiple formats for a given set of paths.
 
@@ -85,23 +85,18 @@ in `60.0`_. To generate these, we have t
 .. _signing formats:
 
 Signing formats
 ---------------
 
 The known signingscript formats are listed in the fourth column of the
 `signing password files`_.
 
-The formats are specified in the ``upstreamArtifacts`` list-of-dicts. The task
-must have a superset of scopes to match. For example, a Firefox signing task
-with an ``upstreamArtifacts`` that lists both ``gpg`` and ``macapp`` formats must
-have both ``project:releng:signing:format:gpg`` and
-``project:releng:signing:format:macapp`` in its scopes.
-
-``gpg`` signing results in a detached ``.asc`` signature file. Because of its
+The formats are specified in the ``upstreamArtifacts`` list-of-dicts.
+``autograph_gpg`` signing results in a detached ``.asc`` signature file. Because of its
 nature, we gpg-sign at the end if given multiple formats for a given set of
 files.
 
 ``jar`` signing is Android apk signing. After signing, we ``zipalign`` the apk.
 This includes the ``focus-jar`` format, which is just a way to specify a different
 set of keys for the Focus app.
 
 ``macapp`` signing accepts either a ``dmg`` or ``tar.gz``; it converts ``dmg``
--- a/taskcluster/taskgraph/transforms/checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/checksums_signing.py
@@ -8,17 +8,16 @@ Transform the checksums signing task int
 from __future__ import absolute_import, print_function, unicode_literals
 
 from taskgraph.loader.single_dep import schema
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.scriptworker import (
     get_signing_cert_scope,
     get_worker_type_for_scope,
-    add_scope_prefix,
 )
 from taskgraph.util.treeherder import replace_group
 from taskgraph.transforms.task import task_description_schema
 from voluptuous import Required, Optional
 
 checksums_signing_description_schema = schema.extend({
     Required('depname', default='beetmover'): basestring,
     Optional('label'): basestring,
@@ -70,30 +69,29 @@ def make_checksums_signing_description(c
             attributes['locale'] = dep_job.attributes.get('locale')
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<beetmover>"},
             "taskType": "beetmover",
             "paths": [
                 "public/target.checksums",
             ],
-            "formats": ["gpg"]
+            "formats": ["autograph_gpg"]
         }]
 
         signing_cert_scope = get_signing_cert_scope(config)
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
                        'max-run-time': 3600},
             'scopes': [
                 signing_cert_scope,
-                add_scope_prefix(config, 'signing:format:gpg'),
             ],
             'dependencies': dependencies,
             'attributes': attributes,
             'run-on-projects': dep_job.attributes.get('run_on_projects'),
             'treeherder': treeherder,
         }
 
         yield task
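Review bot: The task's scope list at the new `'scopes': [signing_cert_scope]` no longer records which signing format the task may request, while the `sha2signcode` tasks touched by this same commit still carry a `signing:format:` scope, and nothing in the hunk says why `autograph_gpg` is exempt. If the autograph-backed formats are authorised by the cert scope alone, a one-line comment on the scopes list would keep the next reader from re-adding the format scope, e.g. `# autograph_* formats are not gated by a signing:format:* scope; the cert scope suffices`. release_generate_checksums_signing.py and source_checksums_signing.py make the identical change and would take the same comment. make_checksums_signing_description starts before this hunk.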
--- a/taskcluster/taskgraph/transforms/geckodriver_signing.py
+++ b/taskcluster/taskgraph/transforms/geckodriver_signing.py
@@ -90,17 +90,17 @@ def make_repackage_signing_description(c
         yield task
 
 
 def _craft_upstream_artifacts(dependency_kind, build_platform):
     if build_platform.startswith('win'):
         signing_format = 'sha2signcode'
         extension = 'zip'
     elif build_platform.startswith('linux'):
-        signing_format = 'gpg'
+        signing_format = 'autograph_gpg'
         extension = 'tar.gz'
     else:
         raise ValueError('Unsupported build platform "{}"'.format(build_platform))
 
     return [{
         'taskId': {'task-reference': '<{}>'.format(dependency_kind)},
         'taskType': 'repackage',
         'paths': ['public/geckodriver.{}'.format(extension)],
--- a/taskcluster/taskgraph/transforms/openh264_signing.py
+++ b/taskcluster/taskgraph/transforms/openh264_signing.py
@@ -59,18 +59,17 @@ def make_signing_description(config, job
 
         scopes = [signing_cert_scope]
 
         if 'win' in build_platform:
             # job['primary-dependency'].task['payload']['command']
             scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
             formats = ['sha2signcode']
         else:
-            scopes.append(add_scope_prefix(config, 'signing:format:gpg'))
-            formats = ['gpg']
+            formats = ['autograph_gpg']
 
         rev = attributes['openh264_rev']
         upstream_artifacts = [{
             "taskId": {"task-reference": "<openh264>"},
             "taskType": "build",
             "paths": [
                 "private/openh264/openh264-{}-{}.zip".format(build_platform, rev),
             ],
--- a/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/release_generate_checksums_signing.py
@@ -8,17 +8,16 @@ Transform the release-generate-checksums
 from __future__ import absolute_import, print_function, unicode_literals
 
 from taskgraph.loader.single_dep import schema
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.scriptworker import (
     get_signing_cert_scope,
     get_worker_type_for_scope,
-    add_scope_prefix,
 )
 from taskgraph.util.taskcluster import get_artifact_path
 from taskgraph.transforms.task import task_description_schema
 from voluptuous import Required, Optional
 
 release_generate_checksums_signing_schema = schema.extend({
     Required('depname', default='release-generate-checksums'): basestring,
     Optional('label'): basestring,
@@ -56,31 +55,30 @@ def make_release_generate_checksums_sign
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<{}>".format(str(dep_job.kind))},
             "taskType": "build",
             "paths": [
                 get_artifact_path(dep_job, "SHA256SUMS"),
                 get_artifact_path(dep_job, "SHA512SUMS"),
             ],
-            "formats": ["gpg"]
+            "formats": ["autograph_gpg"]
         }]
 
         signing_cert_scope = get_signing_cert_scope(config)
 
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
                        'max-run-time': 3600},
             'scopes': [
                 signing_cert_scope,
-                add_scope_prefix(config, 'signing:format:gpg'),
             ],
             'dependencies': dependencies,
             'attributes': attributes,
             'run-on-projects': dep_job.attributes.get('run_on_projects'),
             'treeherder': treeherder,
         }
 
         yield task
--- a/taskcluster/taskgraph/transforms/repackage_signing_partner.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing_partner.py
@@ -67,45 +67,45 @@ def make_repackage_signing_description(c
             dependencies = {"repackage": dep_job.label}
 
         attributes = copy_attributes_from_dependent_job(dep_job)
         attributes['repackage_type'] = 'repackage-signing'
 
         signing_cert_scope = get_signing_cert_scope_per_platform(
             build_platform, is_nightly, config
         )
-        scopes = [signing_cert_scope, add_scope_prefix(config, 'signing:format:gpg')]
+        scopes = [signing_cert_scope]
 
         if 'win' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
                 ],
-                "formats": ["sha2signcode", "gpg"]
+                "formats": ["sha2signcode", "autograph_gpg"]
             }]
             scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
         elif 'mac' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.dmg".format(repack_id)),
                 ],
-                "formats": ["gpg"]
+                "formats": ["autograph_gpg"]
             }]
         elif 'linux' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repack>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.tar.bz2".format(repack_id)),
                 ],
-                "formats": ["gpg"]
+                "formats": ["autograph_gpg"]
             }]
 
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
--- a/taskcluster/taskgraph/transforms/source_checksums_signing.py
+++ b/taskcluster/taskgraph/transforms/source_checksums_signing.py
@@ -8,17 +8,16 @@ Transform the checksums signing task int
 from __future__ import absolute_import, print_function, unicode_literals
 
 from taskgraph.loader.single_dep import schema
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.scriptworker import (
     get_signing_cert_scope,
     get_worker_type_for_scope,
-    add_scope_prefix,
 )
 from taskgraph.transforms.task import task_description_schema
 from voluptuous import Required, Optional
 
 checksums_signing_description_schema = schema.extend({
     Required('depname', default='beetmover'): basestring,
     Optional('label'): basestring,
     Optional('treeherder'): task_description_schema['treeherder'],
@@ -52,31 +51,30 @@ def make_checksums_signing_description(c
         attributes = copy_attributes_from_dependent_job(dep_job)
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<beetmover>"},
             "taskType": "beetmover",
             "paths": [
                 "public/target-source.checksums",
             ],
-            "formats": ["gpg"]
+            "formats": ["autograph_gpg"]
         }]
 
         signing_cert_scope = get_signing_cert_scope(config)
 
         task = {
             'label': label,
             'description': description,
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': upstream_artifacts,
                        'max-run-time': 3600},
             'scopes': [
                 signing_cert_scope,
-                add_scope_prefix(config, 'signing:format:gpg'),
             ],
             'dependencies': dependencies,
             'attributes': attributes,
             'run-on-projects': dep_job.attributes.get('run_on_projects'),
             'treeherder': treeherder,
         }
 
         yield task
--- a/taskcluster/taskgraph/util/signed_artifacts.py
+++ b/taskcluster/taskgraph/util/signed_artifacts.py
@@ -19,17 +19,17 @@ def generate_specifications_of_artifacts
 ):
     build_platform = task.attributes.get('build_platform')
     use_stub = task.attributes.get('stub-installer')
     if kind == 'release-source-signing':
         artifacts_specifications = [{
             'artifacts': [
                 get_artifact_path(task, 'source.tar.xz')
             ],
-            'formats': ['gpg'],
+            'formats': ['autograph_gpg'],
         }]
     elif 'android' in build_platform:
         artifacts_specifications = [{
             'artifacts': [
                 get_artifact_path(task, '{locale}/target.apk'),
             ],
             'formats': ['autograph_apk_fennec_sha1'],
         }]
@@ -59,17 +59,17 @@ def generate_specifications_of_artifacts
 
         if use_stub:
             artifacts_specifications[0]['artifacts'] += [
                 get_artifact_path(task, '{locale}/setup-stub.exe')
             ]
     elif 'linux' in build_platform:
         artifacts_specifications = [{
             'artifacts': [get_artifact_path(task, '{locale}/target.tar.bz2')],
-            'formats': ['gpg', 'widevine'],
+            'formats': ['autograph_gpg', 'widevine'],
         }]
     else:
         raise Exception("Platform not implemented for signing")
 
     if not keep_locale_template:
         artifacts_specifications = _strip_locale_template(artifacts_specifications)
 
     if is_partner_kind(kind):
@@ -103,12 +103,12 @@ def get_signed_artifacts(input, formats)
     """
     Get the list of signed artifacts for the given input and formats.
     """
     artifacts = set()
     if input.endswith('.dmg'):
         artifacts.add(input.replace('.dmg', '.tar.gz'))
     else:
         artifacts.add(input)
-    if 'gpg' in formats:
+    if 'autograph_gpg' in formats:
         artifacts.add('{}.asc'.format(input))
 
     return artifacts
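Review bot: A caller that still passes the old `'gpg'` format now gets no `.asc` entry from get_signed_artifacts and no error, so a missed call site would silently drop the detached signature from the expected-artifact set. A guard ahead of the format check, `if 'gpg' in formats: raise ValueError("format 'gpg' was replaced by 'autograph_gpg'")`, would surface any straggler at taskgraph generation time instead. The docstring could also state that `autograph_gpg` is the format that yields the `{input}.asc` artifact. The `def get_signed_artifacts(input, formats)` line precedes this hunk.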