Bug 1540276: Migrate authenticode signing to autograph r=Callek,mshal a=release
authorChris AtLee <catlee@mozilla.com>
Mon, 30 Sep 2019 13:57:32 +0000
changeset 555685 2d7eef3ae040515738746128dcbf718b8cfee1bb
parent 555684 a0c03214c1d5e58b6a0255a30b67c155a05bcb76
child 555686 7bb39acc489c9531183e6fd605290c497cf21674
push id2186
push usermtabara@mozilla.com
push dateMon, 04 Nov 2019 21:44:17 +0000
reviewersCallek, mshal, release
bugs1540276
milestone70.0.2
Bug 1540276: Migrate authenticode signing to autograph r=Callek,mshal a=release Differential Revision: https://phabricator.services.mozilla.com/D47114
Makefile.in
taskcluster/docs/partner-repacks.rst
taskcluster/docs/signing.rst
taskcluster/taskgraph/transforms/geckodriver_signing.py
taskcluster/taskgraph/transforms/openh264_signing.py
taskcluster/taskgraph/transforms/repackage_signing_partner.py
toolkit/mozapps/installer/upload-files.mk
tools/update-packaging/Makefile.in
--- a/Makefile.in
+++ b/Makefile.in
@@ -187,17 +187,17 @@ default all::
 
 # PGO build target.
 profiledbuild::
 	$(call BUILDSTATUS,TIERS pgo_profile_generate pgo_package pgo_profile pgo_clobber pgo_profile_use)
 	$(call BUILDSTATUS,TIER_START pgo_profile_generate)
 	$(MAKE) default MOZ_PROFILE_GENERATE=1 MOZ_LTO=
 	$(call BUILDSTATUS,TIER_FINISH pgo_profile_generate)
 	$(call BUILDSTATUS,TIER_START pgo_package)
-	$(MAKE) package MOZ_INTERNAL_SIGNING_FORMAT= MOZ_EXTERNAL_SIGNING_FORMAT=
+	$(MAKE) package
 	rm -f jarlog/en-US.log
 	$(call BUILDSTATUS,TIER_FINISH pgo_package)
 	$(call BUILDSTATUS,TIER_START pgo_profile)
 	JARLOG_FILE=jarlog/en-US.log $(PYTHON) $(topsrcdir)/build/pgo/profileserver.py
 	$(call BUILDSTATUS,TIER_FINISH pgo_profile)
 	$(call BUILDSTATUS,TIER_START pgo_clobber)
 	$(MAKE) maybe_clobber_profiledbuild
 	$(call BUILDSTATUS,TIER_FINISH pgo_clobber)
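Review bot: The pgo_package step now runs a bare `$(MAKE) package`, so it no longer forces `MOZ_INTERNAL_SIGNING_FORMAT`/`MOZ_EXTERNAL_SIGNING_FORMAT` empty for the throwaway profile-generation package; whether that matters depends on whether those variables are still honoured anywhere in the build, which this hunk does not show. If they have been retired along with in-tree signing, a one-line comment above the invocation would keep the intent visible, e.g. `# Intermediate PGO package is never signed; signing happens in the taskcluster signing tasks`. If they still exist and can be set from a mozconfig or the environment, the old explicit clearing should be kept rather than dropped. The `profiledbuild::` rule continues past the end of this hunk.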
--- a/taskcluster/docs/partner-repacks.rst
+++ b/taskcluster/docs/partner-repacks.rst
@@ -202,17 +202,17 @@ Repackage Signing
 
 * kinds: ``release-partner-repack-repackage-signing`` ``release-eme-free-repack-repackage-signing``
 * platforms: All
 * upstreams:
 
    * Mac & Windows: ``release-partner-repackage`` ``release-eme-free-repackage``
    * Linux: ``release-partner-repack-chunking-dummy``
 
-This step GPG signs all platforms, and sha2signcode signs the Windows installer.
+This step GPG signs all platforms, and authenticode signs the Windows installer.
 
 Beetmover
 ^^^^^^^^^
 
 * kinds: ``release-partner-repack-beetmover`` ``release-eme-free-repack-beetmover``
 * platforms: All
 * upstreams: ``release-partner-repack-repackage-signing`` ``release-eme-free-repack-repackage-signing``
 
@@ -244,9 +244,9 @@ Updates
 It's very rare to need to update a partner repack differently from the original
 release build but we retain that capability. A partner build with distribution name ``foo``,
 based on a release Firefox build, will query for an update on the ``release-cck-foo`` channel. If
 the update server `Balrog <http://mozilla-balrog.readthedocs.io/en/latest/>`_ finds no rule for
 that channel it will fallback to the ``release`` channel. The update files for the regular releases do not
 modify the ``distribution/`` directory, so the customizations are not modified.
 
 `Bug 1430254 <https://bugzilla.mozilla.org/show_bug.cgi?id=1430254>`_ is an example of an exception to this
-logic.
\ No newline at end of file
+logic.
--- a/taskcluster/docs/signing.rst
+++ b/taskcluster/docs/signing.rst
@@ -102,17 +102,17 @@ set of keys for the Focus app.
 ``macapp`` signing accepts either a ``dmg`` or ``tar.gz``; it converts ``dmg``
 files to ``tar.gz`` before submitting to the signing server. The signed binary
 is a ``tar.gz``.
 
 ``authenticode`` signing takes individual binaries or a zipfile. We sign the
 individual file or internals of the zipfile, skipping any already-signed files
 and a select few blocklisted files (using the `should_sign_windows`_ function).
 It returns a signed individual binary or zipfile with signed internals, depending
-on the input. This format includes ``authograph_authenticode``, and
+on the input. This format includes ``autograph_authenticode``, and
 ``autograph_authenticode_stub``.
 
 ``mar`` signing signs our update files (Mozilla ARchive). ``mar_sha384`` is
 the same, but with a different hashing algorithm.
 
 ``autograph_widevine`` is also video-related; see the
 `widevine site`_. We sign specific files inside the package and rebuild the
 ``precomplete`` file that we use for updates.
--- a/taskcluster/taskgraph/transforms/geckodriver_signing.py
+++ b/taskcluster/taskgraph/transforms/geckodriver_signing.py
@@ -99,17 +99,17 @@ def make_repackage_signing_description(c
             task['worker-type'] = worker_type_alias_map[task['worker-type']]
             task['worker']['mac-behavior'] = 'mac_geckodriver'
 
         yield task
 
 
 def _craft_upstream_artifacts(dependency_kind, build_platform):
     if build_platform.startswith('win'):
-        signing_format = 'sha2signcode'
+        signing_format = 'autograph_authenticode'
         extension = 'zip'
     elif build_platform.startswith('linux'):
         signing_format = 'autograph_gpg'
         extension = 'tar.gz'
     elif build_platform.startswith('macosx'):
         signing_format = 'mac_geckodriver'
         extension = 'tar.gz'
     else:
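Review bot: The literal `'autograph_authenticode'` introduced here is the same string this commit adds in openh264_signing.py and twice in repackage_signing_partner.py, with no shared definition; a future rename of the format would have to find every copy, and one platform silently left on a stale format would surface only as a signing-task failure. Hoisting the name into a single module-level constant that the three transforms import (e.g. `WIN_SIGNING_FORMAT = 'autograph_authenticode'` next to the existing worker-type maps) would make the dependency explicit. `_craft_upstream_artifacts` continues past the end of this hunk, so its remaining branches are not visible here.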
--- a/taskcluster/taskgraph/transforms/openh264_signing.py
+++ b/taskcluster/taskgraph/transforms/openh264_signing.py
@@ -55,17 +55,17 @@ def make_signing_description(config, job
         signing_cert_scope = get_signing_cert_scope_per_platform(
             build_platform, is_nightly, config
         )
 
         scopes = [signing_cert_scope]
 
         if 'win' in build_platform:
             # job['primary-dependency'].task['payload']['command']
-            formats = ['sha2signcode']
+            formats = ['autograph_authenticode']
         else:
             formats = ['autograph_gpg']
 
         rev = attributes['openh264_rev']
         upstream_artifacts = [{
             "taskId": {"task-reference": "<openh264>"},
             "taskType": "build",
             "paths": [
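Review bot: The comment `# job['primary-dependency'].task['payload']['command']` immediately above the changed `formats = ['autograph_authenticode']` line does not describe the assignment and reads as a leftover debugging note, which the commit carried over unchanged. Since the format choice is the security-relevant decision in this branch, replacing it with a comment that states the rule would help, e.g. `# Windows artifacts are authenticode-signed; every other platform is GPG-signed`. `make_signing_description` starts before and continues after this hunk.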
--- a/taskcluster/taskgraph/transforms/repackage_signing_partner.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing_partner.py
@@ -76,32 +76,32 @@ def make_repackage_signing_description(c
 
         if 'win' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
                 ],
-                "formats": ["sha2signcode", "autograph_gpg"]
+                "formats": ["autograph_authenticode", "autograph_gpg"]
             }]
 
             partner_config = get_partner_config_by_kind(config, config.kind)
             partner, subpartner, _ = repack_id.split('/')
             repack_stub_installer = partner_config[partner][subpartner].get(
                 'repack_stub_installer')
             if build_platform.startswith('win32') and repack_stub_installer:
                 upstream_artifacts.append({
                     "taskId": {"task-reference": "<repackage>"},
                     "taskType": "repackage",
                     "paths": [
                         get_artifact_path(dep_job, "{}/target.stub-installer.exe".format(
                             repack_id)),
                     ],
-                    "formats": ["sha2signcode", "autograph_gpg"]
+                    "formats": ["autograph_authenticode", "autograph_gpg"]
                 })
         elif 'mac' in build_platform:
             upstream_artifacts = [{
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     get_artifact_path(dep_job, "{}/target.dmg".format(repack_id)),
                 ],
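Review bot: The stub-installer artifact (`target.stub-installer.exe`, second changed line) is given the same `autograph_authenticode` format as the full installer, while the signing.rst hunk in this same commit lists a separate `autograph_authenticode_stub` format; if the stub installer is meant to be signed with that variant, this is the line where it would need to differ. The previous code used one `sha2signcode` format for both, so this may be intentional, but it is worth confirming with the signing-format owners before release. `make_repackage_signing_description` starts before and continues after this hunk.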
--- a/toolkit/mozapps/installer/upload-files.mk
+++ b/toolkit/mozapps/installer/upload-files.mk
@@ -128,20 +128,16 @@ ifeq ($(MOZ_PKG_FORMAT),BZ2)
     INNER_MAKE_PACKAGE 	= $(CREATE_FINAL_TAR) - -C $(MOZ_PKG_DIR) $(_APPNAME) | bzip2 -vf > $(PACKAGE)
   else
     INNER_MAKE_PACKAGE 	= $(CREATE_FINAL_TAR) - $(MOZ_PKG_DIR) | bzip2 -vf > $(PACKAGE)
   endif
   INNER_UNMAKE_PACKAGE	= bunzip2 -c $(UNPACKAGE) | $(UNPACK_TAR)
 endif
 
 ifeq ($(MOZ_PKG_FORMAT),ZIP)
-  ifdef MOZ_EXTERNAL_SIGNING_FORMAT
-    # We can't use sha2signcode on zip files
-    MOZ_EXTERNAL_SIGNING_FORMAT := $(filter-out sha2signcode,$(MOZ_EXTERNAL_SIGNING_FORMAT))
-  endif
   PKG_SUFFIX	= .zip
   INNER_MAKE_PACKAGE = $(call py_action,make_zip,'$(MOZ_PKG_DIR)' '$(PACKAGE)')
   INNER_UNMAKE_PACKAGE = $(call py_action,make_unzip,$(UNPACKAGE))
 endif
 
 ifeq ($(MOZ_PKG_FORMAT),SFX7Z)
   PKG_SUFFIX	= .exe
   INNER_MAKE_PACKAGE = $(call py_action,exe_7z_archive,'$(MOZ_PKG_DIR)' '$(MOZ_INSTALLER_PATH)/app.tag' '$(MOZ_SFX_PACKAGE)' '$(PACKAGE)')
--- a/tools/update-packaging/Makefile.in
+++ b/tools/update-packaging/Makefile.in
@@ -28,28 +28,16 @@ full-update:: complete-patch
 ifeq ($(OS_TARGET), WINNT)
 MOZ_PKG_FORMAT	:= SFX7Z
 UNPACKAGE	= '$(subst $(DIST),$(ABS_DIST),$(INSTALLER_PACKAGE))'
 endif
 
 include $(topsrcdir)/config/rules.mk
 include $(topsrcdir)/toolkit/mozapps/installer/packager.mk
 
-ifdef MOZ_EXTERNAL_SIGNING_FORMAT
-# We can't use sha2signcode on mar files
-MOZ_EXTERNAL_SIGNING_FORMAT := $(filter-out sha2signcode,$(MOZ_EXTERNAL_SIGNING_FORMAT))
-MOZ_EXTERNAL_SIGNING_FORMAT := mar $(MOZ_EXTERNAL_SIGNING_FORMAT)
-endif
-
-ifndef MAR_OLD_FORMAT
-MAR_SIGN_FORMAT=mar_sha384
-else
-MAR_SIGN_FORMAT=mar
-endif
-
 dir-stage := $(call mkdir_deps,$(STAGE_DIR))
 
 complete-patch:: $(dir-stage)
 # unpack the windows installer, unless we're an l10n repack, we just packed this
 ifndef IS_LANGUAGE_REPACK
 ifeq ($(OS_TARGET), WINNT)
 	test -f $(UNPACKAGE)
 	$(RM) -rf '$(PACKAGE_DIR)'
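Review bot: Removing the `MAR_SIGN_FORMAT` definition (and the `MAR_OLD_FORMAT` selection between `mar` and `mar_sha384`) leaves any remaining `$(MAR_SIGN_FORMAT)` reference in this file's later rules or in the included packager.mk expanding to an empty string with no error, which is not visible from this hunk. A quick grep for `MAR_SIGN_FORMAT` and `MOZ_EXTERNAL_SIGNING_FORMAT` across the tree, or a run with `MAKEFLAGS += --warn-undefined-variables`, would confirm nothing still consumes them. If the mar/mar_sha384 choice has moved to the taskcluster signing transforms, a one-line comment at this spot saying so would spare the next reader the same search. The `complete-patch::` recipe continues past the end of this hunk.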