Bug 1388431 - [win32/64, macosx64] Devedition: mars should be signed with Nightly key r=Callek
authorJohan Lorenzo <jlorenzo@mozilla.com>
Tue, 08 Aug 2017 19:22:43 +0200
changeset 425432 46b4a667c1e43ad4c3153187051b1dcff5e4b0ea
parent 425431 ad20fd5faada2aedfea3e290c7501b8f6edff3c3
child 425433 2b09cdaae71cf5e2f98825ce960954eb1c36a435
push id1567
push userjlorenzo@mozilla.com
push dateThu, 02 Nov 2017 12:36:05 +0000
treeherdermozilla-release@e512c14a0406 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersCallek
bugs1388431
milestone57.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1388431 - [win32/64, macosx64] Devedition: mars should be signed with Nightly key r=Callek MozReview-Commit-ID: LEJ1OsZNSm9
taskcluster/taskgraph/transforms/repackage_signing.py
taskcluster/taskgraph/transforms/signing.py
taskcluster/taskgraph/util/scriptworker.py
--- a/taskcluster/taskgraph/transforms/repackage_signing.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing.py
@@ -5,17 +5,17 @@
 Transform the repackage signing task into an actual task description.
 """
 
 from __future__ import absolute_import, print_function, unicode_literals
 
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.schema import validate_schema, Schema
-from taskgraph.util.scriptworker import get_signing_cert_scope
+from taskgraph.util.scriptworker import get_signing_cert_scope_per_platform
 from taskgraph.transforms.task import task_description_schema
 from voluptuous import Required, Optional
 
 # Voluptuous uses marker objects as dictionary *keys*, but they are not
 # comparable, so we cast all of the keys back to regular strings
 task_description_schema = {str(k): v for k, v in task_description_schema.schema.iteritems()}
 
 transforms = TransformSequence()
@@ -72,40 +72,44 @@ def make_repackage_signing_description(c
         attributes['repackage_type'] = 'repackage-signing'
 
         locale_str = ""
         if dep_job.attributes.get('locale'):
             treeherder['symbol'] = 'tc-rs({})'.format(dep_job.attributes.get('locale'))
             attributes['locale'] = dep_job.attributes.get('locale')
             locale_str = "{}/".format(dep_job.attributes.get('locale'))
 
-        scopes = [get_signing_cert_scope(config),
-                  "project:releng:signing:format:mar_sha384"]
+        build_platform = dep_job.attributes.get('build_platform')
+        is_nightly = dep_job.attributes.get('nightly')
+        signing_cert_scope = get_signing_cert_scope_per_platform(
+            build_platform, is_nightly, config
+        )
+        scopes = [signing_cert_scope, 'project:releng:signing:format:mar_sha384']
 
         upstream_artifacts = [{
             "taskId": {"task-reference": "<repackage>"},
             "taskType": "repackage",
             "paths": [
                 "public/build/{}target.complete.mar".format(locale_str),
             ],
             "formats": ["mar_sha384"]
         }]
-        if 'win' in dep_job.attributes.get('build_platform'):
+        if 'win' in build_platform:
             upstream_artifacts.append({
                 "taskId": {"task-reference": "<repackage>"},
                 "taskType": "repackage",
                 "paths": [
                     "public/build/{}target.installer.exe".format(locale_str),
                 ],
                 "formats": ["sha2signcode"]
             })
             scopes.append("project:releng:signing:format:sha2signcode")
 
             # Stub installer is only generated on win32
-            if '32' in dep_job.attributes.get('build_platform'):
+            if '32' in build_platform:
                 upstream_artifacts.append({
                     "taskId": {"task-reference": "<repackage>"},
                     "taskType": "repackage",
                     "paths": [
                         "public/build/{}target.stub-installer.exe".format(locale_str),
                     ],
                     "formats": ["sha2signcodestub"]
                 })
@@ -125,17 +129,16 @@ def make_repackage_signing_description(c
             'treeherder': treeherder,
         }
 
         funsize_platforms = [
             'macosx64-nightly',
             'win32-nightly',
             'win64-nightly'
         ]
-        if dep_job.attributes.get('build_platform') in funsize_platforms and \
-                dep_job.attributes.get('nightly'):
+        if build_platform in funsize_platforms and is_nightly:
             route_template = "project.releng.funsize.level-{level}.{project}"
             task['routes'] = [
                 route_template.format(project=config.params['project'],
                                       level=config.params['level'])
             ]
 
         yield task
--- a/taskcluster/taskgraph/transforms/signing.py
+++ b/taskcluster/taskgraph/transforms/signing.py
@@ -5,17 +5,17 @@
 Transform the signing task into an actual task description.
 """
 
 from __future__ import absolute_import, print_function, unicode_literals
 
 from taskgraph.transforms.base import TransformSequence
 from taskgraph.util.attributes import copy_attributes_from_dependent_job
 from taskgraph.util.schema import validate_schema, Schema
-from taskgraph.util.scriptworker import get_signing_cert_scope, get_devedition_signing_cert_scope
+from taskgraph.util.scriptworker import get_signing_cert_scope_per_platform
 from taskgraph.transforms.task import task_description_schema
 from voluptuous import Any, Required, Optional
 
 
 # Voluptuous uses marker objects as dictionary *keys*, but they are not
 # comparable, so we cast all of the keys back to regular strings
 task_description_schema = {str(k): v for k, v in task_description_schema.schema.iteritems()}
 
@@ -112,26 +112,19 @@ def make_task_description(config, jobs):
 
         attributes = copy_attributes_from_dependent_job(dep_job)
         attributes['signed'] = True
 
         if dep_job.attributes.get('chunk_locales'):
             # Used for l10n attribute passthrough
             attributes['chunk_locales'] = dep_job.attributes.get('chunk_locales')
 
-        # This code wasn't originally written with the possibility of using different
-        # signing cert scopes for different platforms on the same branch. This isn't
-        # ideal, but it's what we currently have to make this possible.
-        if dep_job.attributes.get('build_platform') in set(
-          ['linux64-devedition-nightly', 'linux-devedition-nightly']):
-            signing_cert_scope = get_devedition_signing_cert_scope(config)
-        elif is_nightly:
-            signing_cert_scope = get_signing_cert_scope(config)
-        else:
-            signing_cert_scope = 'project:releng:signing:cert:dep-signing'
+        signing_cert_scope = get_signing_cert_scope_per_platform(
+            dep_job.attributes.get('build_platform'), is_nightly, config
+        )
 
         task = {
             'label': label,
             'description': description,
             'worker-type': _generate_worker_type(signing_cert_scope),
             'worker': {'implementation': 'scriptworker-signing',
                        'upstream-artifacts': job['upstream-artifacts'],
                        'max-run-time': 3600},
--- a/taskcluster/taskgraph/util/scriptworker.py
+++ b/taskcluster/taskgraph/util/scriptworker.py
@@ -414,8 +414,21 @@ def get_release_config(config):
         build_number = str(os.environ.get("BUILD_NUMBER", ""))
         if not build_number.isdigit():
             raise ValueError("Release graphs must specify `BUILD_NUMBER` in the environment!")
         release_config['build_number'] = int(build_number)
         with open(VERSION_PATH, "r") as fh:
             version = fh.readline().rstrip()
         release_config['version'] = version
     return release_config
+
+
+def get_signing_cert_scope_per_platform(build_platform, is_nightly, config):
+    if build_platform in (
+        'linux-devedition-nightly', 'linux64-devedition-nightly',
+        'macosx64-devedition-nightly',
+        'win32-devedition-nightly', 'win64-devedition-nightly',
+    ):
+        return get_devedition_signing_cert_scope(config)
+    elif is_nightly:
+        return get_signing_cert_scope(config)
+    else:
+        return 'project:releng:signing:cert:dep-signing'