bug 1471197 - sign mar hashes. r=catlee
authorAki Sasaki <asasaki@mozilla.com>
Wed, 10 Oct 2018 09:27:44 -0700
changeset 499014 5899ae8c1e091aed4697af62b98a621118e1059d
parent 499013 3c2fc3b5c03adc291583cb49e346e7580f283c0f
child 499015 2fffb44333de2cc59d84049930e885004c1d5456
push id1864
push userffxbld-merge
push dateMon, 03 Dec 2018 15:51:40 +0000
treeherdermozilla-release@f040763d99ad [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscatlee
bugs1471197
milestone64.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1471197 - sign mar hashes. r=catlee Summary: Switch to autograph mar hash signing. Test Plan: X pin nightly updates _ autoland this patch _ uplift this patch to central _ wait for nightlies to spin _ test nightlytest channel _ unpin nightly updates Reviewers: catlee Tags: #secure-revision Bug #: 1471197 Differential Revision: https://phabricator.services.mozilla.com/D8251
taskcluster/taskgraph/transforms/partials_signing.py
taskcluster/taskgraph/transforms/repackage_signing.py
--- a/taskcluster/taskgraph/transforms/partials_signing.py
+++ b/taskcluster/taskgraph/transforms/partials_signing.py
@@ -35,17 +35,17 @@ def generate_upstream_artifacts(job, rel
         "taskType": 'partials',
         "paths": [
             "{}/{}".format(artifact_prefix, path)
             for path, version in artifacts
             # TODO Use mozilla-version to avoid comparing strings. Otherwise Firefox 100 will be
             # considered smaller than Firefox 56
             if version is None or version >= '56'
         ],
-        "formats": ["autograph_mar384"],
+        "formats": ["autograph_hash_only_mar384"],
     }]
 
     old_mar_upstream_artifacts = {
         "taskId": {"task-reference": '<partials>'},
         "taskType": 'partials',
         "paths": [
             "{}/{}".format(artifact_prefix, path)
             for path, version in artifacts
@@ -98,17 +98,17 @@ def make_task_description(config, jobs):
             dep_job, config.params['release_history'], balrog_platform, locale)
 
         build_platform = dep_job.attributes.get('build_platform')
         is_nightly = dep_job.attributes.get('nightly')
         signing_cert_scope = get_signing_cert_scope_per_platform(
             build_platform, is_nightly, config
         )
 
-        scopes = [signing_cert_scope, 'project:releng:signing:format:autograph_mar384']
+        scopes = [signing_cert_scope, 'project:releng:signing:format:autograph_hash_only_mar384']
         if any("mar" in upstream_details["formats"] for upstream_details in upstream_artifacts):
             scopes.append('project:releng:signing:format:mar')
 
         task = {
             'label': label,
             'description': "{} Partials".format(
                 dep_job.task["metadata"]["description"]),
             'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
--- a/taskcluster/taskgraph/transforms/repackage_signing.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing.py
@@ -31,17 +31,17 @@ repackage_signing_description_schema = S
     Required('depname', default='repackage'): basestring,
     Optional('label'): basestring,
     Optional('treeherder'): task_description_schema['treeherder'],
     Optional('shipping-product'): task_description_schema['shipping-product'],
     Optional('shipping-phase'): task_description_schema['shipping-phase'],
 })
 
 SIGNING_FORMATS = {
-    'target.complete.mar': ["autograph_mar384"],
+    'target.complete.mar': ["autograph_hash_only_mar384"],
     'target.bz2.complete.mar': ["mar"],
     "target.installer.exe": ["sha2signcode"],
     "target.stub-installer.exe": ["sha2signcodestub"],
 }
 
 
 @transforms.add
 def validate(config, jobs):