Bug 1442545: [partner-repack] Sign repacked partner builds; r=Callek, a=release DEVEDITION_60_0b14_BUILD1 DEVEDITION_60_0b14_RELEASE FIREFOX_60_0b14_BUILD2 FIREFOX_60_0b14_RELEASE
authorTom Prince <mozilla@hocat.ca>
Wed, 18 Apr 2018 12:17:09 -0600
changeset 463425 98d5361303491977c2c27ae35f06e8c6a6709bba
parent 463424 0135bba5d76e1355da89313b4c5809cb73114ac4
child 463426 7e6c1f7d66c00eeba98c84ddb7869e7322c47236
push id1683
push usersfraser@mozilla.com
push dateThu, 26 Apr 2018 16:43:40 +0000
reviewersCallek, release
bugs1442545
milestone60.0
Bug 1442545: [partner-repack] Sign repacked partner builds; r=Callek, a=release Differential Revision: https://phabricator.services.mozilla.com/D983
taskcluster/ci/release-eme-free-repack-repackage-signing/kind.yml
taskcluster/ci/release-partner-repack-repackage-signing/kind.yml
taskcluster/docs/kinds.rst
taskcluster/taskgraph/transforms/repackage_signing_partner.py
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/release-eme-free-repack-repackage-signing/kind.yml
@@ -0,0 +1,18 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+   - taskgraph.transforms.name_sanity:transforms
+   - taskgraph.transforms.repackage_signing_partner:transforms
+   - taskgraph.transforms.release_notifications:transforms
+   - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+   - release-eme-free-repack-repackage
+
+only-for-build-platforms:
+   - win32-nightly/opt
+   - win64-nightly/opt
new file mode 100644
--- /dev/null
+++ b/taskcluster/ci/release-partner-repack-repackage-signing/kind.yml
@@ -0,0 +1,18 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+loader: taskgraph.loader.single_dep:loader
+
+transforms:
+   - taskgraph.transforms.name_sanity:transforms
+   - taskgraph.transforms.repackage_signing_partner:transforms
+   - taskgraph.transforms.release_notifications:transforms
+   - taskgraph.transforms.task:transforms
+
+kind-dependencies:
+   - release-partner-repack-repackage
+
+only-for-build-platforms:
+   - win32-nightly/opt
+   - win64-nightly/opt
--- a/taskcluster/docs/kinds.rst
+++ b/taskcluster/docs/kinds.rst
@@ -364,36 +364,44 @@ Chunks the partner repacks by locale.
 release-partner-repack-signing
 ------------------------------
 Internal signing of partner repacks.
 
 release-partner-repack-repackage
 ------------------------------
 Repackaging of partner repacks.
 
+release-partner-repack-repackage-signing
+------------------------------
+External signing of partner repacks.
+
 release-partner-repack-beetmover
 ------------------------------
 Moves the partner repacks to S3 buckets.
 
 release-eme-free-repack
 ----------------------
 Generates customized versions of releases for eme-free repacks.
 
 release-eme-free-repack-signing
 ------------------------------
 Internal signing of eme-free repacks
 
 release-eme-free-repack-repackage
 ------------------------------
 Repackaging of eme-free repacks.
 
+release-eme-free-repack-repackage-signing
+------------------------------
+External signing of eme-free repacks.
 
 release-eme-free-repack-beetmover
 ------------------------------
 Moves the eme-free repacks to S3 buckets.
+
 repackage
 ---------
 Repackage tasks take a signed output and package them up into something suitable
 for shipping to our users. For example, on OSX we return a tarball as the signed output
 and this task would package that up as an Apple Disk Image (.dmg)
 
 repackage-l10n
 --------------
new file mode 100644
--- /dev/null
+++ b/taskcluster/taskgraph/transforms/repackage_signing_partner.py
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"""
+Transform the repackage signing task into an actual task description.
+"""
+
+from __future__ import absolute_import, print_function, unicode_literals
+
+from taskgraph.transforms.base import TransformSequence
+from taskgraph.util.attributes import copy_attributes_from_dependent_job
+from taskgraph.util.partners import check_if_partners_enabled
+from taskgraph.util.schema import validate_schema, Schema
+from taskgraph.util.scriptworker import (
+    add_scope_prefix,
+    get_signing_cert_scope_per_platform,
+)
+from taskgraph.util.taskcluster import get_artifact_path
+from taskgraph.transforms.task import task_description_schema
+from voluptuous import Required, Optional
+
+# Voluptuous uses marker objects as dictionary *keys*, but they are not
+# comparable, so we cast all of the keys back to regular strings
+task_description_schema = {str(k): v for k, v in task_description_schema.schema.iteritems()}
+
+transforms = TransformSequence()
+
+repackage_signing_description_schema = Schema({
+    Required('dependent-task'): object,
+    Required('depname', default='repackage'): basestring,
+    Optional('label'): basestring,
+    Optional('extra'): object,
+    Optional('shipping-product'): task_description_schema['shipping-product'],
+    Optional('shipping-phase'): task_description_schema['shipping-phase'],
+})
+
+transforms.add(check_if_partners_enabled)
+
+
+@transforms.add
+def validate(config, jobs):
+    for job in jobs:
+        label = job.get('dependent-task', object).__dict__.get('label', '?no-label?')
+        validate_schema(
+            repackage_signing_description_schema, job,
+            "In repackage-signing ({!r} kind) task for {!r}:".format(config.kind, label))
+        yield job
+
+
+@transforms.add
+def make_repackage_signing_description(config, jobs):
+    for job in jobs:
+        dep_job = job['dependent-task']
+        repack_id = dep_job.task['extra']['repack_id']
+        attributes = dep_job.attributes
+
+        label = dep_job.label.replace("repackage-", "repackage-signing-")
+        description = (
+            "Signing of repackaged artifacts for partner repack id '{repack_id}' for build '"
+            "{build_platform}/{build_type}'".format(
+                repack_id=repack_id,
+                build_platform=attributes.get('build_platform'),
+                build_type=attributes.get('build_type')
+            )
+        )
+
+        dependencies = {"repackage": dep_job.label}
+
+        signing_dependencies = dep_job.dependencies
+        # This is so we get the build task etc in our dependencies to
+        # have better beetmover support.
+        dependencies.update({k: v for k, v in signing_dependencies.items()
+                             if k != 'docker-image'})
+        attributes = copy_attributes_from_dependent_job(dep_job)
+        attributes['repackage_type'] = 'repackage-signing'
+
+        build_platform = dep_job.attributes.get('build_platform')
+        is_nightly = dep_job.attributes.get('nightly')
+        signing_cert_scope = get_signing_cert_scope_per_platform(
+            build_platform, is_nightly, config
+        )
+        scopes = [signing_cert_scope]
+
+        if 'win' not in build_platform:
+            raise Exception("Repackage signing is not supported for non-Windows partner repacks.")
+
+        upstream_artifacts = [{
+            "taskId": {"task-reference": "<repackage>"},
+            "taskType": "repackage",
+            "paths": [
+                get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
+            ],
+            "formats": ["sha2signcode"]
+        }]
+        scopes.append(add_scope_prefix(config, "signing:format:sha2signcode"))
+
+        task = {
+            'label': label,
+            'description': description,
+            # 'worker-type': get_worker_type_for_scope(config, signing_cert_scope),
+            'worker-type': 'scriptworker-prov-v1/signing-linux-v1',
+            'worker': {'implementation': 'scriptworker-signing',
+                       'upstream-artifacts': upstream_artifacts,
+                       'max-run-time': 3600},
+            'scopes': scopes,
+            'dependencies': dependencies,
+            'attributes': attributes,
+            'run-on-projects': dep_job.attributes.get('run_on_projects'),
+            'extra': {
+                'repack_id': repack_id,
+            }
+        }
+
+        yield task
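Review bot: The task's `worker-type` is hard-coded to `scriptworker-prov-v1/signing-linux-v1`, while the signing certificate scope is computed per platform and project by `get_signing_cert_scope_per_platform`, so the worker pool does not follow the certificate the task requests. The commented-out line directly above suggests the intent was `'worker-type': get_worker_type_for_scope(config, signing_cert_scope),`, which would presumably need importing alongside the other `taskgraph.util.scriptworker` helpers. If the pin is deliberate, a comment saying why would help, because the pairing of worker pool and signing certificate is a release-integrity boundary. Separately, the `'win' not in build_platform` guard runs only after the cert-scope lookup, fails with a TypeError instead of the intended message when the `build_platform` attribute is absent, and is a substring match rather than a prefix match. Placing `if not build_platform or not build_platform.startswith('win'):` before the lookup would be stricter.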