Bug 1540276: Switch to autograph for windows signing r=Callek a=release
authorChris AtLee <catlee@mozilla.com>
Thu, 29 Aug 2019 01:18:27 +0000
changeset 555684 a0c03214c1d5e58b6a0255a30b67c155a05bcb76
parent 555683 e19149a8ab7d79a0d66ef2d091558ef051b70a8f
child 555685 2d7eef3ae040515738746128dcbf718b8cfee1bb
push id2186
push usermtabara@mozilla.com
push dateMon, 04 Nov 2019 21:44:17 +0000
treeherdermozilla-release@2d7eef3ae040 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersCallek, release
bugs1540276
milestone70.0.2
Bug 1540276: Switch to autograph for windows signing r=Callek a=release Differential Revision: https://phabricator.services.mozilla.com/D43829
taskcluster/docs/signing.rst
taskcluster/taskgraph/transforms/repackage_signing.py
taskcluster/taskgraph/util/signed_artifacts.py
--- a/taskcluster/docs/signing.rst
+++ b/taskcluster/docs/signing.rst
@@ -98,22 +98,22 @@ files.
 ``jar`` signing is Android apk signing. After signing, we ``zipalign`` the apk.
 This includes the ``focus-jar`` format, which is just a way to specify a different
 set of keys for the Focus app.
 
 ``macapp`` signing accepts either a ``dmg`` or ``tar.gz``; it converts ``dmg``
 files to ``tar.gz`` before submitting to the signing server. The signed binary
 is a ``tar.gz``.
 
-``signcode`` signing takes individual binaries or a zipfile. We sign the
+``authenticode`` signing takes individual binaries or a zipfile. We sign the
 individual file or internals of the zipfile, skipping any already-signed files
 and a select few blocklisted files (using the `should_sign_windows`_ function).
 It returns a signed individual binary or zipfile with signed internals, depending
-on the input. This format includes ``signcode``, ``osslsigncode``,
-``sha2signcode``, and ``sha2signcodestub``.
+on the input. This format includes ``authograph_authenticode``, and
+``autograph_authenticode_stub``.
 
 ``mar`` signing signs our update files (Mozilla ARchive). ``mar_sha384`` is
 the same, but with a different hashing algorithm.
 
 ``autograph_widevine`` is also video-related; see the
 `widevine site`_. We sign specific files inside the package and rebuild the
 ``precomplete`` file that we use for updates.
 
--- a/taskcluster/taskgraph/transforms/repackage_signing.py
+++ b/taskcluster/taskgraph/transforms/repackage_signing.py
@@ -23,19 +23,19 @@ repackage_signing_description_schema = s
     Required('depname', default='repackage'): basestring,
     Optional('label'): basestring,
     Optional('treeherder'): task_description_schema['treeherder'],
     Optional('shipping-product'): task_description_schema['shipping-product'],
     Optional('shipping-phase'): task_description_schema['shipping-phase'],
 })
 
 SIGNING_FORMATS = {
-    "target.installer.exe": ["sha2signcode"],
-    "target.stub-installer.exe": ["sha2signcodestub"],
-    "target.installer.msi": ["sha2signcode"],
+    "target.installer.exe": ["autograph_authenticode"],
+    "target.stub-installer.exe": ["autograph_authenticode_stub"],
+    "target.installer.msi": ["autograph_authenticode"],
 }
 
 transforms = TransformSequence()
 transforms.add_validate(repackage_signing_description_schema)
 
 
 @transforms.add
 def make_repackage_signing_description(config, jobs):
--- a/taskcluster/taskgraph/util/signed_artifacts.py
+++ b/taskcluster/taskgraph/util/signed_artifacts.py
@@ -62,22 +62,22 @@ def generate_specifications_of_artifacts
                 'artifacts': [get_artifact_path(job, 'ja-JP-mac/target.langpack.xpi')],
                 'formats': ['autograph_langpack'],
             }]
     elif 'win' in build_platform:
         artifacts_specifications = [{
             'artifacts': [
                 get_artifact_path(job, '{locale}/setup.exe'),
             ],
-            'formats': ['sha2signcode'],
+            'formats': ['autograph_authenticode'],
         }, {
             'artifacts': [
                 get_artifact_path(job, '{locale}/target.zip'),
             ],
-            'formats': ['sha2signcode', 'autograph_widevine', 'autograph_omnija'],
+            'formats': ['autograph_authenticode', 'autograph_widevine', 'autograph_omnija'],
         }]
 
         if use_stub:
             artifacts_specifications[0]['artifacts'] += [
                 get_artifact_path(job, '{locale}/setup-stub.exe')
             ]
     elif 'linux' in build_platform:
         artifacts_specifications = [{