forked from mirrors/gecko-dev
b3493133fe
Sign language packs via Autograph instead of AMO. Differential Revision: https://phabricator.services.mozilla.com/D38149 --HG-- extra : moz-landing-system : lando
151 lines
5.4 KiB
Python
151 lines
5.4 KiB
Python
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
"""
|
|
Defines artifacts to sign before repackage.
|
|
"""
|
|
|
|
from __future__ import absolute_import, print_function, unicode_literals
|
|
from taskgraph.util.taskcluster import get_artifact_path
|
|
from taskgraph.util.declarative_artifacts import get_geckoview_upstream_artifacts
|
|
|
|
|
|
LANGPACK_SIGN_PLATFORMS = { # set
|
|
'linux64-shippable', 'linux64-devedition-nightly',
|
|
'macosx64-shippable', 'macosx64-devedition-nightly',
|
|
}
|
|
|
|
|
|
def is_partner_kind(kind):
|
|
if kind and kind.startswith(('release-partner', 'release-eme-free')):
|
|
return True
|
|
|
|
|
|
def generate_specifications_of_artifacts_to_sign(
|
|
config, job, keep_locale_template=True, kind=None,
|
|
):
|
|
build_platform = job['attributes'].get('build_platform')
|
|
use_stub = job['attributes'].get('stub-installer')
|
|
# Get locales to know if we want to sign ja-JP-mac langpack
|
|
locales = job["attributes"].get('chunk_locales', [])
|
|
if kind == 'release-source-signing':
|
|
artifacts_specifications = [{
|
|
'artifacts': [
|
|
get_artifact_path(job, 'source.tar.xz')
|
|
],
|
|
'formats': ['autograph_gpg'],
|
|
}]
|
|
elif 'android' in build_platform:
|
|
artifacts_specifications = [{
|
|
'artifacts': [
|
|
get_artifact_path(job, '{locale}/target.apk'),
|
|
],
|
|
'formats': ['autograph_apk_fennec_sha1'],
|
|
}, {
|
|
'artifacts': get_geckoview_artifacts_to_sign(config, job),
|
|
'formats': ['autograph_gpg'],
|
|
}]
|
|
# XXX: Mars aren't signed here (on any platform) because internals will be
|
|
# signed at after this stage of the release
|
|
elif 'macosx' in build_platform:
|
|
if is_partner_kind(kind):
|
|
extension = 'tar.gz'
|
|
else:
|
|
extension = 'dmg'
|
|
artifacts_specifications = [{
|
|
'artifacts': [get_artifact_path(job, '{{locale}}/target.{}'.format(extension))],
|
|
'formats': ['macapp', 'autograph_widevine', 'autograph_omnija'],
|
|
}]
|
|
|
|
if 'ja-JP-mac' in locales and build_platform in LANGPACK_SIGN_PLATFORMS:
|
|
artifacts_specifications += [{
|
|
'artifacts': [get_artifact_path(job, 'ja-JP-mac/target.langpack.xpi')],
|
|
'formats': ['autograph_langpack'],
|
|
}]
|
|
elif 'win' in build_platform:
|
|
artifacts_specifications = [{
|
|
'artifacts': [
|
|
get_artifact_path(job, '{locale}/setup.exe'),
|
|
],
|
|
'formats': ['sha2signcode'],
|
|
}, {
|
|
'artifacts': [
|
|
get_artifact_path(job, '{locale}/target.zip'),
|
|
],
|
|
'formats': ['sha2signcode', 'autograph_widevine', 'autograph_omnija'],
|
|
}]
|
|
|
|
if use_stub:
|
|
artifacts_specifications[0]['artifacts'] += [
|
|
get_artifact_path(job, '{locale}/setup-stub.exe')
|
|
]
|
|
elif 'linux' in build_platform:
|
|
artifacts_specifications = [{
|
|
'artifacts': [get_artifact_path(job, '{locale}/target.tar.bz2')],
|
|
'formats': ['autograph_gpg', 'autograph_widevine', 'autograph_omnija'],
|
|
}]
|
|
if build_platform in LANGPACK_SIGN_PLATFORMS:
|
|
artifacts_specifications += [{
|
|
'artifacts': [get_artifact_path(job, '{locale}/target.langpack.xpi')],
|
|
'formats': ['autograph_langpack'],
|
|
}]
|
|
else:
|
|
raise Exception("Platform not implemented for signing")
|
|
|
|
if not keep_locale_template:
|
|
artifacts_specifications = _strip_locale_template(artifacts_specifications)
|
|
|
|
if is_partner_kind(kind):
|
|
artifacts_specifications = _strip_widevine_for_partners(artifacts_specifications)
|
|
|
|
return artifacts_specifications
|
|
|
|
|
|
def _strip_locale_template(artifacts_without_locales):
|
|
for spec in artifacts_without_locales:
|
|
for index, artifact in enumerate(spec['artifacts']):
|
|
stripped_artifact = artifact.format(locale='')
|
|
stripped_artifact = stripped_artifact.replace('//', '/')
|
|
spec['artifacts'][index] = stripped_artifact
|
|
|
|
return artifacts_without_locales
|
|
|
|
|
|
def _strip_widevine_for_partners(artifacts_specifications):
|
|
""" Partner repacks should not resign that's previously signed for fear of breaking partial
|
|
updates
|
|
"""
|
|
for spec in artifacts_specifications:
|
|
if 'autograph_widevine' in spec['formats']:
|
|
spec['formats'].remove('autograph_widevine')
|
|
if 'autograph_omnija' in spec['formats']:
|
|
spec['formats'].remove('autograph_omnija')
|
|
|
|
return artifacts_specifications
|
|
|
|
|
|
def get_signed_artifacts(input, formats, behavior=None):
|
|
"""
|
|
Get the list of signed artifacts for the given input and formats.
|
|
"""
|
|
artifacts = set()
|
|
if input.endswith('.dmg'):
|
|
artifacts.add(input.replace('.dmg', '.tar.gz'))
|
|
if behavior and behavior != "mac_sign":
|
|
artifacts.add(input.replace('.dmg', '.pkg'))
|
|
else:
|
|
artifacts.add(input)
|
|
if 'autograph_gpg' in formats:
|
|
artifacts.add('{}.asc'.format(input))
|
|
|
|
return artifacts
|
|
|
|
|
|
def get_geckoview_artifacts_to_sign(config, job):
|
|
upstream_artifacts = get_geckoview_upstream_artifacts(config, job)
|
|
return [
|
|
path
|
|
for upstream_artifact in upstream_artifacts
|
|
for path in upstream_artifact['paths']
|
|
if not path.endswith('.md5') and not path.endswith('.sha1')
|
|
]
|