DO NOT MERGE - Test signingscript rcodesign

mozilla-releng · Dec 1, 2023 · 8816777 · 8816777
1 parent c94d9b5
commit 8816777
Show file tree

Hide file tree

Showing 27 changed files with 33 additions and 289 deletions.
diff --git a/signing-manifests/2023-new-gpg-subkey-test.yml b/signing-manifests/2023-new-gpg-subkey-test.yml
diff --git a/signing-manifests/bug1751450-nsis-core-ansi.yml b/signing-manifests/bug1751450-nsis-core-ansi.yml
diff --git a/signing-manifests/bug1751450-nsis-core-unicode.yml b/signing-manifests/bug1751450-nsis-core-unicode.yml
diff --git a/signing-manifests/bug1751450.yml b/signing-manifests/bug1751450.yml
diff --git a/signing-manifests/bug1763427b.yml b/signing-manifests/bug1763427b.yml
diff --git a/signing-manifests/bug1769081.yml b/signing-manifests/bug1769081.yml
diff --git a/signing-manifests/bug1774221-2.yml b/signing-manifests/bug1774221-2.yml
diff --git a/signing-manifests/bug1774221-3.yml b/signing-manifests/bug1774221-3.yml
diff --git a/signing-manifests/bug1774221.yml b/signing-manifests/bug1774221.yml
diff --git a/signing-manifests/bug1778996.yml b/signing-manifests/bug1778996.yml
diff --git a/signing-manifests/bug1799220.yml b/signing-manifests/bug1799220.yml
diff --git a/signing-manifests/bug1808742-rm-distribution-mar.yml b/signing-manifests/bug1808742-rm-distribution-mar.yml
diff --git a/signing-manifests/bug1835022-2.yml b/signing-manifests/bug1835022-2.yml
diff --git a/signing-manifests/bug1835022-3.yml b/signing-manifests/bug1835022-3.yml
diff --git a/signing-manifests/bug1835022.yml b/signing-manifests/bug1835022.yml
diff --git a/signing-manifests/bug1843034-2.yml b/signing-manifests/bug1843034-2.yml
diff --git a/signing-manifests/bug1843034.yml b/signing-manifests/bug1843034.yml
diff --git a/signing-manifests/mozregression-macOS.yml b/signing-manifests/mozregression-macOS.yml
diff --git a/signing-manifests/mozregression-windows.yml b/signing-manifests/mozregression-windows.yml
diff --git a/signing-manifests/test-mac-hardened-sign.yml b/signing-manifests/test-mac-hardened-sign.yml
@@ -1,53 +1,58 @@
 ---
 bug: 0000000
-sha256: 5b95d1a32ca449970e49d7a85a8a88294de31ec427e8b6616098b088aeea5ee7
-filesize: 80945464
+sha256: f4fa4fe0e7ca4059e8823894f792ad5488f9c36681b7e8b7fae5de1a163ed516
+filesize: 148668188
 private-artifact: false
-signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"]
-requestor: Haik Aftandilian <haftandilian@mozilla.com>
+signing-formats: ["apple_hardened_signing"]
+requestor: Heitor Neiva <hneiva@mozilla.com>
 reason: Firefox hardened signing per-process entitlements
 product: firefox
 artifact-name: target.dmg
-mac-behavior: mac_sign_and_pkg_hardened
 signingscript-notarization: true
+sign-tool: rcodesign
 hardened-sign-config:
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/plugin-container.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/plugin-container.xml
     globs:
       - "/Contents/MacOS/plugin-container.app"
 
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/media-plugin-helper.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml
     globs:
       - "/Contents/MacOS/media-plugin-helper.app"
 
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/default.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/utility.xml
     globs:
       - "/Contents/MacOS/crashreporter.app"
       - "/Contents/MacOS/updater.app"
       - "/Contents/Library/LaunchServices/org.mozilla.updater"
-      - "/Contents/MacOS/XUL"
       - "/Contents/MacOS/pingsender"
       - "/Contents/MacOS/minidump-analyzer"
+
+  - deep: false
+    runtime: true
+    force: true
+    globs:
+      - "/Contents/MacOS/XUL"
       - "/Contents/MacOS/*.dylib"
       - "/Contents/Resources/gmp-clearkey/*/*.dylib"
 
   - deep: false
     runtime: true
     force: true
-    entitlements: https://hg.mozilla.org/try/raw-file/722d4a7887b701cdef7b8ff81d0273985adada6a/security/mac/hardenedruntime/v2/production/browser.xml
+    entitlements: https://hg.mozilla.org/try/raw-file/tip/security/mac/hardenedruntime/v2/developer/browser.xml
     globs:
       - "/Contents/MacOS/firefox-bin"
       - "/"
 
 fetch:
   type: static-url
   # mozilla-release OS X AArch64 Cross Compiled Shippable
-  url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/LjKBrB4WTiOpm_2A0ljKDQ/runs/0/artifacts/public%2Fbuild%2Ftarget.dmg
+  url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Jcl-M-6qTJmXINrG3fykRw/runs/0/artifacts/public%2Fbuild%2Ftarget.dmg
diff --git a/signing-manifests/test-mac.yml b/signing-manifests/test-mac.yml
diff --git a/signing-manifests/test-notarization-signingscript.yml b/signing-manifests/test-notarization-signingscript.yml
diff --git a/taskcluster/adhoc_taskgraph/signing_manifest.py b/taskcluster/adhoc_taskgraph/signing_manifest.py
@@ -27,8 +27,9 @@
     "autograph_authenticode_sha2_rfc3161_stub",
     "autograph_hash_only_mar384",
     "macapp",
+    "apple_hardened_signing",
     "mac_single_file",
-    "autograph_widevine", 
+    "autograph_widevine",
     "autograph_omnija",
 )
 
@@ -61,6 +62,7 @@
             },
         ),
         Required("manifest_name"): str,
+        Optional("sign-tool"): str,
         Optional("mac-behavior"): str,
         Optional("signingscript-notarization"): bool,
         Optional("hardened-sign-config"): [{str: object}],

diff --git a/taskcluster/adhoc_taskgraph/transforms/signing.py b/taskcluster/adhoc_taskgraph/transforms/signing.py
@@ -29,17 +29,18 @@ def define_signing_flags(config, tasks):
 
         # XXX: hack alert, we're taking a list and turning into a single item
         format_ = ""
-        for f in ("macapp", "mac_single_file"):
+        for f in ("macapp", "mac_single_file", "apple_hardened_signing"):
             if f in task["attributes"]["manifest"]["signing-formats"]:
                 format_ = f
+        sign_tool = task["attributes"]["manifest"].get("sign-tool")
 
         for key in ("worker-type", "worker.signing-type", "index.type"):
             resolve_keyed_by(
                 task,
                 key,
                 item_name=task["name"],
                 level=config.params["level"],
-                format=format_,
+                **{"format": format_, "sign-tool": sign_tool},
             )
         yield task