DO NOT MERGE - Test signingscript rcodesign

signing-manifests/test-mac-hardened-sign.yml

@@ -3,13 +3,13 @@ bug: 0000000
 sha256: 5b95d1a32ca449970e49d7a85a8a88294de31ec427e8b6616098b088aeea5ee7
 filesize: 80945464
 private-artifact: false
-signing-formats: ["macapp", "autograph_widevine", "autograph_omnija"]
-requestor: Haik Aftandilian <haftandilian@mozilla.com>
+signing-formats: ["apple_hardened_signing"]
+requestor: Heitor Neiva <hneiva@mozilla.com>
 reason: Firefox hardened signing per-process entitlements
 product: firefox
 artifact-name: target.dmg
-mac-behavior: mac_sign_and_pkg_hardened
 signingscript-notarization: true
+sign-tool: rcodesign
 hardened-sign-config:
   - deep: false
     runtime: true

taskcluster/adhoc_taskgraph/signing_manifest.py

@@ -27,8 +27,9 @@
     "autograph_authenticode_sha2_rfc3161_stub",
     "autograph_hash_only_mar384",
     "macapp",
+    "apple_hardened_signing",
     "mac_single_file",
-    "autograph_widevine", 
+    "autograph_widevine",
     "autograph_omnija",
 )
 
@@ -61,6 +62,7 @@
             },
         ),
         Required("manifest_name"): str,
+        Optional("sign-tool"): str,
         Optional("mac-behavior"): str,
         Optional("signingscript-notarization"): bool,
         Optional("hardened-sign-config"): [{str: object}],

taskcluster/adhoc_taskgraph/transforms/signing.py

@@ -29,17 +29,18 @@ def define_signing_flags(config, tasks):
 
         # XXX: hack alert, we're taking a list and turning into a single item
         format_ = ""
-        for f in ("macapp", "mac_single_file"):
+        for f in ("macapp", "mac_single_file", "apple_hardened_signing"):
             if f in task["attributes"]["manifest"]["signing-formats"]:
                 format_ = f
+        sign_tool = task["attributes"]["manifest"].get("sign-tool")
 
         for key in ("worker-type", "worker.signing-type", "index.type"):
             resolve_keyed_by(
                 task,
                 key,
                 item_name=task["name"],
                 level=config.params["level"],
-                format=format_,
+                **{"format": format_, "sign-tool": sign_tool},
             )
         yield task
 

taskcluster/adhoc_taskgraph/worker_types.py

@@ -46,6 +46,7 @@ def _set_task_scopes(config, worker, task_def):
             }
         ],
         Optional("product"): str,
+        Optional("hardened-sign-config"): [{str: object}],
     },
 )
 def build_scriptworker_signing_payload(config, task, task_def):
@@ -58,8 +59,9 @@ def build_scriptworker_signing_payload(config, task, task_def):
         "upstreamArtifacts": worker["upstream-artifacts"],
     }
 
-    if "product" in worker:
-        task_def["payload"]["product"] = worker["product"]
+    for key in ("product", "hardened-sign-config"):
+        if key in worker:
+            task_def["payload"][key] = worker[key]
 
     _set_task_scopes(config, worker, task_def)
 

taskcluster/ci/config.yml

@@ -41,7 +41,7 @@ workers:
             provisioner: scriptworker-k8s
             implementation: scriptworker-signing
             os: scriptworker
-            worker-type: adhoc-t-signing
+            worker-type: adhoc-t-signing-dev
         signing:
             provisioner: scriptworker-k8s
             implementation: scriptworker-signing

taskcluster/ci/dep-signing/kind.yml

@@ -19,9 +19,12 @@ task-template:
     index:
         type: dep-signing
     worker-type:
-        by-format:
-            mac.*: mac-signing
-            default: dep-signing
+        by-sign-tool:
+            rcodesign: dep-signing
+            default:
+                by-format:
+                    mac.*: mac-signing
+                    default: dep-signing
     worker:
         signing-type: dep-signing
         max-run-time: 3600