PR changes

signingscript/Dockerfile

@@ -24,13 +24,9 @@ COPY ["version.jso[n]", "/app/"]
 # Install msix
 # Install rcodesign
 RUN chown -R app:app /app \
- && cd /app/scriptworker_client \
- && pip install /app/scriptworker_client \
- && pip install -r requirements/base.txt \
- && pip install . \
  && cd /app/signingscript/docker.d \
  && bash build_libdmg_hfsplus.sh /usr/bin \
- && bash build_rcodesign.sh /usr/bin \
+ && bash install_rcodesign.sh /usr/bin \
  && bash build_msix_packaging.sh
 
 # Set user and workdir
@@ -39,8 +35,8 @@ WORKDIR /app
 
 # Install signingscript + configloader + widevine
 RUN python -m venv /app \
- && cd signingscript \
  && /app/bin/pip install /app/scriptworker_client \
+ && cd signingscript \
  && /app/bin/pip install -r requirements/base.txt \
  && /app/bin/pip install . \
  && python -m venv /app/configloader_venv \

signingscript/docker.d/apple_signing_creds.yml

@@ -10,15 +10,15 @@ in:
     $match:
       'ENV == "prod" && scope_prefix':
         '${scope_prefix[0]}cert:release-signing':
-          - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"}
-            "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_CREDENTIALS"}
-            "password": {"$eval": "APPLE_SIGNING_CREDS_PASSWORD"}
+          - "app_pkcs12_bundle": {"$eval": "APPLE_APP_SIGNING_PKCS12"}
+            "installer_pkcs12_bundle": {"$eval": "APPLE_INSTALLER_SIGNING_PKCS12"}
+            "pkcs12_password": {"$eval": "APPLE_SIGNING_PKCS12_PASSWORD"}
         '${scope_prefix[0]}cert:nightly-signing':
-          - "app_credentials": {"$eval": "APPLE_APP_SIGNING_CREDENTIALS"}
-            "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_CREDENTIALS"}
-            "password": {"$eval": "APPLE_SIGNING_CREDS_PASSWORD"}
+          - "app_pkcs12_bundle": {"$eval": "APPLE_APP_SIGNING_PKCS12"}
+            "installer_pkcs12_bundle": {"$eval": "APPLE_INSTALLER_SIGNING_PKCS12"}
+            "pkcs12_password": {"$eval": "APPLE_SIGNING_PKCS12_PASSWORD"}
       'ENV != "prod" && scope_prefix':
         '${scope_prefix[0]}cert:dep-signing':
-          - "app_credentials": {"$eval": "APPLE_APP_SIGNING_DEP_CREDENTIALS"}
-            "installer_credentials": {"$eval": "APPLE_INSTALLER_SIGNING_DEP_CREDENTIALS"}
-            "password": {"$eval": "APPLE_SIGNING_DEP_CREDS_PASSWORD"}
+          - "app_pkcs12_bundle": {"$eval": "APPLE_APP_SIGNING_DEP_PKCS12"}
+            "installer_pkcs12_bundle": {"$eval": "APPLE_INSTALLER_SIGNING_DEP_PKCS12"}
+            "pkcs12_password": {"$eval": "APPLE_SIGNING_DEP_PKCS12_PASSWORD"}

signingscript/src/signingscript/script.py

@@ -143,33 +143,33 @@ def setup_apple_signing_credentials(context):
     if len(scope_credentials) != 1:
         raise SigningScriptError("There should only be 1 scope credential, %s found." % len(scope_credentials))
 
-    context.apple_app_signing_creds_path = os.path.join(
+    context.apple_app_signing_pkcs12_path = os.path.join(
         os.path.dirname(context.config["apple_signing_configs"]),
         "apple_app_signing_creds.p12",
     )
-    unlink(context.apple_app_signing_creds_path)
-    context.apple_installer_signing_creds_path = os.path.join(
+    unlink(context.apple_app_signing_pkcs12_path)
+    context.apple_installer_signing_pkcs12_path = os.path.join(
         os.path.dirname(context.config["apple_signing_configs"]),
         "apple_installer_signing_creds.p12",
     )
-    unlink(context.apple_installer_signing_creds_path)
-    context.apple_signing_creds_pass_path = os.path.join(
+    unlink(context.apple_installer_signing_pkcs12_path)
+    context.apple_signing_pkcs12_pass_path = os.path.join(
         os.path.dirname(context.config["apple_signing_configs"]),
         "apple_signing_creds_pass.passwd",
     )
-    unlink(context.apple_signing_creds_pass_path)
+    unlink(context.apple_signing_pkcs12_pass_path)
 
     # Convert dataclass to dict so json module can read it
     creds_config = asdict(scope_credentials[0])
-    _write_text(context.apple_app_signing_creds_path, base64.b64decode(creds_config["app_credentials"]))
+    _write_text(context.apple_app_signing_pkcs12_path, base64.b64decode(creds_config["app_credentials"]))
 
     # Defaults to using the app credentials (ie: on Try)
     if creds_config.get("installer_credentials"):
-        _write_text(context.apple_installer_signing_creds_path, base64.b64decode(creds_config["installer_credentials"]))
+        _write_text(context.apple_installer_signing_pkcs12_path, base64.b64decode(creds_config["installer_credentials"]))
     else:
-        context.apple_installer_signing_creds_path = context.apple_app_signing_creds_path
+        context.apple_installer_signing_pkcs12_path = context.apple_app_signing_pkcs12_path
 
-    _write_text(context.apple_signing_creds_pass_path, creds_config["password"])
+    _write_text(context.apple_signing_pkcs12_pass_path, creds_config["password"])
 
 
 def main():

signingscript/src/signingscript/sign.py

@@ -1657,12 +1657,13 @@ async def apple_app_hardened_sign(context, path, *args, **kwargs):
     for file in os.scandir(signing_dir):
         if file.is_dir() and file.name.endswith(".app"):
             # Developer ID Application certificate
-            creds = context.apple_app_signing_creds_path
+            creds = context.apple_app_signing_pkcs12_path
         elif file.is_file() and file.name.endswith(".pkg"):
             # Use installer credentials
-            creds = context.apple_installer_signing_creds_path
+            creds = context.apple_installer_signing_pkcs12_path
         else:
             # If not pkg AND not a directory (.app) - then skip file
+            log.info(f"Skipping unsupported file at root: {file.path}")
             continue
 
         bundle_path = os.path.join(signing_dir, file.path)
@@ -1679,7 +1680,7 @@ async def apple_app_hardened_sign(context, path, *args, **kwargs):
             context.config["work_dir"],
             bundle_path,
             creds,
-            context.apple_signing_creds_pass_path,
+            context.apple_signing_pkcs12_pass_path,
             hardened_sign_config,
         )
         signed = True

signingscript/tests/conftest.py

@@ -59,8 +59,8 @@ def context(tmpdir):
     context.config["apple_signing_configs"] = APPLE_CONFIG_PATH
     context.autograph_configs = load_autograph_configs(SERVER_CONFIG_PATH)
     context.apple_credentials_path = os.path.join(tmpdir, "fakepath")
-    context.apple_app_signing_creds_path = os.path.join(tmpdir, "apple_app.p12")
-    context.apple_installer_signing_creds_path = os.path.join(tmpdir, "apple_installer.p12")
+    context.apple_app_signing_pkcs12_path = os.path.join(tmpdir, "apple_app.p12")
+    context.apple_installer_signing_pkcs12_path = os.path.join(tmpdir, "apple_installer.p12")
     context.apple_signing_creds_path = os.path.join(tmpdir, "apple_p12.passwd")
     mkdir(context.config["work_dir"])
     mkdir(context.config["artifact_dir"])

signingscript/tests/test_rcodesign.py

@@ -179,8 +179,8 @@ async def test_rcodesign_sign(context, mocker):
     app_path.mkdir()
     (app_path / "samplefile").touch()
     (app_path / "samplefile2").touch()
-    context.apple_app_signing_creds_path = workdir / "test_cred.p12"
-    context.apple_signing_creds_pass_path = workdir / "test_cred.passwd"
+    context.apple_app_signing_pkcs12_path = workdir / "test_cred.p12"
+    context.apple_signing_pkcs12_pass_path = workdir / "test_cred.passwd"
     entitlement_file = workdir / "test.xml"
     entitlement_file.touch()
 
@@ -204,8 +204,8 @@ async def test_rcodesign_sign(context, mocker):
     await rcodesign.rcodesign_sign(
         context.config["work_dir"],
         str(app_path),
-        context.apple_app_signing_creds_path,
-        context.apple_signing_creds_pass_path,
+        context.apple_app_signing_pkcs12_path,
+        context.apple_signing_pkcs12_pass_path,
         hardened_sign_config,
     )
     download.assert_called_once()