commit 672bca6089872f9c626e223996923e3e83db3be7
parent 5ae1543dc98ac21e17f609f848897272f0384440
Author: Yannis Juglaret <yjuglaret@mozilla.com>
Date: Tue, 23 Dec 2025 10:46:14 +0000
Bug 2006928 - Skip signing security-module-helper.app on non-Nightly macOS builds. r=haik,releng-reviewers,taskgraph-reviewers,ahal
security-module-helper.app is only built on Nightly for the moment, so
signing it should accordingly only be attempted on Nightly builds. This
patch ensures this, by adding a new 'skip' boolean attribute to our
'hardened-sign-config'. This boolean is resolved based on release_type,
which correctly reflects the expected presence or absence of
security-module-helper.app in a build.
Differential Revision: https://phabricator.services.mozilla.com/D277307
Diffstat:
4 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/taskcluster/config.yml b/taskcluster/config.yml
@@ -875,14 +875,16 @@ mac-signing:
globs:
- "/Contents/MacOS/media-plugin-helper.app"
- # Only built in Nightly builds for now. For other builds, the
- # globs will match nothing, and so nothing will happen.
- deep: false
runtime: true
force: true
entitlements: public/build/security/security-module-helper.xml
globs:
- "/Contents/MacOS/security-module-helper.app"
+ skip:
+ by-release-type:
+ nightly.*: false
+ default: true
- deep: false
runtime: true
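Review bot: The comment explaining why this group is conditional ("Only built in Nightly builds for now") is removed and nothing replaces it, so the new `skip:` block is left unexplained to the next reader. Since the block now encodes that same fact, a one-line comment above it, e.g. `# security-module-helper.app is only built on Nightly for now.`, keeps the rationale next to the setting. The hunk at `-933` makes the identical change and would take the same comment. Indentation appears to have been lost in this rendering, so the exact placement of the new keys is inferred.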
@@ -933,14 +935,16 @@ mac-signing:
globs:
- "/Contents/MacOS/media-plugin-helper.app"
- # Only built in Nightly builds for now. For other builds, the
- # globs will match nothing, and so nothing will happen.
- deep: false
runtime: true
force: true
entitlements: public/build/security/security-module-helper.xml
globs:
- "/Contents/MacOS/security-module-helper.app"
+ skip:
+ by-release-type:
+ nightly.*: false
+ default: true
- deep: false
runtime: true
diff --git a/taskcluster/gecko_taskgraph/config.py b/taskcluster/gecko_taskgraph/config.py
@@ -100,6 +100,7 @@ graph_config_schema = Schema(
"build-platform", "project", str
),
Required("globs"): [str],
+ Optional("skip"): optionally_keyed_by("release-type", bool),
}
],
),
diff --git a/taskcluster/gecko_taskgraph/transforms/hardened_signing.py b/taskcluster/gecko_taskgraph/transforms/hardened_signing.py
@@ -62,6 +62,20 @@ def add_hardened_sign_config(config, jobs):
"project": config.params["project"],
},
)
+ if "skip" in sign_cfg and isinstance(sign_cfg.get("skip"), dict):
+ sign_cfg["skip"] = evaluate_keyed_by(
+ sign_cfg["skip"],
+ "skip",
+ {
+ "release-type": config.params["release_type"],
+ },
+ )
+
+ hardened_sign_config = [
+ sign_cfg
+ for sign_cfg in hardened_sign_config
+ if not sign_cfg.pop("skip", False)
+ ]
job["worker"]["hardened-sign-config"] = hardened_sign_config
job["worker"]["mac-behavior"] = "mac_sign_and_pkg_hardened"
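Review bot: The guard `if "skip" in sign_cfg and isinstance(sign_cfg.get("skip"), dict):` is redundant, since `isinstance(sign_cfg.get("skip"), dict)` is already False when the key is absent; `if isinstance(sign_cfg.get("skip"), dict):` says the same thing. The comprehension that follows both filters the list and strips `skip` via `pop`, with a missing key defaulting to "do sign"; that intent is not obvious from the code, so a comment such as `# Drop groups resolved to skip=True; 'skip' is popped so the worker payload never carries it, and an absent key means the group is signed.` would help. add_hardened_sign_config begins outside the hunk, so whether the comprehension sits inside or after the enclosing loop cannot be confirmed here.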
diff --git a/tools/signing/macos/mach_commands.py b/tools/signing/macos/mach_commands.py
@@ -461,6 +461,31 @@ def auto_detect_channel(ctx, app):
sys.exit(1)
+# Simulate the resolution of the 'skip' attribute in 'hardened-sign-config' by
+# taskgraph. This only accounts for the current variations for 'skip' found in
+# config.yml. This code must be adapted each time a new variation is added.
+def should_skip_on_channel(signing_group, channel):
+ if "skip" not in signing_group:
+ return False
+ if isinstance(signing_group["skip"], bool):
+ return signing_group["skip"]
+ if (
+ not isinstance(signing_group["skip"], dict)
+ or set(signing_group["skip"].keys()) != {"by-release-type"}
+ or not isinstance(signing_group["skip"]["by-release-type"], dict)
+ or set(signing_group["skip"]["by-release-type"].keys())
+ != {"nightly.*", "default"}
+ or not isinstance(signing_group["skip"]["by-release-type"]["nightly.*"], bool)
+ or not isinstance(signing_group["skip"]["by-release-type"]["default"], bool)
+ ):
+ raise (
+ "Detected a new unhandled variation for the 'skip' attribute, please update should_skip_on_channel"
+ )
+ return signing_group["skip"]["by-release-type"][
+ "nightly.*" if channel == "nightly" else "default"
+ ]
+
+
def sign_with_codesign(
ctx,
verbose_arg,
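Review bot: `raise (...)` on the unhandled-variation branch raises a bare string, which Python rejects with `TypeError: exceptions must derive from BaseException`, so the intended message is never surfaced; it should be `raise ValueError("Detected a new unhandled variation for the 'skip' attribute, please update should_skip_on_channel")`. The header comment already says this mirrors only the `nightly.*`/`default` variation, but the function also assumes the literal `channel == "nightly"` is the only value that would match `nightly.*`; a short docstring stating that assumption would make the coupling to config.yml explicit. The hunk ends inside the `sign_with_codesign` signature.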
@@ -478,6 +503,9 @@ def sign_with_codesign(
ctx.log(logging.INFO, "macos-sign", {}, "Signing with codesign")
for signing_group in signing_groups:
+ if should_skip_on_channel(signing_group, channel):
+ continue
+
cs_cmd = ["codesign"]
cs_cmd.append("--sign")
cs_cmd.append(signing_identity)
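Review bot: A skipped signing group leaves no trace in the signing log, so an artifact that was expected to be signed but was not gives nothing to audit afterwards. Logging before the `continue`, e.g. `ctx.log(logging.INFO, "macos-sign", {}, f"Skipping signing group on channel {channel}")`, uses the same `ctx.log` call pattern seen just above. The same applies to the rcodesign loop in the hunk at `-627`. Whether `channel` is a parameter of `sign_with_codesign` or a closure variable cannot be confirmed from the hunk, since the function's signature is cut off.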
@@ -627,6 +655,9 @@ def sign_with_rcodesign(
temp_files_to_cleanup = []
for signing_group in signing_groups:
+ if should_skip_on_channel(signing_group, channel):
+ continue
+
# Ignore the 'deep' and 'force' setting for rcodesign
group_runtime = "runtime" in signing_group and signing_group["runtime"]