tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit 8303ed3a7f526977770a9132a76a2d04f4932f88
parent ff08bedebcc87d1d005d8f01588b9a62bb970837
Author: Sandor Molnar <smolnar@mozilla.com>
Date:   Tue, 23 Dec 2025 14:58:48 +0200

Revert "Bug 2006928 - Skip signing security-module-helper.app on non-Nightly macOS builds. r=haik,releng-reviewers,taskgraph-reviewers,ahal" for causing Mac signing failures

This reverts commit 672bca6089872f9c626e223996923e3e83db3be7.

Diffstat:

Mtaskcluster/config.yml | 12++++--------


Mtaskcluster/gecko_taskgraph/config.py | 1-


Mtaskcluster/gecko_taskgraph/transforms/hardened_signing.py | 14--------------


Mtools/signing/macos/mach_commands.py | 31-------------------------------


4 files changed, 4 insertions(+), 54 deletions(-)

diff --git a/taskcluster/config.yml b/taskcluster/config.yml
@@ -875,16 +875,14 @@ mac-signing:
                   globs:
                       - "/Contents/MacOS/media-plugin-helper.app"
 
+                # Only built in Nightly builds for now. For other builds, the
+                # globs will match nothing, and so nothing will happen.
                 - deep: false
                   runtime: true
                   force: true
                   entitlements: public/build/security/security-module-helper.xml
                   globs:
                       - "/Contents/MacOS/security-module-helper.app"
-                  skip:
-                      by-release-type:
-                          nightly.*: false
-                          default: true
 
                 - deep: false
                   runtime: true
@@ -935,16 +933,14 @@ mac-signing:
                   globs:
                       - "/Contents/MacOS/media-plugin-helper.app"
 
+                # Only built in Nightly builds for now. For other builds, the
+                # globs will match nothing, and so nothing will happen.
                 - deep: false
                   runtime: true
                   force: true
                   entitlements: public/build/security/security-module-helper.xml
                   globs:
                       - "/Contents/MacOS/security-module-helper.app"
-                  skip:
-                      by-release-type:
-                          nightly.*: false
-                          default: true
 
                 - deep: false
                   runtime: true
diff --git a/taskcluster/gecko_taskgraph/config.py b/taskcluster/gecko_taskgraph/config.py
@@ -100,7 +100,6 @@ graph_config_schema = Schema(
                             "build-platform", "project", str
                         ),
                         Required("globs"): [str],
-                        Optional("skip"): optionally_keyed_by("release-type", bool),
                     }
                 ],
             ),
diff --git a/taskcluster/gecko_taskgraph/transforms/hardened_signing.py b/taskcluster/gecko_taskgraph/transforms/hardened_signing.py
@@ -62,20 +62,6 @@ def add_hardened_sign_config(config, jobs):
                         "project": config.params["project"],
                     },
                 )
-            if "skip" in sign_cfg and isinstance(sign_cfg.get("skip"), dict):
-                sign_cfg["skip"] = evaluate_keyed_by(
-                    sign_cfg["skip"],
-                    "skip",
-                    {
-                        "release-type": config.params["release_type"],
-                    },
-                )
-
-        hardened_sign_config = [
-            sign_cfg
-            for sign_cfg in hardened_sign_config
-            if not sign_cfg.pop("skip", False)
-        ]
 
         job["worker"]["hardened-sign-config"] = hardened_sign_config
         job["worker"]["mac-behavior"] = "mac_sign_and_pkg_hardened"
diff --git a/tools/signing/macos/mach_commands.py b/tools/signing/macos/mach_commands.py
@@ -461,31 +461,6 @@ def auto_detect_channel(ctx, app):
         sys.exit(1)
 
 
-# Simulate the resolution of the 'skip' attribute in 'hardened-sign-config' by
-# taskgraph. This only accounts for the current variations for 'skip' found in
-# config.yml. This code must be adapted each time a new variation is added.
-def should_skip_on_channel(signing_group, channel):
-    if "skip" not in signing_group:
-        return False
-    if isinstance(signing_group["skip"], bool):
-        return signing_group["skip"]
-    if (
-        not isinstance(signing_group["skip"], dict)
-        or set(signing_group["skip"].keys()) != {"by-release-type"}
-        or not isinstance(signing_group["skip"]["by-release-type"], dict)
-        or set(signing_group["skip"]["by-release-type"].keys())
-        != {"nightly.*", "default"}
-        or not isinstance(signing_group["skip"]["by-release-type"]["nightly.*"], bool)
-        or not isinstance(signing_group["skip"]["by-release-type"]["default"], bool)
-    ):
-        raise (
-            "Detected a new unhandled variation for the 'skip' attribute, please update should_skip_on_channel"
-        )
-    return signing_group["skip"]["by-release-type"][
-        "nightly.*" if channel == "nightly" else "default"
-    ]
-
-
 def sign_with_codesign(
     ctx,
     verbose_arg,
@@ -503,9 +478,6 @@ def sign_with_codesign(
     ctx.log(logging.INFO, "macos-sign", {}, "Signing with codesign")
 
     for signing_group in signing_groups:
-        if should_skip_on_channel(signing_group, channel):
-            continue
-
         cs_cmd = ["codesign"]
         cs_cmd.append("--sign")
         cs_cmd.append(signing_identity)
@@ -655,9 +627,6 @@ def sign_with_rcodesign(
     temp_files_to_cleanup = []
 
     for signing_group in signing_groups:
-        if should_skip_on_channel(signing_group, channel):
-            continue
-
         # Ignore the 'deep' and 'force' setting for rcodesign
         group_runtime = "runtime" in signing_group and signing_group["runtime"]