signed_artifacts.py (6313B)
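# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
"""
Defines artifacts to sign before repackage.
"""

from taskgraph.util.taskcluster import get_artifact_path

from gecko_taskgraph.util.declarative_artifacts import get_geckoview_upstream_artifacts

# Build platforms for which a langpack XPI signing specification is emitted.
LANGPACK_SIGN_PLATFORMS = {  # set
    "linux64-shippable",
    "linux64-devedition",
    "macosx64-shippable",
    "macosx64-devedition",
}


def is_partner_kind(kind):
    """Return True when *kind* starts with a partner or EME-free release prefix.

    A missing or empty kind yields False.
    """
    return bool(kind) and kind.startswith(("release-partner", "release-eme-free"))


def is_notarization_kind(kind):
    """Return True when *kind* contains the substring "notarization".

    A missing or empty kind yields False.
    """
    return bool(kind) and "notarization" in kind


def is_mac_signing_king(kind):
    """Return True when *kind* contains the substring "mac-signing".

    A missing or empty kind yields False. The spelling of the function name
    is kept as-is because code outside this file may import it.
    """
    return bool(kind) and "mac-signing" in kind


def generate_specifications_of_artifacts_to_sign(
    config, job, keep_locale_template=True, kind=None, dep_kind=None
):
    """Build the list of signing specifications for *job*.

    Each specification is a dict with two keys: "artifacts" (artifact paths,
    possibly containing a "{locale}" placeholder) and "formats" (the signing
    format names requested for those artifacts). The branch taken depends on
    *kind* and on the job's "build_platform" attribute.

    Args:
        config: transform config; ``config.kind`` selects the notarization
            branch on macOS and ``config.kind_dependencies_tasks`` is read on
            Linux.
        job: job dict; its "attributes" and (on Linux) "dependencies" are read.
        keep_locale_template: when False, the "{locale}" placeholder is
            formatted out of every artifact path.
        kind: kind name used for the source-signing and partner checks.
        dep_kind: key into ``job["dependencies"]``; only read on Linux.

    Returns:
        A list of specification dicts as described above.

    Raises:
        Exception: when the build platform matches none of the known
            platform substrings.
    """
    # NOTE(review): the format names below are opaque strings in this file and
    # all carry a hard-coded "gcp_prod_" prefix; what each one maps to, and
    # whether lower-trust tasks get different formats, is decided elsewhere.
    # Confirm that in the consumer of these specifications.
    attributes = job["attributes"]
    build_platform = attributes.get("build_platform")
    use_stub = attributes.get("stub-installer")
    # Get locales to know if we want to sign ja-JP-mac langpack
    locales = attributes.get("chunk_locales", [])

    # The source-signing check comes first, so it does not depend on
    # build_platform. For every other kind a missing build_platform makes the
    # substring tests below raise TypeError.
    if kind == "release-source-signing":
        artifacts_specifications = [
            {
                "artifacts": [get_artifact_path(job, "source.tar.xz")],
                "formats": ["gcp_prod_autograph_gpg"],
            }
        ]
    elif "android" in build_platform:
        artifacts_specifications = [
            {
                "artifacts": get_geckoview_artifacts_to_sign(config, job),
                "formats": ["gcp_prod_autograph_gpg"],
            }
        ]
    # XXX: MARs aren't signed here (on any platform) because internals will be
    # signed after this stage of the release
    elif "macosx" in build_platform:
        # Stays empty for notarization kinds, so a ja-JP-mac langpack entry
        # added below would then carry no formats.
        langpack_formats = []
        # This check reads config.kind, while the partner checks use the
        # `kind` argument.
        if is_notarization_kind(config.kind):
            formats = ["apple_notarization_stacked"]
            artifacts_specifications = [
                {
                    "artifacts": [
                        get_artifact_path(job, "{locale}/target.tar.gz"),
                        get_artifact_path(job, "{locale}/target.pkg"),
                    ],
                    "formats": formats,
                }
            ]
        else:
            # This task is mac-signing
            extension = "tar.gz" if is_partner_kind(kind) else "dmg"
            artifacts_specifications = [
                {
                    "artifacts": [
                        get_artifact_path(job, f"{{locale}}/target.{extension}")
                    ],
                    "formats": ["macapp", "gcp_prod_autograph_widevine"],
                }
            ]
            langpack_formats = ["gcp_prod_autograph_langpack"]

        if "ja-JP-mac" in locales and build_platform in LANGPACK_SIGN_PLATFORMS:
            artifacts_specifications += [
                {
                    "artifacts": [
                        get_artifact_path(job, "ja-JP-mac/target.langpack.xpi")
                    ],
                    "formats": langpack_formats,
                }
            ]
    elif "win" in build_platform:
        artifacts_specifications = [
            {
                "artifacts": [
                    get_artifact_path(job, "{locale}/setup.exe"),
                ],
                "formats": ["gcp_prod_autograph_authenticode_202412"],
            },
            {
                "artifacts": [
                    get_artifact_path(job, "{locale}/target.zip"),
                ],
                "formats": [
                    "gcp_prod_autograph_authenticode_202412",
                    "gcp_prod_autograph_widevine",
                ],
            },
        ]

        if use_stub:
            # The stub installer joins setup.exe in the authenticode-only spec.
            artifacts_specifications[0]["artifacts"] += [
                get_artifact_path(job, "{locale}/setup-stub.exe")
            ]
    elif "linux" in build_platform:
        artifacts_specifications = [
            {
                "artifacts": [get_artifact_path(job, "{locale}/target.tar.xz")],
                "formats": ["gcp_prod_autograph_gpg", "gcp_prod_autograph_widevine"],
            }
        ]
        # dep_kind must be a key of job["dependencies"] on this path; the
        # default of None raises KeyError unless such a key exists.
        dep_job = config.kind_dependencies_tasks[job["dependencies"][dep_kind]]
        if build_platform in LANGPACK_SIGN_PLATFORMS and not dep_job.attributes.get(
            "artifact-build"
        ):
            artifacts_specifications += [
                {
                    "artifacts": [
                        get_artifact_path(job, "{locale}/target.langpack.xpi")
                    ],
                    "formats": ["gcp_prod_autograph_langpack"],
                }
            ]
    else:
        # Unknown platforms fail here rather than yielding an empty list.
        raise Exception("Platform not implemented for signing")

    if not keep_locale_template:
        artifacts_specifications = _strip_locale_template(artifacts_specifications)

    if is_partner_kind(kind):
        artifacts_specifications = _strip_widevine_for_partners(
            artifacts_specifications
        )

    return artifacts_specifications


def _strip_locale_template(artifacts_without_locales):
    """Format the "{locale}" placeholder out of every artifact path, in place.

    The placeholder is replaced by an empty string and any resulting "//" is
    collapsed to "/". The same list object is returned.
    """
    for spec in artifacts_without_locales:
        paths = spec["artifacts"]
        for index, artifact in enumerate(paths):
            paths[index] = artifact.format(locale="").replace("//", "/")

    return artifacts_without_locales


def _strip_widevine_for_partners(artifacts_specifications):
    """Remove the widevine format from every specification, in place.

    Partner repacks should not re-sign what was previously signed, for fear
    of breaking partial updates. The same list object is returned.
    """
    widevine = "gcp_prod_autograph_widevine"
    for spec in artifacts_specifications:
        formats = spec["formats"]
        if widevine in formats:
            # list.remove drops the first occurrence only; the specifications
            # built in this file list each format at most once.
            formats.remove(widevine)

    return artifacts_specifications


def get_geckoview_artifacts_to_sign(config, job):
    """Return the geckoview artifact paths to sign for *job*.

    Upstream artifacts are gathered for each entry of the job's
    "maven_packages" attribute, and their "paths" are flattened into one list.
    Paths ending in ".md5" or ".sha1" are left out of the result.
    """
    upstream_artifacts = []
    for package in job["attributes"]["maven_packages"]:
        upstream_artifacts.extend(
            get_geckoview_upstream_artifacts(config, job, package)
        )

    # presumably the .md5/.sha1 entries are checksum sidecars; how they are
    # produced is not visible in this file
    return [
        path
        for upstream_artifact in upstream_artifacts
        for path in upstream_artifact["paths"]
        if not path.endswith((".md5", ".sha1"))
    ]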