Bug 1540276: Migrate authenticode signing to autograph r=Callek,mshal

Differential Revision: https://phabricator.services.mozilla.com/D47114

--HG--
extra : moz-landing-system : lando
Chris AtLee 2019-09-30 13:57:32 +00:00
parent cecd7f36da
commit 4a7ce514be
8 changed files with 8 additions and 24 deletions


@ -192,7 +192,7 @@ profiledbuild::
$(MAKE) default MOZ_PROFILE_GENERATE=1 MOZ_LTO=
$(call BUILDSTATUS,TIER_FINISH pgo_profile_generate)
$(call BUILDSTATUS,TIER_START pgo_package)
$(MAKE) package MOZ_INTERNAL_SIGNING_FORMAT= MOZ_EXTERNAL_SIGNING_FORMAT=
$(MAKE) package
rm -f jarlog/en-US.log
$(call BUILDSTATUS,TIER_FINISH pgo_package)
$(call BUILDSTATUS,TIER_START pgo_profile)
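Review bot: The new `$(MAKE) package` line in the pgo_package tier no longer clears `MOZ_INTERNAL_SIGNING_FORMAT`, and nothing visible in this commit retires that variable; only the `MOZ_EXTERNAL_SIGNING_FORMAT` handling is removed from the packaging makefiles. If `MOZ_INTERNAL_SIGNING_FORMAT` can still arrive from the environment or a mozconfig, the instrumented profile-generation package would presumably go through the internal signing path that the old line suppressed. Either keep the override as `$(MAKE) package MOZ_INTERNAL_SIGNING_FORMAT=`, or, once it is confirmed that packaging no longer reads it, say so in a comment such as `# packaging no longer consumes signing-format variables; nothing to clear for the PGO package`. The profiledbuild:: recipe starts and ends outside the hunk.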


@ -207,7 +207,7 @@ Repackage Signing
* Mac & Windows: ``release-partner-repackage`` ``release-eme-free-repackage``
* Linux: ``release-partner-repack-chunking-dummy``
This step GPG signs all platforms, and sha2signcode signs the Windows installer.
This step GPG signs all platforms, and authenticode signs the Windows installer.
Beetmover
^^^^^^^^^
@ -249,4 +249,4 @@ that channel it will fallback to the ``release`` channel. The update files for t
modify the ``distribution/`` directory, so the customizations are not modified.
`Bug 1430254 <https://bugzilla.mozilla.org/show_bug.cgi?id=1430254>`_ is an example of an exception to this
logic.
logic.


@ -107,7 +107,7 @@ is a ``tar.gz``.
individual file or internals of the zipfile, skipping any already-signed files
and a select few blocklisted files (using the `should_sign_windows`_ function).
It returns a signed individual binary or zipfile with signed internals, depending
on the input. This format includes ``authograph_authenticode``, and
on the input. This format includes ``autograph_authenticode``, and
``autograph_authenticode_stub``.
``mar`` signing signs our update files (Mozilla ARchive). ``mar_sha384`` is


@ -95,7 +95,7 @@ def make_repackage_signing_description(config, jobs):
def _craft_upstream_artifacts(dependency_kind, build_platform):
if build_platform.startswith('win'):
signing_format = 'sha2signcode'
signing_format = 'autograph_authenticode'
extension = 'zip'
elif build_platform.startswith('linux'):
signing_format = 'autograph_gpg'
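Review bot: The format name `'autograph_authenticode'` is written as a bare string literal here, and again in the `formats = [...]` line of make_signing_description and in both `"formats"` lists of the partner make_repackage_signing_description. A misspelling in any one of them would presumably surface only when the signing task runs, and the docs hunk in this same commit corrects exactly such a typo (`authograph_authenticode`). A single module-level constant shared by the transforms, for example `WINDOWS_SIGNING_FORMAT = 'autograph_authenticode'`, would keep the four sites in step and make the next format migration a one-line change. _craft_upstream_artifacts continues outside the hunk.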


@ -60,7 +60,7 @@ def make_signing_description(config, jobs):
if 'win' in build_platform:
# job['primary-dependency'].task['payload']['command']
formats = ['sha2signcode']
formats = ['autograph_authenticode']
else:
formats = ['autograph_gpg']


@ -81,7 +81,7 @@ def make_repackage_signing_description(config, jobs):
"paths": [
get_artifact_path(dep_job, "{}/target.installer.exe".format(repack_id)),
],
"formats": ["sha2signcode", "autograph_gpg"]
"formats": ["autograph_authenticode", "autograph_gpg"]
}]
partner_config = get_partner_config_by_kind(config, config.kind)
@ -96,7 +96,7 @@ def make_repackage_signing_description(config, jobs):
get_artifact_path(dep_job, "{}/target.stub-installer.exe".format(
repack_id)),
],
"formats": ["sha2signcode", "autograph_gpg"]
"formats": ["autograph_authenticode", "autograph_gpg"]
})
elif 'mac' in build_platform:
upstream_artifacts = [{
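Review bot: The `target.stub-installer.exe` artifact in the second hunk is given `"formats": ["autograph_authenticode", "autograph_gpg"]`, while the signing documentation touched by this commit lists `autograph_authenticode_stub` as a separate format. If the partner stub installer is meant to be signed with the stub variant, the line should read `"formats": ["autograph_authenticode_stub", "autograph_gpg"]`. If the plain format is intended here, a short comment above the list, such as `# partner stub installers use the regular authenticode format`, would record that the choice was deliberate. make_repackage_signing_description starts and ends outside both hunks, so whether another branch handles the stub case cannot be seen from here.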


@ -133,10 +133,6 @@ ifeq ($(MOZ_PKG_FORMAT),BZ2)
endif
ifeq ($(MOZ_PKG_FORMAT),ZIP)
ifdef MOZ_EXTERNAL_SIGNING_FORMAT
# We can't use sha2signcode on zip files
MOZ_EXTERNAL_SIGNING_FORMAT := $(filter-out sha2signcode,$(MOZ_EXTERNAL_SIGNING_FORMAT))
endif
PKG_SUFFIX = .zip
INNER_MAKE_PACKAGE = $(call py_action,make_zip,'$(MOZ_PKG_DIR)' '$(PACKAGE)')
INNER_UNMAKE_PACKAGE = $(call py_action,make_unzip,$(UNPACKAGE))


@ -33,18 +33,6 @@ endif
include $(topsrcdir)/config/rules.mk
include $(topsrcdir)/toolkit/mozapps/installer/packager.mk
ifdef MOZ_EXTERNAL_SIGNING_FORMAT
# We can't use sha2signcode on mar files
MOZ_EXTERNAL_SIGNING_FORMAT := $(filter-out sha2signcode,$(MOZ_EXTERNAL_SIGNING_FORMAT))
MOZ_EXTERNAL_SIGNING_FORMAT := mar $(MOZ_EXTERNAL_SIGNING_FORMAT)
endif
ifndef MAR_OLD_FORMAT
MAR_SIGN_FORMAT=mar_sha384
else
MAR_SIGN_FORMAT=mar
endif
dir-stage := $(call mkdir_deps,$(STAGE_DIR))
complete-patch:: $(dir-stage)