def test_task_signing_formats_support_several_projects(context): context.config['taskcluster_scope_prefixes'] = [ 'project:mobile:focus:releng:signing:', 'project:mobile:fenix:releng:signing:', ] context.task = { "payload": { "upstreamArtifacts": [{ "formats": ["focus-jar"] }] }, 'scopes': [ 'project:mobile:focus:releng:signing:cert:dep-signing', ] } assert {'focus-jar'} == stask.task_signing_formats(context) context.task = { "payload": { "upstreamArtifacts": [{ "formats": ["autograph_fenix"] }] }, 'scopes': [ 'project:mobile:fenix:releng:signing:cert:dep-signing', ] } assert {'autograph_fenix'} == stask.task_signing_formats(context)
def test_task_signing_formats_support_several_projects(context): context.config["taskcluster_scope_prefixes"] = [ "project:mobile:focus:releng:signing:", "project:mobile:fenix:releng:signing:" ] context.task = { "payload": { "upstreamArtifacts": [{ "formats": ["focus-jar"] }] }, "scopes": ["project:mobile:focus:releng:signing:cert:dep-signing"] } assert {"focus-jar"} == stask.task_signing_formats(context) context.task = { "payload": { "upstreamArtifacts": [{ "formats": ["autograph_fenix"] }] }, "scopes": ["project:mobile:fenix:releng:signing:cert:dep-signing"] } assert {"autograph_fenix"} == stask.task_signing_formats(context)
async def async_main(context): work_dir = context.config['work_dir'] context.task = scriptworker.client.get_task(context.config) log.info("validating task") validate_task_schema(context) context.signing_servers = load_signing_server_config(context) cert_type = task_cert_type(context.task) signing_formats = task_signing_formats(context.task) # TODO scriptworker needs to validate CoT artifact # Use standard SSL for downloading files. with aiohttp.ClientSession() as base_ssl_session: orig_session = context.session context.session = base_ssl_session file_urls = context.task["payload"]["unsignedArtifacts"] filelist = await download_artifacts(context, file_urls) context.session = orig_session log.info("getting token") await get_token(context, os.path.join(work_dir, 'token'), cert_type, signing_formats) for filepath in filelist: log.info("signing %s", filepath) source = os.path.join(work_dir, filepath) await sign_file(context, source, cert_type, signing_formats, context.config["ssl_cert"]) sigfiles = detached_sigfiles(filepath, signing_formats) copy_to_artifact_dir(context, source, target=filepath) for sigpath in sigfiles: copy_to_artifact_dir(context, os.path.join(work_dir, sigpath), target=sigpath) log.info("Done!")
def test_task_signing_formats(context): context.task = { "scopes": [ TEST_CERT_TYPE, "project:releng:signing:format:mar", "project:releng:signing:format:gpg" ] } assert ["mar", "gpg"] == stask.task_signing_formats(context)
def test_task_signing_formats(context): context.task = { "payload": { "upstreamArtifacts": [{ "formats": ["mar", "gpg"] }] }, "scopes": [TEST_CERT_TYPE] } assert {"mar", "gpg"} == stask.task_signing_formats(context)
async def async_main(context): """Sign all the things. Args: context (Context): the signing context. """ connector = _craft_aiohttp_connector(context) async with aiohttp.ClientSession(connector=connector) as session: context.session = session work_dir = context.config['work_dir'] context.signing_servers = load_signing_server_config(context) all_signing_formats = task_signing_formats(context) if 'gpg' in all_signing_formats or 'autograph_gpg' in all_signing_formats: if not context.config.get('gpg_pubkey'): raise Exception( "GPG format is enabled but gpg_pubkey is not defined") if not os.path.exists(context.config['gpg_pubkey']): raise Exception("gpg_pubkey ({}) doesn't exist!".format( context.config['gpg_pubkey'])) if 'autograph_widevine' in all_signing_formats: if not context.config.get('widevine_cert'): raise Exception( "Widevine format is enabled, but widevine_cert is not defined" ) if not all( is_autograph_signing_format(format_) for format_ in all_signing_formats): log.info("getting signingserver token") await get_token(context, os.path.join(work_dir, 'token'), task_cert_type(context), all_signing_formats) filelist_dict = build_filelist_dict(context) for path, path_dict in filelist_dict.items(): copy_to_dir(path_dict['full_path'], context.config['work_dir'], target=path) log.info("signing %s", path) output_files = await sign(context, os.path.join(work_dir, path), path_dict['formats']) for source in output_files: source = os.path.relpath(source, work_dir) copy_to_dir(os.path.join(work_dir, source), context.config['artifact_dir'], target=source) if 'gpg' in path_dict['formats'] or 'autograph_gpg' in path_dict[ 'formats']: copy_to_dir(context.config['gpg_pubkey'], context.config['artifact_dir'], target="public/build/KEY") log.info("Done!")
def test_task_signing_formats_support_several_projects(context): context.config['taskcluster_scope_prefixes'] = [ 'project:mobile:focus:releng:signing:', 'project:mobile:fenix:releng:signing:', ] context.task = { 'scopes': [ 'project:mobile:focus:releng:signing:cert:dep-signing', 'project:mobile:focus:releng:signing:format:focus-jar', ] } assert ['focus-jar'] == stask.task_signing_formats(context) context.task = { 'scopes': [ 'project:mobile:fenix:releng:signing:cert:dep-signing', 'project:mobile:fenix:releng:signing:format:autograph_fenix', ] } assert ['autograph_fenix'] == stask.task_signing_formats(context)
async def async_main(context): """Sign all the things. Args: context (Context): the signing context. """ async with aiohttp.ClientSession() as session: all_signing_formats = task_signing_formats(context) if "gpg" in all_signing_formats or "autograph_gpg" in all_signing_formats: if not context.config.get("gpg_pubkey"): raise Exception( "GPG format is enabled but gpg_pubkey is not defined") if not os.path.exists(context.config["gpg_pubkey"]): raise Exception("gpg_pubkey ({}) doesn't exist!".format( context.config["gpg_pubkey"])) if "autograph_widevine" in all_signing_formats: if not context.config.get("widevine_cert"): raise Exception( "Widevine format is enabled, but widevine_cert is not defined" ) context.session = session context.autograph_configs = load_autograph_configs( context.config["autograph_configs"]) work_dir = context.config["work_dir"] filelist_dict = build_filelist_dict(context) for path, path_dict in filelist_dict.items(): copy_to_dir(path_dict["full_path"], context.config["work_dir"], target=path) log.info("signing %s", path) output_files = await sign( context, os.path.join(work_dir, path), path_dict["formats"], authenticode_comment=path_dict.get("comment")) for source in output_files: source = os.path.relpath(source, work_dir) copy_to_dir(os.path.join(work_dir, source), context.config["artifact_dir"], target=source) if "gpg" in path_dict["formats"] or "autograph_gpg" in path_dict[ "formats"]: copy_to_dir(context.config["gpg_pubkey"], context.config["artifact_dir"], target="public/build/KEY") log.info("Done!")
def test_task_signing_formats_errors_when_2_different_projects_are_signed_in_the_same_task(context): context.config['taskcluster_scope_prefixes'] = [ 'project:mobile:focus:releng:signing:', 'project:mobile:fenix:releng:signing:', ] context.task = { 'scopes': [ 'project:mobile:focus:releng:signing:cert:dep-signing', 'project:mobile:focus:releng:signing:format:focus-jar', 'project:mobile:fenix:releng:signing:format:autograph_fenix', ] } with pytest.raises(TaskVerificationError): stask.task_signing_formats(context) context.task = { 'scopes': [ 'project:mobile:focus:releng:signing:cert:dep-signing', 'project:mobile:focus:releng:signing:format:same-format', 'project:mobile:fenix:releng:signing:format:same-format', ] } with pytest.raises(TaskVerificationError): stask.task_signing_formats(context)
async def async_main(context): work_dir = context.config['work_dir'] context.task = scriptworker.client.get_task(context.config) log.info("validating task") validate_task_schema(context) context.signing_servers = load_signing_server_config(context) cert_type = task_cert_type(context.task) all_signing_formats = task_signing_formats(context.task) log.info("getting token") await get_token(context, os.path.join(work_dir, 'token'), cert_type, all_signing_formats) filelist_dict = build_filelist_dict(context, all_signing_formats) for path, path_dict in filelist_dict.items(): copy_to_dir(path_dict['full_path'], context.config['work_dir'], target=path) log.info("signing %s", path) source = os.path.join(work_dir, path) await sign_file(context, source, cert_type, path_dict['formats'], context.config["ssl_cert"]) sigfiles = detached_sigfiles(path, path_dict['formats']) copy_to_dir(source, context.config['artifact_dir'], target=path) for sigpath in sigfiles: copy_to_dir(os.path.join(work_dir, sigpath), context.config['artifact_dir'], target=sigpath) log.info("Done!")
def test_task_signing_formats(): task = {"scopes": ["project:releng:signing:cert:dep-signing", "project:releng:signing:format:mar", "project:releng:signing:format:gpg"]} assert ["mar", "gpg"] == task_signing_formats(task)
async def async_main(context): """Sign all the things. Args: context (Context): the signing context. """ connector = _craft_aiohttp_connector(context) # Create a session for talking to the legacy signing servers in order to # generate a signing token async with aiohttp.ClientSession(connector=connector) as session: context.session = session work_dir = context.config["work_dir"] context.signing_servers = load_signing_server_config(context) all_signing_formats = task_signing_formats(context) if "gpg" in all_signing_formats or "autograph_gpg" in all_signing_formats: if not context.config.get("gpg_pubkey"): raise Exception("GPG format is enabled but gpg_pubkey is not defined") if not os.path.exists(context.config["gpg_pubkey"]): raise Exception( "gpg_pubkey ({}) doesn't exist!".format( context.config["gpg_pubkey"] ) ) if "autograph_widevine" in all_signing_formats: if not context.config.get("widevine_cert"): raise Exception( "Widevine format is enabled, but widevine_cert is not defined" ) if not all( is_autograph_signing_format(format_) for format_ in all_signing_formats ): log.info("getting signingserver token") await get_token( context, os.path.join(work_dir, "token"), task_cert_type(context), all_signing_formats, ) # Create a new session to talk to autograph async with aiohttp.ClientSession() as session: context.session = session filelist_dict = build_filelist_dict(context) for path, path_dict in filelist_dict.items(): copy_to_dir(path_dict["full_path"], context.config["work_dir"], target=path) log.info("signing %s", path) output_files = await sign( context, os.path.join(work_dir, path), path_dict["formats"] ) for source in output_files: source = os.path.relpath(source, work_dir) copy_to_dir( os.path.join(work_dir, source), context.config["artifact_dir"], target=source, ) if "gpg" in path_dict["formats"] or "autograph_gpg" in path_dict["formats"]: copy_to_dir( context.config["gpg_pubkey"], context.config["artifact_dir"], target="public/build/KEY", ) log.info("Done!")