def test_task_signing_formats_support_several_projects(context):
context.config['taskcluster_scope_prefixes'] = [
'project:mobile:focus:releng:signing:',
'project:mobile:fenix:releng:signing:',
]
context.task = {
"payload": {
"upstreamArtifacts": [{
"formats": ["focus-jar"]
}]
},
'scopes': [
'project:mobile:focus:releng:signing:cert:dep-signing',
]
}
assert {'focus-jar'} == stask.task_signing_formats(context)
context.task = {
"payload": {
"upstreamArtifacts": [{
"formats": ["autograph_fenix"]
}]
},
'scopes': [
'project:mobile:fenix:releng:signing:cert:dep-signing',
]
}
assert {'autograph_fenix'} == stask.task_signing_formats(context)
def test_task_signing_formats_support_several_projects(context):
context.config["taskcluster_scope_prefixes"] = [
"project:mobile:focus:releng:signing:",
"project:mobile:fenix:releng:signing:"
]
context.task = {
"payload": {
"upstreamArtifacts": [{
"formats": ["focus-jar"]
}]
},
"scopes": ["project:mobile:focus:releng:signing:cert:dep-signing"]
}
assert {"focus-jar"} == stask.task_signing_formats(context)
context.task = {
"payload": {
"upstreamArtifacts": [{
"formats": ["autograph_fenix"]
}]
},
"scopes": ["project:mobile:fenix:releng:signing:cert:dep-signing"]
}
assert {"autograph_fenix"} == stask.task_signing_formats(context)
async def async_main(context):
work_dir = context.config['work_dir']
context.task = scriptworker.client.get_task(context.config)
log.info("validating task")
validate_task_schema(context)
context.signing_servers = load_signing_server_config(context)
cert_type = task_cert_type(context.task)
signing_formats = task_signing_formats(context.task)
# TODO scriptworker needs to validate CoT artifact
# Use standard SSL for downloading files.
with aiohttp.ClientSession() as base_ssl_session:
orig_session = context.session
context.session = base_ssl_session
file_urls = context.task["payload"]["unsignedArtifacts"]
filelist = await download_artifacts(context, file_urls)
context.session = orig_session
log.info("getting token")
await get_token(context, os.path.join(work_dir, 'token'), cert_type, signing_formats)
for filepath in filelist:
log.info("signing %s", filepath)
source = os.path.join(work_dir, filepath)
await sign_file(context, source, cert_type, signing_formats,
context.config["ssl_cert"])
sigfiles = detached_sigfiles(filepath, signing_formats)
copy_to_artifact_dir(context, source, target=filepath)
for sigpath in sigfiles:
copy_to_artifact_dir(context, os.path.join(work_dir, sigpath), target=sigpath)
log.info("Done!")
def test_task_signing_formats(context):
context.task = {
"scopes": [
TEST_CERT_TYPE, "project:releng:signing:format:mar",
"project:releng:signing:format:gpg"
]
}
assert ["mar", "gpg"] == stask.task_signing_formats(context)
def test_task_signing_formats(context):
context.task = {
"payload": {
"upstreamArtifacts": [{
"formats": ["mar", "gpg"]
}]
},
"scopes": [TEST_CERT_TYPE]
}
assert {"mar", "gpg"} == stask.task_signing_formats(context)
async def async_main(context):
"""Sign all the things.
Args:
context (Context): the signing context.
"""
connector = _craft_aiohttp_connector(context)
async with aiohttp.ClientSession(connector=connector) as session:
context.session = session
work_dir = context.config['work_dir']
context.signing_servers = load_signing_server_config(context)
all_signing_formats = task_signing_formats(context)
if 'gpg' in all_signing_formats or 'autograph_gpg' in all_signing_formats:
if not context.config.get('gpg_pubkey'):
raise Exception(
"GPG format is enabled but gpg_pubkey is not defined")
if not os.path.exists(context.config['gpg_pubkey']):
raise Exception("gpg_pubkey ({}) doesn't exist!".format(
context.config['gpg_pubkey']))
if 'autograph_widevine' in all_signing_formats:
if not context.config.get('widevine_cert'):
raise Exception(
"Widevine format is enabled, but widevine_cert is not defined"
)
if not all(
is_autograph_signing_format(format_)
for format_ in all_signing_formats):
log.info("getting signingserver token")
await get_token(context, os.path.join(work_dir, 'token'),
task_cert_type(context), all_signing_formats)
filelist_dict = build_filelist_dict(context)
for path, path_dict in filelist_dict.items():
copy_to_dir(path_dict['full_path'],
context.config['work_dir'],
target=path)
log.info("signing %s", path)
output_files = await sign(context, os.path.join(work_dir, path),
path_dict['formats'])
for source in output_files:
source = os.path.relpath(source, work_dir)
copy_to_dir(os.path.join(work_dir, source),
context.config['artifact_dir'],
target=source)
if 'gpg' in path_dict['formats'] or 'autograph_gpg' in path_dict[
'formats']:
copy_to_dir(context.config['gpg_pubkey'],
context.config['artifact_dir'],
target="public/build/KEY")
log.info("Done!")
def test_task_signing_formats_support_several_projects(context):
context.config['taskcluster_scope_prefixes'] = [
'project:mobile:focus:releng:signing:',
'project:mobile:fenix:releng:signing:',
]
context.task = {
'scopes': [
'project:mobile:focus:releng:signing:cert:dep-signing',
'project:mobile:focus:releng:signing:format:focus-jar',
]
}
assert ['focus-jar'] == stask.task_signing_formats(context)
context.task = {
'scopes': [
'project:mobile:fenix:releng:signing:cert:dep-signing',
'project:mobile:fenix:releng:signing:format:autograph_fenix',
]
}
assert ['autograph_fenix'] == stask.task_signing_formats(context)
async def async_main(context):
"""Sign all the things.
Args:
context (Context): the signing context.
"""
async with aiohttp.ClientSession() as session:
all_signing_formats = task_signing_formats(context)
if "gpg" in all_signing_formats or "autograph_gpg" in all_signing_formats:
if not context.config.get("gpg_pubkey"):
raise Exception(
"GPG format is enabled but gpg_pubkey is not defined")
if not os.path.exists(context.config["gpg_pubkey"]):
raise Exception("gpg_pubkey ({}) doesn't exist!".format(
context.config["gpg_pubkey"]))
if "autograph_widevine" in all_signing_formats:
if not context.config.get("widevine_cert"):
raise Exception(
"Widevine format is enabled, but widevine_cert is not defined"
)
context.session = session
context.autograph_configs = load_autograph_configs(
context.config["autograph_configs"])
work_dir = context.config["work_dir"]
filelist_dict = build_filelist_dict(context)
for path, path_dict in filelist_dict.items():
copy_to_dir(path_dict["full_path"],
context.config["work_dir"],
target=path)
log.info("signing %s", path)
output_files = await sign(
context,
os.path.join(work_dir, path),
path_dict["formats"],
authenticode_comment=path_dict.get("comment"))
for source in output_files:
source = os.path.relpath(source, work_dir)
copy_to_dir(os.path.join(work_dir, source),
context.config["artifact_dir"],
target=source)
if "gpg" in path_dict["formats"] or "autograph_gpg" in path_dict[
"formats"]:
copy_to_dir(context.config["gpg_pubkey"],
context.config["artifact_dir"],
target="public/build/KEY")
log.info("Done!")
def test_task_signing_formats_errors_when_2_different_projects_are_signed_in_the_same_task(context):
context.config['taskcluster_scope_prefixes'] = [
'project:mobile:focus:releng:signing:',
'project:mobile:fenix:releng:signing:',
]
context.task = {
'scopes': [
'project:mobile:focus:releng:signing:cert:dep-signing',
'project:mobile:focus:releng:signing:format:focus-jar',
'project:mobile:fenix:releng:signing:format:autograph_fenix',
]
}
with pytest.raises(TaskVerificationError):
stask.task_signing_formats(context)
context.task = {
'scopes': [
'project:mobile:focus:releng:signing:cert:dep-signing',
'project:mobile:focus:releng:signing:format:same-format',
'project:mobile:fenix:releng:signing:format:same-format',
]
}
with pytest.raises(TaskVerificationError):
stask.task_signing_formats(context)
async def async_main(context):
work_dir = context.config['work_dir']
context.task = scriptworker.client.get_task(context.config)
log.info("validating task")
validate_task_schema(context)
context.signing_servers = load_signing_server_config(context)
cert_type = task_cert_type(context.task)
all_signing_formats = task_signing_formats(context.task)
log.info("getting token")
await get_token(context, os.path.join(work_dir, 'token'), cert_type, all_signing_formats)
filelist_dict = build_filelist_dict(context, all_signing_formats)
for path, path_dict in filelist_dict.items():
copy_to_dir(path_dict['full_path'], context.config['work_dir'], target=path)
log.info("signing %s", path)
source = os.path.join(work_dir, path)
await sign_file(context, source, cert_type, path_dict['formats'], context.config["ssl_cert"])
sigfiles = detached_sigfiles(path, path_dict['formats'])
copy_to_dir(source, context.config['artifact_dir'], target=path)
for sigpath in sigfiles:
copy_to_dir(os.path.join(work_dir, sigpath), context.config['artifact_dir'], target=sigpath)
log.info("Done!")
def test_task_signing_formats():
task = {"scopes": ["project:releng:signing:cert:dep-signing",
"project:releng:signing:format:mar",
"project:releng:signing:format:gpg"]}
assert ["mar", "gpg"] == task_signing_formats(task)
async def async_main(context):
"""Sign all the things.
Args:
context (Context): the signing context.
"""
connector = _craft_aiohttp_connector(context)
# Create a session for talking to the legacy signing servers in order to
# generate a signing token
async with aiohttp.ClientSession(connector=connector) as session:
context.session = session
work_dir = context.config["work_dir"]
context.signing_servers = load_signing_server_config(context)
all_signing_formats = task_signing_formats(context)
if "gpg" in all_signing_formats or "autograph_gpg" in all_signing_formats:
if not context.config.get("gpg_pubkey"):
raise Exception("GPG format is enabled but gpg_pubkey is not defined")
if not os.path.exists(context.config["gpg_pubkey"]):
raise Exception(
"gpg_pubkey ({}) doesn't exist!".format(
context.config["gpg_pubkey"]
)
)
if "autograph_widevine" in all_signing_formats:
if not context.config.get("widevine_cert"):
raise Exception(
"Widevine format is enabled, but widevine_cert is not defined"
)
if not all(
is_autograph_signing_format(format_) for format_ in all_signing_formats
):
log.info("getting signingserver token")
await get_token(
context,
os.path.join(work_dir, "token"),
task_cert_type(context),
all_signing_formats,
)
# Create a new session to talk to autograph
async with aiohttp.ClientSession() as session:
context.session = session
filelist_dict = build_filelist_dict(context)
for path, path_dict in filelist_dict.items():
copy_to_dir(path_dict["full_path"], context.config["work_dir"], target=path)
log.info("signing %s", path)
output_files = await sign(
context, os.path.join(work_dir, path), path_dict["formats"]
)
for source in output_files:
source = os.path.relpath(source, work_dir)
copy_to_dir(
os.path.join(work_dir, source),
context.config["artifact_dir"],
target=source,
)
if "gpg" in path_dict["formats"] or "autograph_gpg" in path_dict["formats"]:
copy_to_dir(
context.config["gpg_pubkey"],
context.config["artifact_dir"],
target="public/build/KEY",
)
log.info("Done!")
