--- a/modules/buildmaster/templates/passwords.py.erb
+++ b/modules/buildmaster/templates/passwords.py.erb
@@ -6,41 +6,41 @@
BBDB_URL='mysql://<%= scope.function_secret(["buildbot_schedulerdb_username"])%>:<%= scope.function_secret(["buildbot_schedulerdb_password"])%>@<%= scope.function_secret(["buildbot_schedulerdb_hostname"])%>/<%= scope.function_secret(["buildbot_schedulerdb_database"])%>'
PULSE_USERNAME='<%= scope.function_secret(["pulse_username"])%>'
PULSE_PASSWORD='<%= scope.function_secret(["pulse_password"])%>'
PULSE_EXCHANGE='<%= scope.function_secret(["pulse_exchange"])%>'
<% if @fqdn.match "mozilla.com" %>
secrets={
'nightly-signing': [
- ('signing4.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
- ('signing5.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
- ('signing6.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
+ ('signing4.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
+ ('signing5.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
+ ('signing6.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
('mac-v2-signing1.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('dmgv2',)),
('mac-v2-signing2.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('dmgv2',)),
('mac-v2-signing3.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('dmgv2',)),
('mac-v2-signing4.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('dmgv2',)),
('mac-v2-signing6.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('dmgv2',)),
('mac-v2-signing7.srv.releng.scl3.mozilla.com:9100', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_nightly_password']) %>', ('dmgv2',)),
],
'dep-signing': [
- ('signing4.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
- ('signing5.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
- ('signing6.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
+ ('signing4.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
+ ('signing5.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
+ ('signing6.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
('mac-v2-signing1.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('dmgv2',)),
('mac-v2-signing2.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('dmgv2',)),
('mac-v2-signing3.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('dmgv2',)),
('mac-v2-signing4.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('dmgv2',)),
('mac-v2-signing6.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('dmgv2',)),
('mac-v2-signing7.srv.releng.scl3.mozilla.com:9110', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_dep_password']) %>', ('dmgv2',)),
],
'release-signing': [
- ('signing4.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
- ('signing5.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
- ('signing6.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'jar', 'emevoucher')),
+ ('signing4.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
+ ('signing5.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
+ ('signing6.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher')),
('mac-v2-signing1.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('dmgv2',)),
('mac-v2-signing2.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('dmgv2',)),
('mac-v2-signing3.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('dmgv2',)),
('mac-v2-signing4.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('dmgv2',)),
('mac-v2-signing6.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('dmgv2',)),
('mac-v2-signing7.srv.releng.scl3.mozilla.com:9120', '<%= scope.function_secret(['signing_server_username']) %>', '<%= scope.function_secret(['signing_server_release_password']) %>', ('dmgv2',)),
],
}
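Review bot: The format tuple on the signing4/5/6 lines is repeated nine times in this hunk and nine more times in modules/signing_scriptworker/templates/passwords.json.erb, and the commit had to edit every copy to add `'mar_sha384'`. Defining the list once at the top of the template, for example `<% signing_formats = %w[gpg sha2signcode sha2signcodestub osslsigncode signcode mar mar_sha384 jar emevoucher] %>`, and rendering it with `<%= signing_formats.map { |f| "'#{f}'" }.join(', ') %>` would make a future format change a one-line diff. It would also stop the nightly, dep and release scopes from drifting apart in which formats each credential advertises.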
new file mode 100644
--- /dev/null
+++ b/modules/packages/manifests/mozilla/signmar-sha384.diff
@@ -0,0 +1,260 @@
+# HG changeset patch
+# User Robert Strong <robert.bugzilla@gmail.com>
+# Parent 7962ee92970c9072877b8c898a6c8acbd0003ff6
+
+diff --git a/modules/libmar/sign/mar_sign.c b/modules/libmar/sign/mar_sign.c
+--- a/modules/libmar/sign/mar_sign.c
++++ b/modules/libmar/sign/mar_sign.c
+@@ -90,17 +90,17 @@ NSSSignBegin(const char *certName,
+
+ /* Check that the key length is large enough for our requirements */
+ if (*signatureLength < XP_MIN_SIGNATURE_LEN_IN_BYTES) {
+ fprintf(stderr, "ERROR: Key length must be >= %d bytes\n",
+ XP_MIN_SIGNATURE_LEN_IN_BYTES);
+ return -1;
+ }
+
+- *ctx = SGN_NewContext (SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, *privKey);
++ *ctx = SGN_NewContext(SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION, *privKey);
+ if (!*ctx) {
+ fprintf(stderr, "ERROR: Could not create signature context\n");
+ return -1;
+ }
+
+ if (SGN_Begin(*ctx) != SECSuccess) {
+ fprintf(stderr, "ERROR: Could not begin signature\n");
+ return -1;
+@@ -988,18 +988,18 @@ mar_repackage_and_sign(const char *NSSCo
+ "num signatures")) {
+ goto failure;
+ }
+ numSignatures = ntohl(numSignatures);
+
+ signaturePlaceholderOffset = ftello(fpDest);
+
+ for (k = 0; k < certCount; k++) {
+- /* Write out the signature algorithm ID, Only an ID of 1 is supported */
+- signatureAlgorithmID = htonl(1);
++ /* Write out the signature algorithm ID, Only an ID of 2 is supported */
++ signatureAlgorithmID = htonl(2);
+ if (WriteAndUpdateSignatures(fpDest, &signatureAlgorithmID,
+ sizeof(signatureAlgorithmID),
+ ctxs, certCount, "num signatures")) {
+ goto failure;
+ }
+ signatureAlgorithmID = ntohl(signatureAlgorithmID);
+
+ /* Write out the signature length */
+diff --git a/modules/libmar/tests/unit/xpcshell.ini b/modules/libmar/tests/unit/xpcshell.ini
+--- a/modules/libmar/tests/unit/xpcshell.ini
++++ b/modules/libmar/tests/unit/xpcshell.ini
+@@ -1,8 +1,9 @@
+ [DEFAULT]
++tags = libmar
+ head = head_libmar.js
+ tail =
+ support-files = data/**
+
+ [test_create.js]
+ [test_extract.js]
+ [test_sign_verify.js]
+diff --git a/modules/libmar/verify/MacVerifyCrypto.cpp b/modules/libmar/verify/MacVerifyCrypto.cpp
+--- a/modules/libmar/verify/MacVerifyCrypto.cpp
++++ b/modules/libmar/verify/MacVerifyCrypto.cpp
+@@ -151,33 +151,63 @@ CryptoMac_VerifySignature(CryptoX_Signat
+ }
+
+ CFErrorRef error;
+ SecTransformRef verifier =
+ SecVerifyTransformCreatePtr((SecKeyRef)*aPublicKey,
+ signatureData,
+ &error);
+ if (!verifier || error) {
++ if (error) {
++ CFRelease(error);
++ }
+ CFRelease(signatureData);
+ return CryptoX_Error;
+ }
+
+ SecTransformSetAttributePtr(verifier,
++ kSecDigestTypeAttribute,
++ kSecDigestSHA2,
++ &error);
++ if (error) {
++ CFRelease(error);
++ CFRelease(signatureData);
++ CFRelease(verifier);
++ return CryptoX_Error;
++ }
++
++ int digestLength = 384;
++ CFNumberRef dLen = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &digestLength);
++ SecTransformSetAttributePtr(verifier,
++ kSecDigestLengthAttribute,
++ dLen,
++ &error);
++ CFRelease(dLen);
++ if (error) {
++ CFRelease(error);
++ CFRelease(signatureData);
++ CFRelease(verifier);
++ return CryptoX_Error;
++ }
++
++ SecTransformSetAttributePtr(verifier,
+ kSecTransformInputAttributeName,
+ (CFDataRef)*aInputData,
+ &error);
+ if (error) {
++ CFRelease(error);
+ CFRelease(signatureData);
+ CFRelease(verifier);
+ return CryptoX_Error;
+ }
+
+ CryptoX_Result result = CryptoX_Error;
+ CFTypeRef rv = SecTransformExecutePtr(verifier, &error);
+ if (error) {
++ CFRelease(error);
+ CFRelease(signatureData);
+ CFRelease(verifier);
+ return CryptoX_Error;
+ }
+
+ if (CFGetTypeID(rv) == CFBooleanGetTypeID() &&
+ CFBooleanGetValue((CFBooleanRef)rv) == true) {
+ result = CryptoX_Success;
+diff --git a/modules/libmar/verify/cryptox.c b/modules/libmar/verify/cryptox.c
+--- a/modules/libmar/verify/cryptox.c
++++ b/modules/libmar/verify/cryptox.c
+@@ -4,16 +4,17 @@
+
+ #ifdef XP_WIN
+ #ifndef WIN32_LEAN_AND_MEAN
+ #define WIN32_LEAN_AND_MEAN
+ #endif
+ #endif
+
+ #include <stdlib.h>
++#include <stdio.h>
+ #include "cryptox.h"
+
+ #if defined(MAR_NSS)
+
+ /**
+ * Loads the public key for the specified cert name from the NSS store.
+ *
+ * @param certData The DER-encoded X509 certificate to extract the key from.
+@@ -60,17 +61,17 @@ NSS_VerifyBegin(VFYContext **ctx,
+ if ((SECKEY_PublicKeyStrength(*publicKey) * 8) <
+ XP_MIN_SIGNATURE_LEN_IN_BYTES) {
+ fprintf(stderr, "ERROR: Key length must be >= %d bytes\n",
+ XP_MIN_SIGNATURE_LEN_IN_BYTES);
+ return CryptoX_Error;
+ }
+
+ *ctx = VFY_CreateContext(*publicKey, NULL,
+- SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, NULL);
++ SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION, NULL);
+ if (*ctx == NULL) {
+ return CryptoX_Error;
+ }
+
+ status = VFY_Begin(*ctx);
+ return SECSuccess == status ? CryptoX_Success : CryptoX_Error;
+ }
+
+@@ -194,33 +195,33 @@ CryptoAPI_LoadPublicKey(HCRYPTPROV provi
+ * @param provider Out parameter containing the provider handle.
+ * @return CryptoX_Success on success, CryptoX_Error on error.
+ */
+ CryptoX_Result
+ CryptoAPI_InitCryptoContext(HCRYPTPROV *provider)
+ {
+ if (!CryptAcquireContext(provider,
+ NULL,
+- MS_ENHANCED_PROV,
+- PROV_RSA_FULL,
++ MS_ENH_RSA_AES_PROV,
++ PROV_RSA_AES,
+ CRYPT_VERIFYCONTEXT)) {
+ if (!CryptAcquireContext(provider,
+ NULL,
+- MS_ENHANCED_PROV,
+- PROV_RSA_FULL,
++ MS_ENH_RSA_AES_PROV,
++ PROV_RSA_AES,
+ CRYPT_NEWKEYSET | CRYPT_VERIFYCONTEXT)) {
+ if (!CryptAcquireContext(provider,
+ NULL,
+ NULL,
+- PROV_RSA_FULL,
++ PROV_RSA_AES,
+ CRYPT_VERIFYCONTEXT)) {
+ if (!CryptAcquireContext(provider,
+ NULL,
+ NULL,
+- PROV_RSA_FULL,
++ PROV_RSA_AES,
+ CRYPT_NEWKEYSET | CRYPT_VERIFYCONTEXT)) {
+ *provider = CryptoX_InvalidHandleValue;
+ return CryptoX_Error;
+ }
+ }
+ }
+ }
+ return CryptoX_Success;
+@@ -237,17 +238,17 @@ CryptoX_Result
+ CryptoAPI_VerifyBegin(HCRYPTPROV provider, HCRYPTHASH* hash)
+ {
+ BOOL result;
+ if (!provider || !hash) {
+ return CryptoX_Error;
+ }
+
+ *hash = (HCRYPTHASH)NULL;
+- result = CryptCreateHash(provider, CALG_SHA1,
++ result = CryptCreateHash(provider, CALG_SHA_384,
+ 0, 0, hash);
+ return result ? CryptoX_Success : CryptoX_Error;
+ }
+
+ /**
+ * Updates a signature verification hash context
+ *
+ * @param hash The hash context to udpate
+@@ -263,11 +264,8 @@ CryptoAPI_VerifyUpdate(HCRYPTHASH* hash,
+ return CryptoX_Error;
+ }
+
+ result = CryptHashData(*hash, buf, len, 0);
+ return result ? CryptoX_Success : CryptoX_Error;
+ }
+
+ #endif
+-
+-
+-
+diff --git a/modules/libmar/verify/mar_verify.c b/modules/libmar/verify/mar_verify.c
+--- a/modules/libmar/verify/mar_verify.c
++++ b/modules/libmar/verify/mar_verify.c
+@@ -269,17 +269,17 @@ mar_extract_and_verify_signatures_fp(FIL
+ fprintf(stderr, "ERROR: Could not read extracted signature.\n");
+ for (i = 0; i < signatureCount; ++i) {
+ free(extractedSignatures[i]);
+ }
+ return CryptoX_Error;
+ }
+
+ /* We don't try to verify signatures we don't know about */
+- if (signatureAlgorithmIDs[i] != 1) {
++ if (signatureAlgorithmIDs[i] != 2) {
+ fprintf(stderr, "ERROR: Unknown signature algorithm ID.\n");
+ for (i = 0; i < signatureCount; ++i) {
+ free(extractedSignatures[i]);
+ }
+ return CryptoX_Error;
+ }
+ }
+
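Review bot: In the MacVerifyCrypto.cpp part of this patch, the result of `CFNumberCreate` is passed to `SecTransformSetAttributePtr` and then to `CFRelease(dLen)` without a NULL check. If the allocation fails, `CFRelease(NULL)` aborts the process instead of the verifier returning `CryptoX_Error`. An `if (!dLen)` branch that releases `signatureData` and `verifier` and returns `CryptoX_Error`, like the neighbouring error branches, would keep the failure path consistent. Separately, the algorithm ID is the bare literal `2` in both mar_sign.c (`htonl(2)`) and mar_verify.c (`!= 2`); a shared named constant would keep the signer and verifier from disagreeing. `CryptoMac_VerifySignature` starts and ends outside the embedded hunk.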
copy from modules/packages/manifests/mozilla/signmar.spec
copy to modules/packages/manifests/mozilla/signmar-sha384.spec
--- a/modules/packages/manifests/mozilla/signmar.spec
+++ b/modules/packages/manifests/mozilla/signmar-sha384.spec
@@ -1,61 +1,83 @@
-Summary: signmar tool from mozilla-central
-Name: signmar
-Version: 19.0
+%define realname firefox
+%define debug_package %{nil}
+# Do not strip the binaries, it breaks patchelf
+%define __spec_install_post %{nil}
+# Do not generate debug RPMs
+%define __os_install_post %{_dbpath}/brp-compress
+
+Summary: signmar tool from Firefox (SHA384)
+Name: signmar-sha384
+Version: 53.0a1
Release: 1%{?dist}
URL: http://www.mozilla.org/projects/firefox/
-License: MPLv1.1 or GPLv2+ or LGPLv2+
+License: MPLv2.0
Group: mozilla
-Source0: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/%{version}/source/firefox-%{version}.source.tar.bz2
-# this may need to be different if you're building from a nightly
-%define tarballdir mozilla-release
+Source0: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/%{version}/source/%{realname}-%{version}.source.tar.xz
+# The following patch has to be applied explicitly, because we need to deploy
+# signmar changes to the signing servers before we can land it to
+# mozilla-central
+Patch0: signmar-sha384.diff
-BuildRequires: zip gtk2 gtk2-devel glib dbus dbus-devel dbus-glib-devel yasm libXt-devel mesa-libGL-devel curl-devel alsa-lib-devel
+BuildRequires: zip yasm patchelf freetype-devel libpng-devel libXrender-devel
+BuildRequires: autoconf213 libXext-devel libXinerama-devel libXi-devel libXrandr-devel
+BuildRequires: libXcursor-devel libXcomposite-devel libXdamage-devel gtk2-devel libXt-devel
+BuildRequires: mozilla-python27
%description
-
-This is the signmar tool, used to sign Mozilla Archives.
+This is the signmar tool (SHA384 version), used to sign Mozilla Archives.
%prep
-%setup -q -c
+%setup -q -n %{realname}-%{version}
+%patch0 -p1
+# Fetch required GCC, rustc, GTK3
+taskcluster/docker/recipes/tooltool.py fetch --unpack -m browser/config/tooltool-manifests/linux64/releng.manifest
+
+# HACK: to make the build work properly, I had to copy gtk3/usr/local contents
+# to /usr/local, because the pc files use absolute references to the headers
+# and libraries. This is why the mozconfig below references /usr/local. None of
+# the GTK3 libraries are required by signmar, they are just required by the
+# build system.
%build
-cd %{tarballdir}
cat <<EOF >.mozconfig
-ac_add_options --enable-build-app=none
-ac_add_options --without-system-ply
-ac_add_options --without-system-libxul
-ac_add_options --without-system-libevent
+CC="\$topsrcdir/gcc/bin/gcc"
+CXX="\$topsrcdir/gcc/bin/g++"
+LDFLAGS="-L/usr/local/lib \${LDFLAGS}"
+STRIP_FLAGS="--strip-debug"
+mk_add_options PATH="\$topsrcdir/gcc/bin:\$topsrcdir/rustc/bin:\$PATH"
+mk_add_options "export PANGO_LIBDIR=/usr/local/lib"
+
+ac_add_options --enable-signmar
+ac_add_options --enable-verify-mar
+ac_add_options --enable-stdcxx-compat
+
+ac_add_options --disable-crashreporter
+ac_add_options --disable-elf-hack
+ac_add_options --disable-printing
+ac_add_options --disable-system-sqlite
+ac_add_options --disable-tests
+ac_add_options --without-system-bz2
ac_add_options --without-system-nspr
ac_add_options --without-system-nss
-ac_add_options --without-system-jpeg
ac_add_options --without-system-zlib
-ac_add_options --without-system-bz2
-ac_add_options --without-system-png
-ac_add_options --disable-system-hunspell
-ac_add_options --disable-system-ffi
-ac_add_options --without-system-libvpx
-ac_add_options --disable-system-sqlite
-ac_add_options --disable-system-cairo
-ac_add_options --disable-system-pixman
-# any of these cause the build to fail
-#ac_add_options --disable-crashreporter
-#ac_add_options --disable-webm
-#ac_add_options --disable-ogg
-ac_add_options --disable-wave
-ac_add_options --enable-signmar
EOF
-make -f client.mk
+export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig
+rm -rf obj-*
+python2.7 mach build
%install
-cd %{tarballdir}/obj-*
+install -dm 755 $RPM_BUILD_ROOT/tools/%{name}/{bin,lib}
-install -dm 755 $RPM_BUILD_ROOT%{_bindir}
-install -m 755 dist/bin/signmar $RPM_BUILD_ROOT%{_bindir}/signmar
+cd obj-*
+install -m 755 dist/bin/signmar $RPM_BUILD_ROOT/tools/%{name}/bin
+install -m 755 dist/bin/{libmozsqlite3,libnspr4,libnss3,libnssutil3,libplc4,libplds4,libsmime3,libssl3}.so \
+ $RPM_BUILD_ROOT/tools/%{name}/lib
-# rpm should figure out the deps from ldd on signmar
+# Use our shared libraries, not the system wide installed ones
+patchelf --set-rpath /tools/%{name}/lib $RPM_BUILD_ROOT/tools/%{name}/bin/signmar
%files
%defattr(-,root,root,-)
-%{_bindir}/signmar
+/tools/%{name}
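Review bot: The build of this signing binary depends on two inputs the spec does not capture: the toolchain that `tooltool.py fetch` downloads in %prep, and the gtk3 tree that the HACK comment says was copied into /usr/local by hand. As written, the package that ends up under /tools/%{name} cannot be rebuilt or audited from the spec alone. The manual copy should be recorded as an explicit prerequisite, naming the unpacked directory and the revision of releng.manifest that was used. It is also worth confirming that tooltool checks the fetched archives against digests in that manifest, which is not visible here. Separately, `Version: 53.0a1` looks like a nightly version while Source0 still points under `releases/%{version}/source/`, and the comment about nightly tarballs was removed, so that URL may not resolve.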
copy from modules/packages/manifests/mozilla/signmar.pp
copy to modules/packages/manifests/mozilla/signmar_sha384.pp
--- a/modules/packages/manifests/mozilla/signmar.pp
+++ b/modules/packages/manifests/mozilla/signmar_sha384.pp
@@ -1,33 +1,22 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-class packages::mozilla::signmar {
+class packages::mozilla::signmar_sha384 {
anchor {
- 'packages::mozilla::signmar::begin': ;
- 'packages::mozilla::signmar::end': ;
+ 'packages::mozilla::signmar_sha384::begin': ;
+ 'packages::mozilla::signmar_sha384::end': ;
}
case $::operatingsystem {
CentOS: {
- Anchor['packages::mozilla::signmar::begin'] ->
+ Anchor['packages::mozilla::signmar_sha384::begin'] ->
package {
- "signmar":
- # 19.0 is what was installed on the old systems
- ensure => '19.0-2.el6';
- } -> Anchor['packages::mozilla::signmar::end']
- }
- Darwin: {
- Anchor['packages::mozilla::signmar::begin'] ->
- packages::pkgdmg {
- signmar:
- # the old systems had 14.0 or something like that,
- # which we couldn't build. 19.0 didn't work, but
- # 23.0 did.
- version => "23.0";
- } -> Anchor['packages::mozilla::signmar::end']
+ 'signmar-sha384':
+ ensure => '53.0a1-1.el6';
+ } -> Anchor['packages::mozilla::signmar_sha384::end']
}
default: {
fail("cannot install on $::operatingsystem")
}
}
}
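Review bot: With the Darwin branch dropped, this class reaches `fail("cannot install on $::operatingsystem")` on anything but CentOS, yet the base.pp hunk of this commit adds `include packages::mozilla::signmar_sha384` to `signingserver::base` outside its `case $::operatingsystem` block. The original signmar.pp had a Darwin branch and the password templates list mac-v2-signing hosts, so if those hosts include `signingserver::base` their catalog would presumably stop compiling. Either move the include into the `CentOS:` branch in base.pp, or add a `Darwin: { }` branch here with a comment such as `# signmar-sha384 is not packaged for OS X`.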
--- a/modules/signing_scriptworker/templates/passwords.json.erb
+++ b/modules/signing_scriptworker/templates/passwords.json.erb
@@ -1,35 +1,35 @@
{
"project:releng:signing:cert:nightly-signing": [
- ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
+ ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
["mac-v2-signing1.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing2.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing3.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing7.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]]
],
"project:releng:signing:cert:dep-signing": [
- ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
+ ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
["mac-v2-signing1.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing2.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing3.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing7.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]]
],
"project:releng:signing:cert:release-signing": [
- ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
+ ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
["mac-v2-signing1.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing2.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing3.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing7.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]]
]
}
--- a/modules/signingserver/manifests/base.pp
+++ b/modules/signingserver/manifests/base.pp
@@ -17,16 +17,17 @@ class signingserver::base {
include packages::mozilla::py27_mercurial
include packages::libevent
include packages::mozilla::signing_test_files
include packages::gnupg
# note that signmar installs different versions on different operating
# systems; see signmar.pp for details.
include packages::mozilla::signmar
+ include packages::mozilla::signmar_sha384
$root = "/builds/signing"
case $::operatingsystem {
CentOS: {
include packages::mono
include packages::openssl
include packages::nss_tools
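Review bot: The new `include packages::mozilla::signmar_sha384` sits above the `case $::operatingsystem` block, so it applies on every platform that includes signingserver::base, while the comment just above it only explains the per-OS behaviour of signmar. Whether the new package class handles each operating system is not visible in this hunk. The comment should be extended to cover it, for example `# signmar_sha384 is a separate signmar build for the mar_sha384 format; confirm it supports every OS that includes this class`. The class body continues outside the hunk.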
--- a/modules/signingserver/manifests/instance.pp
+++ b/modules/signingserver/manifests/instance.pp
@@ -1,17 +1,17 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
define signingserver::instance(
$listenaddr, $port, $code_tag,
$token_secret, $token_secret0,
$new_token_auth, $new_token_auth0,
- $mar_key_name, $jar_key_name,
+ $mar_key_name, $mar_sha384_key_name, $jar_key_name,
$formats, $mac_cert_subject_ou,
$ssl_cert, $ssl_private_key,
$signcode_timestamp="yes",
$concurrency=4) {
include config
include signingserver::base
include users::signer
@@ -34,40 +34,44 @@ define signingserver::instance(
$signed_dir = "${basedir}/signed-files"
$unsigned_dir = "${basedir}/unsigned-files"
$secrets_dir = "${basedir}/secrets"
$signcode_keydir = "${secrets_dir}/signcode"
$sha2signcode_keydir = "${secrets_dir}/sha2signcode"
$gpg_homedir = "${secrets_dir}/gpg"
$mar_keydir = "${secrets_dir}/mar"
+ $mar_sha384_keydir = "${secrets_dir}/mar-sha384"
$jar_keystore = "${secrets_dir}/jar"
$server_certdir = "${secrets_dir}/server"
$emevoucher_key = "${secrets_dir}/emevouch.pem"
$emevoucher_chain = "${secrets_dir}/emechain.pem"
$dmg_keydir = "${secrets_dir}/dmg"
$dmg_keychain = "${dmg_keydir}/signing.keychain"
$full_private_ssl_cert = "${server_certdir}/signing.server.key"
$full_public_ssl_cert = "${server_certdir}/signing.server.cert"
# paths in packages
$signmar = "/tools/signmar/bin/signmar"
+ $signmar_sha384 = "/tools/signmar-sha384/bin/signmar"
$testfile_dir = "/tools/signing-test-files"
$testfile_signcode = "${testfile_dir}/test.exe"
$testfile_osslsigncode = "${testfile_dir}/test64.exe"
$testfile_emevoucher = "${testfile_dir}/test.bin"
$testfile_mar = "${testfile_dir}/test.mar"
+ $testfile_mar_sha384 = "${testfile_dir}/test.mar"
$testfile_gpg = "${testfile_dir}/test.mar"
$testfile_dmg = "${testfile_dir}/test.tar.gz"
$testfile_jar = "${testfile_dir}/test.zip"
# commands
$signscript = "${basedir}/bin/python2.7 ${script_dir}/signscript.py -c ${basedir}/signscript.ini"
$mar_cmd = "${signmar} -d ${basedir}/secrets/mar -n ${mar_key_name} -s"
+ $mar_sha384_cmd = "${signmar_sha384} -d ${basedir}/secrets/mar-sha384 -n ${mar_sha384_key_name} -s"
# copy vars from config
$tools_repo = $config::signing_tools_repo
$mac_id = $config::signing_mac_id
$allowed_ips = $config::signing_allowed_ips
$new_token_allowed_ips = $config::signing_new_token_allowed_ips
$user = $users::signer::username
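Review bot: `$mar_sha384_cmd` spells the key directory out as `${basedir}/secrets/mar-sha384` instead of using `$mar_sha384_keydir`, which this hunk defines a few lines earlier. The two resolve to the same path today, but the directory Puppet creates and the directory signmar reads its keys from can drift apart if only one is edited. I would write `$mar_sha384_cmd = "${signmar_sha384} -d ${mar_sha384_keydir} -n ${mar_sha384_key_name} -s"`; the existing `$mar_cmd` follows the same pattern. The body of the define starts and ends outside the hunk.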
@@ -134,16 +138,17 @@ define signingserver::instance(
file {
[ $signed_dir,
$unsigned_dir,
$secrets_dir,
$signcode_keydir,
$sha2signcode_keydir,
$gpg_homedir,
$mar_keydir,
+ $mar_sha384_keydir,
$dmg_keydir,
$server_certdir]:
ensure => directory,
owner => $user,
group => $group,
require => Python::Virtualenv[$basedir];
"${basedir}/signing.ini":
content => template("signingserver/signing.ini.erb"),
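Review bot: `$mar_sha384_keydir` joins a directory list whose resource sets `ensure`, `owner`, `group` and `require` but no `mode`, so the permissions of the new signing-key directory depend on a default that is not visible here. Unless a File default elsewhere in the define already restricts it, add `mode => '0700',` to this resource so the key directories are accessible to `$user` only. The same applies to the other key directories in the list. The file block continues past the end of the hunk.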
--- a/modules/signingserver/templates/signing.ini.erb
+++ b/modules/signingserver/templates/signing.ini.erb
@@ -22,16 +22,17 @@ public_ssl_cert = <%=@full_public_ssl_ce
# ips that can connect at all
allowed_ips = <%= @allowed_ips.join(', ') %>
allowed_filenames = .*\.exe,.*\.mar,.*\.dll,.*\.bz2,.*\.zip,.*\.dmg,.*\.tar,.*\.checksums,.*\.bundle,.*SUMS,.*\.apk,.*\.bin
min_filesize = 10
<%# if these change frequently or differ per org, consider making them puppetagain config options -%>
max_filesize_gpg = 812646400
max_filesize_dmg = 125829120
max_filesize_mar = 125829120
+max_filesize_mar_sha384 = 125829120
max_filesize_signcode = 157286400
max_filesize_osslsigncode = 157286400
max_filesize_sha2signcode = 157286400
max_filesize_sha2signcodestub = 2097152
max_filesize_emevoucher = 2097152
token_secret = <%=@token_secret%>
<%- if @token_secret0 != '' -%>
token_secret0 = <%=@token_secret0%>
@@ -48,16 +49,17 @@ max_token_age = 25201
[paths]
signed_dir = <%=@signed_dir%>
unsigned_dir = <%=@unsigned_dir%>
[signing]
signscript = <%=@signscript%>
concurrency = <%=@concurrency%>
testfile_mar = <%=@testfile_mar%>
+testfile_mar_sha384 = <%=@testfile_mar_sha384%>
testfile_gpg = <%=@testfile_gpg%>
testfile_signcode = <%=@testfile_signcode%>
testfile_osslsigncode = <%=@testfile_osslsigncode%>
testfile_sha2signcode = <%=@testfile_osslsigncode%>
testfile_sha2signcodestub = <%=@testfile_osslsigncode%>
testfile_emevoucher = <%=@testfile_emevoucher%>
testfile_dmg = <%=@testfile_dmg%>
testfile_jar = <%=@testfile_jar%>
--- a/modules/signingserver/templates/signscript.ini.erb
+++ b/modules/signingserver/templates/signscript.ini.erb
@@ -2,16 +2,17 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
[signscript]
signcode_keydir = <%=@signcode_keydir%>
sha2signcode_keydir = <%=@sha2signcode_keydir%>
gpg_homedir = <%=@gpg_homedir%>
mar_cmd = <%=@mar_cmd%>
+mar_sha384_cmd = <%=@mar_sha384_cmd%>
dmg_keychain = <%=@dmg_keychain%>
mac_id = <%= @mac_id %>
mac_cert_subject_ou = <%=@mac_cert_subject_ou%>
signcode_timestamp = <%=@signcode_timestamp%>
jar_keystore = <%=@jar_keystore%>
jar_keyname = <%=@jar_key_name%>
emevoucher_key = <%=@emevoucher_key%>
emevoucher_chain = <%=@emevoucher_chain%>
--- a/modules/signingworker/templates/passwords.json.erb
+++ b/modules/signingworker/templates/passwords.json.erb
@@ -1,35 +1,35 @@
{
"project:releng:signing:cert:nightly-signing": [
- ["signing4.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing5.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing6.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
+ ["signing4.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing5.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing6.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
["mac-v2-signing1.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["dmgv2"]],
["mac-v2-signing2.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["dmgv2"]],
["mac-v2-signing3.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["dmgv2"]],
["mac-v2-signing4.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["dmgv2"]],
["mac-v2-signing6.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["dmgv2"]],
["mac-v2-signing7.srv.releng.scl3.mozilla.com:9100", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_nightly_password"]) %>", ["dmgv2"]]
],
"project:releng:signing:cert:dep-signing": [
- ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
+ ["signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing5.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
["mac-v2-signing1.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing2.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing3.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing4.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing6.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]],
["mac-v2-signing7.srv.releng.scl3.mozilla.com:9110", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_dep_password"]) %>", ["dmgv2"]]
],
"project:releng:signing:cert:release-signing": [
- ["signing4.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing5.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
- ["signing6.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]],
+ ["signing4.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing5.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
+ ["signing6.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]],
["mac-v2-signing1.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["dmgv2"]],
["mac-v2-signing2.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["dmgv2"]],
["mac-v2-signing3.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["dmgv2"]],
["mac-v2-signing4.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["dmgv2"]],
["mac-v2-signing6.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["dmgv2"]],
["mac-v2-signing7.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["dmgv2"]]
]
}
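Review bot: Each of the nine changed lines repeats the full format list, so adding `mar_sha384` meant editing every signingN entry under all three scopes by hand. A host entry that is missed keeps advertising the old formats, and nothing in the template catches it. Defining the list once at the top, e.g. `<% linux_formats = %w[gpg sha2signcode sha2signcodestub osslsigncode signcode mar mar_sha384 jar emevoucher] -%>`, and emitting it on each signingN line would make the next format change a one-line edit. How it is serialised (for instance `to_json`, if the JSON library is loaded in this Puppet environment) needs checking.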
--- a/modules/toplevel/manifests/server/signing.pp
+++ b/modules/toplevel/manifests/server/signing.pp
@@ -15,17 +15,17 @@ class toplevel::server::signing inherits
'signing-server-maximum-security':
condition => $::security::maximum;
}
case $config::org {
moco: {
$signing_formats = $operatingsystem ? {
Darwin => ["dmg"],
- CentOS => ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "jar", "emevoucher"]
+ CentOS => ["gpg", "sha2signcode", "sha2signcodestub", "osslsigncode", "signcode", "mar", "mar_sha384", "jar", "emevoucher"]
}
$concurrency = $::macosx_productversion_major ? {
10.9 => 2,
default => 4
}
# This token auth is used for one-off partner repacks
$moco_signing_server_repack_password = secret('moco_signing_server_repack_password')
@@ -38,16 +38,17 @@ class toplevel::server::signing inherits
# The OU on the Developer ID certificates is set to a random-ish string
# that is consistent for all certs from the same account.
mac_cert_subject_ou => "43AQ936H96",
token_secret => secret('moco_signing_server_nightly_token_secret'),
token_secret0 => secret('moco_signing_server_old_token_secret'),
new_token_auth => "${signing_server_username}:${signing_server_nightly_password}",
new_token_auth0=> "${signing_server_username}:${signing_server_nightly_password}",
mar_key_name => "nightly1",
+ mar_sha384_key_name => "nightly1",
jar_key_name => "nightly",
formats => $signing_formats,
ssl_cert => $config::signing_server_ssl_certs[$hostname],
ssl_private_key => $config::signing_server_ssl_private_keys[$hostname],
concurrency => $concurrency;
}
signingserver::instance {
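Review bot: `mar_sha384_key_name => "nightly1"` reuses the exact nickname given to `mar_key_name`, and the later hunks of this file do the same for `dep1`, `rel1` and `relabs1`, with no comment on whether these are distinct keys. Judging by instance.pp, the two names are looked up in different key directories (`secrets/mar` and `secrets/mar-sha384`), so they are presumably separate keys that share a nickname, but a reader cannot tell that from here. A comment on the first occurrence, such as `# same nickname as mar_key_name, but resolved in the separate mar-sha384 key directory`, would make the key separation explicit. The resource declaration starts outside this hunk.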
@@ -56,16 +57,17 @@ class toplevel::server::signing inherits
port => "9110",
code_tag => "SIGNING_SERVER",
mac_cert_subject_ou => "Release Engineering",
token_secret => secret('moco_signing_server_dep_token_secret'),
token_secret0 => secret('moco_signing_server_old_token_secret'),
new_token_auth => "${signing_server_username}:${signing_server_dep_password}",
new_token_auth0=> "${signing_server_username}:${signing_server_dep_password}",
mar_key_name => "dep1",
+ mar_sha384_key_name => "dep1",
jar_key_name => "nightly",
formats => $signing_formats,
signcode_timestamp => "no",
ssl_cert => $config::signing_server_ssl_certs[$hostname],
ssl_private_key => $config::signing_server_ssl_private_keys[$hostname],
concurrency => $concurrency;
}
signingserver::instance {
@@ -76,40 +78,42 @@ class toplevel::server::signing inherits
# The OU on the Developer ID certificates is set to a random-ish string
# that is consistent for all certs from the same account.
mac_cert_subject_ou => "43AQ936H96",
token_secret => secret('moco_signing_server_release_token_secret'),
token_secret0 => secret('moco_signing_server_old_token_secret'),
new_token_auth => "${signing_server_username}:${signing_server_release_password}",
new_token_auth0=> "${signing_server_username}:${moco_signing_server_repack_password}",
mar_key_name => "rel1",
+ mar_sha384_key_name => "rel1",
jar_key_name => "release",
formats => $signing_formats,
ssl_cert => $config::signing_server_ssl_certs[$hostname],
ssl_private_key => $config::signing_server_ssl_private_keys[$hostname],
concurrency => $concurrency;
}
}
relabs: {
$signing_formats = $operatingsystem ? {
Darwin => ["gpg", "dmg", "mar"],
- CentOS => ["gpg", "signcode", "mar", "jar"]
+ CentOS => ["gpg", "signcode", "mar", "mar_sha384", "jar"]
}
signingserver::instance {
"relabs-signing-server-1":
listenaddr => "0.0.0.0",
port => "9100",
code_tag => "SIGNING_SERVER",
mac_cert_subject_ou => "RELABS RELABS RELABS",
token_secret => secret('relabs_signing_server_token_secret'),
token_secret0 => secret('relabs_signing_server_token_secret'),
new_token_auth => "${signing_server_username}:${signing_server_dep_password}",
new_token_auth0=> "${signing_server_username}:${signing_server_dep_password}",
mar_key_name => "relabs1",
+ mar_sha384_key_name => "relabs1",
jar_key_name => "relabs",
formats => $signing_formats,
ssl_cert => secret('relabs_signing_server_ssl_cert'),
ssl_private_key => secret('relabs_signing_server_ssl_private_key');
}
}
default: {
fail("no signing server organization defined for $org")