Bug 1346968: Parameterize signing and digest algorithsm for jar signing r=aki
MozReview-Commit-ID: FATZOVcx8KQ
--- a/lib/python/signing/utils.py
+++ b/lib/python/signing/utils.py
@@ -243,26 +243,26 @@ def jar_unsignfile(filename):
# it returns with 12 if it has nothing to do
if proc.wait() not in (0, 12):
stdout.seek(0)
data = stdout.read()
log.error("zip output: %s", data)
raise ValueError("Couldn't remove previous signature")
-def jar_signfile(filename, keystore, keyname, fake=False, passphrase=None):
+def jar_signfile(filename, keystore, keyname, digestalg, sigalg, fake=False, passphrase=None):
"""Sign a jar file
"""
# unsign first
jar_unsignfile(filename)
command = [
"jarsigner",
"-keystore", keystore,
- "-digestalg", "SHA1",
- "-sigalg", "SHA1withDSA",
+ "-digestalg", digestalg,
+ "-sigalg", sigalg,
filename
]
if keyname:
command.append(keyname)
stdout = tempfile.TemporaryFile()
try:
log.debug("running %s", command)
proc = Popen(command, stdout=stdout, stderr=STDOUT, stdin=PIPE)
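Review bot: `digestalg` and `sigalg` are placed into the jarsigner argument list with no check, and the signscript.py defaults added in this same commit are `None`, so an omitted option is likely to surface as a TypeError inside Popen rather than a clear error. A guard at the top of `jar_signfile`, such as `if not digestalg or not sigalg: raise ValueError("digestalg and sigalg are required")`, would fail early; comparing both against the set of algorithms the release configuration approves would also stop a mistyped or weak name from being used silently. The two parameters are inserted before `fake`, so any caller not shown in this diff that passes `fake` or `passphrase` positionally would now bind them to the algorithm slots. The docstring should also say that both values are handed to jarsigner as `-digestalg` and `-sigalg`. The function body continues outside this hunk.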
--- a/release/signing/signscript.py
+++ b/release/signing/signscript.py
@@ -25,16 +25,18 @@ if __name__ == '__main__':
gpg_homedir=None,
loglevel=logging.INFO,
configfile=None,
mar_cmd=None,
mar_sha384_cmd=None,
signcode_timestamp=None,
jar_keystore=None,
jar_keyname=None,
+ jar_sigalg=None,
+ jar_digestalg=None,
emevoucher_key=None,
emevoucher_chain=None,
)
parser.add_option("--keydir", dest="signcode_keydir",
help="where MozAuthenticode.spc, MozAuthenticode.spk can be found")
parser.add_option("--gpgdir", dest="gpg_homedir",
help="where the gpg keyrings are")
parser.add_option("--mac_id", dest="mac_id",
@@ -46,16 +48,20 @@ if __name__ == '__main__':
parser.add_option("-c", "--config", dest="configfile",
help="config file to use")
parser.add_option("--signcode_disable_timestamp",
dest="signcode_timestamp", action="store_false")
parser.add_option("--jar_keystore", dest="jar_keystore",
help="keystore for signing jar_")
parser.add_option("--jar_keyname", dest="jar_keyname",
help="which key to use from jar_keystore")
+ parser.add_option("--jar_digestalg", dest="jar_digestalg",
+ help="which digest algorithm to use for signing jar files")
+ parser.add_option("--jar_sigalg", dest="jar_sigalg",
+ help="which signature algorithm to use for signing jar files")
parser.add_option("--emevoucher_key", dest="emevoucher_key",
help="The certificate to use for signing the eme voucher")
parser.add_option("--emevoucher_chain", dest="emevoucher_chain",
help="Certificate chain to include in EME voucher signatures")
parser.add_option(
"-v", action="store_const", dest="loglevel", const=logging.DEBUG)
options, args = parser.parse_args()
@@ -154,11 +160,13 @@ if __name__ == '__main__':
dmg_signpackage(inputfile, tmpfile, options.dmg_keychain, options.mac_id, options.mac_cert_subject_ou, options.fake, passphrase)
elif format_ == "jar":
if not options.jar_keystore:
parser.error("jar_keystore required when format is jar")
if not options.jar_keyname:
parser.error("jar_keyname required when format is jar")
copyfile(inputfile, tmpfile)
jar_signfile(tmpfile, options.jar_keystore,
- options.jar_keyname, options.fake, passphrase)
+ options.jar_keyname,
+ digestalg=options.jar_digestalg, sigalg=options.jar_sigalg,
+ options.fake, passphrase)
os.rename(tmpfile, destfile)
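Review bot: The rewritten `jar_signfile(...)` call puts the positional arguments `options.fake, passphrase` after the keyword arguments `digestalg=` and `sigalg=`, which Python rejects as a syntax error, so signscript.py would fail to load for every signing format, not only jar. Passing the trailing arguments by keyword fixes it: `fake=options.fake, passphrase=passphrase)`. This branch also requires `jar_keystore` and `jar_keyname` but not the two new options, which default to `None` in the first signscript.py hunk. Adding `if not options.jar_digestalg: parser.error("jar_digestalg required when format is jar")`, and the same for `jar_sigalg`, would keep an unset algorithm from reaching jarsigner. The `if __name__ == '__main__':` block starts and continues outside this hunk.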