--- a/manifests/moco-nodes.pp
+++ b/manifests/moco-nodes.pp
@@ -921,16 +921,26 @@ node /^tb-signing-\d*\.srv\.releng\..*\.
node /^tb-depsigning-worker.*\.srv\.releng\..*\.mozilla\.com$/ {
$aspects = [ 'maximum-security' ]
$signing_scriptworker_env = 'comm-thunderbird-dep'
$timezone = 'UTC'
$only_user_ssh = true
include toplevel::server::signingscriptworker
}
+# https://github.com/mozilla-mobile workers. The "e" in mobile was stripped out
+# in order to leave up to 100 workers instead of 10.
+node /^mobil-signing-linux-\d*\.srv\.releng\..*\.mozilla\.com$/ {
+ $aspects = [ 'maximum-security' ]
+ $signing_scriptworker_env = 'mobile-prod'
+ $timezone = 'UTC'
+ $only_user_ssh = true
+ include toplevel::server::signingscriptworker
+}
+
# Addon scriptworkers
node /^addonworker-\d*\.srv\.releng\..*\.mozilla\.com$/ {
$aspects = [ 'maximum-security' ]
$addon_scriptworker_env = 'prod'
$timezone = 'UTC'
$only_user_ssh = true
include toplevel::server::addonscriptworker
}
@@ -1040,16 +1050,26 @@ node /^dep-pushapkworker-.*\.srv\.releng
node /^pushapkworker-.*\.srv\.releng\..*\.mozilla\.com$/ {
$aspects = [ 'maximum-security' ]
$pushapk_scriptworker_env = 'prod'
$timezone = 'UTC'
$only_user_ssh = true
include toplevel::server::pushapkscriptworker
}
+# https://github.com/mozilla-mobile workers. The "e" in mobile was stripped out
+# in order to leave up to 100 workers instead of 10.
+node /^mobil-pushapkworker-\d*\.srv\.releng\..*\.mozilla\.com$/ {
+ $aspects = [ 'maximum-security' ]
+ $pushapk_scriptworker_env = 'mobile-prod'
+ $timezone = 'UTC'
+ $only_user_ssh = true
+ include toplevel::server::pushapkscriptworker
+}
+
# PushSnap scriptworkers
node /^dep-pushsnapworker-.*\.srv\.releng\..*\.mozilla\.com$/ {
$aspects = [ 'maximum-security' ]
$pushsnap_scriptworker_env = 'dep'
$timezone = 'UTC'
$only_user_ssh = true
include toplevel::server::pushsnapscriptworker
}
new file mode 100644
--- /dev/null
+++ b/modules/pushapk_scriptworker/files/focus.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- a/modules/pushapk_scriptworker/files/requirements.txt
+++ b/modules/pushapk_scriptworker/files/requirements.txt
@@ -29,17 +29,17 @@ ipython==6.4.0
ipython_genutils==0.2.0
jedi==0.12.0
json-e==2.5.0
jsonschema==2.6.0
kiwisolver==1.0.1
lxml==4.2.1
matplotlib==2.2.2
mohawk==0.3.4
-mozapkpublisher==0.7.1
+mozapkpublisher==0.7.2
multidict==4.3.1
networkx==2.1
numpy==1.14.3
oauth2client==4.1.2
parso==0.2.0
pexpect==4.5.0
pickleshare==0.7.4
prompt_toolkit==1.0.15
@@ -49,20 +49,20 @@ pyasn1==0.4.2
pyasn1-modules==0.2.1
pycparser==2.18
pyparsing==2.2.0
python-dateutil==2.7.3
python-gnupg==0.4.2
pytz==2018.4
requests==2.18.4
rsa==3.4.2
-scriptworker==11.0.0
+scriptworker==11.1.0
simplegeneric==0.8.1
slugid==1.0.7
taskcluster==3.0.1
traitlets==4.3.2
uritemplate==3.0.0
urllib3==1.22
virtualenv==15.2.0
voluptuous==0.11.1
wcwidth==0.1.7
yarl==1.2.4
-pushapkscript==0.6.0
+pushapkscript==0.7.0
--- a/modules/pushapk_scriptworker/manifests/init.pp
+++ b/modules/pushapk_scriptworker/manifests/init.pp
@@ -46,16 +46,17 @@ class pushapk_scriptworker {
group => $pushapk_scriptworker::settings::group,
taskcluster_client_id => $pushapk_scriptworker::settings::taskcluster_client_id,
taskcluster_access_token => $pushapk_scriptworker::settings::taskcluster_access_token,
worker_group => $pushapk_scriptworker::settings::worker_group,
worker_type => $pushapk_scriptworker::settings::worker_type,
cot_job_type => 'pushapk',
+ cot_product => $pushapk_scriptworker::settings::cot_product,
sign_chain_of_trust => $pushapk_scriptworker::settings::sign_chain_of_trust,
verify_chain_of_trust => $pushapk_scriptworker::settings::verify_chain_of_trust,
verify_cot_signature => $pushapk_scriptworker::settings::verify_cot_signature,
verbose_logging => $pushapk_scriptworker::settings::verbose_logging,
}
@@ -87,13 +88,19 @@ class pushapk_scriptworker {
$google_play_config['aurora']['certificate_target_location']:
content => $google_play_config['aurora']['certificate'];
$google_play_config['beta']['certificate_target_location']:
content => $google_play_config['beta']['certificate'];
$google_play_config['release']['certificate_target_location']:
content => $google_play_config['release']['certificate'];
}
}
+ 'mobile-prod': {
+ file {
+ $google_play_config['focus']['certificate_target_location']:
+ content => $google_play_config['focus']['certificate'];
+ }
+ }
default: {
fail("Invalid pushapk_scriptworker_env given: ${pushapk_scriptworker_env}")
}
}
}
--- a/modules/pushapk_scriptworker/manifests/jarsigner_init.pp
+++ b/modules/pushapk_scriptworker/manifests/jarsigner_init.pp
@@ -46,13 +46,25 @@ class pushapk_scriptworker::jarsigner_in
java_ks {
'nightly':
certificate => $nightly;
'release':
certificate => $release;
}
}
+ 'mobile-prod': {
+ $focus = $pushapk_scriptworker::settings::jarsigner_all_certificates['focus']
+ file {
+ $focus:
+ source => 'puppet:///modules/pushapk_scriptworker/focus.pem';
+ }
+
+ java_ks {
+ 'focus':
+ certificate => $focus;
+ }
+ }
default: {
fail("Invalid pushapk_scriptworker_env given: ${pushapk_scriptworker_env}")
}
}
}
--- a/modules/pushapk_scriptworker/manifests/settings.pp
+++ b/modules/pushapk_scriptworker/manifests/settings.pp
@@ -12,27 +12,44 @@ class pushapk_scriptworker::settings {
$_env_configs = {
'dep' => {
worker_group => 'dep-pushapk',
worker_type => 'dep-pushapk',
verbose_logging => true,
taskcluster_client_id => secret('pushapk_scriptworker_taskcluster_client_id_dep'),
taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_dep'),
+ scope_prefix => 'project:releng:googleplay:',
+ cot_product => 'firefox',
sign_chain_of_trust => false,
verify_chain_of_trust => true,
verify_cot_signature => false,
},
'prod' => {
worker_group => 'pushapk-v1',
worker_type => 'pushapk-v1',
verbose_logging => true,
taskcluster_client_id => secret('pushapk_scriptworker_taskcluster_client_id_prod'),
taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_prod'),
+ scope_prefix => 'project:releng:googleplay:',
+ cot_product => 'firefox',
+
+ sign_chain_of_trust => true,
+ verify_chain_of_trust => true,
+ verify_cot_signature => true,
+ },
+ 'mobile-prod' => {
+ worker_group => 'mobile-pushapk-v1',
+ worker_type => 'mobile-pushapk-v1',
+ verbose_logging => true,
+ taskcluster_client_id => 'project/mobile/focus/releng/scriptworker/pushapk/production',
+ taskcluster_access_token => secret('pushapk_scriptworker_taskcluster_access_token_mobile'),
+ scope_prefix => 'project:mobile:focus:releng:googleplay:product:',
+ cot_product => 'mobile',
sign_chain_of_trust => true,
verify_chain_of_trust => true,
verify_cot_signature => true,
},
}
$_env_config = $_env_configs[$pushapk_scriptworker_env]
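Review bot: The 'mobile-prod' entry inlines its taskcluster client id as a string literal where the 'dep' and 'prod' entries resolve theirs through `secret()`; a Taskcluster client id is an identifier rather than a credential, so the literal is not a leak, but the asymmetry reads as an oversight. Either move it behind a `secret()` lookup for consistency or add a comment such as `# client id is a public identifier; only the access token is confidential` so the next reader does not "fix" it. The same pattern appears in the signing_scriptworker settings hunk. The blank line left inside the 'prod' hash between `cot_product` and `sign_chain_of_trust` should also be dropped, as no other entry has one.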
@@ -46,16 +63,17 @@ class pushapk_scriptworker::settings {
$taskcluster_client_id = $_env_config['taskcluster_client_id']
$taskcluster_access_token = $_env_config['taskcluster_access_token']
$worker_group = $_env_config['worker_group']
$worker_type = $_env_config['worker_type']
$sign_chain_of_trust = $_env_config['sign_chain_of_trust']
$verify_chain_of_trust = $_env_config['verify_chain_of_trust']
$verify_cot_signature = $_env_config['verify_cot_signature']
+ $cot_product = $_env_config['cot_product']
$_google_play_all_accounts = hiera_hash('pushapk_scriptworker_google_play_accounts')
$_google_play_accounts = $_google_play_all_accounts[$fqdn]
# TODO: Replace this cumbersome logic by an `each` loop once we switch to Puppet 4
case $pushapk_scriptworker_env {
'dep': {
$google_play_config = {
@@ -108,35 +126,56 @@ class pushapk_scriptworker::settings {
},
}
$jarsigner_certificate_aliases_content = {
'aurora' => 'nightly',
'beta' => 'release',
'release' => 'release',
}
}
+ 'mobile-prod': {
+ $google_play_config = {
+ 'focus' => {
+ service_account => $_google_play_accounts['focus']['service_account'],
+ certificate => $_google_play_accounts['focus']['certificate'],
+ certificate_target_location => "${root}/focus.p12",
+ },
+ }
+ $google_play_accounts_config_content = {
+ 'focus' => {
+ 'service_account' => $google_play_config['focus']['service_account'],
+ 'certificate' => $google_play_config['focus']['certificate_target_location'],
+ }
+ }
+ $jarsigner_certificate_aliases_content = {
+ 'focus' => 'focus',
+ }
+ }
default: {
fail("Invalid pushapk_scriptworker_env given: ${pushapk_scriptworker_env}")
}
}
$jarsigner_keystore = "${root}/mozilla-android-keystore"
$jarsigner_keystore_password = secret('pushapk_scriptworker_jarsigner_keystore_password')
$jarsigner_all_certificates = {
'nightly' => "${root}/nightly.cer",
'release' => "${root}/release.cer",
'dep' => "${root}/dep.cer",
+ 'focus' => "${root}/focus.cer",
}
$verbose_logging = $_env_config['verbose_logging']
$script_config = "${root}/script_config.json"
$script_config_content = {
'work_dir' => $work_dir,
'schema_file'=> $schema_file,
'verbose' => $verbose_logging,
'google_play_accounts' => $google_play_accounts_config_content,
'jarsigner_key_store' => $jarsigner_keystore,
'jarsigner_certificate_aliases' => $jarsigner_certificate_aliases_content,
+
+ 'taskcluster_scope_prefix' => $_env_config['scope_prefix'],
}
}
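Review bot: The 'mobile-prod' branch reads `$_google_play_accounts['focus']['service_account']` straight from the per-fqdn hiera hash, and the TODO above the case statement suggests this still runs on Puppet 3, where a missing key yields undef silently rather than failing; a host without a 'focus' entry would then get a script_config with an empty service account and only fail at task time. A guard before building `$google_play_config`, e.g. `if $_google_play_accounts['focus'] == undef { fail("no google play 'focus' account for ${fqdn}") }`, turns that into a catalog compile error. The blank line inserted before `'taskcluster_scope_prefix'` in `$script_config_content` is stray and should be removed. The enclosing class continues outside the hunk.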
--- a/modules/signing_scriptworker/files/requirements.txt
+++ b/modules/signing_scriptworker/files/requirements.txt
@@ -21,17 +21,18 @@ multidict==4.3.1
pexpect==4.5.0
ptyprocess==0.5.2
pyasn1==0.4.2
python-dateutil==2.7.3
python-gnupg==0.4.2
python-jose==3.0.0
requests==2.18.4
rsa==3.4.2
-scriptworker==11.0.0
+scriptworker==11.1.0
+signingscript==6.1.0
signtool==3.2.0
simplejson==3.14.0
six==1.11.0
slugid==1.0.7
taskcluster==3.0.1
urllib3==1.22
virtualenv==15.2.0
yarl==1.2.4
--- a/modules/signing_scriptworker/manifests/settings.pp
+++ b/modules/signing_scriptworker/manifests/settings.pp
@@ -78,10 +78,24 @@ class signing_scriptworker::settings {
scope_prefix => 'project:comm:thunderbird:releng:signing:',
sign_chain_of_trust => true,
verify_chain_of_trust => true,
verify_cot_signature => true,
cot_product => 'thunderbird',
datadog_api_key => secret('scriptworker_datadog_api_key'),
gpg_keyfile => 'KEY_prod',
},
+ 'mobile-prod' => {
+ worker_type => 'mobile-signing-v1',
+ worker_group => 'mobile-signing-v1',
+ taskcluster_client_id => 'project/mobile/focus/releng/scriptworker/signing/production',
+ taskcluster_access_token => secret('mobile_focus_signing_scriptworker_taskcluster_access_token'),
+ passwords_template => 'passwords-mobile.json.erb',
+ scope_prefix => 'project:mobile:focus:releng:signing:',
+ sign_chain_of_trust => true,
+ verify_chain_of_trust => true,
+ verify_cot_signature => true,
+ cot_product => 'mobile',
+ datadog_api_key => secret('scriptworker_datadog_api_key'),
+ gpg_keyfile => 'KEY_dep',
+ },
}
}
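Review bot: The new 'mobile-prod' entry sets `gpg_keyfile => 'KEY_dep'` while the neighbouring production entry uses `'KEY_prod'`, and with `sign_chain_of_trust => true` that keyfile is what signs the chain of trust for this production worker. If a dedicated mobile production key is not yet provisioned and this is a deliberate stopgap, say so in place, e.g. `# XXX: no dedicated mobile prod GPG key yet; CoT is signed with the dep key until one is provisioned`; if it is a copy-paste slip, it should be a production key before this worker type goes live. Either way a downstream CoT verifier that maps `cot_product => 'mobile'` to production trust would otherwise be accepting dep-key signatures. The `$_env_configs` hash starts before this hunk.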
new file mode 100644
--- /dev/null
+++ b/modules/signing_scriptworker/templates/passwords-mobile.json.erb
@@ -0,0 +1,7 @@
+{
+ "<%= @env_config['scope_prefix'] %>cert:release-signing": [
+ ["signing4.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["focus-jar"]],
+ ["signing5.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["focus-jar"]],
+ ["signing6.srv.releng.scl3.mozilla.com:9120", "<%= scope.function_secret(["signing_server_username"]) %>", "<%= scope.function_secret(["signing_server_release_password"]) %>", ["focus-jar"]]
+ ]
+}
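Review bot: The mobile worker authenticates to signing4–6 with `signing_server_username` and `signing_server_release_password`, which from the toplevel::server::signing hunk are the same credentials as `new_token_auth` on the Firefox release signing instance; the mobile-prod scriptworker is therefore distinguished from the Firefox release worker only by the scope prefix it enforces on its own side, not by anything the signing server can check. Unless the signing server restricts formats per credential (nothing in this diff shows that), a compromised mobile worker could request any format the release instance offers, not just `focus-jar`. Consider a dedicated username/password for the mobile worker so the blast radius is bounded on the server, and at least note the shared-credential decision in a comment at the top of the template, e.g. `<%# shares the Firefox release-signing credentials; format restriction is enforced client-side only %>`.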
--- a/modules/signingserver/manifests/instance.pp
+++ b/modules/signingserver/manifests/instance.pp
@@ -5,16 +5,17 @@
define signingserver::instance(
$listenaddr, $port, $code_tag,
$token_secret, $token_secret0,
$new_token_auth, $new_token_auth0,
$mar_key_name, $mar_sha384_key_name,
$jar_key_name, $jar_digestalg, $jar_sigalg,
$formats, $mac_cert_subject_ou,
$ssl_cert, $ssl_private_key,
+ $focus_jar_key_name = '', $focus_jar_digestalg = '', $focus_jar_sigalg = '',
$signcode_timestamp = 'yes',
$concurrency = 4,
$signcode_maxsize = 157286400) {
include config
include signingserver::base
include users::signer
# verify non-empty secrets first
@@ -38,16 +39,17 @@ define signingserver::instance(
$secrets_dir = "${basedir}/secrets"
$signcode_keydir = "${secrets_dir}/signcode"
$sha2signcode_keydir = "${secrets_dir}/sha2signcode"
$gpg_homedir = "${secrets_dir}/gpg"
$mar_keydir = "${secrets_dir}/mar"
$mar_sha384_keydir = "${secrets_dir}/mar-sha384"
$jar_keystore = "${secrets_dir}/jar"
+ $focus_jar_keystore = "${secrets_dir}/focus-jar"
$server_certdir = "${secrets_dir}/server"
$emevoucher_key = "${secrets_dir}/emevouch.pem"
$emevoucher_chain = "${secrets_dir}/emechain.pem"
$dmg_keydir = "${secrets_dir}/dmg"
$dmg_keychain = "${dmg_keydir}/signing.keychain"
$full_private_ssl_cert = "${server_certdir}/signing.server.key"
$full_public_ssl_cert = "${server_certdir}/signing.server.cert"
--- a/modules/signingserver/templates/signing.ini.erb
+++ b/modules/signingserver/templates/signing.ini.erb
@@ -58,11 +58,12 @@ testfile_mar_sha384 = <%=@testfile_mar_s
testfile_gpg = <%=@testfile_gpg%>
testfile_signcode = <%=@testfile_signcode%>
testfile_osslsigncode = <%=@testfile_osslsigncode%>
testfile_sha2signcode = <%=@testfile_osslsigncode%>
testfile_sha2signcodestub = <%=@testfile_osslsigncode%>
testfile_emevoucher = <%=@testfile_emevoucher%>
testfile_dmg = <%=@testfile_dmg%>
testfile_jar = <%=@testfile_jar%>
+testfile_focus-jar = <%=@testfile_jar%>
testfile_widevine = <%=@testfile_widevine%>
testfile_widevine_blessed = <%=@testfile_widevine_blessed%>
formats = <%=@formats.join(",")%>
--- a/modules/signingserver/templates/signscript.ini.erb
+++ b/modules/signingserver/templates/signscript.ini.erb
@@ -11,13 +11,17 @@ mar_sha384_cmd = <%=@mar_sha384_cmd%>
dmg_keychain = <%=@dmg_keychain%>
mac_id = <%= @mac_id %>
mac_cert_subject_ou = <%=@mac_cert_subject_ou%>
signcode_timestamp = <%=@signcode_timestamp%>
jar_keystore = <%=@jar_keystore%>
jar_keyname = <%=@jar_key_name%>
jar_digestalg = <%=@jar_digestalg%>
jar_sigalg = <%=@jar_sigalg%>
+focus_jar_keystore = <%=@focus_jar_keystore%>
+focus_jar_keyname = <%=@focus_jar_key_name%>
+focus_jar_digestalg = <%=@focus_jar_digestalg%>
+focus_jar_sigalg = <%=@focus_jar_sigalg%>
emevoucher_key = <%=@emevoucher_key%>
emevoucher_chain = <%=@emevoucher_chain%>
widevine_key = <%=@widevine_key%>
widevine_cert = <%=@widevine_cert%>
widevine_cmd = <%=@widevine_cmd%>
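Review bot: The four `focus_jar_*` keys are emitted unconditionally, but the matching `signingserver::instance` parameters added in this commit default to `''`, so every instance that does not pass them (the Darwin and non-release instances) now writes `focus_jar_keyname =`, `focus_jar_digestalg =` and `focus_jar_sigalg =` with empty values into signscript.ini. Whether signscript tolerates an empty keyname for a format it is never asked for is not visible here; if it does not, wrap the block in `<% if @focus_jar_key_name != '' %> … <% end %>`, and if it does, a one-line comment above the block saying the keys are intentionally blank on non-focus instances would save the next reader the same question.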
--- a/modules/toplevel/manifests/server/signing.pp
+++ b/modules/toplevel/manifests/server/signing.pp
@@ -80,16 +80,27 @@ class toplevel::server::signing inherits
signcode_timestamp => 'no',
ssl_cert => $signing_server_ssl_cert,
ssl_private_key => $signing_server_ssl_private_key,
concurrency => $concurrency,
# We need to allow very large files to be signed for code
# coverage builds
signcode_maxsize => 786432000;
}
+
+ $release_signing_formats = $::operatingsystem ? {
+ Darwin => $signing_formats,
+ # Linux release signing servers can handle focus signing.
+ # XXX Sadly in puppet, there is no way to append to an existing array defined in the same scope.
+ # That's why the array is duplicated with the added formats on the second line.
+ CentOS => [
+ 'gpg', 'sha2signcode', 'sha2signcodestub', 'osslsigncode', 'signcode', 'mar', 'mar_sha384', 'jar', 'emevoucher', 'widevine', 'widevine_blessed',
+ 'focus-jar',
+ ],
+ }
signingserver::instance {
'rel-key-signing-server':
listenaddr => '0.0.0.0',
port => '9120',
code_tag => 'SIGNING_SERVER',
# The OU on the Developer ID certificates is set to a random-ish string
# that is consistent for all certs from the same account.
mac_cert_subject_ou => '43AQ936H96',
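Review bot: The CentOS branch of `$release_signing_formats` restates the full format list by hand rather than deriving it from `$signing_formats`, so the two will drift the next time a format is added or removed and the release signing server will silently diverge from the other instances; the XXX comment acknowledges the problem but the duplication is still the risk. If puppetlabs-stdlib is available to this module, `CentOS => concat($signing_formats, ['focus-jar'])` removes the copy; if it is not, the comment should at least name `$signing_formats` as the list that must be kept in sync. The selector also has no `default`, so an unexpected `$::operatingsystem` fails at catalog compile, which is presumably the intent and worth a word in the comment. `$signing_formats` and the enclosing case branch are defined outside this hunk.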
@@ -97,17 +108,20 @@ class toplevel::server::signing inherits
token_secret0 => secret('moco_signing_server_old_token_secret'),
new_token_auth => "${signing_server_username}:${signing_server_release_password}",
new_token_auth0 => "${signing_server_username}:${moco_signing_server_repack_password}",
mar_key_name => 'rel1',
mar_sha384_key_name => 'rel1',
jar_key_name => 'release',
jar_digestalg => 'SHA1',
jar_sigalg => 'SHA1withRSA',
- formats => $signing_formats,
+ focus_jar_key_name => 'focus',
+ focus_jar_digestalg => 'SHA-256',
+ focus_jar_sigalg => 'SHA256withRSA',
+ formats => $release_signing_formats,
ssl_cert => $signing_server_ssl_cert,
ssl_private_key => $signing_server_ssl_private_key,
concurrency => $concurrency;
}
}
relabs: {
$signing_formats = $::operatingsystem ? {
Darwin => ['gpg', 'dmg', 'mar'],