Bug 1409091 - Signing servers: Support focus-jar r=aki
MozReview-Commit-ID: 9sGeUhxRNJk
--- a/release/signing/signing.ini.template
+++ b/release/signing/signing.ini.template
@@ -54,17 +54,17 @@ max_token_age = 3600
[paths]
# Where we store signed files
signed_dir = signed-files
# Where we store unsigned files
unsigned_dir = unsigned-files
[signing]
# What signing formats we support
-formats = mar,mar_sha384,gpg,sha2signcode,sha2signcodestub,signcode,osslsigncode,emevoucher,widevine,widevine_blessed
+formats = mar,mar_sha384,gpg,sha2signcode,sha2signcodestub,signcode,osslsigncode,emevoucher,widevine,widevine_blessed,jar,focus-jar
# Which script to run to sign files
signscript = python ./signscript.py -c signing.ini
# How many files to sign at once
concurrency = 4
# Test files for the various signing formats
# signscript will be run on each of these on startup to test that passphrases
# have been entered correctly
testfile_signcode = test.exe
@@ -81,16 +81,24 @@ testfile_widevine_blessed = test.exe
[signscript]
# Various settings for signscript. signing-server.py doesn't look in here
# Where are MozAuthenticode.{pvk,spc} located
signcode_keydir = /path/to/keys
osslsigncode_keydir = /path/to/keys
sha2signcode_keydir = /path/to/keys
# Where is the gpg directory with our private key
gpg_homedir = /path/to/.gpg
+jar_keystore = /path/to/jar/keystore
+jar_keyname = some-name
+jar_digestalg = SHA1
+jar_sigalg = SHA1withRSA
+focus_jar_keystore = /path/to/jar/keystore
+focus_jar_keyname = some-name
+focus_jar_digestalg = SHA-256
+focus_jar_sigalg = SHA256withRSA
# Where is the eme voucher private key
emevoucher_key = /path/to/cert.pem
emevoucher_chain = /path/to/chain.pem
# How to run mar
mar_cmd = /path/to/signmar -d /path/to/nsscerts -n keyname -s
mar_sha384_cmd = /path/to/signmar-sha384 -d /path/to/nsscerts -n keyname -s
# widevine info
widevine_key = /path/to/key.pem
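Review bot: The new `jar_*` and `focus_jar_*` keys are the only entries in this part of `[signscript]` without a describing comment, and `jar_digestalg = SHA1` / `jar_sigalg = SHA1withRSA` are given with no explanation of why `jar` keeps the weaker algorithms while `focus_jar_*` uses SHA-256. I would add `# Keystore, key alias and algorithms for signing Fennec (jar) and Firefox Focus (focus-jar)` above the block. A second line should state why SHA1 stays for `jar` (presumably compatibility with already-shipped packages, to be confirmed), so the values are not copied into a new format. Both keystore placeholders are also the same `/path/to/jar/keystore`; if the two products are meant to use separate keys, a distinct placeholder such as `/path/to/focus-jar/keystore` would make that explicit.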
--- a/release/signing/signscript.py
+++ b/release/signing/signscript.py
@@ -27,16 +27,20 @@ if __name__ == '__main__':
configfile=None,
mar_cmd=None,
mar_sha384_cmd=None,
signcode_timestamp=None,
jar_keystore=None,
jar_keyname=None,
jar_sigalg=None,
jar_digestalg=None,
+ focus_jar_keystore=None,
+ focus_jar_keyname=None,
+ focus_jar_sigalg=None,
+ focus_jar_digestalg=None,
emevoucher_key=None,
emevoucher_chain=None,
widevine_key=None,
widevine_cert=None,
widevine_cmd=None,
)
parser.add_option("--keydir", dest="signcode_keydir",
help="where MozAuthenticode.spc, MozAuthenticode.spk can be found")
@@ -55,16 +59,24 @@ if __name__ == '__main__':
parser.add_option("--jar_keystore", dest="jar_keystore",
help="keystore for signing jar_")
parser.add_option("--jar_keyname", dest="jar_keyname",
help="which key to use from jar_keystore")
parser.add_option("--jar_digestalg", dest="jar_digestalg",
help="which digest algorithm to use for signing jar files")
parser.add_option("--jar_sigalg", dest="jar_sigalg",
help="which signature algorithm to use for signing jar files")
+ parser.add_option("--focus_jar_keystore", dest="focus_jar_keystore",
+ help="keystore for signing Firefox Focus")
+ parser.add_option("--focus_jar_keyname", dest="focus_jar_keyname",
+ help="which key to use from focus_jar_keystore")
+ parser.add_option("--focus_jar_digestalg", dest="focus_jar_digestalg",
+ help="which digest algorithm to use for signing Firefox Focus")
+ parser.add_option("--focus_jar_sigalg", dest="focus_jar_sigalg",
+ help="which signature algorithm to use for signing Firefox Focus")
parser.add_option("--emevoucher_key", dest="emevoucher_key",
help="The certificate to use for signing the eme voucher")
parser.add_option("--emevoucher_chain", dest="emevoucher_chain",
help="Certificate chain to include in EME voucher signatures")
parser.add_option("--widevine_key", dest="widevine_key",
help="The key to use for signing widevine files")
parser.add_option("--widevine_cert", dest="widevine_cert",
help="Certificate to use for signing widevine files")
@@ -163,25 +175,33 @@ if __name__ == '__main__':
inputfile, tmpfile, options.mar_sha384_cmd, options.fake, passphrase)
elif format_ == "dmg":
if not options.dmg_keychain:
parser.error("dmg_keychain required when format is dmg")
if not options.mac_id:
parser.error("mac_id required when format is dmg")
safe_unlink(tmpfile)
dmg_signpackage(inputfile, tmpfile, options.dmg_keychain, options.mac_id, options.mac_cert_subject_ou, options.fake, passphrase)
- elif format_ == "jar":
- if not options.jar_keystore:
- parser.error("jar_keystore required when format is jar")
- if not options.jar_keyname:
- parser.error("jar_keyname required when format is jar")
+ elif format_ in ("jar", "focus-jar"):
+ if format_ == "jar":
+ keystore, keystore_config_name, keyname, keyname_config_name, digestalg, sigalg = (
+ options.jar_keystore, "jar_keystore", options.jar_keyname, "jar_keyname",
+ options.jar_digestalg, options.jar_sigalg
+ )
+ else:
+ keystore, keystore_config_name, keyname, keyname_config_name, digestalg, sigalg = (
+ options.focus_jar_keystore, "focus_jar_keystore", options.focus_jar_keyname, "focus_jar_keystore",
+ options.focus_jar_digestalg, options.focus_jar_sigalg
+ )
+ if not keystore:
+ parser.error("%s required when format is %s" % (keystore_config_name, format_))
+ if not keyname:
+ parser.error("%s required when format is %s" % (keyname_config_name, format_))
copyfile(inputfile, tmpfile)
- jar_signfile(tmpfile, options.jar_keystore,
- options.jar_keyname, options.jar_digestalg, options.jar_sigalg,
- options.fake, passphrase)
+ jar_signfile(tmpfile, keystore, keyname, digestalg, sigalg, options.fake, passphrase)
elif format_ in ("widevine", "widevine_blessed"):
safe_unlink(tmpfile)
if not options.widevine_key:
parser.error("widevine_key required when format is %s" % format_)
blessed = "0"
if format_ == "widevine_blessed":
blessed = "1"
widevine_signfile(
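Review bot: In the `else` branch of the new `jar`/`focus-jar` case, the fourth tuple element is `"focus_jar_keystore"` where `"focus_jar_keyname"` is meant, so a missing key name for `focus-jar` is reported as a missing keystore. The line should read `options.focus_jar_keystore, "focus_jar_keystore", options.focus_jar_keyname, "focus_jar_keyname",`. Separately, `digestalg` and `sigalg` reach `jar_signfile` unchecked. If that function falls back to a tool default when they are `None` (not visible here), an incomplete `focus-jar` config could produce a signature with algorithms other than the intended SHA-256 ones. A guard such as `if format_ == "focus-jar" and not (digestalg and sigalg): parser.error("digestalg and sigalg required when format is %s" % format_)` would fail closed. The enclosing `if`/`elif` chain starts and ends outside the hunk.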
--- a/release/signing/signtool.py
+++ b/release/signing/signtool.py
@@ -37,17 +37,18 @@ def is_authenticode_signed(filename):
finally:
if p:
p.close()
def main():
allowed_formats = ("sha2signcode", "sha2signcodestub", "signcode",
"osslsigncode", "gpg", "mar", "mar_sha384", "dmg",
- "dmgv2", "macapp", "jar", "emevoucher",
+ # "jar" alone is to sign Fennec
+ "dmgv2", "macapp", "jar", "focus-jar" "emevoucher",
"widevine", "widevine_blessed")
from optparse import OptionParser
import random
parser = OptionParser(__doc__)
parser.set_defaults(
hosts=[],
cert=None,
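Review bot: A comma is missing between `"focus-jar"` and `"emevoucher"` in `allowed_formats`, so Python joins the adjacent literals into the single string `"focus-jaremevoucher"`. Neither `focus-jar` nor the previously working `emevoucher` is then in the tuple. The line should read `"dmgv2", "macapp", "jar", "focus-jar", "emevoucher",`. How `allowed_formats` is checked lies outside the hunk, but presumably the client would reject requests for both formats. The body of `main()` continues past the end of the hunk.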