diff --git a/signingscript/src/signingscript/data/gpg_pubkey_dep.asc b/signingscript/src/signingscript/data/gpg_pubkey_dep.asc index db31ae355..f08ec3b1d 100644 --- a/signingscript/src/signingscript/data/gpg_pubkey_dep.asc +++ b/signingscript/src/signingscript/data/gpg_pubkey_dep.asc 
@@ -1 +1,100 @@ -This is a fake KEY file that needs to exist for automation, but it is not used by automation, so it doesn't need real contents. +This file contains the public PGP key that is used to sign non-release +builds and artifacts of Mozilla projects. + +THIS IS A TEST KEY AND SHOULD NOT BE CONSIDERED TRUSTED + +gpg --show-keys < KEY + +pub rsa4096 2018-12-19 [SC] + 1D02D42C7C2086373E2B7D8ED01EF1FA33C6BAEB +uid autograph test subkey +sub rsa4096 2018-12-19 [E] +sub rsa4096 2018-12-19 [S] + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFwaoDMBEAC0FVHFLTVYFSr8ZpCWOKyF+Xrpcr032pOr3p3rBH6Ld9ZTpaLS +5Vsx/u+utJ2Ci3vYde0DG07MS7RBky+rGgf4E1qwTCJb08s5mP0N6sg+J1Jmk03K +8jmXvnRO3208xMkbUdgIt7hbB7/2M85PwkQUaTsRdLM8WltDPl32fJS6HDk2jQsm +CR6u4yt4eZiRIo7k7G70j006kRRBvWgZO6v7DuF/umu1blLmKJdH8bP8WwPwUY0c +PRTVWYS3jFeqxqE95q5OFDsym8SkFUmZa0ftmSfqrvySRPC9HS09tkUHM2sIPPw2 +thE+7RPrTRtiUIL1rkiEiyCWUSMoI1wfms5MrYV1uFqcEHdNmU9wEvfZz+IEGqM6 +MhSjCJpXONOOefL9ovaMBoZrCm8W8LNvY8pYnwtYVcEeUq1aVS9JvWBzxzcijFSb +Pmzg/GhPbNOccreQpYA1Apk2PTfSmOYutSEUsDjj0mNwnMW7QTWrGidFwl8bRnKK +pPitNpLoLeWgikW9U6pHPX4Op5L2ptBq3PmWRoI7qPiYyaK5fv27aCVE7eWWODu/ +dxubwZAfbsZzmE25+HAZkhDHGHbRVIw0Tklmq/VQw6UjNqxZ7zeiKbc0mddfgbyg +WnyNyROr/hlH3TOKU3S2TVUHoMevcxO2KvjzgCQ/9g1mtbs17vVMczrPIQARAQAB +tD1hdXRvZ3JhcGggdGVzdCBzdWJrZXkgPGF1dG9ncmFwaF90ZXN0X3N1YmtleV9n +cGdAZXhhbXBsZS5jb20+iQJOBBMBCgA4FiEEHQLULHwghjc+K32O0B7x+jPGuusF +AlwaoDMCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ0B7x+jPGuus6vhAA +ozEgbzhhANLp69YZGsS6cs1Z4PwG9o3dNTVpagg50s63KMwbPA/7LN5N9WelZ0hZ +W3snSpTiCm2GY7VZpZ4TdQFfZaEPcYt5lhVcb2HbAcbl3aadH20cbdUnTNKMQv6D +lUP48iODA8CQsiZNQJk1yTqfEKjP7rm1t8Jc/bv2cYmcqeZgBP8+QgG9v8ENJRc5 +ZYXNDxtJKz6kgFKxxEUgQCSBwcHFK3aJnY0LNeZB8+wAnJ5/em0dUu3dsG3Xy49j +dFHx3I7KSR6qnOL0IuL+FJNMXtIe57LLsP2f8i6aCCySWWqhnU1HQ9vw8hrjqyZ0 +XU93odZymtFvMhjSJ8tyv2p86Lhm/ZpNVCiR/r7rR7iqBWE+VviXgXWUEQ8rLF/G +tUImZw0zgJIO7rqftgClfX86TPVIq8DJ435nnOroYckgVOi5aRTwS4InUhhoiJ98 +7TqQvnhQnHey1MIxWWoEEAg3i2kHjJME1XKkowEyjm9zRn0+Iuxudc3Yp4f0/Hzt 
+xkMUvtnzZ9PItbCd5DC63pm1dbF8K4pfAscYV3JR11pAO3/S7JtdQMdhT8GEPDPK +y9qqpFktC6UhN7tJjsqVOMrz5sZAtD5pkFUlpwyj4z6W+7mm9nxsXB3nduSDhfNd +fq2sYi3RaBIYETcxF3L8yDDyrDhh8hkR3bgdTyPbcYW5Ag0EXBqgMwEQAKfHtl6V +buxXVMdpCluEfBbwGEYOGz4UjmM/iv39K7+XAkYtaYRlwYHREZDJ08M0NyU5PWr8 +4u1BkqF2KkdTm0GmhxiDNFdSOO4MTI/hEjcS6EX16RtP3ZiLuu85w2+1Kh9m87EG +6MKz8N3d88Mc/nBsmMYn8h65FgmZZFttk5JU1RKQBoDRT2TTba+EPZmAmxplPSKt +1Bnfc9vERQ2eCKrhNEHAtfCY/HMqHEfwLwo2NycR3aEDCFxGh2OQCIuChgzewOpY +zhgN8q+WNo2XZad3J5cMefZNZI6rj1Ta2IVaiO2DJ1mbEtQzF3AzVrFvBiM3XaO4 ++1f2puK2yCbdgzsgfsn3F/J2U0TW5Z0cps8LTSh7ODlsTvaSMxEexbZY8jlDajHn +9UM0h4ILhvgOsLnuey+3FEIkr5WqniHzWCbyy0xF5uAveGP2hYltvRkvdyRs3+Cs +N4b+iHyU53/pOf0Q5o8/96f+2gH3P263ncf92atfSOSXshzVfrVTb1ByEBmFEZE9 +Roya/YR5RuK0r8q6kPHUhn4VxvSPWnSZHg7uKqe+YTLEp1x7rIyem/We0cp1n3t7 +LL9FON9/8TwIM1HbSgxolyAtkzHHd4nH53I1nn3XGdeG310T6PEGvZ+Pd4XOIz0C +HVvN4aJIKk9sLHlGDOq8iy2izPrQyhmZE0PrABEBAAGJAjYEGAEKACAWIQQdAtQs +fCCGNz4rfY7QHvH6M8a66wUCXBqgMwIbDAAKCRDQHvH6M8a662G+D/0VOjTuXVtt +cSxjU8tCNu9Rji/6QC8FRuHIJHVdA/Yy9be7IhDdsxI3lojMK2Y1J6pI1rUYQrsg +noaWuRGeJ49LeWdGRNNtjSR82EtnxDcllm9XKKleaqbVqa+0X6Aqq9bb8Xm53sKA +UWmokgpCV3yRcIDkRE44+iXqtkrQeYqba8vqPnEj0aU1PS6aODK3nzQAu6hymC9y +hoUTQB9G4snQjZj2d7USbeYF9KQWjvxtl6HrGm4yS4gSZ0n1b9w8ZGSUfqk/k1yU +NqtDybxpewpbAWyii4SZuvpsXYEZz9oDokUg3OA6hWinCqf6S5LmaMGBo2lX8zDL +PWYn0IQEIROk6lvyW7cHL7BdappKWQVH4avjpZCy1XVDFzRZrxOoYsRWy8PV0dzF +aff3hVAp8jovHRHAAeB84ga3c3RuDrVyE9t4OM5F+mXZ5/LhRrKmec/ZjwRclnKF +MQV/OZfeVMDDahC9fyoG/gmH/SYisAtQ5gZZbwS/v8KaPhK/9KTChb+IdFsHph6w +ik9aaOSW7nF13OSH/ozngaxr3FwL15yGqMl25IZfqrGfwPaVmMlM7/CkC6wm/7FR +5j8xl6Xvpl1S+C7kUOvjGWHlbglWchNVm0oY+p6MHzKdlwE+nRiubKGGpeI6jUXp +XsQIdRxkBDLwpOQivdxTR3K8kL5KHE4nc7kCDQRcGqDZARAAz7L0YdcqxsBh6Skh +21HsH1N2hc9nYtK295JwCCLpcgM6z22JknDU4+5zwQhRrNUYxNrwkZTk2SHpEUbZ +NfZbtdXbJTvxm8YHYJcCX+wJPEpTlgMBsDcM6QV8vhBvUysgXdvORB8LynLHgU8V +OPpfQfCn3hLLbcycoDY17e9cgdLP9nnY5XGxXXefLUbFzih0n5/IWw7UgcNIoP7O +O+CAsfwrbQXH4PeveNJn1AAR4YtjFSz+emwlThgWc4uJhDopXZUdb93G0Di+CpNs 
+fk9vv4dtT/RCUD7uEAzMWWv/NVDdVyfL/fMb/HBE9gtpCC8XtOnc1dSog3OeOsEX +/wWidsUNyP5CIAkTegbi8YAiV52xjicXtYqdnjisD08YCziEs6ze2itmCWCCd81s +JRMGDlCcjsj/eO0K1KK3Vc9ET20dcg5AHtIpekEcvst77b8ZofN3JmgiaHQfRfGY +C4ovnq0ePERJ0DtnulVPRhZgbkin36go2ASnrgHGA/vjNecoQlUiSW2F3cMPi6v9 +XW/v1VkeVWxk/91gGQ7xPdD5/RVKCqAWL6X0eVY/vmwmoi6+Bxj38Opy99D4zQZn +YgRr6C1/EUns0CUu8QZYcht+iWpxN9jbjbH0BskuLm55Igdi3VqIK8SW4ddsCeN3 ++WCDeCz4iLScyDQ9VWsvZelHPr0AEQEAAYkEbAQYAQoAIBYhBB0C1Cx8IIY3Pit9 +jtAe8fozxrrrBQJcGqDZAhsCAkAJENAe8fozxrrrwXQgBBkBCgAdFiEEQw+hF5tf +sLeq16ge4J9rT55v3MsFAlwaoNkACgkQ4J9rT55v3Ms82Q//ZE1fAtJR8qCfFoqA +53HECBvhGRnMbZWAjfwUVt6zN6x/rVJEg3HKNgk/R18EVFNJsNXLyShEYsvoVVE8 +Rjd3IE3J7jhlfvEObuEmMq2sOG8W0Uc5BC0wJ3gln2MRnhRXqwW6UqnCZ354l3eu +09eU9q9qd86oPu3eVJWgLHCJIYLr4jEYR5p1/CrTmpDs8dzCTUMPQl3VRPsuk6E8 +c5NbOkSb+g45YeeWy+Yc8G4qCQJr6oa3SxGRFGbVTMf0Gem17u+BD3Of62bzP0ah +v95atqWAJGhxx6ql1vbvBU8suRSKGTvMfZ5KjPvX4gsk7Xp/p/pmjnW26/Wk6dJr +oRpgpU/Am38IvvOYvU/GvhFTF0SVaKt2s8W+DSN5iDvC896wzPy2d+V5R2y0las/ +4bw3LsYRjcEoNJGPgJglNCLlT0qb1VNEdrgi5BrhpYVW0Ez59U9wWYOKJZpt5/qT +vvUyt+qDToMxyWTcY7sCiVKnFHwUfFm44M+8bbkREZjfhLzyR3K7eYnI4WCJVzbb +C+Po0xANvj9P1l3izqjppkIQXBVVXlAGZZY7Xx0alG6DtzKy0XBeDkJCDOm1WKb5 +XmeJG+eLwXkfrVWtkETDj7iKFnwZxvT2mll/SsYoH5r5olg1ZLaBAidNysyf8wrS +AsV5LIY/mBNg4rGj7jBZ22RFBEKjDBAAi6kjiSDnJYEWRfCkCuCiMl3mLh+F0J/U +WI+1zE865d9X86nFPMUaxMvxWICU83FWWXqO7RVHj3eeX+UU7ngW7MTw4k2eDLN4 +IajSqyatX+ALcPesa+LgSv5sAiOJLaj29kd43aP/yRvNzQW8aojXcoUDmeUCVwZv +nOKxCqDxkeEW58m3rLaq9cDqFjGXs5E4HLz73+6gKkN2DI0KC7z69AT7ECwal/0g +6VFGt8cyGjwx0RThXEbsdqMvNIr+Vqh1w9amkLMzWwqAXXK3+fycU/KKd43/UPii +hs/hI+7LYjxbms1omGkKWE1ajf15fm1p41d6v6tTA495kx6yalPhjmV4YDwbJx+o +Ij2Jw8Lh+B9lKvQvqaveUaTW7qFBWTDSuWkN20ArgcdgdqlIsmFWWUUNBuuwx9WJ +X7HVqYTfUHHQdTuvCPy8q+1NPhPvbfJM8ryM+rp8rsVZg4roCgM+jIaULE/y+9W3 +0ckHQOgAbxhaHAQSZucbZqvyUSvLnVRT/0TKgm2NSDUOgrweyq5BqiFOE2god3Of +yXzryWWsW8amj8pJ+5MoBN6BRkcI1HnBXv4DvRPzn/qxiZLgAHgdeTn9pu+RLYJu +OmYJJhR27YQ3SV4rdRRyiP7Ipobshhglh/xZWCcVXYQIXFF3vsKi2HTJvMo5MA+2 +gAAPg+05bWI= 
+=459B +-----END PGP PUBLIC KEY BLOCK----- diff --git a/signingscript/src/signingscript/script.py b/signingscript/src/signingscript/script.py index f4c8a4fe8..a8d226800 100755 --- a/signingscript/src/signingscript/script.py +++ b/signingscript/src/signingscript/script.py @@ -1,6 +1,7 @@ #!/usr/bin/env python """Signing script.""" +import asyncio import json import logging import os @@ -32,6 +33,7 @@ async def async_main(context): raise Exception("GPG format is enabled but gpg_pubkey is not defined") if not os.path.exists(context.config["gpg_pubkey"]): raise Exception("gpg_pubkey ({}) doesn't exist!".format(context.config["gpg_pubkey"])) + await set_up_gpg_keyring(context) if {"autograph_widevine", "gcp_prod_autograph_widevine", "stage_autograph_widevine"}.intersection(all_signing_formats): if not context.config.get("widevine_cert"): @@ -82,6 +84,18 @@ async def async_main(context): log.info("Done!") +async def set_up_gpg_keyring(context): + with open(context.config["gpg_pubkey"], "rb") as pubkey, open(os.path.join(context.config["work_dir"], "trustedkeys.gpg"), "wb") as keyring: + p = await asyncio.create_subprocess_exec("gpg", "--dearmor", stdin=pubkey, stdout=keyring) + try: + ret = await asyncio.wait_for(p.wait(), timeout=2) + except TimeoutError: + p.kill() + ret = await p.wait() + if ret != 0: + raise SigningScriptError("Could not make gpg trusted keyring") + + def get_default_config(base_dir=None): """Create the default config to work from. diff --git a/signingscript/src/signingscript/sign.py b/signingscript/src/signingscript/sign.py index 4c66dd3a9..1845a5a94 100644 --- a/signingscript/src/signingscript/sign.py +++ b/signingscript/src/signingscript/sign.py 
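Review bot: In `set_up_gpg_keyring`, the `except TimeoutError:` branch only catches the `asyncio.wait_for` timeout on Python 3.11 and later, where `asyncio.TimeoutError` became an alias of the builtin. If this script can still run on an older interpreter (not visible here), write `except asyncio.TimeoutError:` so that a hung `gpg` process is actually killed. A timeout and a non-zero exit both end in the same `"Could not make gpg trusted keyring"`, and gpg's stderr is not captured, so adding `ret` and the key path to the message would make a failure diagnosable. The function also has no docstring; I would add one saying that it dearmors `config["gpg_pubkey"]` into `trustedkeys.gpg` under `work_dir`, and that `verify_gpg` in sign.py passes this file to `gpgv` as its keyring.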
@@ -1060,6 +1060,11 @@ async def sign_file_with_autograph(context, from_, fmt, to=None, extension_id=No return to +async def verify_gpg(context, from_, signature): + keyring = os.path.join(context.config["work_dir"], "trustedkeys.gpg") + await utils.execute_subprocess(["gpgv", "--keyring", str(keyring), str(signature), str(from_)]) + + @time_async_function async def sign_gpg_with_autograph(context, from_, fmt, **kwargs): """Signs file with autograph and writes the results to a file. @@ -1084,6 +1089,7 @@ async def sign_gpg_with_autograph(context, from_, fmt, **kwargs): signature = await sign_with_autograph(context.session, a, input_file, fmt, "data") with open(to, "w") as fout: fout.write(signature) + await verify_gpg(context, from_, to) return [from_, to] diff --git a/signingscript/tests/data/SHA256SUMS b/signingscript/tests/data/SHA256SUMS new file mode 100644 index 000000000..6b107aee9 --- /dev/null +++ b/signingscript/tests/data/SHA256SUMS 
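Review bot: `verify_gpg` rebuilds the keyring path with the same `os.path.join(context.config["work_dir"], "trustedkeys.gpg")` expression that `set_up_gpg_keyring` in script.py uses, so the trust anchor for this check is a fixed file name inside the task's working directory. If anything else writes into `work_dir` between setup and verification (for example downloaded or unpacked task inputs, which this diff does not show), a file of that name would replace the key `gpgv` trusts. Consider keeping the keyring in a directory that task content never lands in, and sharing the path through one helper or constant instead of two copies of the expression. `verify_gpg` also lacks a docstring, unlike `sign_gpg_with_autograph` below it; something like `"""Check the detached signature of from_ against the trusted keyring."""` would do, with a note on the failure behaviour once it is confirmed that `utils.execute_subprocess` raises on a non-zero exit (not visible here).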
@@ -0,0 +1,139 @@ +9dd74a7c38c59dcb24fcbb054ddab08623dc3e1a58b7aa6a6750f7bc3100f5d5 jsshell/jsshell-linux-aarch64.zip +8cd9069770e9d21e181fdf48d256ecd3a9f8a41baa54027596fbe9c8861fe5ec jsshell/jsshell-linux-x86_64.zip +2f7b2fbf18dfd8a638d71ad17b315e5718d4a5e5df2000fbca825c4498f41593 jsshell/jsshell-mac.zip +2a66a92a474fc74edb9318c991723652a8d5d08cc2cfee9b8f4bd2cba9831566 jsshell/jsshell-win32.zip +ed7e00c4f806aa9c47a0aedda138c1a2d90b590bc47c6dce5ec5e5d18cf03f80 jsshell/jsshell-win64-aarch64.zip +9c6aec0f0c2c54f2ebdcce8e3cc2287911157cbc88b14b923e9352c0089dbc29 jsshell/jsshell-win64.zip +9ca8b9ada6a490baf96a6c269c9c28311b52f3438c1dd06d92fa93cb547ea7b0 linux-aarch64/ar/firefox-149.0.tar.xz +e6ba106b67400a2ac110291081a04e26ada7dd30a0957bf3cc5871c7685fea94 linux-aarch64/en-CA/firefox-149.0.tar.xz +aa359626762ec0467979609f5603d3b5f90cd2fb2d08b790258aa10e5d043af6 linux-aarch64/en-US/firefox-149.0.tar.xz +99412c484a9541cae023c55ade6f2fc2c72f2d4842dc3b5af6b0518a360504d4 linux-aarch64/he/firefox-149.0.tar.xz +a6bcc8d4089f2a0d713aa05b03d6938c50dd8e655308dbf210cf0ba38f470dc2 linux-aarch64/it/firefox-149.0.tar.xz +8e8140df509f999dbb83ada7ef10c791eeb2a6ffcf8f87f2fd9c7e97a77a6642 linux-aarch64/ja/firefox-149.0.tar.xz +cbbf22ab67da5c71cd45bfd6b00b10c0baef724bc2e0f5cb8533d1ccac0e755e linux-aarch64/xpi/ar.xpi +55f49ff92fd168cdd7b6fab47488aef411bbc55b376e1cbf41e410643d00903e linux-aarch64/xpi/en-CA.xpi +1d25a37d7b3b4321ba11fc442f34bbb164ff721c6e101a656592d69f193c54b9 linux-aarch64/xpi/en-US.xpi +e8830f39c25c27d4a043cd1af0c9cce3a7b521810bbbaac19bc7594130687f18 linux-aarch64/xpi/he.xpi +9d8f8c6501f29aad30ce577c8f4360ed42ac8a94e9b0876595f7c97af8530161 linux-aarch64/xpi/it.xpi +68f4db4a3a5b7cb2434004daecf5640c50ff6f42d04d48890f4b6de6dadc2e89 linux-aarch64/xpi/ja.xpi +13ade67355eb5d968d86d1292e5b44575a2c60e218614c0dc8e8281d6115a9e9 linux-x86_64/ar/firefox-149.0.tar.xz +3e32d3df5ae6e768d67348ba2b51ce6a41512a0f0920941ad723125e0f4e1713 linux-x86_64/en-CA/firefox-149.0.tar.xz 
+5e984add74acd37649cee30e70c34bc3a0a31c0b50c7829d57179d3ff7e9e28e linux-x86_64/en-US/firefox-149.0.tar.xz +32245ca33e0e826745c279e022340065ddcc23bd9268745309d2bd131f437e8d linux-x86_64/he/firefox-149.0.tar.xz +53e2a9e7ad6731a6f0da433d4fe5aff2b69b06d717aa12bfa789d8409c41d1c0 linux-x86_64/it/firefox-149.0.tar.xz +c3e82fdf3779a9340d8228ded76ba696a2330ab0538c07d3cdf69a46c6024fd3 linux-x86_64/ja/firefox-149.0.tar.xz +cbbf22ab67da5c71cd45bfd6b00b10c0baef724bc2e0f5cb8533d1ccac0e755e linux-x86_64/xpi/ar.xpi +55f49ff92fd168cdd7b6fab47488aef411bbc55b376e1cbf41e410643d00903e linux-x86_64/xpi/en-CA.xpi +1d25a37d7b3b4321ba11fc442f34bbb164ff721c6e101a656592d69f193c54b9 linux-x86_64/xpi/en-US.xpi +e8830f39c25c27d4a043cd1af0c9cce3a7b521810bbbaac19bc7594130687f18 linux-x86_64/xpi/he.xpi +9d8f8c6501f29aad30ce577c8f4360ed42ac8a94e9b0876595f7c97af8530161 linux-x86_64/xpi/it.xpi +68f4db4a3a5b7cb2434004daecf5640c50ff6f42d04d48890f4b6de6dadc2e89 linux-x86_64/xpi/ja.xpi +411e3d7d863314be59073cf46165e6dca6af2ad0eb7350a56000dafae9a20719 mac-EME-free/en-US/Firefox 149.0.dmg +8d4ff34fa4efbb7c7cdcccfa872c0e9f38fd3538b2d30435866238622aafd0b7 mac-EME-free/ja-JP-mac/Firefox 149.0.dmg +1a49d1111482af342350282417616ae161b7c9967fad4a5527279cace976efce mac/ar/Firefox 149.0.dmg +d5a2af120a7dd1b6883af734c6884658cab3d046066e8857ce98d0a82f8d1b09 mac/ar/Firefox 149.0.pkg +9c4d3c2b618397f08b37948440636468bc6ec4dda3212f44e7d1f28ab9edd3c9 mac/en-CA/Firefox 149.0.dmg +5320dc3a815d178f1e39157944c696612c5da72b292287c8e14f96b0bbe96c09 mac/en-CA/Firefox 149.0.pkg +edbee825ff7596831dd785c38f4953485465b892752c9c6e2e5cfeaf10ead111 mac/en-US/Firefox 149.0.dmg +fbfb452c049842b11ed4e7273a4dcdda92e08133da9ab922fc7d2d1f6c79dfab mac/en-US/Firefox 149.0.pkg +d4b205ae44faef1486e37fa11ebf2b012dc8f901f6bb34f9a75983366e62037b mac/he/Firefox 149.0.dmg +69be38b3eb468367d23a9b55d6ffdfa2eb0153356c3ad85cb3181a211279f824 mac/he/Firefox 149.0.pkg +b8776f14e5810214c5381a4775e30649b861672679090d844dbdaef1d2b706b6 mac/it/Firefox 
149.0.dmg +2c0497d487326fbf20572ec3b2e7976c140c2596fda5a1d749e99310c70b0cfd mac/it/Firefox 149.0.pkg +2838daca92a01854e81e6ed89dd82ecee16317f77fe7daaac1bb450970218444 mac/ja-JP-mac/Firefox 149.0.dmg +135bf03793962761dfd2ac79b07c67f57764b5b946e5ad586d1b07a11219bf78 mac/ja-JP-mac/Firefox 149.0.pkg +cbbf22ab67da5c71cd45bfd6b00b10c0baef724bc2e0f5cb8533d1ccac0e755e mac/xpi/ar.xpi +55f49ff92fd168cdd7b6fab47488aef411bbc55b376e1cbf41e410643d00903e mac/xpi/en-CA.xpi +1d25a37d7b3b4321ba11fc442f34bbb164ff721c6e101a656592d69f193c54b9 mac/xpi/en-US.xpi +e8830f39c25c27d4a043cd1af0c9cce3a7b521810bbbaac19bc7594130687f18 mac/xpi/he.xpi +9d8f8c6501f29aad30ce577c8f4360ed42ac8a94e9b0876595f7c97af8530161 mac/xpi/it.xpi +3e84b9e4c19c31d9cb128f823760a4b084edfe16ef154da7813cd00635d7c39c mac/xpi/ja-JP-mac.xpi +334c30c990911186bd575c87b07306855182b1522368255f9c50940d38356694 source/firefox-149.0.source.tar.xz +cba11111a76c208cf0aadbbfd54d9276ab8ecc93d914a70b33748ff4b02f64d6 update/linux-aarch64/ar/firefox-149.0.complete.mar +935030886ac0f47322ac88a8f7bc97dbf27c224cf84c4915892774fc07d777ab update/linux-aarch64/en-CA/firefox-149.0.complete.mar +587575dc1ec4584fab1127d658a07519165a6154a6cf468ddcb0f5512c3e9146 update/linux-aarch64/en-US/firefox-149.0.complete.mar +b874c0c12855be56c36a6ee863a65c470e134bd080ae233639bd92ffe0cb4b57 update/linux-aarch64/he/firefox-149.0.complete.mar +8c40f9226bb1416ba9ce24a66f34572754b5f58a9c3c94f12e0f6f723b2d79ad update/linux-aarch64/it/firefox-149.0.complete.mar +3347ab69fa134011fb4e7035f7c73bb963e92a371900b7c3bcfe08d74cd2a5a8 update/linux-aarch64/ja/firefox-149.0.complete.mar +635e201414166aae08f021d28e00637f2c37e1c6010020f1c5c2b5f6e0b96185 update/linux-x86_64/ar/firefox-149.0.complete.mar +1c07ffc3147c326fb40f7f67327c109f671f8a92def3dba52352a2785e330aa2 update/linux-x86_64/en-CA/firefox-149.0.complete.mar +20ff5b46bf54136cc12cf250c667f811785b9433827c8635ac8d4b57b57b1ff3 update/linux-x86_64/en-US/firefox-149.0.complete.mar 
+97df5b67e9e723f1a0cc78b10a092f2f988f9e6d7a99d6f8b05319bea0c674d3 update/linux-x86_64/he/firefox-149.0.complete.mar +ab10ecd2702675e0856560162e081e6d0650ceea3492831882ad09df9ab1c079 update/linux-x86_64/it/firefox-149.0.complete.mar +e4c25105b864d69a789b07238ae3883f452f83d1da74173021fb6ba27a0c1bc8 update/linux-x86_64/ja/firefox-149.0.complete.mar +12fcc65c200a7ac451acefefcc64f20e6be58429b701c120dc3e02ed961b3ad7 update/mac/ar/firefox-149.0.complete.mar +661bbdfc40b9d5cda068a586959368165d88741a7622bcd172aeadc3d89921f3 update/mac/en-CA/firefox-149.0.complete.mar +0a36ecf3a687785b96318854ddc3d54efbb0d1be83d851846f19ecbfe0d0b505 update/mac/en-US/firefox-149.0.complete.mar +54b641ddc24f4e5ba8e9cd292290580976c73569517466829761b8c53d904ce9 update/mac/he/firefox-149.0.complete.mar +22b49352f3f0a377424fb229181d00d95fe2d9951e6eb02a79c856ab4ec47e95 update/mac/it/firefox-149.0.complete.mar +01e482b736e6d25f9292eb0eea607c27a0ebe366f1b9965a449bdbdbb5bfd7ac update/mac/ja-JP-mac/firefox-149.0.complete.mar +a1646bc679bb46b098fbdce4d042f3dd2954f2460e7f724b29de5ae10d6b383f update/win32/ar/firefox-149.0.complete.mar +920257b083389d1a22f93fee912f5a5ceb5222f7981b5248378d53a388015241 update/win32/en-CA/firefox-149.0.complete.mar +bcee438dcb264f0c5956ccd775f0d1b97ba0e8b1630484ddb8371be8ad7b311b update/win32/en-US/firefox-149.0.complete.mar +737a22e07b7d584325ca8af42577a3a1b6e76e95e306f190d85fcd8f3b867734 update/win32/he/firefox-149.0.complete.mar +b09da85259760ed131a17f4aa28c01d595af71447ee8fa801eda64f64ae45c59 update/win32/it/firefox-149.0.complete.mar +85e5a9b71ac39113251f2f8af005ff4676794ba4de5544bbb421f198966b06bc update/win32/ja/firefox-149.0.complete.mar +6e29c69173c7596c58d04f3121db94a63bd7ef8dde8afed60d7b45f7c02ffb07 update/win64-aarch64/ar/firefox-149.0.complete.mar +24b7dfb0509a1822616271cc1581f4fef6a4a2388a9e5ee40b9183e303daec95 update/win64-aarch64/en-CA/firefox-149.0.complete.mar +44d2419db71e076e71a6acf0d0ec6878ee336e21a0ff9bbfdd2b96bbc6959c6e 
update/win64-aarch64/en-US/firefox-149.0.complete.mar +cea649e65e70439f075e292c567b5b94e55ed7ef36c69e247d6dd128eea5ee79 update/win64-aarch64/he/firefox-149.0.complete.mar +c56193da0227267e463ec9122feca0d96df6b6d16b0f0e5486d0c000733e58cc update/win64-aarch64/it/firefox-149.0.complete.mar +948ec02892da54b35d29fcdaee712314f82c3a77496693f0ca3155b4a931e83f update/win64-aarch64/ja/firefox-149.0.complete.mar +2794248a7594e4725e8b7ba264c32ad2ed6626341bbd1ef0b16e1500819054b0 update/win64/ar/firefox-149.0.complete.mar +128de1a3b3a3d7c63eb97b3c9aa2c6d5044c6d6fd12b7a4f7766e50d79b6e031 update/win64/en-CA/firefox-149.0.complete.mar +311ac828fbe11edb88a168a73d0472f3555a45c87a8998af2301b771799f4eb2 update/win64/en-US/firefox-149.0.complete.mar +ac6544e115082fd4ce5fd852bca37430cd93a445d8932151e28614514c23a3ab update/win64/he/firefox-149.0.complete.mar +d9b62d303937f836add3b477e38aa8b68275c9f9d2d407b53f0fbc394fc2c424 update/win64/it/firefox-149.0.complete.mar +6d709c78302b0b747d6fb5e11ff6edf456c6e783ab768a0c3fc48ef0463df505 update/win64/ja/firefox-149.0.complete.mar +150643c0335bd8ee3d98ba5d6a8cf851d81b54026263a68cb167533f6e1a0f43 win32-EME-free/en-US/Firefox Setup 149.0.exe +4886fa386266360aa9e9f4de6a00386d0d156a37585c0151ac913a4682bfb3ad win32-EME-free/ja/Firefox Setup 149.0.exe +da329a4eda89af943ebeddf196f2b9e074fd73b4d0fc3e4d92a90aa978b7d517 win32/ar/Firefox Installer.exe +becbb3c4a8d70578a16236ddc3333c6e46d7d3afb304bab2118047d141d50fe0 win32/ar/Firefox Setup 149.0.exe +f59a5f1699de62ad8a1282b8c6e09189ad7e43d03cd335b930aaed80d3136fc7 win32/ar/Firefox Setup 149.0.msi +f669cd0310a5735d919791a9ffa065b311afb10622710f245a5399f4d02a174d win32/en-CA/Firefox Installer.exe +dc07e8744a33fbd8f4b73b64d88b76989de55f174ecb9685618dcecda9dcb6c9 win32/en-CA/Firefox Setup 149.0.exe +731dd52831d2c2a141c2a6607815c8ea8a4605b03fe2ffac0e9b77aa089d567e win32/en-CA/Firefox Setup 149.0.msi +9dbdf9b9bce8feceed8aef742d600b3bf2aedb54b832914d8fe3b3821dd0583f win32/en-US/Firefox Installer.exe 
+726fae5c13aea37454e44188800928da41e9be6910df805a46891acc1d768839 win32/en-US/Firefox Setup 149.0.exe +2bf35c295689173e51701bf8b862001e1589420514b011debc9a5539ca6d12ab win32/en-US/Firefox Setup 149.0.msi +5a2ced245c38ef95146b343a3fcc9d92ddeb19f826b9766ac9f63cd863d4a7b8 win32/he/Firefox Installer.exe +3bb1c2e462d7d351dc248788fec06779ecddf23229f972d72d4cafd5bca6b229 win32/he/Firefox Setup 149.0.exe +22e6bf59958db7c2b73df72517b1c842c12a9a3f57a8dda394e1326e6f1bfe4c win32/he/Firefox Setup 149.0.msi +6963bdef4badf7d906239ad0b87d1092c0d94d76f1801131e4d471c5a5fdac3d win32/it/Firefox Installer.exe +777c084fec1b015d9f858f87f950b48e4831d7ea99f9509a5dbeeb720e860db1 win32/it/Firefox Setup 149.0.exe +bbecd66b75844e5eb83f9dd8f63966bbb167925f9f39c720c756b1677b9e7755 win32/it/Firefox Setup 149.0.msi +ffaf90910e5eb3987e13a7279a3639bdff81967369c2d5d81d8d237beedb0184 win32/ja/Firefox Installer.exe +85a709d8c77ece4a09f8a9d2fe856e8dbeca61351fd3980637955a154e0bfcd4 win32/ja/Firefox Setup 149.0.exe +22a20ff7d0afc0add8e76873a2db4fce3f0868eadeec56ea475c64071bd04d65 win32/ja/Firefox Setup 149.0.msi +cbbf22ab67da5c71cd45bfd6b00b10c0baef724bc2e0f5cb8533d1ccac0e755e win32/xpi/ar.xpi +55f49ff92fd168cdd7b6fab47488aef411bbc55b376e1cbf41e410643d00903e win32/xpi/en-CA.xpi +1d25a37d7b3b4321ba11fc442f34bbb164ff721c6e101a656592d69f193c54b9 win32/xpi/en-US.xpi +e8830f39c25c27d4a043cd1af0c9cce3a7b521810bbbaac19bc7594130687f18 win32/xpi/he.xpi +9d8f8c6501f29aad30ce577c8f4360ed42ac8a94e9b0876595f7c97af8530161 win32/xpi/it.xpi +68f4db4a3a5b7cb2434004daecf5640c50ff6f42d04d48890f4b6de6dadc2e89 win32/xpi/ja.xpi +677d2274964892823edf730e7c69d89af7aa68e6d8596d7f646325258c3b07f6 win64-EME-free/en-US/Firefox Setup 149.0.exe +ccadedcc4c95d4b38415264ac6e1e5cc16299a448c052acfac52c210306a72a6 win64-EME-free/ja/Firefox Setup 149.0.exe +10d2aa6a92672f1b268352ab7d4160b8c4bf7e16c1c26bfabc12790b5bfd2bc5 win64-aarch64/ar/Firefox Setup 149.0.exe +82f1a8c6d8eadd8c466d9873aa320d66ff3de62a3dabd7c3f1741645aef5f781 
win64-aarch64/en-CA/Firefox Setup 149.0.exe +104f53f0e24533e6d5769bdf70b4f218e1088b712d84e53bfad5b49dcc0626f9 win64-aarch64/en-US/Firefox Setup 149.0.exe +8a6c48c57fd37e3274c6c3085d822938ff12d60587e0400dbcf30e5d41ecc68f win64-aarch64/he/Firefox Setup 149.0.exe +94746d148a45a2b20985b279cc27009cef74aab2f34ed7e46fab3ebdbc8c8c07 win64-aarch64/it/Firefox Setup 149.0.exe +6bd006282d451997a0075e271595cd3f57a367ca5932f85886a8b76357522a9b win64-aarch64/ja/Firefox Setup 149.0.exe +b2aa8776766dd600823e04a6cc858d447c07cfe2cd41b7670b524a2592a1ba80 win64/ar/Firefox Setup 149.0.exe +0f5f2c01f30fb593f6f7d5260b54a7debb014dc2c287bdb02a0bdd85273b06b2 win64/ar/Firefox Setup 149.0.msi +8e11c76f803995b07b2d5b79bb1ebfb49575c94ae82a8379f4f9092c106e8b70 win64/en-CA/Firefox Setup 149.0.exe +7c00fc1e79ab0945089a3509e76f1226261d8fa691e00ad4662200a2016ea3ae win64/en-CA/Firefox Setup 149.0.msi +41bc0041947b98c9dae0ebbc86f861139092358b491461258e68d01ef8933e79 win64/en-US/Firefox Setup 149.0.exe +16e87264ac97b9f8ad4dc009c92e4e81fe0d55d57af8f5c7646f579c3167afea win64/en-US/Firefox Setup 149.0.msi +04a7049ac922422f12007acf13d2097bb5d19b2093f9669c286db26635c96880 win64/he/Firefox Setup 149.0.exe +7f3e82ce7f51690123191c9edc900ecd7437f7462c74a13be11467868ec46444 win64/he/Firefox Setup 149.0.msi +e453ad6050c1f21db2eb3fcc7bc42b16c891b131da4c1917f996f1b0ad66f6e1 win64/it/Firefox Setup 149.0.exe +69aee4e20a7a7ed037e4c044a58f6dc176b662382e3e76f1834574899b293f1e win64/it/Firefox Setup 149.0.msi +e1758ca4e0b48ec3a866a1949268c8d914045c304f554b36b9007d9211b717fc win64/ja/Firefox Setup 149.0.exe +4f4089b168b75edad3e98f21b58931a32e7b9e6dd7f6060020328a4c84db1894 win64/ja/Firefox Setup 149.0.msi +cbbf22ab67da5c71cd45bfd6b00b10c0baef724bc2e0f5cb8533d1ccac0e755e win64/xpi/ar.xpi +55f49ff92fd168cdd7b6fab47488aef411bbc55b376e1cbf41e410643d00903e win64/xpi/en-CA.xpi +1d25a37d7b3b4321ba11fc442f34bbb164ff721c6e101a656592d69f193c54b9 win64/xpi/en-US.xpi +e8830f39c25c27d4a043cd1af0c9cce3a7b521810bbbaac19bc7594130687f18 
win64/xpi/he.xpi +9d8f8c6501f29aad30ce577c8f4360ed42ac8a94e9b0876595f7c97af8530161 win64/xpi/it.xpi +68f4db4a3a5b7cb2434004daecf5640c50ff6f42d04d48890f4b6de6dadc2e89 win64/xpi/ja.xpi diff --git a/signingscript/tests/data/SHA256SUMS.asc b/signingscript/tests/data/SHA256SUMS.asc new file mode 100644 index 000000000..0e7ec7cc7 --- /dev/null +++ b/signingscript/tests/data/SHA256SUMS.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEQw+hF5tfsLeq16ge4J9rT55v3MsFAmmUqXsACgkQ4J9rT55v +3MsFnA//djEXovg/ARQThPJjnIGxkSAGx57DpNT+9cacSHzC0EnOI+5DFGJq6nXb +DJ7u2c1wqsnIfjYpr1gR/wlfQD/zKtc4cH8r9BzJl5cBL+cbBvMdLLrpTOYoOeXd +OC91bxmzTmhlK6JY2U52FUmteN4x1nrTW2k2Z/9x4zbsNTNTJgJ3R3lRG7jm2NdW +1pgusTIMkIrbZnN2D1VkCrlTuzdU7cSAunIeGu9tyynTiRMJhxftXPy0MmtH/AMo +ed13jgc8ma1D9WECzjTHfXARswL9t09QaS+LTen1NyRX0Rn799WCgvMIIRwmOGH+ +6nqjHOcKA0RViM3mI/0N1t7e1m2bfD3gHyYqwcyeua5B3kFGePje5/TE8PTjkQ77 +DwHM5PQKz0SmKg03d3Br/e2rq9S2hqiTh8KQr0uKwAd7V23B965OPyOhj3BkWES8 +w5EYTBTcWZrylRJDaKR5RK+m9X8Ue0N8Ab+4fvmtesHqs1q0JdCKtQATEddvn+OI +R2oBJnnPlCebyKMFT5g+9afwLvQuyAFrzPNicLDbB0xZVNSw6gObfi0KFM6etOgr +YMK0fapNjS8USmx3S1ufBMYdPQ5d1l1JeS2iiquG2FmaFmxNsr8QCfb/+e/P/vBG +GRaEUEDyoUUZT+N6UVIxnCXyavCVq/VLj/ewHMYNojACtcJ7r48= +=31Iz +-----END PGP SIGNATURE----- diff --git a/signingscript/tests/test_script.py b/signingscript/tests/test_script.py index 00b33d454..88593c09c 100644 --- a/signingscript/tests/test_script.py +++ b/signingscript/tests/test_script.py @@ -53,6 +53,7 @@ async def test_async_main_gpg(tmpdir, tmpfile, mocker): fake_gpg_pubkey = tmpfile mocked_copy_to_dir = mocker.Mock() mocker.patch.object(script, "copy_to_dir", new=mocked_copy_to_dir) + mocker.patch.object(script, "set_up_gpg_keyring") await async_main_helper(tmpdir, mocker, formats, {"gpg_pubkey": fake_gpg_pubkey}) for call in mocked_copy_to_dir.call_args_list: 
@@ -61,6 +62,8 @@ async def test_async_main_gpg(tmpdir, tmpfile, mocker): else: assert False, "couldn't find copy_to_dir call that created KEY" + script.set_up_gpg_keyring.assert_called_once() + @pytest.mark.asyncio async def test_async_main_gpg_no_pubkey_defined(tmpdir, mocker): diff --git a/signingscript/tests/test_sign.py b/signingscript/tests/test_sign.py index c53e95a68..2173ae35a 100644 --- a/signingscript/tests/test_sign.py +++ b/signingscript/tests/test_sign.py @@ -24,6 +24,7 @@ import signingscript.sign as sign import signingscript.utils as utils from signingscript.exceptions import SigningScriptError +from signingscript.script import set_up_gpg_keyring from signingscript.utils import get_hash # helper constants, fixtures, functions {{{1 @@ -861,12 +862,15 @@ async def test_gpg_autograph(context, mocker, tmp_path): ] } + mocker.patch.object(sign, "verify_gpg") + mocked_sign = mocker.patch.object(sign, "sign_with_autograph") mocked_sign.return_value = async_mock_return_value("--- FAKE SIG ---") result = await sign.sign_gpg_with_autograph(context, tmp, "autograph_gpg") assert result == [tmp, f"{tmp}.asc"] + sign.verify_gpg.assert_called_once_with(context, tmp, f"{tmp}.asc") with pytest.raises(SigningScriptError): result = await sign.sign_gpg_with_autograph(context, tmp, "gpg") @@ -1211,7 +1215,7 @@ async def mocked_winsign(infile, outfile, digest_algo, certs, signer, cafile, ** @pytest.mark.asyncio -async def test_authenticode_sign_gpg_temporary_error(tmpdir, mocker, context, caplog): +async def test_sign_gpg_temporary_error(tmpdir, mocker, context, caplog): context.autograph_configs = { TEST_CERT_TYPE: [ utils.Autograph(*["https://autograph-hsm.dev.mozaws.net", "alice", "fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu", ["autograph_gpg"]]) 
@@ -1231,11 +1235,13 @@ async def flaky_post(self, *args, **kwargs): mocked_session.post = mock.MagicMock(wraps=mocked_session.post) mocker.patch.object(context, "session", new=mocked_session) + mocker.patch.object(sign, "verify_gpg") test_file = tmpdir / "file.txt" test_file.write(b"hello world") await sign.sign_gpg_with_autograph(context, test_file, "autograph_gpg") + sign.verify_gpg.assert_called_once_with(context, f"{test_file}", f"{test_file}.asc") hashes = [] for call in mocked_session.post.call_args_list: auth = call[1]["headers"]["Authorization"] @@ -1579,3 +1585,13 @@ def test_encode_multiple_files(): } ] assert result == expected + + +@pytest.mark.asyncio +async def test_verify_gpg(context): + context.task = {"scopes": ["project:releng:signing:cert:dep-signing"]} + context.config["gpg_pubkey"] = os.path.join(BASE_DIR, "src/signingscript/data/gpg_pubkey_dep.asc") + await set_up_gpg_keyring(context) + from_ = os.path.join(TEST_DATA_DIR, "SHA256SUMS") + to = os.path.join(TEST_DATA_DIR, "SHA256SUMS.asc") + await sign.verify_gpg(context, from_, to) diff --git a/taskcluster/docker/signingscript/Dockerfile b/taskcluster/docker/signingscript/Dockerfile index 4dc596d00..486fe1a18 100644 --- a/taskcluster/docker/signingscript/Dockerfile +++ b/taskcluster/docker/signingscript/Dockerfile @@ -16,7 +16,7 @@ USER root # Install msix # Install rcodesign RUN apt-get update \ - && apt-get install -y osslsigncode cmake clang \ + && apt-get install -y osslsigncode cmake clang gpg gpgv \ && apt-get clean \ && chown -R app:app /app \ && cd /app/signingscript/docker.d \ diff --git a/taskcluster/kinds/docker-image/kind.yml b/taskcluster/kinds/docker-image/kind.yml index 8aec1cd59..2cf5c8535 100644 --- a/taskcluster/kinds/docker-image/kind.yml +++ b/taskcluster/kinds/docker-image/kind.yml 
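Review bot: `test_verify_gpg` only exercises the accepting path, so it would still pass if `verify_gpg` never rejected anything. Add a negative case that checks a modified copy of `SHA256SUMS` (or any other file) against `SHA256SUMS.asc` and expects the call to raise, e.g. `with pytest.raises(Exception): await sign.verify_gpg(context, other_file, to)`, narrowing the exception type to whatever `utils.execute_subprocess` raises. The other tests touched by this diff patch `verify_gpg` out, so this test appears to be the only place the real `gpgv` call runs.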
@@ -108,7 +108,7 @@ tasks: definition: base-test args: PYTHON_VERSION: *py311 - APT_PACKAGES: osslsigncode cmake clang + APT_PACKAGES: osslsigncode cmake clang gpg gpgv pushapkscript-test-py313: definition: base-test @@ -127,4 +127,4 @@ tasks: definition: base-test args: PYTHON_VERSION: *py313 - APT_PACKAGES: osslsigncode cmake clang + APT_PACKAGES: osslsigncode cmake clang gpg gpgv