Testing iscript
This currently assumes we already have a manual testing environment (e.g. partner-repack-1) with an appropriately set up developer Apple account, a keychain with the appropriate pkg- and app-signing certs as well as the notarization account credentials, and python3.
These steps take us from testing manually via individual commands or bash scripts to testing via iscript.
- create a base directory. Currently I'm working in `/builds/notarization/aki`.
- the owner of this directory needs passwordless sudo (`/etc/sudoers`)
```bash
# chdir to base dir
cd /builds/notarization/aki
# clone iscript
git clone https://github.com/mozilla-releng/scriptworker-scripts
# create a python3 virtualenv.
/tools/python36/bin/python3.6 -mvenv venv
. venv/bin/activate
# install scriptworker_client and iscript via |python setup.py develop|
cd scriptworker-scripts/scriptworker_client
python setup.py develop
cd ../vendored/mozbuild
python setup.py develop
cd ../../iscript
python setup.py develop
cd ../..
# Now, `git pull` or local changes to these python files will change iscript's behavior.
```
The script config file can be json or yaml, since yaml is a superset of json. I thought it easier to use yaml. Look, comments:

```yaml
# the work will happen in this dir
work_dir: /tmp/work
# artifacts will be created in this dir. You may want to nuke this dir before running iscript
# manually, or you may have leftover artifacts from previous runs.
artifact_dir: /tmp/artifacts
taskcluster_scope_prefix: "project:releng:signing:"
# Debug logging?
verbose: true
# These are used for multi_account notarization. If there are fewer accounts than apps in
# upstreamArtifacts, then we only notarize len(local_notarization_accounts) at a time.
local_notarization_accounts: ["account1"]
# If we have more than one scriptworker instance per host, we want to avoid conflicting
# dmg mount points. We only need to specify this if we have more than one scriptworker instance
# per host.
dmg_prefix: foo
# Limit async concurrency to this number, in places where we're using a semaphore.
# We should make sure we're actually saving time with this.
concurrency_limit: 2
# Default keychain search path. We update this with the signing keychain before signing.
# Defaults to ["$HOME/Library/Keychains/login.keychain-db", "/Library/Keychains/System.keychain"]
default_keychains:
  - "/Users/cltbld/Library/Keychains/login.keychain-db"
  - "/Library/Keychains/System.keychain"
# mac_config, as opposed to a future ios_config
mac_config:
  # Currently dep is the only supported config.
  dep:
    # multi_account or single_zip
    # these two should allow for all 3 setup configs:
    # 1. single daemon, multi_account, multiple apps per task;
    # 2. single daemon, single zip, multiple apps per task;
    # 3. multiple daemons, single zip, single app per task
    notarize_type: multi_account
    # This is the path to the keychain
    signing_keychain: /path/to/dep.keychain
    # base of the notarization bundle id. We add some dots, TASK_ID, and timestamp
    base_bundle_id: org.mozilla.firefox_dep
    # supported behaviors. we can use this to prevent, say, notarization in dep or tb
    supported_behaviors:
      - mac_sign
      - mac_sign_and_pkg
      - mac_geckodriver
      - mac_notarize
    # sign with entitlements file? we'll want to set this to `False` for dep once we're done testing
    sign_with_entitlements: true
    # currently signature verification is broken for self-signed dep;
    # set to `false` for dep, `true` for nightly and release
    verify_mac_signature: true
    # app signing identity
    identity: ...
    # keychain password
    keychain_password: ...
    # pkg signing cert. Set this to `""` or `null` to skip pkg signing (e.g. dep)
    pkg_cert_id: ...
    # apple notarization account info
    apple_notarization_account: ...
    apple_notarization_password: ...
    # because our account is tied to multiple itunes providers, e.g. https://github.com/macmade/Notarize/issues/2
    apple_asc_provider: ...
    # max time we wait for apple to return `success` after submitting notarization
    # requests.
    notarization_poll_timeout: 900
    # autograph url, username, password, and path to the public widevine cert to verify against
    widevine_url: ...
    widevine_user: ...
    widevine_pass: ...
    widevine_cert: /path/to/cert
    # autograph url, username, password for omnija signing
    omnija_url: ...
    omnija_user: ...
    omnija_pass: ...
    # autograph url, username, password for langpack signing
    langpack_url: ...
    langpack_user: ...
    langpack_pass: ...
  # someday we'll support the above, with
  nightly:
    ...
  release:
    ...
```
We may want to make changes or add more config items to the above; still easy to do. Most likely we want to disable notarization in dep before rollout.
iscript will read `task.json` from the path `<work_dir>/task.json`. It will look like this, minus comments:
```json
{
  # The schema requires this, but we don't care what's in it at the script level
  "dependencies": ["a"],
  # We require a single valid `cert` signing scope
  "scopes": ["project:releng:signing:cert:dep-signing"],
  "payload": {
    # The taskId/path combinations are the apps we will sign/notarize/pkg
    # Currently, the paths after public/build/ need to be unique across all tasks
    # i.e., task1 with public/build/target.tar.gz and task2 with public/build/target.tar.gz
    # would result in one overwriting the other in the artifact dir
    # Currently only .tar.gz tarballs and filenames are supported.
    "upstreamArtifacts": [{
      "taskId": "task1",
      "taskType": "build",
      "paths": ["public/build/1231-1/target.tar.gz", "public/build/0107-1/target-0107-enUS.tar.gz", "public/build/0107-1/target-0107-fr.tar.gz", "public/build/0101-1/target.tar.gz"]
    }, {
      "taskId": "task2",
      "taskType": "build",
      "paths": ["public/build/0101-2/target.tar.gz"]
    }],
    # to be implemented
    "entitlements-url": "",
    # this can be one of:
    # mac_notarize: sign, notarize app, create and sign pkg
    # mac_geckodriver: sign the geckodriver binary
    # mac_sign: sign app
    # mac_sign_and_pkg: sign app, create and sign pkg
    "behavior": "mac_notarize"
  }
}
```
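As a pre-flight check before running iscript manually, here is an added example (not iscript's own code) that validates a `task.json` against a parsed script config using the rules stated above: exactly one cert signing scope under `taskcluster_scope_prefix`, a `behavior` present in that cert level's `supported_behaviors`, only `.tar.gz` paths, and no duplicate paths after `public/build/` across upstream tasks. It assumes that the scope suffix `dep-signing` selects `mac_config.dep`, and it embeds a constructed config and task instead of reading the files from disk.

```python
"""Pre-flight checks for an iscript task.json against its script config. Added
example, not iscript's own code; it encodes the rules stated on this page."""
import json
# Constructed stand-in for the parsed script_config.yaml (normally yaml.safe_load()).
# This dep config deliberately omits mac_notarize, as the page suggests for rollout.
SCRIPT_CONFIG = {
    "taskcluster_scope_prefix": "project:releng:signing:",
    "mac_config": {"dep": {"supported_behaviors": ["mac_sign", "mac_sign_and_pkg", "mac_geckodriver"]}},
}

# Constructed task.json: asks for mac_notarize, and two upstream tasks both ship
# public/build/target.tar.gz, which would overwrite each other in artifact_dir.
TASK_JSON = """{
  "dependencies": ["a"],
  "scopes": ["project:releng:signing:cert:dep-signing"],
  "payload": {
    "upstreamArtifacts": [
      {"taskId": "task1", "taskType": "build", "paths": ["public/build/target.tar.gz"]},
      {"taskId": "task2", "taskType": "build", "paths": ["public/build/target.tar.gz"]}],
    "behavior": "mac_notarize"}}"""

def check_task(task: dict, config: dict) -> list:
    """Return the problems found; an empty list means the task passes every check."""
    prefix = config["taskcluster_scope_prefix"] + "cert:"
    cert_scopes = [s for s in task.get("scopes", []) if s.startswith(prefix)]
    if len(cert_scopes) != 1:
        return [f"expected exactly one {prefix}* scope, got {cert_scopes}"]
    # Assumption: the scope "cert:dep-signing" selects mac_config["dep"].
    level = cert_scopes[0][len(prefix):].rsplit("-signing", 1)[0]
    mac_config = config["mac_config"].get(level)
    if mac_config is None:
        return [f"no mac_config entry for cert level {level!r}"]
    problems = []
    payload = task.get("payload", {})
    if payload.get("behavior") not in mac_config["supported_behaviors"]:
        problems.append(f"behavior {payload.get('behavior')!r} is not supported for {level!r}")
    seen = {}  # relative path under public/build/ -> taskId that first claimed it
    for upstream in payload.get("upstreamArtifacts", []):
        for path in upstream["paths"]:
            if not path.endswith(".tar.gz"):
                problems.append(f"{upstream['taskId']}:{path} is not a .tar.gz tarball")
            rel = path[len("public/build/"):] if path.startswith("public/build/") else path
            if rel in seen:
                problems.append(f"{rel} from {upstream['taskId']} would overwrite {seen[rel]}'s copy")
            seen.setdefault(rel, upstream["taskId"])
    return problems

def preflight(task_text: str = TASK_JSON, config: dict = SCRIPT_CONFIG) -> list:
    # Parse task.json text and run the checks (used by the test and for a manual run).
    return check_task(json.loads(task_text), config)
```

Run `preflight()` on the constructed input and it reports the unsupported behavior and the path collision; point it at `open(work_dir + "/task.json").read()` and `yaml.safe_load()` output to check a real work dir.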
The artifact dir will contain artifacts after a successful run of iscript.
The work dir will need to be prepopulated with a `task.json` and cot artifacts, which match the `task.json`'s `upstreamArtifacts`.

```
work/cot/task1/public/build/en-US/target.tar.gz
work/cot/task2/public/build/fr/target.tar.gz
work/cot/task2/public/build/de/target-de.tar.gz
work/task.json
```
We want to:
- nuke the artifact dir to avoid cruft
- redirect output to a log, ideally dated
So something like this works:
```bash
# after activating venv
rm -rf artifacts && iscript script_config.yaml 2>&1 | tee log.`date '+%Y%m%d%H%M'`
```