1 files changed, 88 insertions, 0 deletions

diff --git a/comm/taskcluster/comm_taskgraph/transforms/signing.py b/comm/taskcluster/comm_taskgraph/transforms/signing.py
new file mode 100644
index 0000000000..297fec0d2e
--- /dev/null
+++ b/comm/taskcluster/comm_taskgraph/transforms/signing.py
@@ -0,0 +1,88 @@
+#  This Source Code Form is subject to the terms of the Mozilla Public
+#  License, v. 2.0. If a copy of the MPL was not distributed with this
+#  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+from taskgraph.transforms.base import TransformSequence
+
+from gecko_taskgraph.util.signed_artifacts import is_notarization_kind
+
+transforms = TransformSequence()
+
+
+def check_notarization(dependencies):
+    """
+    Determine whether a signing job is the last step of a notarization
+    by looking at its dependencies.
+    """
+    for dep in dependencies:
+        if is_notarization_kind(dep):
+            return True
+
+
+@transforms.add
+def remove_widevine(config, jobs):
+    """
+    Remove references to widevine signing.
+
+    This is to avoid adding special cases for handling signed artifacts
+    in mozilla-central code. Artifact signature formats are determined in
+    gecko_taskgraph.util.signed_artifacts. There's no override mechanism so we
+    remove the autograph_widevine format here.
+    """
+    for job in jobs:
+        task = job["task"]
+        payload = task["payload"]
+
+        widevine_scope = "project:comm:thunderbird:releng:signing:format:autograph_widevine"
+        if widevine_scope in task["scopes"]:
+            task["scopes"].remove(widevine_scope)
+        if "upstreamArtifacts" in payload:
+            for artifact in payload["upstreamArtifacts"]:
+                if "autograph_widevine" in artifact.get("formats", []):
+                    artifact["formats"].remove("autograph_widevine")
+
+        yield job
+
+
+@transforms.add
+def no_sign_langpacks(config, jobs):
+    """
+    Remove langpacks from signing jobs after they are automatically added.
+    """
+    for job in jobs:
+        task = job["task"]
+        payload = task["payload"]
+
+        if "upstreamArtifacts" in payload:
+            for artifact in payload["upstreamArtifacts"]:
+                if "autograph_langpack" in artifact.get("formats", []):
+                    artifact["formats"].remove("autograph_langpack")
+
+                # Make sure that there are no .xpi files in the artifact list
+                if all([p.endswith("target.langpack.xpi") for p in artifact["paths"]]):
+                    payload["upstreamArtifacts"].remove(artifact)
+
+        yield job
+
+
+@transforms.add
+def check_for_no_formats(config, jobs):
+    """
+    Check for signed artifacts without signature formats and remove them to
+    avoid scriptworker errors.
+    Signing jobs that use macOS notarization do not have formats, so keep
+    those.
+    """
+    for job in jobs:
+        if not check_notarization(job["dependencies"]):
+            task = job["task"]
+            payload = task["payload"]
+
+            if "upstreamArtifacts" in payload:
+                for artifact in payload["upstreamArtifacts"]:
+                    if "formats" in artifact and not artifact["formats"]:
+                        for remove_path in artifact["paths"]:
+                            job["release-artifacts"].remove(remove_path)
+
+                        payload["upstreamArtifacts"].remove(artifact)
+        yield job