[signingscript] Add apple notarization support

[hneiva]

DO NOT MERGE

Secrets still need to be added to SOPS

It's ready to roll

[bhearsum]

This looks quite good overall! I'd like to see a few things before this lands:

• Agreement on what pool(s) we're going to use for these new workers
• Reworking the creds to set-up the files at init (instead of with each task)
• Some testing through dev before this lands (perhaps through adhoc-signing as we discussed before?).

[bhearsum]

This causes rcodesign to block on notarization completing. This is a notable change from our current process, and will tie up available workers in whatever pool this runs in.

I think this is OK to do, however, this argues for creating a new pool that is exclusively responsible for notarization and stapling (to avoid other signing types getting blocked or delayed if there's a spike in notarization requests, or Apple is slow, etc, etc.). This will end up being a nice simplification and clean up of the current graph (where we have the confusing "sign1" -> "poll" -> "sign3" flow).

(I don't think we need to use the current model of separate workers for notarization and stapling, as long as we do use a separate worker type here, and make sure its maxCapacity is set fairly high.)

In an ideal world, each signingscript that is handling notarization would be able to claim multiple tasks (since most of its work is just sleeping and waiting on Apple) -- but that is well into the realm of future improvements, and absolutely not part of this initial work.

[hneiva]

Let's get some measurements on how quick this goes with adhoc, then we'll have a better idea of how bad it could be.

[bhearsum]

Is there a reason we can't simply deploy creds as this, rather than write them out with each task? We do this, for example, with Google credentials in pushapk workers: creating files as part of init, setting the file path as part of the worker config

[hneiva]

I'm not sure I love the idea of either:
a. Having the credentials in SOPS base64'd
b. Having to construct the json file in init_worker.sh

What if we moved the credentials creation to async_main? (if !credential.exist, create it sort of deal)

[bhearsum]

It will have to be in SOPS either way, no? (I don't think we have any other place to put secrets that these workers need?)

As far as init_worker vs. async_main - I don't feel terribly strongly either way. Although requiring an intermediary format to async_main makes local testing a bit more annoying? I'm not going to block on either approach - as long as it's not being done per-task I'm pretty happy.

[hneiva]

Tested on dev pool: mozilla-releng/adhoc-signing#152

[bhearsum]

This code path means that this function doesn't do what it claims ("write credentials"), and also doesn't throw an error. Why does it exist, and what can we do to improve this? Is it a remnant from when this was being called per task?

[hneiva]

Basically it will write the first time, and skip for any subsequent tasks.
The function still checks for scope issues, so there's a reason for it to exist.
Any specific suggestions on improving it?

[bhearsum]

In that case, it ought to have a different name, or move the scope checks out :).

[bhearsum]

Is there a particular reason we're sending these back as tarballs instead of pkg or apps (as we do with authenticode signing)?

[hneiva]

.apps are not compressed at all.
Since this is a "new" type of task, defaulting to a compressed output seems reasonable.
That being said, we might adjust it later if required 🙃

[bhearsum]

Ah right - I totally lost the plot on .app format 😆 . This is fine.

[bhearsum]

I'm good with this with the write_credentials function renamed (or the scope check moved out).