Bug 1774273 - Add mac notarization on signingscript r=bhearsum

Created a separate kind for only signing with iscript, and another for notarization.
Once we validate this is good, we need to add it to l10n/emfree/etc and point repackage kind at it.

Differential Revision: https://phabricator.services.mozilla.com/D173967

Author: hneiva

taskcluster/ci/build-mac-notarization/kind.yml

@@ -0,0 +1,26 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: gecko_taskgraph.loader.single_dep:loader
+
+transforms:
+    - gecko_taskgraph.transforms.name_sanity:transforms
+    - gecko_taskgraph.transforms.signing:transforms
+    - gecko_taskgraph.transforms.task:transforms
+
+kind-dependencies:
+    - build-mac-signing
+
+only-for-attributes:
+    - shippable
+
+job-template:
+    treeherder:
+        symbol: BMN
+    upstream-artifacts:
+        - taskType: signing
+          paths: ["public/build/target.tar.gz"]
+          formats: ["apple_notarization"]
+          taskId:
+              task-reference: <build-mac-signing>

taskcluster/ci/build-mac-signing/kind.yml

@@ -0,0 +1,26 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+---
+loader: gecko_taskgraph.loader.single_dep:loader
+
+transforms:
+    - gecko_taskgraph.transforms.name_sanity:transforms
+    - gecko_taskgraph.transforms.build_signing:transforms
+    - gecko_taskgraph.transforms.signing:transforms
+    - gecko_taskgraph.transforms.task:transforms
+
+kind-dependencies:
+    - build
+
+only-for-attributes:
+    - shippable
+
+only-for-build-platforms:
+    - macosx64-shippable/opt
+    - macosx64-devedition/opt
+
+job-template:
+    treeherder:
+        symbol: BMS
+    enable-signing-routes: false

taskcluster/docs/kinds.rst

@@ -46,6 +46,16 @@ build-notarization-poller
 
 We switched to a 3-part mac notarization workflow in bug 1562412. This is the second task, which polls Apple for notarization status. Because this is run in a separate, special notarization poller pool, we free up the mac notarization pool for actual signing work.
 
+build-mac-signing
+-----------------
+
+Mac signing without notarization
+
+build-mac-notarization
+----------------------
+
+Mac notarization on signinscript (linux) using rcodesign
+
 artifact-build
 --------------
 

taskcluster/gecko_taskgraph/transforms/signing.py

@@ -204,7 +204,11 @@ def make_task_description(config, jobs):
         if dep_job.kind in task["dependencies"]:
             task["if-dependencies"] = [dep_job.kind]
 
-        if "macosx" in build_platform:
+        # build-mac-notarization uses signingscript instead of iscript
+        if "macosx" in build_platform and config.kind == "build-mac-notarization":
+            task["worker"]["mac-behavior"] = "mac_sign"
+        elif "macosx" in build_platform:
+            # iscript overrides
             shippable = "false"
             if "shippable" in attributes and attributes["shippable"]:
                 shippable = "true"
@@ -223,9 +227,8 @@ def make_task_description(config, jobs):
                     mac_behavior = "mac_notarize_part_3"
                 else:
                     raise Exception(f"Unknown kind {config.kind} for mac_behavior!")
-            else:
-                if "part-1" in config.kind:
-                    continue
+            elif "part-1" in config.kind:
+                continue
             task["worker"]["mac-behavior"] = mac_behavior
             worker_type_alias_map = {
                 "linux-depsigning": "mac-depsigning",

taskcluster/gecko_taskgraph/transforms/task.py

@@ -850,6 +850,7 @@ def build_generic_worker_payload(config, task, task_def):
         Optional("mac-behavior"): Any(
             "mac_notarize_part_1",
             "mac_notarize_part_3",
+            "mac_sign",
             "mac_sign_and_pkg",
             "mac_geckodriver",
             "mac_notarize_geckodriver",