AUT-293: add stage formats for all dev/fake-prod signingscript formats

[bhearsum]

This is part 1 of the plan from this document. The latest version of this has been tested on dev scriptworkers in https://treeherder.mozilla.org/jobs?repo=try&revision=3856381ba7e5d539896bc5dca31aa7a4df43c7ed. There are a handful of failures that we can ignore:

• MAR signing tasks fail (but they get past the actual autograph communication part) due to not having the real dep MAR key on autograph stage. This will be fixed as part of https://mozilla-hub.atlassian.net/browse/AUT-339, but ought not to block this PR.
• linux64 signing failed due to a bad keyid, which I fixed and reran for.
• part of mac signing failed due to me not configuring stage_autograph_langpack on the dev mac signing worker. I could, theoretically, do this and rerun, but I honestly don't think it's worth the effort. All of the non ja-jP-mac signing worked fine, because we don't do langpacks for them. I have no reason to believe this will fail in fake-prod or prod.
• focus signing failed due to a bad secret. I fixed this and reran.

[bhearsum]

This PR is still in draft while we wait for all of the necessary keys to be populated in autograph stage. (I'll probably also do some sanity checking with scriptworker dev instances before having this reviewed and landed.)

[jcristau]

Oops, I only looked at the first commit initially.

[bhearsum]

https://treeherder.mozilla.org/jobs?repo=try&revision=09c0318c363c2043d61db910ba924de5c2a68e7c&searchStr=sign has my latest tests with this patch + up-to-date sops + cloudops-infra. I've also prepared the signingscript-fake-prod branch in the sops repo with the necessary secrets changes we'll need for fake-prod before this lands, as well as some tests to ensure that dev + fake-prod entries (where both exist) have the same autograph secrets.

[bhearsum]

I'm going to fix up the things you mentioned, I also want to note here that I'm looking at a strange failure in this linux l10n signing job. In just this one chunk, we ended up with:

aiohttp.client_exceptions.ClientConnectorDNSError: Cannot connect to host autograph-external.prod.autograph.services.mozaws.net:443 ssl:default [Name or service not known]

Normally I'd write this off as network gremlins, but the fact that it's trying to connect to autograph prod is very surprising, as it's configured only to use stage formats. I've pushed an additional change with some logging improvements to help diagnose this, and see if in fact all of the chunks are doing some signing against prod.

[bhearsum]

I'm going to fix up the things you mentioned, I also want to note here that I'm looking at a strange failure in this linux l10n signing job. In just this one chunk, we ended up with:

aiohttp.client_exceptions.ClientConnectorDNSError: Cannot connect to host autograph-external.prod.autograph.services.mozaws.net:443 ssl:default [Name or service not known]

Normally I'd write this off as network gremlins, but the fact that it's trying to connect to autograph prod is very surprising, as it's configured only to use stage formats. I've pushed an additional change with some logging improvements to help diagnose this, and see if in fact all of the chunks are doing some signing against prod.

This turned out to be another case of a format being hardcoded deep in the bowels of signingscript. I've fixed it, and found a bunch more along the way. I've also added some logging on the success cases. I'm kicking off some widespread testing again, and I'll verify that a) things continue to work, and b) everything is actually using stage when it should.

Regardless, this will need review again, as the changes I've made are not trivial.

[bhearsum]

My latest try push is still finishing up, but it's already done every type of signing AFAICT, and I'm quite confident it will turn out fine. (The scattered failures are DNS resolution issues, which I've reported back to the Autograph team about.)

[jcristau]

LGTM, just a couple of logging nits.

[jcristau]

That is going to be quite noisy...

[bhearsum]

Yeah, that's fair. It's probably not necessary to add this in the end; we already log the other path.

[jcristau]

"Found firefox/firefox-bin to sign False" is a bit of an odd message

[bhearsum]

You're right, this could be improved.

[jcristau]

Another failure on the try push is https://firefox-ci-tc.services.mozilla.com/tasks/FIpZBU_ZSUqWZ5KbKncx1g, where iscript doesn't know about stage_autograph_langpack; probably something to handle (or not) separately from this PR.

[bhearsum]

Another failure on the try push is https://firefox-ci-tc.services.mozilla.com/tasks/FIpZBU_ZSUqWZ5KbKncx1g, where iscript doesn't know about stage_autograph_langpack; probably something to handle (or not) separately from this PR.

Yeah. I did some best effort testing of stage with iscript, but that configuration and set-up is a whole other beast that I'm not prepared to tackle at the moment. (I did do enough testing and set-up to verify that iscript machines can route to the new autograph envs, and that the other types of signing they do with autograph works.)