[tor-commits] [Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 41030: Add script to download a torbrowser/mullvadbrowser release

richard (@richard) git at gitlab.torproject.org
Thu Nov 30 12:46:29 UTC 2023



richard pushed to branch main at The Tor Project / Applications / tor-browser-build


Commits:
07898fd4 by Nicolas Vigier at 2023-11-30T11:59:45+01:00
Bug 41030: Add script to download a torbrowser/mullvadbrowser release

- - - - -
93819f81 by Nicolas Vigier at 2023-11-30T11:59:49+01:00
Bug 41030: Add make targets to unsign and compare exe files

- - - - -


6 changed files:

- Makefile
- doc/MAKEFILE.txt
- + projects/release/compare_windows_signed_unsigned_exe
- projects/release/config
- + tools/download-mullvadbrowser
- + tools/download-torbrowser


Changes:

=====================================
Makefile
=====================================
@@ -229,6 +229,12 @@ torbrowser-dmg2mar-alpha: submodule-update
 	tools/update-responses/download_missing_versions alpha
 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
 
+torbrowser-compare-windows-signed-unsigned-release: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target torbrowser
+
+torbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target torbrowser
+
 
 ########################
 # Base Browser Targets #
@@ -557,6 +563,12 @@ mullvadbrowser-dmg2mar-alpha: submodule-update
 	tools/update-responses/download_missing_versions alpha
 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
 
+mullvadbrowser-compare-windows-signed-unsigned-release: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target mullvadbrowser
+
+mullvadbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target mullvadbrowser
+
 
 ############################
 # Toolchain Update Targets #


=====================================
doc/MAKEFILE.txt
=====================================
@@ -136,3 +136,8 @@ Create update responses xml files for a signed build in the release or
 alpha channel. The files can be found in a tar in the directory
 torbrowser/{release,alpha}/update-responses.
 
+torbrowser-compare-windows-signed-unsigned-{release,alpha}
+----------------------------------------------------------
+Unsign exe files from directory torbrowser/{release,alpha}/signed/$version
+and compare them with the checksum from sha256sums-unsigned-build.txt.
+


=====================================
projects/release/compare_windows_signed_unsigned_exe
=====================================
@@ -0,0 +1,30 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+[% IF c("var/nightly") -%]
+  build_dir=[% shell_quote(path(dest_dir)) %]/[%  c("version") %]
+[% ELSE -%]
+  build_dir=[% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]
+[% END -%]
+
+if ! test -d "$build_dir"
+then
+  echo "Error: Directory $build_dir does not exist" 1>&2
+  echo "You can download it with this command:" 1>&2
+  echo " ./tools/download-[% c("var/projectname") %] [% c("var/torbrowser_version") %]" 1>&2
+  exit 1
+fi
+
+cp -a "$build_dir"/*.exe "$build_dir"/sha256sums-unsigned-build.txt .
+
+tar -xf $rootdir/[% c('input_files_by_name/osslsigncode') %]
+
+for file in *.exe
+do
+  ./osslsigncode/bin/osslsigncode remove-signature -in "$file" -out "unsigned-$file" > /dev/null
+  mv -f "unsigned-$file" "$file"
+  echo "Unsigned $file"
+done
+
+grep '\.exe$' sha256sums-unsigned-build.txt | sha256sum -c
+
+echo "Unsigned exe files are matching with sha256sums-unsigned-build.txt"
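Review bot: The success message on the last line is printed whenever execution reaches it, so the verdict depends on the shell aborting when `sha256sum -c` fails; that only happens if `set_default_env` turns on `set -e`, which is not visible in this hunk. Making the check explicit keeps the step safe on its own: `grep '\.exe$' sha256sums-unsigned-build.txt | sha256sum -c --strict || exit 1`. The same applies inside the loop, where a failed `osslsigncode remove-signature` should stop the run (append `|| exit 1`) instead of falling through to `mv`. The step also treats the `sha256sums-unsigned-build.txt` copied from `$build_dir` as trusted without checking its `.asc`, so a comment stating that the directory is expected to come from `tools/download-torbrowser` (which does verify it) would help.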


=====================================
projects/release/config
=====================================
@@ -263,3 +263,11 @@ steps:
     debug: 0
     input_files: []
     upload_sha256sums: '[% INCLUDE upload_sha256sums %]'
+  compare_windows_signed_unsigned_exe:
+    build_log: '-'
+    debug: 0
+    input_files:
+      - project: osslsigncode
+        name: osslsigncode
+        pkg_type: build
+    compare_windows_signed_unsigned_exe: '[% INCLUDE compare_windows_signed_unsigned_exe %]'


=====================================
tools/download-mullvadbrowser
=====================================
@@ -0,0 +1 @@
+download-torbrowser
\ No newline at end of file


=====================================
tools/download-torbrowser
=====================================
@@ -0,0 +1,100 @@
+#!/usr/bin/perl -w
+
+# This script downloads a torbrowser or mullvadbrowser release, checking
+# its signature
+
+use strict;
+use English;
+use LWP::Simple;
+use IO::CaptureOutput qw(capture_exec);
+use File::Temp;
+use File::Basename qw(fileparse);
+use FindBin;
+use File::Path qw(make_path);
+use File::Copy;
+use Path::Tiny;
+use Digest::SHA qw(sha256_hex);
+
+
+sub exit_error {
+  print STDERR "Error: ", $_[0], "\n";
+  chdir '/';
+  exit (exists $_[1] ? $_[1] : 1);
+}
+
+sub gpg_verify_file {
+  my ($file) = @_;
+  if (system('gpg', '--no-default-keyring', '--keyring',
+      "$FindBin::Bin/../keyring/torbrowser.gpg", '--verify',
+      "$file.asc",
+      $file)) {
+    exit_error "Error checking gpg signature for file $file";
+  }
+}
+
+my $progname = fileparse($PROGRAM_NAME);
+my ($projectname) = $progname =~ m/^download-(.+)$/;
+if (@ARGV != 1) {
+  print STDERR "usage: $progname <version>\n";
+  exit 1;
+}
+
+my $version = $ARGV[0];
+my $version_type = $version =~ m/a/ ? 'alpha' : 'release';
+my $destdir = "$FindBin::Bin/../$projectname/$version_type/signed/$version";
+my $urldir = "https://archive.torproject.org/tor-package-archive/$projectname/$version";
+
+make_path($destdir);
+my $tmpdir = File::Temp->newdir(DIR => "$FindBin::Bin/../tmp");
+
+foreach my $file (qw(sha256sums-signed-build.txt sha256sums-signed-build.txt.asc
+                     sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt.asc)) {
+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+    exit_error "Error downloading $urldir/$file";
+  }
+}
+gpg_verify_file("$tmpdir/sha256sums-signed-build.txt");
+move "$tmpdir/sha256sums-signed-build.txt.asc", "$destdir/sha256sums-signed-build.txt.asc";
+move "$tmpdir/sha256sums-signed-build.txt", "$destdir/sha256sums-signed-build.txt";
+gpg_verify_file("$tmpdir/sha256sums-unsigned-build.txt");
+move "$tmpdir/sha256sums-unsigned-build.txt.asc", "$destdir/sha256sums-unsigned-build.txt.asc";
+move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt";
+
+foreach my $file (qw(sha256sums-signed-build.incrementals.txt
+                     sha256sums-signed-build.incrementals.txt.asc
+                     sha256sums-unsigned-build.incrementals.txt
+                     sha256sums-unsigned-build.incrementals.txt.asc)) {
+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+    last;
+  }
+}
+if (-f "$tmpdir/sha256sums-signed-build.incrementals.txt.asc") {
+  gpg_verify_file("$tmpdir/sha256sums-signed-build.incrementals.txt");
+  move "$tmpdir/sha256sums-signed-build.incrementals.txt.asc", "$destdir/sha256sums-signed-build.incrementals.txt.asc";
+  move "$tmpdir/sha256sums-signed-build.incrementals.txt", "$destdir/sha256sums-signed-build.incrementals.txt";
+}
+if (-f "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc") {
+  gpg_verify_file("$tmpdir/sha256sums-unsigned-build.incrementals.txt");
+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc", "$destdir/sha256sums-unsigned-build.incrementals.txt.asc";
+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt", "$destdir/sha256sums-unsigned-build.incrementals.txt";
+}
+
+my @sha256_lines = path("$destdir/sha256sums-signed-build.txt")->lines;
+push @sha256_lines, path("$destdir/sha256sums-signed-build.incrementals.txt")->lines
+    if -f "$destdir/sha256sums-signed-build.incrementals.txt";
+my %sums = map { chomp; reverse split '  ', $_ } @sha256_lines;
+
+foreach my $file (sort keys %sums) {
+  if (-f "$destdir/$file") {
+    print "Not downloading $file (already there)\n";
+    next;
+  }
+  print "Downloading $file\n";
+  exit_error "Error downloading $urldir/$file\n"
+    unless getstore("$urldir/$file", "$tmpdir/$file") == 200;
+  exit_error "Wrong checksum for $file"
+    unless $sums{$file} eq sha256_hex(path("$tmpdir/$file")->slurp);
+  move "$tmpdir/$file", "$destdir/$file";
+}
+
+print "Finished downloading $projectname $version in $destdir\n";
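Review bot: In the final download loop, a file that already exists in `$destdir` is skipped with "already there" and is never compared against the gpg-verified checksum list, so a truncated file or one altered there by other means is silently accepted as part of the release. Hashing it before skipping closes that gap: `exit_error "Wrong checksum for existing $file" unless $sums{$file} eq sha256_hex(path("$destdir/$file")->slurp);` placed ahead of the `print "Not downloading ..."` line. Separately, `$version` from `@ARGV` and the file names read from the checksum list are interpolated as-is into paths under `$destdir` and `$tmpdir` and into `$urldir`; an anchored allow-list match on both (rejecting `/` and `..`) before use would keep writes inside the intended directories even when the input is unexpected. The return values of `move` are also ignored, so a failed move only surfaces later, if at all.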



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/95fcf1388a6e8f6d5ce8a9bacf854c1d5bd972d0...93819f811d7dc40fb08a6ada55754b1dfb0c89dc
