Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
96045df2 by Dan Ballard at 2023-05-29T08:02:10+00:00
Bug 40858: Add a script for MacOS to selfsign an unsigned browser (so it can run on ARM Mx macs)
- - - - -
1 changed file:
- + tools/browser-self-sign-macos.sh
Changes:
=====================================
tools/browser-self-sign-macos.sh
=====================================
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+CERTNAME=my-codesign-cert-tor
+BROWSERPATH=.
+
+if [ $# -ge 1 ]
+then
+ BROWSERPATH=$1
+fi
+
+
+security find-certificate -c $CERTNAME > /dev/null
+
+if [ $? -ne 0 ]
+then
+ echo ""
+ echo "ERROR: Self Signing Certificate not found, please create:"
+ echo " 1. In the Keychain Access app on your Mac, choose Keychain Access > Certificate Assistant > Create a Certificate."
+ echo " 2. Enter the name '$CERTNAME' for the certificate"
+ echo " 3. Choose an identity type: Self Signed Root"
+ echo " 4. Certificate Type > Code Signing"
+ echo " 5. Check 'Let me override defaults' & click Continue."
+ echo " 6. Enter a unique Serial Number. (123 is fine)"
+ echo " 7. Enter a big Validity Period (days), like 3560 & click Continue."
+ echo " 8. Fill in your personal information & click Continue."
+ echo " 9. Accept defaults for the rest of the dialog boxes. (Continue several times)"
+ echo " 10. Certificate Created! Click Done."
+ echo ""
+ echo "For additional help see:"
+ echo " https://support.apple.com/en-ca/guide/keychain-access/kyca8916/mac"
+ echo " https://stackoverflow.com/questions/58356844/what-are-the-ways-or-technolog…"
+
+ echo ""
+ read -n 1 -r -s -p $'Press enter to launch "Keychain Access"...\n'
+ open /System/Applications/Utilities/Keychain\ Access.app
+
+ exit -1
+fi
+
+echo "Found $CERTNAME, looking for browser to sign..."
+
+if [ ! -f "$BROWSERPATH/XUL" ]
+then
+ TESTPATH="$BROWSERPATH/Contents/MacOS"
+ if [ -f "$TESTPATH/XUL" ]
+ then
+ BROWSERPATH=$TESTPATH
+ else
+ echo "Error: browser files not detected in $BROWSERPATH!"
+ echo " This script needs to be run in the 'Contents/MacOS' directory of a SomeBrowser.app directory"
+ exit -1
+ fi
+fi
+
+echo "Mozilla based browser found, signing..."
+echo ' Will be asked for password to certificate for all the things that need to be signed. Click "Always Allow" to automate'
+
+cd "$BROWSERPATH"
+
+codesign -s $CERTNAME *.dylib
+codesign -s $CERTNAME plugin-container.app
+
+if [ -d Tor ]
+then
+ codesign -s $CERTNAME Tor/PluggableTransports/*
+ codesign -s $CERTNAME Tor/libevent-2.1.7.dylib
+ if [ -f Tor/tor.real ]
+ then
+ codesign -s $CERTNAME Tor/tor.real
+ fi
+ if [ -f Tor/tor ]
+ then
+ codesign -s $CERTNAME Tor/tor
+ fi
+fi
+
+codesign -s $CERTNAME XUL
+
+if [ -d updater.app ]
+then
+ codesign -s $CERTNAME updater.app
+fi
+
+# mullvadbrowser
+if [ -f mullvadbrowser ]
+then
+ codesign -s $CERTNAME mullvadbrowser
+fi
+
+# BB or TB
+if [ -f firefox ]
+then
+ codesign -s $CERTNAME firefox
+fi
+
+echo ""
+echo "Browser signing step done!"
+echo ""
+
+echo "App still needs one more override to be easily opened with double click in Finder"
+echo "Alternatively you can right click it, select 'Open' and then select 'Open' from the override popup"
+echo "Or to enable it to be double clicked to open perform the following"
+echo ""
+echo "Double click the app and select either 'Ok' or 'Cancel' from the warning popup depending on which you get (Do Not 'Move to Trash')"
+echo 'Go to Preferences -> Security & Privacy and click on padlock to allow changes. '
+echo ' Then in "Allow appications downloaded from" select either:'
+echo ' - App Store and identified developers'
+echo ' - Anywhere'
+echo ' Below that may be a notice about your specific app saying it was blocked because it was not from an identified developer. Click "Open Anyways" and "Open"'
+
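Review bot: none of the `codesign -s $CERTNAME ...` calls has its exit status checked, so the script reaches `echo "Browser signing step done!"` even when one of the signatures failed. Stop on the first failure, for example `codesign -s "$CERTNAME" XUL || exit 1`, and guard `cd "$BROWSERPATH"` the same way. The hard-coded `Tor/libevent-2.1.7.dylib` will start failing as soon as the bundled libevent version changes; a glob such as `Tor/*.dylib` would not. Smaller points: `exit -1` is outside the 0-255 status range and should be `exit 1`; `$CERTNAME` is unquoted in every command; "appications" in the final instructions is a typo; and the closing text lists "Anywhere" as an equal choice, while the right-click 'Open' override mentioned just above it is per-app and leaves the system-wide setting alone, so it is worth saying that it is the preferred route.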
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/9…
richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
ee633476 by Nicolas Vigier at 2023-05-25T20:28:24+00:00
Bug 40850: Use obfs4 main branch in nightly
In 076ffcf14d8f51d1837889c25a0fddc0afc42796 we stopped using the main
branch, because the build of tpo/anti-censorship/pluggable-transports/obfs4#40011.
Since this is now fixed, we can use the main branch again.
- - - - -
1 changed file:
- projects/obfs4/config
Changes:
=====================================
projects/obfs4/config
=====================================
@@ -11,14 +11,13 @@ container:
var:
go_vendor_sha256sum: 5d2d82d00afc5fe044ee6df718ffe066b7d9e5446944c0ee0870e060e4e6bcc8
-# Stop using `main` on nightly, until tor-browser-build#40850 is fixed
-#targets:
-# nightly:
-# git_hash: main
-# version: '[% c("abbrev") %]'
-# tag_gpg_id: 0
-# var:
-# go_vendor_sha256sum: ad5cbcb09580c74b02b230b4fad7d2362c3b2f4537cdefd4abdeb0c3c4e97adb
+targets:
+ nightly:
+ git_hash: main
+ version: '[% c("abbrev") %]'
+ tag_gpg_id: 0
+ var:
+ go_vendor_sha256sum: 8b7e04a43bfbcdc829ea5093d8ee0a50eddefad543acd201b25424b33a7f882b
steps:
build:
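Review bot: the restored `nightly` target follows the moving `main` branch (`git_hash: main`, `tag_gpg_id: 0`) while `go_vendor_sha256sum` stays a fixed value, so the nightly build will stop matching as soon as the vendored dependencies change on `main`. The removed comment explained why the block was disabled; a replacement comment above `targets:` saying that this sum has to be refreshed whenever obfs4's dependencies change on `main` would spare the next person from rediscovering it through a failed nightly.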
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/e…
Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
b37e2ebd by Pier Angelo Vendrame at 2023-05-25T18:28:35+02:00
Bug 40777: Update Go to 1.20.4 and create a Go bootstrap project
The Go compiler is written in Go, but it is possible to bootstrap it
from C with Go 1.4.
Before this commit, we used to build Go 1.4 for all our platforms,
so we built a compiler to throw it away several times.
Starting from Go 1.20, the team decided to require Go V-3 to bootstrap
(i.e., Go 1.17 to bootstrap Go 1.20).
Bootstrapping is still feasible, but throwing away two compilers is
not a good idea. So, we decided to create a Go bootstrap project, and
build it only once (for Linux amd64) until it will be able to build
more recent Go compilers.
- - - - -
5 changed files:
- + projects/go-bootstrap/build
- + projects/go-bootstrap/config
- projects/go/0001-Use-fixed-go-build-tmp-directory.patch
- projects/go/build
- projects/go/config
Changes:
=====================================
projects/go-bootstrap/build
=====================================
@@ -0,0 +1,38 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+
+# This project is expected to be built only on Linux.
+# Then the actual Go compiler will be built for each platform.
+
+distdir=/var/tmp/dist/[% project %]
+mkdir -p /var/tmp/build /var/tmp/dist
+
+# Building go 1.4.x
+# This is needed to bootstrap the go that we actually use
+# https://golang.org/doc/install/source#go14
+tar -C /var/tmp/build --transform='s,^go\>,go1.4,' -xf $rootdir/[% c('input_files_by_name/go14') %]
+cd /var/tmp/build/go1.4/src
+# Disable cgo to avoid conflicts with newer GCC. cgo is not needed for the bootstrap go.
+# https://github.com/golang/go/issues/13114#issuecomment-186922245
+# Disable CC etc. that are set up for cross builds.
+CGO_ENABLED=0 CC= CFLAGS= LDFLAGS= ./make.bash
+export GOROOT_BOOTSTRAP="/var/tmp/build/go1.4"
+
+cd $rootdir
+
+tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/go') %]
+export GOROOT="$distdir"
+mv /var/tmp/dist/go $distdir
+cd $distdir/src
+
+./make.bash
+
+# This directory is non-reproducible and doesn't exist in official Go releases,
+# so remove it to preserve reproducibility of the output.
+rm -rf $distdir/pkg/obj/go-build/
+
+cd /var/tmp/dist
+[% c('tar', {
+ tar_src => [ project ],
+ tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+ }) %]
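Review bot: the second stage (from `tar -C /var/tmp/dist -xf ...` to the second `./make.bash`) has no comment, unlike the "Building go 1.4.x" stage above it. A line stating that this builds the Go version from the config with Go 1.4 as `GOROOT_BOOTSTRAP`, and that the result is what projects/go later uses as its own `GOROOT_BOOTSTRAP`, would make the two-step chain readable without the commit message. Also, `export GOROOT="$distdir"` comes before `mv /var/tmp/dist/go $distdir`, so for one line the variable points at a directory that does not exist yet; swapping the two lines reads better. `$rootdir` and `$distdir` are unquoted in the `tar`, `mv`, `cd` and `rm -rf` calls.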
=====================================
projects/go-bootstrap/config
=====================================
@@ -0,0 +1,14 @@
+# vim: filetype=yaml sw=2
+version: 1.19.9
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
+container:
+ use_container: 1
+
+input_files:
+ - project: container-image
+ - URL: 'https://golang.org/dl/go[% c("version") %].src.tar.gz'
+ name: go
+ sha256sum: 131190a4697a70c5b1d232df5d3f55a3f9ec0e78e40516196ffb3f09ae6a5744
+ - URL: https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
+ name: go14
+ sha256sum: f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52
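Review bot: `version: 1.19.9` carries no comment explaining why this version is pinned here or when it needs to move. The commit message gives the rule (Go 1.20 needs at least Go 1.17 to bootstrap), and a short comment next to `version:` repeating it would tell whoever updates projects/go whether this file has to be touched too. Both inputs are pinned with `sha256sum`, which is what is wanted here.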
=====================================
projects/go/0001-Use-fixed-go-build-tmp-directory.patch
=====================================
@@ -1,4 +1,4 @@
-From 958f724b1b434702c3d44ceaca646791674d07b1 Mon Sep 17 00:00:00 2001
+From 2c1c98d6404284df744a194dd23bd3660f365387 Mon Sep 17 00:00:00 2001
From: Georg Koppen <gk(a)torproject.org>
Date: Fri, 17 Apr 2020 10:24:23 +0000
Subject: [PATCH] Use fixed go-build tmp directory
@@ -6,15 +6,18 @@ Subject: [PATCH] Use fixed go-build tmp directory
Use fixed go-build tmp directory, when the directory does not exist, in
order to avoid some reproducibility issues where build directory gets
embedded in generated binaries.
+---
+ src/cmd/go/internal/work/action.go | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/cmd/go/internal/work/action.go b/src/cmd/go/internal/work/action.go
-index 33b7818fb2..5e369d0f53 100644
+index 8beb1345d0..dccf39c1c1 100644
--- a/src/cmd/go/internal/work/action.go
+++ b/src/cmd/go/internal/work/action.go
-@@ -252,9 +252,13 @@ func (b *Builder) Init() {
- if cfg.BuildN {
- b.WorkDir = "$WORK"
- } else {
+@@ -279,9 +279,13 @@ func NewBuilder(workDir string) *Builder {
+ if !buildInitStarted {
+ panic("internal error: NewBuilder called before BuildInit")
+ }
- tmp, err := os.MkdirTemp(cfg.Getenv("GOTMPDIR"), "go-build")
- if err != nil {
- base.Fatalf("go: creating work dir: %v", err)
@@ -29,5 +32,5 @@ index 33b7818fb2..5e369d0f53 100644
if !filepath.IsAbs(tmp) {
abs, err := filepath.Abs(tmp)
--
-2.26.1
+2.39.2
=====================================
projects/go/build
=====================================
@@ -3,27 +3,8 @@
distdir=/var/tmp/dist/[% project %]
mkdir -p /var/tmp/dist
-[% IF c("var/linux") %]
- # Config options for hardening-wrapper
- export DEB_BUILD_HARDENING=1
- export DEB_BUILD_HARDENING_STACKPROTECTOR=1
- export DEB_BUILD_HARDENING_FORTIFY=1
- export DEB_BUILD_HARDENING_FORMAT=1
- export DEB_BUILD_HARDENING_PIE=1
-[% END %]
-
-mkdir -p /var/tmp/build
-
-# Building go 1.4.x
-# This is needed to bootstrap the go that we actually use
-# https://golang.org/doc/install/source#go14
-tar -C /var/tmp/build --transform='s,^go\>,go1.4,' -xf $rootdir/[% c('input_files_by_name/go14') %]
-cd /var/tmp/build/go1.4/src
-# Disable cgo to avoid conflicts with newer GCC. cgo is not needed for the bootstrap go.
-# https://github.com/golang/go/issues/13114#issuecomment-186922245
-# Disable CC etc. that are set up for cross builds.
-CGO_ENABLED=0 CC= CFLAGS= LDFLAGS= ./make.bash
-export GOROOT_BOOTSTRAP="/var/tmp/build/go1.4"
+tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/go-bootstrap') %]
+export GOROOT_BOOTSTRAP="/var/tmp/dist/go-bootstrap"
cd $rootdir
[% IF ! c("var/linux") %]
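Review bot: the `[% IF c("var/linux") %]` block exporting `DEB_BUILD_HARDENING=1` and the related `DEB_BUILD_HARDENING_*` variables is removed along with the Go 1.4 bootstrap, but the commit message only talks about the bootstrap. If the hardening-wrapper settings are no longer needed for the Linux Go build, say so in the commit message; if they still apply to the remaining `make.bash` run, they should stay. Also note that `GOROOT_BOOTSTRAP="/var/tmp/dist/go-bootstrap"` depends on the directory name that go-bootstrap/build packs with `tar_src => [ project ]`, so the two files have to be kept in sync by hand.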
=====================================
projects/go/config
=====================================
@@ -1,12 +1,10 @@
# vim: filetype=yaml sw=2
-version: 1.19.9
-filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
+version: 1.20.4
+filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
container:
use_container: 1
var:
- go14_version: 1.4.3
-
setup: |
mkdir -p /var/tmp/dist
tar -C /var/tmp/dist -xf $rootdir/[% c("go_tarfile") %]
@@ -121,9 +119,10 @@ input_files:
enable: '[% ! c("var/linux") %]'
- URL: 'https://golang.org/dl/go[% c("version") %].src.tar.gz'
name: go
- sha256sum: 131190a4697a70c5b1d232df5d3f55a3f9ec0e78e40516196ffb3f09ae6a5744
- - URL: 'https://golang.org/dl/go[% c("var/go14_version") %].src.tar.gz'
- name: go14
- sha256sum: 9947fc705b0b841b5938c48b22dc33e9647ec0752bae66e50278df4f23f64959
+ sha256sum: 9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6
+ - project: go-bootstrap
+ name: go-bootstrap
+ target_replace:
+ '^.*browser-.*': 'basebrowser-linux-x86_64'
- filename: 0001-Use-fixed-go-build-tmp-directory.patch
enable: '[% c("var/android") %]'
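Review bot: the `target_replace` pattern `'^.*browser-.*'` only rewrites targets that contain "browser-", and nothing here says what happens for a target that does not match. A comment above `target_replace:` stating the intent (always take go-bootstrap from the Linux x86_64 build so it is built once) and which target names the pattern is meant to cover would make it clear when the pattern needs extending.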
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/b…
ma1 pushed to branch tor-browser-102.11.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
dbec6cf6 by cypherpunks1 at 2023-05-24T09:21:07-08:00
fixup! Bug 23247: Communicating security expectations for .onion
Bug 41785: Show http onion resources as secure in network monitor
- - - - -
1 changed file:
- devtools/shared/webconsole/network-helper.js
Changes:
=====================================
devtools/shared/webconsole/network-helper.js
=====================================
@@ -600,6 +600,9 @@ var NetworkHelper = {
// The request did not contain any security info.
if (!securityInfo) {
+ if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
+ info.state = "secure";
+ }
return info;
}
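Review bot: in the `if (!securityInfo)` branch the function now returns with `info.state = "secure"` but with none of the other fields of `info` filled in, since there is no security info to read them from. Please confirm that the network monitor's security panel handles a "secure" state that has no protocol, cipher or certificate data. The same `httpActivity.hostname && httpActivity.hostname.endsWith(".onion")` test is added again in the next hunk; a small helper would keep the two from drifting apart.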
@@ -651,7 +654,11 @@ var NetworkHelper = {
// schemes other than https and wss are subject to
// downgrade/etc at the scheme level and should always be
// considered insecure
- info.state = "insecure";
+ if (httpActivity.hostname && httpActivity.hostname.endsWith(".onion")) {
+ info.state = "secure";
+ } else {
+ info.state = "insecure";
+ }
} else if (state & wpl.STATE_IS_SECURE) {
// The connection is secure if the scheme is sufficient
info.state = "secure";
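Review bot: the comment just above the new condition still says schemes other than https and wss "should always be considered insecure", which is no longer true once the `.onion` exception sets `info.state = "secure"`. Update the comment to name the exception and why it is safe, and reuse one helper for the hostname test instead of repeating the expression from the previous hunk.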
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/dbec6cf…
Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
d94b4545 by Nicolas Vigier at 2023-05-24T13:24:07+02:00
Bug 40866: Remove ansible from README
- - - - -
1 changed file:
- README
Changes:
=====================================
README
=====================================
@@ -156,18 +156,9 @@ Automated builds using tbb-testsuite
------------------------------------
The Tor Browser testsuite scripts can also be used to do nightly builds
-and publish the build logs. The recommended way to do that is to use
-the ansible roles from the tools/ansible directory. See next section
-for details.
-
-
-Using ansible to set up a nightly build machine
------------------------------------------------
-
-The directory tools/ansible contains some ansible roles to set up a
-nightly build machine. You can look at the playbook defined in
-boklm-tbb-nightly-build.yml and variables in group_vars/boklm-tbb-nightly/
-for an example of how it can be used.
+and publish the build logs. This page has some information about the
+setup we use for nightly builds:
+https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Nightly_Builds_Setup
Signing builds
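Review bot: this commit changes only README, while the removed paragraphs documented `tools/ansible` and `boklm-tbb-nightly-build.yml`. If that directory is still in the tree it is now undocumented; if it is being removed, doing it in the same commit (or referencing the commit that does) would keep README and tree consistent. The replacement text also moves the setup documentation to a wiki URL outside the repository, so it will not be versioned with the build scripts it describes.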
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/d…
Pier Angelo Vendrame pushed to branch tor-browser-102.11.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
4c0986cb by cypherpunks1 at 2023-05-23T14:06:01-08:00
fixup! Bug 23247: Communicating security expectations for .onion
Bug 33298: Warn when submitting form data from http onion sites over an insecure connection
- - - - -
1 changed file:
- dom/html/HTMLFormElement.cpp
Changes:
=====================================
dom/html/HTMLFormElement.cpp
=====================================
@@ -893,7 +893,10 @@ nsresult HTMLFormElement::DoSecureToInsecureSubmitCheck(nsIURI* aActionURL,
formIsHTTPS = OwnerDoc()->GetDocumentURI()->SchemeIs("https");
}
if (!formIsHTTPS) {
- return NS_OK;
+ bool formIsOnion = nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(OwnerDoc()->GetDocumentURI());
+ if (!formIsOnion) {
+ return NS_OK;
+ }
}
if (nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(aActionURL)) {
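Review bot: after this change an http `.onion` document falls through to the rest of the secure-to-insecure check, but the only exemption for the action URL visible here is `IsPotentiallyTrustworthyLoopbackURL(aActionURL)`. Please confirm that an `.onion` action URL is treated as trustworthy further down, otherwise an http onion form posting to an http onion target would trigger the warning as well. On style, the nested block can be folded into the existing condition, for example `if (!formIsHTTPS && !nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(...)) { return NS_OK; }`, which also avoids the over-long `bool formIsOnion = ...` line.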
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/4c0986c…