tbb-commits
May 2023
- 1 participants
 - 66 discussions
 
                        
                            
                                
                            
[Git][tpo/applications/tor-browser-update-responses][main] release: new version, 12.0.6
by richard (@richard) 12 May '23

richard pushed to branch main at The Tor Project / Applications / Tor Browser update responses
Commits:
4792e4f8 by Richard Pospesel at 2023-05-12T16:42:40+00:00
release: new version, 12.0.6
- - - - -
30 changed files:
- update_3/release/.htaccess
- − update_3/release/12.0.4-12.0.5-linux32-ALL.xml
- − update_3/release/12.0.4-12.0.5-linux64-ALL.xml
- − update_3/release/12.0.4-12.0.5-macos-ALL.xml
- − update_3/release/12.0.4-12.0.5-win32-ALL.xml
- − update_3/release/12.0.4-12.0.5-win64-ALL.xml
- + update_3/release/12.0.4-12.0.6-linux32-ALL.xml
- + update_3/release/12.0.4-12.0.6-linux64-ALL.xml
- + update_3/release/12.0.4-12.0.6-macos-ALL.xml
- + update_3/release/12.0.4-12.0.6-win32-ALL.xml
- + update_3/release/12.0.4-12.0.6-win64-ALL.xml
- + update_3/release/12.0.5-12.0.6-linux32-ALL.xml
- + update_3/release/12.0.5-12.0.6-linux64-ALL.xml
- + update_3/release/12.0.5-12.0.6-macos-ALL.xml
- + update_3/release/12.0.5-12.0.6-win32-ALL.xml
- + update_3/release/12.0.5-12.0.6-win64-ALL.xml
- − update_3/release/12.0.5-linux32-ALL.xml
- − update_3/release/12.0.5-linux64-ALL.xml
- − update_3/release/12.0.5-macos-ALL.xml
- − update_3/release/12.0.5-win32-ALL.xml
- − update_3/release/12.0.5-win64-ALL.xml
- + update_3/release/12.0.6-linux32-ALL.xml
- + update_3/release/12.0.6-linux64-ALL.xml
- + update_3/release/12.0.6-macos-ALL.xml
- + update_3/release/12.0.6-win32-ALL.xml
- + update_3/release/12.0.6-win64-ALL.xml
- update_3/release/download-android-aarch64.json
- update_3/release/download-android-armv7.json
- update_3/release/download-android-x86.json
- update_3/release/download-android-x86_64.json
The diff was not included because it is too large.
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-update-responses…
                            
[Git][tpo/applications/tor-browser-build] Pushed new tag tbb-12.0.6-build1
by Pier Angelo Vendrame (@pierov) 10 May '23

Pier Angelo Vendrame pushed new tag tbb-12.0.6-build1 at The Tor Project / Applications / tor-browser-build
-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/tree/tbb…
                            
[Git][tpo/applications/tor-browser-build][maint-12.0] Bug 40820: Prepare stable release 12.0.6
by Pier Angelo Vendrame (@pierov) 10 May '23

Pier Angelo Vendrame pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build
Commits:
6b72e634 by Pier Angelo Vendrame at 2023-05-10T09:57:03+02:00
Bug 40820: Prepare stable release 12.0.6
- - - - -
8 changed files:
- projects/browser/Bundle-Data/Docs/ChangeLog.txt
- projects/browser/allowed_addons.json
- projects/firefox/config
- projects/geckoview/config
- projects/go/config
- projects/manual/config
- projects/translation/config
- rbm.conf
Changes:
=====================================
projects/browser/Bundle-Data/Docs/ChangeLog.txt
=====================================
@@ -1,3 +1,89 @@
+Tor Browser 12.0.6 - May 09 2023
+ * All Platforms
+   * Updated Translations
+   * Updated Go to 11.9.9
+   * Bug 41728: Pin bridges.torproject.org domains to Let's Encrypt's root cert public key [tor-browser]
+   * Bug 41756: Rebase Tor Browser Stable to 102.11.0esr [tor-browser]
+ * Windows + macOS + Linux
+   * Updated Firefox to 102.11esr
+   * Bug 40501: High CPU load after tor exits unexpectedly [tor-browser]
+ * Windows
+   * Bug 41683: Disable the network process on Windows [tor-browser]
+ * Android
+   * Updated GeckoView to 102.11esr
+ * Build System
+   * Windows + macOS + Linux
+     * Bug 41730: Bridge lines in tools/torbrowser/bridges.js out of date [tor-browser]
+   * macOS
+     * Bug 40844: Fix DMG reproducibility problem on 12.0.5 [tor-browser-build]
+
+Tor Browser 12.5a5 - April 18 2023
+ * All Platforms
+   * Updated Translations
+   * Updated NoScript to 11.4.21
+   * Updated Go to 11.9.8
+   * Bug 40833: base-browser nightly is using the default channel instead of nightly [tor-browser-build]
+   * Bug 41687: Rebase Tor Browser Alpha to 102.10.0esr [tor-browser]
+   * Bug 41689: Remove startup.homepage_override_url from Base Browser [tor-browser]
+   * Bug 41704: Immediately return on remoteSettings.pollChanges [tor-browser]
+ * Windows + macOS + Linux
+   * Updated Firefox to 102.10esr
+   * Bug 165: Fix maximization warning x button and preference [mullvad-browser]
+   * Bug 40501: High CPU load after tor exits unexpectedly [tor-browser]
+   * Bug 40701: Improve security warning when downloading a file [tor-browser]
+   * Bug 40788: Tor Browser 11.0.4-11.0.6 phoning home [tor-browser]
+   * Bug 40811: Make testing the updater easier [tor-browser-build]
+   * Bug 40831: Fix update URL for base-browser nightly [tor-browser-build]
+   * Bug 40958: The number of relays displayed for an onion site can be misleading [tor-browser]
+   * Bug 41038: Update "Click to Copy" button label in circuit display [tor-browser]
+   * Bug 41109: "New circuit..." button gets cut-off when onion name wraps [tor-browser]
+   * Bug 41350: Move the implementation of Bug 19273 out of Torbutton [tor-browser]
+   * Bug 41521: Improve localization notes [tor-browser]
+   * Bug 41533: Page Info window for view-source:http://...onion addresses says Connection Not Encrypted [tor-browser]
+   * Bug 41600: Some users have difficulty finding the circuit display [tor-browser]
+   * Bug 41617: Improve the UX of the built-in bridges dialog [tor-browser]
+   * Bug 41668: Move part of the updater patches to base browser [tor-browser]
+   * Bug 41686: Move the 'Bug 11641: Disable remoting by default' commit from base-browser to tor-browser [tor-browser]
+   * Bug 41695: Port warning on maximized windows without letterboxing from torbutton [tor-browser]
+   * Bug 41699: Tighten up the tor onion alias regular expression [tor-browser]
+   * Bug 41701: Reporting an extension does not work [tor-browser]
+   * Bug 41702: The connection pill needs to be centered vertically [tor-browser]
+   * Bug 41709: sendCommand should not try to send a command forever [tor-browser]
+   * Bug 41711: Race condition when opening a new window in New Identity [tor-browser]
+   * Bug 41713: “Remove All Bridges” button only appears after hitting “Show All Bridges" [tor-browser]
+   * Bug 41714: “Show Fewer Bridges” button missing from refactored remove all bridges UI [tor-browser]
+   * Bug 41719: Update title and button strings in the new circuit display to sentence case [tor-browser]
+   * Bug 41722: Regression: window maximization warning cannot be closed by the X button [tor-browser]
+   * Bug 41725: Stray connectionPane.xhtml patch [tor-browser]
+ * Windows
+   * Bug 41459: WebRTC fails to build under mingw [tor-browser]
+   * Bug 41678: WebRTC build fix patches incorrectly defining pid_t [tor-browser]
+   * Bug 41683: Disable the network process on Windows [tor-browser]
+ * Linux
+   * Bug 40830: The fontconfig directory is missing in Base Browser [tor-browser-build]
+   * Bug 41163: Many bundled fonts are blocked in Ubuntu/Fedora because of RFP [tor-browser]
+ * Android
+   * Updated GeckoView to 102.10esr
+   * Bug 41724: Backport Android-specific security fixes from Firefox 112 to ESR 102.10-based Tor Browser [tor-browser]
+ * Build System
+   * All Platforms
+     * Bug 40828: Use http://archive.debian.org/debian-archive/ for jessie [tor-browser-build]
+     * Bug 40837: Rebase mullvad-browser build changes onto main [tor-browser-build]
+   * Windows + macOS + Linux
+     * Bug 40823: Update appname_* variables in projects/release/update_responses_config.yml [tor-browser-build]
+     * Bug 40826: Correctly set appname_marfile for basebrowser in tools/signing/nightly/update-responses-base-config.yml [tor-browser-build]
+     * Bug 40827: MAR generation uses (mostly) hard-coded MAR update channel [tor-browser-build]
+     * Bug 41730: Bridge lines in tools/torbrowser/bridges.js out of date [tor-browser]
+   * Windows
+     * Bug 40822: The Tor Browser installer doesn't run with mandatory ASLR on (0xc000007b) [tor-browser-build]
+   * macOS
+     * Bug 40824: dmg2mar script using hardcoded project names for paths [tor-browser-build]
+     * Bug 40844: DMG reproducibility problem on 12.0.5 [tor-browser-build]
+   * Linux
+     * Bug 40835: Update faketime URLs in projects/container-image/config [tor-browser-build]
+   * Android
+     * Bug 41684: Android improvements for local dev builds [tor-browser]
+
 Tor Browser 12.0.5 - April 12 2023
  * All Platforms
    * Updated Translations
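Review bot: The new 12.0.6 entry says "Updated Go to 11.9.9" and the 12.5a5 entry says "Updated Go to 11.9.8"; Go releases are numbered 1.x.y, so both read as transposed digits for 1.19.9 and 1.19.8. Check them against the version set in projects/go/config, which this commit also changes, and correct the changelog text so the shipped ChangeLog.txt names the toolchain that was actually used.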
=====================================
projects/browser/allowed_addons.json
=====================================
@@ -17,7 +17,7 @@
             "picture_url": "https://addons.mozilla.org/user-media/userpics/34/9734/13299734/13299734.pn…"
           }
         ],
-        "average_daily_users": 989098,
+        "average_daily_users": 976883,
         "categories": {
           "android": [
             "experimental",
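Review bot: The only change in this hunk is the "average_daily_users" counter, and most other hunks in this file likewise touch only "ratings" or "weekly_downloads", which buries the "version", "hash" and "url" changes for Dark Reader, uBlock Origin and Video Background Play Fix. If whatever consumes allowed_addons.json does not read these statistics, drop them when the file is regenerated so that a release diff shows only the add-on updates a reviewer needs to check.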
@@ -31,7 +31,7 @@
         "contributions_url": "https://opencollective.com/darkreader?utm_content=product-page-contribute&u…",
         "created": "2017-09-19T07:03:00Z",
         "current_version": {
-          "id": 5509244,
+          "id": 5550694,
           "compatibility": {
             "firefox": {
               "min": "54.0",
@@ -42,7 +42,7 @@
               "max": "*"
             }
           },
-          "edit_url": "https://addons.mozilla.org/en-US/developers/addon/darkreader/versions/55092…",
+          "edit_url": "https://addons.mozilla.org/en-US/developers/addon/darkreader/versions/55506…",
           "is_strict_compatibility_enabled": false,
           "license": {
             "id": 22,
@@ -53,22 +53,22 @@
             "url": "http://www.opensource.org/license/mit"
           },
           "release_notes": {
-            "en-US": "- Fixed a edge case with extracting color numbers, it's now able to extract `rgb(0 0 0/0.04)`.\n- Improved IPv6 check.\n- Faster UI loading.\n- Users' fixes for websites."
+            "en-US": "- Site toggle panel (detect dark theme and shortcut).\n- App toggle panel (automation and shortcut).\n- Improved Site List indexing.\n- Users' fixes for websites."
           },
-          "reviewed": "2023-01-09T12:25:16Z",
-          "version": "4.9.62",
+          "reviewed": "2023-04-13T13:17:06Z",
+          "version": "4.9.63",
           "files": [
             {
-              "id": 4053589,
-              "created": "2023-01-08T17:15:31Z",
-              "hash": "sha256:e537a2cee45ed7c26f79ecd3ed362620e3f00d24c158532a58e163a63a3d60cc",
+              "id": 4095037,
+              "created": "2023-04-10T09:52:02Z",
+              "hash": "sha256:16ba6337fcff7ad85e08ad51b384ba26ff751b2b2ded12309f75e8337ace925a",
               "is_restart_required": false,
               "is_webextension": true,
               "is_mozilla_signed_extension": false,
               "platform": "all",
-              "size": 636487,
+              "size": 658318,
               "status": "public",
-              "url": "https://addons.mozilla.org/firefox/downloads/file/4053589/darkreader-4.9.62…",
+              "url": "https://addons.mozilla.org/firefox/downloads/file/4095037/darkreader-4.9.63…",
               "permissions": [
                 "alarms",
                 "contextMenus",
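Review bot: The "hash", "size" and "url" lines for the 4.9.63 file change together here while "is_mozilla_signed_extension" stays false, and the commit message ("Prepare stable release 12.0.6") records no independent check of the new digest. Download the file from the new "url", recompute its SHA-256, compare it with the "hash" value, and note in the merge request that this was done.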
@@ -146,7 +146,7 @@
         },
         "is_disabled": false,
         "is_experimental": false,
-        "last_updated": "2023-01-09T12:25:16Z",
+        "last_updated": "2023-04-13T13:17:06Z",
         "name": {
           "ar": "Dark Reader",
           "bn": "Dark Reader",
@@ -221,10 +221,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.5565,
-          "bayesian_average": 4.5553226794282615,
-          "count": 4938,
-          "text_count": 1565
+          "average": 4.5607,
+          "bayesian_average": 4.559531365183289,
+          "count": 4987,
+          "text_count": 1578
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/darkreader/reviews/",
         "requires_payment": false,
@@ -321,7 +321,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/darkreader/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/darkreader/versions/",
-        "weekly_downloads": 27115
+        "weekly_downloads": 24385
       },
       "notes": null
     },
@@ -337,7 +337,7 @@
             "picture_url": "https://addons.mozilla.org/user-media/userpics/56/7656/6937656/6937656.png?…"
           }
         ],
-        "average_daily_users": 264748,
+        "average_daily_users": 258784,
         "categories": {
           "android": [
             "security-privacy"
@@ -553,10 +553,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.817,
-          "bayesian_average": 4.812343801154484,
-          "count": 1333,
-          "text_count": 235
+          "average": 4.8166,
+          "bayesian_average": 4.811948101281903,
+          "count": 1336,
+          "text_count": 237
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/reviews/",
         "requires_payment": false,
@@ -641,7 +641,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/versions/",
-        "weekly_downloads": 3669
+        "weekly_downloads": 3623
       },
       "notes": null
     },
@@ -657,7 +657,7 @@
             "picture_url": "https://addons.mozilla.org/user-media/userpics/73/4073/5474073/5474073.png?…"
           }
         ],
-        "average_daily_users": 1152290,
+        "average_daily_users": 1128787,
         "categories": {
           "android": [
             "security-privacy"
@@ -1180,10 +1180,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.7999,
-          "bayesian_average": 4.797100778126469,
-          "count": 2209,
-          "text_count": 428
+          "average": 4.8012,
+          "bayesian_average": 4.79841359051625,
+          "count": 2223,
+          "text_count": 426
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/reviews/",
         "requires_payment": false,
@@ -1207,7 +1207,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/versions/",
-        "weekly_downloads": 39372
+        "weekly_downloads": 18076
       },
       "notes": null
     },
@@ -1223,7 +1223,7 @@
             "picture_url": null
           }
         ],
-        "average_daily_users": 6459771,
+        "average_daily_users": 6319454,
         "categories": {
           "android": [
             "security-privacy"
@@ -1235,7 +1235,7 @@
         "contributions_url": "",
         "created": "2015-04-25T07:26:22Z",
         "current_version": {
-          "id": 5547815,
+          "id": 5558705,
           "compatibility": {
             "firefox": {
               "min": "78.0",
@@ -1246,7 +1246,7 @@
               "max": "*"
             }
           },
-          "edit_url": "https://addons.mozilla.org/en-US/developers/addon/ublock-origin/versions/55…",
+          "edit_url": "https://addons.mozilla.org/en-US/developers/addon/ublock-origin/versions/55…",
           "is_strict_compatibility_enabled": false,
           "license": {
             "id": 6,
@@ -1257,22 +1257,22 @@
             "url": "http://www.gnu.org/licenses/gpl-3.0.html"
           },
           "release_notes": {
-            "en-US": "See complete release notes for <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/9ba5436deff955b8634d3a…" rel=\"nofollow\">1.48.4</a>.\n\n<b>Fixes / changes</b>\n\n<ul><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/2881e29d212046e14a4f20…" rel=\"nofollow\">Fix presumed network filter not being a valid network filter</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/1d29de8f605dc6f4b7684f…" rel=\"nofollow\">Avoid using ! toolbar icon badge when inconsequential</a><ul><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/04728b2f874e135c8736ae…" rel=\"nofollow\">Clear unprocessed requests status on webNavigation reload event</a></li></ul></li></ul>\n<a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/e34f62492a00e2b8a221ca…" rel=\"nofollow\">Commits history since last version</a>."
+            "en-US": "See complete release notes for <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/24794abbbc5c8930eafab3…" rel=\"nofollow\">1.49.2</a>.\n\n<b>Fixes</b>\n\n<ul><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/812da480d7e6e2fa7d6fd1…" rel=\"nofollow\">Reverse usage of browser.alarms</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/53eab9764901466ecb7c1c…" rel=\"nofollow\">Mind rejected promises from vAPI.storage API</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/58bde6ecd0ff76608c1456…" rel=\"nofollow\">Properly handle promise rejection from webext.storage.local API</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/3f0e0640ef4983e8fd2352…" rel=\"nofollow\">Add more checks against unexpected conditions re. assets.json</a></li></ul>\n<a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/deebdaa7a15172babdad3e…" rel=\"nofollow\">Commits history since last version</a>."
           },
-          "reviewed": "2023-04-05T17:12:25Z",
-          "version": "1.48.4",
+          "reviewed": "2023-05-03T16:26:03Z",
+          "version": "1.49.2",
           "files": [
             {
-              "id": 4092158,
-              "created": "2023-04-01T21:20:42Z",
-              "hash": "sha256:d7666b963c2969b0014937aae55472eea5098ff21ed3bea8a2e1f595f62856c1",
+              "id": 4103048,
+              "created": "2023-04-26T14:37:33Z",
+              "hash": "sha256:39266486f720cd31d291d2fdad78625b079782a05517e1936eec7e780bc2a84d",
               "is_restart_required": false,
               "is_webextension": true,
               "is_mozilla_signed_extension": false,
               "platform": "all",
-              "size": 3343703,
+              "size": 3383174,
               "status": "public",
-              "url": "https://addons.mozilla.org/firefox/downloads/file/4092158/ublock_origin-1.4…",
+              "url": "https://addons.mozilla.org/firefox/downloads/file/4103048/ublock_origin-1.4…",
               "permissions": [
                 "dns",
                 "menus",
@@ -1388,7 +1388,7 @@
         },
         "is_disabled": false,
         "is_experimental": false,
-        "last_updated": "2023-04-05T17:12:25Z",
+        "last_updated": "2023-05-08T12:35:48Z",
         "name": {
           "ar": "uBlock Origin",
           "bg": "uBlock Origin",
@@ -1533,10 +1533,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.78,
-          "bayesian_average": 4.7795951137081945,
-          "count": 15206,
-          "text_count": 3956
+          "average": 4.7808,
+          "bayesian_average": 4.780398687268275,
+          "count": 15366,
+          "text_count": 3994
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/reviews/",
         "requires_payment": false,
@@ -1598,7 +1598,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/versions/",
-        "weekly_downloads": 138089
+        "weekly_downloads": 131497
       },
       "notes": null
     },
@@ -1614,19 +1614,20 @@
             "picture_url": null
           }
         ],
-        "average_daily_users": 159972,
+        "average_daily_users": 167016,
         "categories": {
           "android": [
             "photos-media"
           ],
           "firefox": [
-            "games-entertainment"
+            "games-entertainment",
+            "photos-music-videos"
           ]
         },
         "contributions_url": "",
         "created": "2017-05-03T08:36:43Z",
         "current_version": {
-          "id": 5220332,
+          "id": 5560463,
           "compatibility": {
             "firefox": {
               "min": "42.0",
@@ -1637,7 +1638,7 @@
               "max": "*"
             }
           },
-          "edit_url": "https://addons.mozilla.org/en-US/developers/addon/video-background-play-fix…",
+          "edit_url": "https://addons.mozilla.org/en-US/developers/addon/video-background-play-fix…",
           "is_strict_compatibility_enabled": false,
           "license": {
             "id": 22,
@@ -1648,24 +1649,24 @@
             "url": "http://www.opensource.org/license/mit"
           },
           "release_notes": {
-            "de": "Experimentelle Verbesserungen der Handhabung von Youtube.",
-            "en-US": "Experimental improvement of Youtube handling.",
-            "ro": "Îmbunătățiri experimentale pentru Youtube."
+            "de": "Neue Übersetzungen ergänzt",
+            "en-US": "Added new translations",
+            "ro": "Adăugat traduceri noi"
           },
-          "reviewed": "2021-04-23T07:50:05Z",
-          "version": "1.6.0",
+          "reviewed": "2023-05-05T14:25:10Z",
+          "version": "1.7.0",
           "files": [
             {
-              "id": 3764692,
-              "created": "2021-04-22T21:46:53Z",
-              "hash": "sha256:73cfa682e0398ca1b51890340e4a6df3fcea945f54e9e677e9db942152aa614d",
+              "id": 4104806,
+              "created": "2023-05-01T11:53:35Z",
+              "hash": "sha256:e8713a1720ffba236c40ebabd5ac1db88702d75c21edc23d61216a5897b3792a",
               "is_restart_required": false,
               "is_webextension": true,
               "is_mozilla_signed_extension": false,
               "platform": "all",
-              "size": 12088,
+              "size": 12968,
               "status": "public",
-              "url": "https://addons.mozilla.org/firefox/downloads/file/3764692/video_background_…",
+              "url": "https://addons.mozilla.org/firefox/downloads/file/4104806/video_background_…",
               "permissions": [
                 "*://*.youtube.com/*",
                 "*://*.youtube-nocookie.com/*",
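Review bot: Version 1.7.0 is the first new file for this add-on since 1.6.0 was reviewed on 2021-04-23, and its release notes mention only "Added new translations", so compare the contents of the two XPI files before accepting the new "hash". The add-on holds host permissions for "*://*.youtube.com/*" and "*://*.youtube-nocookie.com/*"; confirm that the 880-byte growth in "size" (12088 to 12968) is accounted for by locale files and that the manifest permissions are unchanged.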
@@ -1678,9 +1679,9 @@
         },
         "default_locale": "en-US",
         "description": {
-          "de": "ACHTUNG: Im neuen Firefox für Android (Version 79 und neuer) funktioniert Videowiedergabe im Hintergrund erst <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/05bb7b1ef7f63358eeabcd…" rel=\"nofollow\">ab Firefox 82</a> korrekt.\n\nUnterstützt momentan folgende Seiten:\n<ul><li>Youtube</li><li>Vimeo (Wiedergabe nicht unterbrechen wenn Vollbildmodus beendet wird)</li></ul>",
-          "en-US": "ATTENTION: With the new Firefox on Android (Firefox 79 and newer), background playback only properly works starting <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/05bb7b1ef7f63358eeabcd…" rel=\"nofollow\">from Firefox 82</a>.\n\nThe following pages are currently supported:\n<ul><li>Youtube</li><li>Vimeo (don't stop playback when existing fullscreen)</li></ul>",
-          "ro": "ATENȚIE: În noul Firefox pentru Android (versiunea 79+), redarea video în fundal funcționează corect abia de la <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/05bb7b1ef7f63358eeabcd…" rel=\"nofollow\">Firefox 82</a>.\n\nÎn prezent este compatibil cu următoarele site-uri:\n<ul><li>Youtube</li><li>Vimeo (nu întrerupeți redarea atunci când ieșiți din modul fullscreen)</li></ul>"
+          "de": "Unterstützt momentan folgende Seiten:\n<ul><li>Youtube</li><li>Vimeo (Wiedergabe nicht unterbrechen wenn Vollbildmodus beendet wird)</li></ul>",
+          "en-US": "The following pages are currently supported:\n<ul><li>Youtube</li><li>Vimeo (don't stop playback when existing fullscreen)</li></ul>",
+          "ro": "În prezent este compatibil cu următoarele site-uri:\n<ul><li>Youtube</li><li>Vimeo (nu întrerupeți redarea atunci când ieșiți din modul fullscreen)</li></ul>"
         },
         "developer_comments": null,
         "edit_url": "https://addons.mozilla.org/en-US/developers/addon/video-background-play-fix…",
@@ -1698,7 +1699,7 @@
         },
         "is_disabled": false,
         "is_experimental": false,
-        "last_updated": "2021-04-23T07:50:05Z",
+        "last_updated": "2023-05-05T14:25:10Z",
         "name": {
           "de": "Videowiedergabe im Hintergrund",
           "en-US": "Video Background Play Fix",
@@ -1712,10 +1713,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.5069,
-          "bayesian_average": 4.501656166558232,
-          "count": 1093,
-          "text_count": 405
+          "average": 4.4874,
+          "bayesian_average": 4.4822747330216925,
+          "count": 1114,
+          "text_count": 416
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/video-background-play-fix/re…",
         "requires_payment": false,
@@ -1737,7 +1738,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/video-background-play-fix/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/video-background-play-fix/ve…",
-        "weekly_downloads": 386
+        "weekly_downloads": 411
       },
       "notes": null
     },
@@ -1753,7 +1754,7 @@
             "picture_url": null
           }
         ],
-        "average_daily_users": 90974,
+        "average_daily_users": 88255,
         "categories": {
           "android": [
             "experimental",
@@ -1867,9 +1868,9 @@
         "promoted": null,
         "ratings": {
           "average": 4.3684,
-          "bayesian_average": 4.354634977381083,
+          "bayesian_average": 4.354580970236878,
           "count": 399,
-          "text_count": 113
+          "text_count": 112
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/reviews/",
         "requires_payment": false,
@@ -1891,7 +1892,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/versions/",
-        "weekly_downloads": 1200
+        "weekly_downloads": 900
       },
       "notes": null
     },
@@ -1907,7 +1908,7 @@
             "picture_url": "https://addons.mozilla.org/user-media/userpics/64/9064/12929064/12929064.pn…"
           }
         ],
-        "average_daily_users": 261805,
+        "average_daily_users": 259842,
         "categories": {
           "android": [
             "photos-media",
@@ -2126,9 +2127,9 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.653,
-          "bayesian_average": 4.6482048070516955,
-          "count": 1242,
+          "average": 4.6521,
+          "bayesian_average": 4.647356516825427,
+          "count": 1256,
           "text_count": 241
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/search_by_image/reviews/",
@@ -2150,7 +2151,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/search_by_image/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/search_by_image/versions/",
-        "weekly_downloads": 7262
+        "weekly_downloads": 4089
       },
       "notes": null
     },
@@ -2173,7 +2174,7 @@
             "picture_url": null
           }
         ],
-        "average_daily_users": 110023,
+        "average_daily_users": 110772,
         "categories": {
           "android": [
             "other"
@@ -2456,10 +2457,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.4449,
-          "bayesian_average": 4.440238588001734,
-          "count": 1207,
-          "text_count": 321
+          "average": 4.443,
+          "bayesian_average": 4.438340772354168,
+          "count": 1210,
+          "text_count": 322
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/google-search-fixer/reviews/",
         "requires_payment": false,
@@ -2479,7 +2480,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/google-search-fixer/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/google-search-fixer/versions/",
-        "weekly_downloads": 34
+        "weekly_downloads": 40
       },
       "notes": null
     },
@@ -2495,7 +2496,7 @@
             "picture_url": "https://addons.mozilla.org/user-media/userpics/43/0143/143/143.png?modified…"
           }
         ],
-        "average_daily_users": 324182,
+        "average_daily_users": 313446,
         "categories": {
           "android": [
             "performance",
@@ -2685,10 +2686,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 4.4039,
-          "bayesian_average": 4.401185759316559,
-          "count": 2055,
-          "text_count": 801
+          "average": 4.4106,
+          "bayesian_average": 4.407881097196251,
+          "count": 2058,
+          "text_count": 799
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/noscript/reviews/",
         "requires_payment": false,
@@ -2732,7 +2733,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/noscript/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/",
-        "weekly_downloads": 7852
+        "weekly_downloads": 7698
       },
       "notes": null
     },
@@ -2748,7 +2749,7 @@
             "picture_url": null
           }
         ],
-        "average_daily_users": 148389,
+        "average_daily_users": 150188,
         "categories": {
           "android": [
             "performance",
@@ -2863,10 +2864,10 @@
           "category": "recommended"
         },
         "ratings": {
-          "average": 3.9106,
-          "bayesian_average": 3.906291934298175,
-          "count": 1119,
-          "text_count": 397
+          "average": 3.9071,
+          "bayesian_average": 3.902833394829747,
+          "count": 1130,
+          "text_count": 402
         },
         "ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/youtube-high-definition/revi…",
         "requires_payment": false,
@@ -2885,7 +2886,7 @@
         "type": "extension",
         "url": "https://addons.mozilla.org/en-US/firefox/addon/youtube-high-definition/",
         "versions_url": "https://addons.mozilla.org/en-US/firefox/addon/youtube-high-definition/vers…",
-        "weekly_downloads": 1519
+        "weekly_downloads": 2266
       },
       "notes": null
     }
=====================================
projects/firefox/config
=====================================
@@ -12,10 +12,10 @@ container:
   use_container: 1
 
 var:
-  firefox_platform_version: 102.10.0
+  firefox_platform_version: 102.11.0
   firefox_version: '[% c("var/firefox_platform_version") %]esr'
   browser_branch: '12.0-1'
-  browser_build: 2
+  browser_build: 1
   branding_directory: 'browser/branding/alpha'
   copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]'
   nightly_updates_osname: '[% c("var/osname") %]'
=====================================
projects/geckoview/config
=====================================
@@ -12,9 +12,9 @@ container:
   use_container: 1
 
 var:
-  geckoview_version: 102.10.0esr
+  geckoview_version: 102.11.0esr
   torbrowser_branch: 12.0-1
-  browser_build: 2
+  browser_build: 1
   copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]'
   deps:
     - build-essential
=====================================
projects/go/config
=====================================
@@ -1,5 +1,5 @@
 # vim: filetype=yaml sw=2
-version: 1.19.8
+version: 1.19.9
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
 container:
   use_container: 1
@@ -121,7 +121,7 @@ input_files:
     enable: '[% ! c("var/linux") %]'
   - URL: 'https://golang.org/dl/go[% c("version") %].src.tar.gz'
     name: go
-    sha256sum: 1d7a67929dccafeaf8a29e55985bc2b789e0499cb1a17100039f084e3238da2f
+    sha256sum: 131190a4697a70c5b1d232df5d3f55a3f9ec0e78e40516196ffb3f09ae6a5744
   - URL: 'https://golang.org/dl/go[% c("var/go14_version") %].src.tar.gz'
     name: go14
     sha256sum: 9947fc705b0b841b5938c48b22dc33e9647ec0752bae66e50278df4f23f64959
=====================================
projects/manual/config
=====================================
@@ -1,7 +1,7 @@
 # vim: filetype=yaml sw=2
 # To update, see doc/how-to-update-the-manual.txt
 # Remember to update also the package's hash, with the version!
-version: 72637
+version: 74065
 filename: 'manual-[% c("version") %]-[% c("var/build_id") %].tar.gz'
 container:
   use_container: 1
@@ -17,8 +17,8 @@ var:
 
 input_files:
   - project: container-image
-  - URL: 'https://people.torproject.org/~ma1/tbb_files/manual_[% c("version") %].zip'
+  - URL: 'https://people.torproject.org/~pierov/tbb_files/manual_[% c("version") %].zip'
     name: manual
-    sha256sum: 28379bdb31989d26a4cb735b9cbcd9ee52089f72153881f3802d291743b8cf06
+    sha256sum: 788c2dc2bfacbc6961ce443c5639706cc23fbb7b7730ed7f71a26396511305be
   - filename: packagemanual.py
     name: package_script
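Review bot: the manual archive URL moves from one personal directory (~ma1) to another (~pierov) on people.torproject.org, so the download location depends on whoever last packaged the manual. The sha256sum pin still fixes the content, but a stable, non-personal location would stop the URL line from changing with the maintainer and leave version and sha256sum as the only lines to review on each update.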
=====================================
projects/translation/config
=====================================
@@ -6,19 +6,19 @@ version: '[% c("abbrev") %]'
 steps:
   base-browser:
     base-browser: '[% INCLUDE build %]'
-    git_hash: a7f7d59e21395ba563033060a55903f4f7163c02
+    git_hash: 97c76d5183b16b069e66feaaf10e00c1d2c7d9e0
     targets:
       nightly:
         git_hash: 'base-browser'
   base-browser-fluent:
     base-browser-fluent: '[% INCLUDE build %]'
-    git_hash: 32c09e1c5282cf3c7369d45fc199eb35c10a4fcc
+    git_hash: d473c4dd005325d1be40bae0f816974e195a972d
     targets:
       nightly:
         git_hash: 'basebrowser-newidentityftl'
   tor-browser:
     tor-browser: '[% INCLUDE build %]'
-    git_hash: a7be13f5b46a2bd3684146556390d62b1caa2f52
+    git_hash: 267f3c208a323df636ed11e7143164956d3d9d9b
     targets:
       nightly:
         git_hash: 'tor-browser'
@@ -26,7 +26,7 @@ steps:
     fenix: '[% INCLUDE build %]'
     # We need to bump the commit before releasing but just pointing to a branch
     # might cause too much rebuidling of the Firefox part.
-    git_hash: b2691020553c5e81bacfe3ed33cc66226754c98d
+    git_hash: 0deec2a78dea0013e8c4eaec1d40ef5aac4e43b0
     targets:
       nightly:
         git_hash: 'fenix-torbrowserstringsxml'
=====================================
rbm.conf
=====================================
@@ -71,10 +71,13 @@ buildconf:
   git_signtag_opt: '-s'
 
 var:
-  torbrowser_version: '12.0.5'
-  torbrowser_build: 'build2'
+  torbrowser_version: '12.0.6'
+  torbrowser_build: 'build1'
   torbrowser_incremental_from:
+    # Build incrementals also from 12.0.4 until we have a new certificate for
+    # Windows installers.
     - 12.0.4
+    - 12.0.5
   build_mar: 1
   # By default, we sort the list of installed packages. This allows sharing
   # containers with identical list of packages, even if they are not listed
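Review bot: the new comment above `- 12.0.4` says the entry stays "until we have a new certificate for Windows installers" but names no ticket, so nothing marks when the extra incremental can be dropped. Add the tracking bug to the comment, and word it so it is clear that it applies to the 12.0.4 entry only and not to the `- 12.0.5` line added below it.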
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/6…
                            [Git][tpo/applications/tor-browser-build] Pushed new tag mb-12.0.6-build1
                        
                        
by Pier Angelo Vendrame (@pierov) 10 May '23
Pier Angelo Vendrame pushed new tag mb-12.0.6-build1 at The Tor Project / Applications / tor-browser-build
-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/tree/mb-…
                            [Git][tpo/applications/tor-browser-build][maint-12.0-mullvad] Bug 40853: Prepare Mullvad Browser Release 12.0.6
                        
                        
by Pier Angelo Vendrame (@pierov) 10 May '23
Pier Angelo Vendrame pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits:
05a3e330 by Pier Angelo Vendrame at 2023-05-10T07:42:24+02:00
Bug 40853: Prepare Mullvad Browser Release 12.0.6
- - - - -
3 changed files:
- projects/browser/config
- projects/firefox/config
- rbm.conf
Changes:
=====================================
projects/browser/config
=====================================
@@ -106,9 +106,9 @@ input_files:
   - URL: https://addons.mozilla.org/firefox/downloads/file/4090970/noscript-11.4.21.…
     name: noscript
     sha256sum: 0fd3b66a2780d03a5b3cd460216105f3df2b27c6d3a552c1769c5de48c9e2338
-  - URL: https://addons.mozilla.org/firefox/downloads/file/4092158/ublock_origin-1.4…
+  - URL: https://addons.mozilla.org/firefox/downloads/file/4103048/ublock_origin-1.4…
     name: ublock-origin
-    sha256sum: d7666b963c2969b0014937aae55472eea5098ff21ed3bea8a2e1f595f62856c1
+    sha256sum: 39266486f720cd31d291d2fdad78625b079782a05517e1936eec7e780bc2a84d
     enable: '[% c("var/mullvad-browser") %]'
   - URL: https://github.com/mullvad/browser-extension/releases/download/v0.7.9-firef…
     name: mullvad-extension
=====================================
projects/firefox/config
=====================================
@@ -11,11 +11,11 @@ container:
   use_container: 1
 
 var:
-  firefox_platform_version: 102.10.0
+  firefox_platform_version: 102.11.0
   firefox_version: '[% c("var/firefox_platform_version") %]esr'
   browser_series: '12.0'
-  browser_branch: '[% c("var/browser_series") %]-2'
-  browser_build: 2
+  browser_branch: '[% c("var/browser_series") %]-1'
+  browser_build: 1
   branding_directory_prefix: 'tb'
   copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]'
   nightly_updates_publish_dir: '[% c("var/nightly_updates_publish_dir_prefix") %][% c("var/osname") %]'
=====================================
rbm.conf
=====================================
@@ -71,10 +71,13 @@ buildconf:
   git_signtag_opt: '-s'
 
 var:
-  torbrowser_version: '12.0.5'
+  torbrowser_version: '12.0.6'
   torbrowser_build: 'build1'
   torbrowser_incremental_from:
+    # Build incrementals also from 12.0.4 until we have a new certificate for
+    # Windows installers.
     - 12.0.4
+    - 12.0.5
   updater_enabled: 1
   build_mar: 1
   mar_channel_id: '[% c("var/projectname") %]-torproject-[% c("var/channel") %]'
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/0…
                            [Git][tpo/applications/tor-browser-build][maint-12.0-mullvad] 2 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts
                        
                        
by Richard Pospesel (@richard) 09 May '23
Richard Pospesel pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits:
42213fb6 by Nicolas Vigier at 2023-05-09T20:55:38+00:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - -
4875b3ec by Nicolas Vigier at 2023-05-09T20:55:38+00:00
Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar
Changes:
=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+  use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+  - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+    sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+  fetch_martools:
+    fetch_martools: |
+      #!/bin/bash
+      echo ok
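Review bot: `gpg_keyring: torbrowser.gpg` and `tag_gpg_id: 1` are set, but this file has no git_url and its single input file carries only a sha256sum, so as written the download is checked against the pinned hash alone. Either drop the two GPG lines or add a comment saying what they are meant to verify. The `fetch_martools` step that only runs `echo ok` also deserves a comment saying it exists just to make rbm fetch the input file, and the hard-coded `version: 12.0.4` should say whether it is expected to follow releases.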
=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
 # vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
 git_url: https://github.com/mtrojnar/osslsigncode
 git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
 input_files:
   - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
   - filename: timestamping.patch
+  - filename: '[% c("var/srcfile") %]'
+    enable: '[% c("var/no-git") %]'
+
+targets:
+  no-git:
+    git_url: ''
+    var:
+      no-git: 1
+      srcfile: '[% project %]-[% c("version") %].tar.gz'
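Review bot: the input file added for the no-git target, `- filename: '[% c("var/srcfile") %]'`, has no sha256sum, unlike the URL inputs elsewhere in this commit, so the build on the signing machine uses whatever file of that name is placed in the output directory. With version now taken from the first 12 characters of git_hash the file name identifies the commit, but nothing checks the content. Record a checksum when the tarball is created and verify it before building, and add a comment stating what the no-git target is for.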
=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+  use_container: 0
+var:
+  src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+  - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+    sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+  fetch_src:
+    fetch_src: |
+      #!/bin/bash
+      echo ok
=====================================
rbm.conf
=====================================
@@ -87,7 +87,7 @@ var:
   build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
   build_id_txt: |
     [% c("version") %]
-    [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+    [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
     [% IF c("container/use_container") && ! c("container/global_disable") -%]
     [% c("var/container/suite") %]
     [% c("var/container/arch") %]
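Review bot: the condition in build_id_txt changes from `c("git_hash") || c("hg_hash")` to `c("git_url") || c("hg_url")` without a comment, and the reason is only visible from the osslsigncode no-git target in this same commit, which keeps git_hash but sets git_url to an empty string. Since build_id feeds every project's output file name, add a one-line comment here explaining why the URL is tested rather than the hash.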
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
 test -f "$steps_dir/linux-signer-signmars.done" ||
   read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
 echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
 test -f "$steps_dir/linux-signer-gpg-sign.done" ||
   read -sp "Enter gpg passphrase: " GPG_PASS
 echo
@@ -199,10 +199,10 @@ do_step sync-scripts-to-linux-signer
 do_step sync-before-linux-signer-signmars
 do_step linux-signer-signmars
 do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
 do_step hash_signed_bundles
 do_step sync-after-hash
 do_step linux-signer-gpg-sign
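Review bot: the four authenticode steps are disabled by commenting them out, with no note in the file on why or until when, while hash_signed_bundles and linux-signer-gpg-sign still run, so the hashes and GPG signatures will now cover .exe files that carry no Authenticode signature. Add a comment next to the disabled lines referencing Bug 40846, and consider a single switch in the signing configuration instead of commented-out code in two places, so that re-enabling cannot miss the YUBIPASS prompt disabled in the earlier hunk.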
=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
 test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
 echo
 
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
 cwd=$(pwd)
 for i in `find . -name "*.exe" -print`
 do
   echo "Signing $i"
-  echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
-       /home/yubihsm/osslsigncode/osslsigncode \
-                 -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
-                 -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
-                 -pass "'$YUBIPASS'" \
-                 -h sha256 \
-                 -certs /home/yubihsm/tpo-cert.crt \
-                 -key 1c40 \
-                 "$cwd/$i" "$tmpdir/$i" \
-                 | sudo su - yubihsm
-  mv -vf "$tmpdir/$i" "$cwd/$i"
+  sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+                 "$YUBIPASS" \
+                 "$cwd/$i"
+  cp /home/signing-win/last-signed-file.exe "$cwd/$i"
 done
 
 unset YUBIPASS
-rmdir "$tmpdir"
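Review bot: `"$YUBIPASS"` is passed to sign-exe as a command-line argument, which exposes the HSM passphrase in the process list and in sudo's command logging. The GPG and MAR scripts in this commit pipe their passphrase on stdin (`echo "$GPG_PASS" | sudo -u signing-gpg ...`), and sign-exe should take it the same way.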
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
 cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
 
 test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
 for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
 do
   if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
     rm -f "$i.asc"
   fi
   echo "Signing $i"
-  echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+  i="$currentdir/$i"
+  tmpsig=$(mktemp)
+  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+  mv -f "$tmpsig" "${i}.asc"
 done
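Review bot: `mv -f "$tmpsig" "${i}.asc"` runs whether or not the `sudo -u signing-gpg` call succeeded, as far as this hunk shows, so a failed signing could leave an empty .asc in place. Check the exit status before the mv (or confirm the script runs under `set -e`, which is not visible here) and remove $tmpsig on failure. mktemp also creates the file with mode 0600 and mv keeps that mode, so the resulting .asc may need a chmod before it is published.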
=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
 #!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
 
 set -e
 set -u
@@ -10,38 +6,15 @@ set -u
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
 
-if [ -z "${NSS_DB_DIR+x}" ]; then
-  if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
-    NSS_DB_DIR=/home/boklm/marsigning/nssdb7
-  fi
-  if test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
-    NSS_DB_DIR=/home/boklm/marsigning/mullvad-browser-nssdb-1
-  fi
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
-  NSS_CERTNAME=marsigner
-fi
-
 export LC_ALL=C
 
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
-  >&2 echo "Please create and populate the $NSS_DB_DIR directory"
-  exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 3
 fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
 
 # Prompt for the NSS password.
 # TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
@@ -70,9 +43,8 @@ for marfile in *.mar; do
     continue;
   fi
 
-  echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
-    "$marfile" tmp.mar
-  mv -f tmp.mar "$marfile"
+  echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+  cp /home/signing-mar/last-signed-mar.mar "$marfile"
   COUNT=$((COUNT + 1))
   echo "Signed MAR file $COUNT ($marfile)"
 done
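Review bot: `cp /home/signing-mar/last-signed-mar.mar "$marfile"` reads the result from one fixed path, so if sign-mar ever returns success without writing a new file, the previous MAR's signed output is copied over this one. Have the wrapper delete last-signed-mar.mar before signing, or verify the copied file's signature before incrementing COUNT. The same applies to last-signed-file.exe in linux-signer-authenticode-signing.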
=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+  echo 'This script should be run as the build-pkgs user' >&2
+  exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug
=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+  user="$1"
+  groups="$2"
+  id "$user" > /dev/null 2>&1 && return 0
+  test -n "$groups" && groups="--groups $groups"
+  useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+  group="$1"
+  getent group "$group" > /dev/null 2>&1 && return 0
+  groupadd "$group"
+}
+
+function authorized_keys {
+  user="$1"
+  shift
+  tmpfile=$(mktemp)
+  for file in "$@"; do
+    cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+  done
+  sshdir="/home/$user/.ssh"
+  authkeysfile="$sshdir/authorized_keys"
+  if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+    rm "$tmpfile"
+    return 0
+  fi
+  echo "Update authorized_keys for user $user"
+  if ! test -d "$sshdir"; then
+    mkdir "$sshdir"
+    chmod 700 "$sshdir"
+    chown $user:$user "$sshdir"
+  fi
+  mv "$tmpfile" "$authkeysfile"
+  chown $user:$user "$authkeysfile"
+  chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+  sfile="$1"
+  cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+  chown root:root "/etc/sudoers.d/$sfile"
+  chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+  udevrule="$1"
+  rulepath="/etc/udev/rules.d/$udevrule"
+  if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+    cp "$script_dir$rulepath" "$rulepath"
+    udevadm control --reload-rules
+  fi
+}
+
+function install_packages {
+  for pkg in "$@"
+  do
+    dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+    apt-get install -y "$pkg"
+  done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+                 libio-handle-util-perl libio-all-perl \
+                 libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+                 libstring-shellquote-perl libsort-versions-perl \
+                 libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+                 libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+  yubishm_version=2.4.0
+  sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+  pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+  apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+    ./libyubihsm1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+  popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+  tmpdir=$(mktemp -d)
+  unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+  chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+  chmod go+rX "$tmpdir/mar-tools"/*
+  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
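Review bot: `authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub` is called without a preceding `create_user boklm`, unlike richard, so unless that account already exists the `mkdir "$sshdir"` for /home/boklm/.ssh fails and `set -e` stops the script; boklm is also never added to the signing group that the sudoers rules grant to. Separately, create_user returns early when the account exists, so a later change to a user's groups (for example signing-win and yubihsm) is silently not applied on a re-run.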
=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 user@tb-release
=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 boklm-yk1
=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
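Review bot: the NOPASSWD rule runs /signing/tor-browser-build/tools/signing/wrappers/sign-exe as signing-win, but setup-signing-machine does `chown setup /signing`, so the setup account can replace the script that executes with access to the signing key; the same holds for the sign-gpg and sign-mar rules. Install the wrappers to a root-owned path and point the sudoers rules there, so that the separation between the per-key accounts does not depend on the setup account.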
=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+  ./rbm/rbm tar osslsigncode
+  echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+  ./rbm/rbm build --step fetch_martools mar-tools
+  echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+  ./rbm/rbm build yubihsm-shell --step fetch_src
+  echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
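Review bot: the remote `tar -C $signing_dir -xf` step near the end unpacks over whatever tree is already in /signing/tor-browser-build, so a script deleted or renamed in the repository stays on the signing machine and remains runnable. Remove the old tree, or extract to a fresh directory and swap it in, before unpacking. Also add a trap that deletes the local `$tmpdir`, which is never cleaned up.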
=====================================
tools/signing/set-config
=====================================
@@ -18,6 +18,8 @@ test "$SIGNING_PROJECTNAME" = 'torbrowser' \
   || test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \
   || exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME"
 
+export SIGNING_PROJECTNAME
+
 test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
 
 . "$script_dir/set-config.tbb-version"
@@ -36,3 +38,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
 rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 
 tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+  echo "File $tpo_cert is missing" >&2
+  exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+  -pass "$yubipass" \
+  -h sha256 \
+  -certs "$tpo_cert" \
+  -key 1c40 \
+  "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
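Review bot: the YubiHSM passphrase arrives as `$1` and is forwarded with `-pass "$yubipass"`, so it sits in the sudo command line and in the argument list of osslsigncode, where other local accounts can read it from the process table while signing runs. Take it on stdin the way sign-gpg receives its passphrase (`--passphrase-fd 0`), and keep only the file path as an argument.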
=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+  echo 'This script should be run as the signing-gpg user' >&2
+  exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
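Review bot: nothing in the script says that the passphrase is expected on stdin and that the detached signature is written to stdout; this is only apparent from `--passphrase-fd 0` and `-o-` on the final `exec gpg` line. Add a short usage comment at the top, and align the exit codes with sign-exe and sign-mar, which use 1 for a wrong argument count and 2 for the wrong user where this script uses the reverse.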
=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+  echo 'This script should be run as the signing-mar user' >&2
+  exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+  echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+  exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+  echo "$NSS_DB_DIR is missing" >&2
+  exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
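Review bot: the `Unknown SIGNING_PROJECTNAME` message in the `else` branch goes to stdout while every other error in the script goes to stderr, and exit code 3 is shared with the missing `$NSS_DB_DIR` case just below it. Add `>&2` to that echo and give the two failures distinct codes so the caller can tell them apart.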
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…
[Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts
by Richard Pospesel (@richard) 09 May '23
Richard Pospesel pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
deb60089 by Nicolas Vigier at 2023-05-09T20:40:31+00:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - -
5adcbf38 by Nicolas Vigier at 2023-05-09T20:40:31+00:00
Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar
Changes:
=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+  use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+  - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+    sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+  fetch_martools:
+    fetch_martools: |
+      #!/bin/bash
+      echo ok
=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
 # vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
 git_url: https://github.com/mtrojnar/osslsigncode
 git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
 input_files:
   - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
   - filename: timestamping.patch
+  - filename: '[% c("var/srcfile") %]'
+    enable: '[% c("var/no-git") %]'
+
+targets:
+  no-git:
+    git_url: ''
+    var:
+      no-git: 1
+      srcfile: '[% project %]-[% c("version") %].tar.gz'
=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+  use_container: 0
+var:
+  src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+  - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+    sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+  fetch_src:
+    fetch_src: |
+      #!/bin/bash
+      echo ok
=====================================
rbm.conf
=====================================
@@ -87,7 +87,7 @@ var:
   build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
   build_id_txt: |
     [% c("version") %]
-    [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+    [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
     [% IF c("container/use_container") && ! c("container/global_disable") -%]
     [% c("var/container/suite") %]
     [% c("var/container/arch") %]
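Review bot: switching the test to `c("git_url") || c("hg_url")` changes an input to `build_id` for every project, not only for the new osslsigncode `no-git` target that sets `git_url: ''`, and the line carries no explanation. Add a comment saying why the URL is tested rather than the hash, and confirm that no existing project's build id changes as a side effect.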
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
 test -f "$steps_dir/linux-signer-signmars.done" ||
   read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
 echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
 test -f "$steps_dir/linux-signer-gpg-sign.done" ||
   read -sp "Enter gpg passphrase: " GPG_PASS
 echo
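Review bot: the three lines commented out for the YUBIPASS prompt carry no explanation, so a later reader cannot tell that this is the temporary measure from Bug 40846 rather than dead code. Add a comment naming the bug next to them.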
@@ -199,10 +199,10 @@ do_step sync-scripts-to-linux-signer
 do_step sync-before-linux-signer-signmars
 do_step linux-signer-signmars
 do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
 do_step hash_signed_bundles
 do_step sync-after-hash
 do_step linux-signer-gpg-sign
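Review bot: with the four authenticode `do_step` lines commented out, the run goes from `sync-after-signmars` straight to `hash_signed_bundles` and GPG signing without telling the operator that the .exe files were not Authenticode-signed. Gate the steps on a variable and print a message when they are skipped, so the condition is visible in the output and easy to revert.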
=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
 test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
 echo
 
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
 cwd=$(pwd)
 for i in `find . -name "*.exe" -print`
 do
   echo "Signing $i"
-  echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
-       /home/yubihsm/osslsigncode/osslsigncode \
-                 -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
-                 -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
-                 -pass "'$YUBIPASS'" \
-                 -h sha256 \
-                 -certs /home/yubihsm/tpo-cert.crt \
-                 -key 1c40 \
-                 "$cwd/$i" "$tmpdir/$i" \
-                 | sudo su - yubihsm
-  mv -vf "$tmpdir/$i" "$cwd/$i"
+  sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+                 "$YUBIPASS" \
+                 "$cwd/$i"
+  cp /home/signing-win/last-signed-file.exe "$cwd/$i"
 done
 
 unset YUBIPASS
-rmdir "$tmpdir"
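Review bot: the signed file is fetched with `cp /home/signing-win/last-signed-file.exe "$cwd/$i"` from a single fixed path, so two signing runs on the machine at the same time can copy each other's output over the wrong installer. Have the wrapper write the result to stdout as sign-gpg does, or to a per-call path that the caller chooses.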
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
 cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
 
 test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
 for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
 do
   if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
     rm -f "$i.asc"
   fi
   echo "Signing $i"
-  echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+  i="$currentdir/$i"
+  tmpsig=$(mktemp)
+  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+  mv -f "$tmpsig" "${i}.asc"
 done
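Review bot: `tmpsig=$(mktemp)` creates the file with owner-only permissions and `mv -f "$tmpsig" "${i}.asc"` keeps them, so the resulting `.asc` files become mode 0600 where gpg previously created them under the umask. Add a `chmod 644` before the `mv`, and remove `$tmpsig` when the `sudo` call fails so a failed signature does not leave temporary files behind.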
=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
 #!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
 
 set -e
 set -u
@@ -10,38 +6,15 @@ set -u
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
 
-if [ -z "${NSS_DB_DIR+x}" ]; then
-  if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
-    NSS_DB_DIR=/home/boklm/marsigning/nssdb7
-  fi
-  if test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
-    NSS_DB_DIR=/home/boklm/marsigning/mullvad-browser-nssdb-1
-  fi
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
-  NSS_CERTNAME=marsigner
-fi
-
 export LC_ALL=C
 
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
-  >&2 echo "Please create and populate the $NSS_DB_DIR directory"
-  exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 3
 fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
 
 # Prompt for the NSS password.
 # TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
@@ -70,9 +43,8 @@ for marfile in *.mar; do
     continue;
   fi
 
-  echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
-    "$marfile" tmp.mar
-  mv -f tmp.mar "$marfile"
+  echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+  cp /home/signing-mar/last-signed-mar.mar "$marfile"
   COUNT=$((COUNT + 1))
   echo "Signed MAR file $COUNT ($marfile)"
 done
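Review bot: `"$marfile"` is passed to the wrapper as a relative name from the `for marfile in *.mar` loop, so signing depends on sudo keeping the caller's working directory, whereas linux-signer-gpg-sign builds an absolute path with `$currentdir` before calling its wrapper. Pass `"$(pwd)/$marfile"` here as well so both callers behave the same way.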
=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+  echo 'This script should be run as the build-pkgs user' >&2
+  exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
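Review bot: both rules list eleven `idProduct` values without saying which devices they are, and the file is named for YubiKeys while the group it grants is `yubihsm`. Add a comment identifying the IDs and confirm the list includes the HSM that yubihsm_pkcs11.conf reaches through `connector = yhusb://`, since signing-win gets its device access only through this group.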
=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug
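Review bot: the commented `#debug-file = /tmp/yubihsm_pkcs11_debug` line points at a fixed name in a world-writable directory, and it is the line someone will uncomment when troubleshooting. Change the example to a path under /home/signing-win so debug output from the PKCS#11 module stays with the account that uses the HSM.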
=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
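Review bot: the whole build (`./rbm/rbm build osslsigncode --target no-git`) runs as signing-win, the account that is in the `yubihsm` group and holds the signing certificate, using tarballs taken from /signing. build-yubihsm-shell-pkg already uses a separate `build-pkgs` account for its build; build osslsigncode there too and install only the result for signing-win. `chmod -R 755` near the end also marks every extracted file executable, where `chmod -R go+rX` would be enough.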
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+  user="$1"
+  groups="$2"
+  id "$user" > /dev/null 2>&1 && return 0
+  test -n "$groups" && groups="--groups $groups"
+  useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+  group="$1"
+  getent group "$group" > /dev/null 2>&1 && return 0
+  groupadd "$group"
+}
+
+function authorized_keys {
+  user="$1"
+  shift
+  tmpfile=$(mktemp)
+  for file in "$@"; do
+    cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+  done
+  sshdir="/home/$user/.ssh"
+  authkeysfile="$sshdir/authorized_keys"
+  if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+    rm "$tmpfile"
+    return 0
+  fi
+  echo "Update authorized_keys for user $user"
+  if ! test -d "$sshdir"; then
+    mkdir "$sshdir"
+    chmod 700 "$sshdir"
+    chown $user:$user "$sshdir"
+  fi
+  mv "$tmpfile" "$authkeysfile"
+  chown $user:$user "$authkeysfile"
+  chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+  sfile="$1"
+  cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+  chown root:root "/etc/sudoers.d/$sfile"
+  chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+  udevrule="$1"
+  rulepath="/etc/udev/rules.d/$udevrule"
+  if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+    cp "$script_dir$rulepath" "$rulepath"
+    udevadm control --reload-rules
+  fi
+}
+
+function install_packages {
+  for pkg in "$@"
+  do
+    dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+    apt-get install -y "$pkg"
+  done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+                 libio-handle-util-perl libio-all-perl \
+                 libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+                 libstring-shellquote-perl libsort-versions-perl \
+                 libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+                 libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+  yubishm_version=2.4.0
+  sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+  pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+  apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+    ./libyubihsm1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+  popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+  tmpdir=$(mktemp -d)
+  unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+  chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+  chmod go+rX "$tmpdir/mar-tools"/*
+  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
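Review bot: `authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub` runs without a preceding `create_user boklm`, unlike `create_user richard signing` on the next line, so unless the account already exists `mkdir "$sshdir"` fails under `set -e`, and boklm is never added to the `signing` group that the sudoers rules require. Add `create_user boklm signing` before it. `create_user` also returns early for an existing account, so group membership is not updated when the script is rerun.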
=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 user@tb-release
=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 boklm-yk1
=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+  ./rbm/rbm tar osslsigncode
+  echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+  ./rbm/rbm build --step fetch_martools mar-tools
+  echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+  ./rbm/rbm build yubihsm-shell --step fetch_src
+  echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
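Review bot: the archive is built from whatever `HEAD` is in the local checkout (`git archive ... HEAD .`) and the script ends by telling the operator to run setup-signing-machine from it with sudo, yet the commit id is never printed or checked. Print `git rev-parse HEAD` and verify it against a signed tag or an expected commit before uploading, so what runs as root on the signing machine can be traced to a reviewed revision.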
=====================================
tools/signing/set-config
=====================================
@@ -18,6 +18,8 @@ test "$SIGNING_PROJECTNAME" = 'torbrowser' \
   || test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \
   || exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME"
 
+export SIGNING_PROJECTNAME
+
 test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
 
 . "$script_dir/set-config.tbb-version"
@@ -36,3 +38,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
 rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 
 tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+  echo "File $tpo_cert is missing" >&2
+  exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+  -pass "$yubipass" \
+  -h sha256 \
+  -certs "$tpo_cert" \
+  -key 1c40 \
+  "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
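Review bot: `test $(whoami) != 'signing-win'` leaves the command substitution unquoted, and exit code 2 is used both for the wrong user and for a missing `$tpo_cert`. Quote it as `"$(whoami)"` and give the certificate check its own exit code so the caller can distinguish the two failures.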
=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+  echo 'This script should be run as the signing-gpg user' >&2
+  exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+  echo 'This script should be run as the signing-mar user' >&2
+  exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+  echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+  exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+  echo "$NSS_DB_DIR is missing" >&2
+  exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
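Review bot: `"$1"` is handed to signmar without checking that it names a regular file, and nothing documents that the NSS passphrase must arrive on stdin, which is how linux-signer-signmars calls it (`echo "$NSSPASS" | sudo -u signing-mar -- ...`). Add a `test -f "$1"` guard with its own error message and a usage comment at the top of the script.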
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…
                            [Git][tpo/applications/tor-browser-build][maint-12.0] 3 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts
                        
                        
by Richard Pospesel (@richard) 09 May '23
                    by Richard Pospesel (@richard) 09 May '23
09 May '23
                    
                        
Richard Pospesel pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build
Commits:
24c07ab6 by Nicolas Vigier at 2023-04-20T16:58:30+02:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - -
985f768a by Nicolas Vigier at 2023-04-20T16:58:32+02:00
Bug 40841: Set SIGNING_PROJECTNAME=torbrowser in signing scripts
For compatibility with signing scripts on the main branch.
- - - - -
43f474b4 by Nicolas Vigier at 2023-04-20T16:58:33+02:00
Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar
Changes:
=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+  use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+  - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+    sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+  fetch_martools:
+    fetch_martools: |
+      #!/bin/bash
+      echo ok
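Review bot: `gpg_keyring` and `tag_gpg_id: 1` look unused in this file, since it declares no git_url and its only input is the zip pinned by `sha256sum`; drop them or add a comment saying what they verify. A one-line comment on the `fetch_martools` step would also help, because a script that only runs `echo ok` reads like a leftover unless the reader knows the step exists so that upload-tbb-to-signing-machine can trigger the input download.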
=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
 # vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
 git_url: https://github.com/mtrojnar/osslsigncode
 git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
 input_files:
   - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
   - filename: timestamping.patch
+  - filename: '[% c("var/srcfile") %]'
+    enable: '[% c("var/no-git") %]'
+
+targets:
+  no-git:
+    git_url: ''
+    var:
+      no-git: 1
+      srcfile: '[% project %]-[% c("version") %].tar.gz'
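Review bot: the `srcfile` input added for the `no-git` target has no `sha256sum`, unlike the mar-tools and yubihsm-shell inputs added in the same series, so the osslsigncode source built on the signing machine is trusted as uploaded. If the tarball produced by `rbm tar` is reproducible, pin its hash here; otherwise document that its integrity rests on the upload path.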
=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+  use_container: 0
+var:
+  src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+  - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+    sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+  fetch_src:
+    fetch_src: |
+      #!/bin/bash
+      echo ok
=====================================
rbm.conf
=====================================
@@ -84,7 +84,7 @@ var:
   build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
   build_id_txt: |
     [% c("version") %]
-    [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+    [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
     [% IF c("container/use_container") && ! c("container/global_disable") -%]
     [% c("var/container/suite") %]
     [% c("var/container/arch") %]
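Review bot: the switch from `c("git_hash") || c("hg_hash")` to `c("git_url") || c("hg_url")` in `build_id_txt` changes what feeds `build_id` and is not explained in the file. Add a comment saying that a project with a `git_hash` but an empty `git_url` (the osslsigncode `no-git` target) must skip `abbrev`, and confirm that no existing project's `build_id` changes as a side effect.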
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
 test -f "$steps_dir/linux-signer-signmars.done" ||
   read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
 echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
 test -f "$steps_dir/linux-signer-gpg-sign.done" ||
   read -sp "Enter gpg passphrase: " GPG_PASS
 echo
@@ -193,10 +193,10 @@ do_step dmg2mar
 do_step sync-scripts-to-linux-signer
 do_step linux-signer-signmars
 do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
 do_step hash_signed_bundles
 do_step sync-after-hash
 do_step linux-signer-gpg-sign
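Review bot: the four authenticode `do_step` lines are disabled by commenting them out, with nothing in the file saying why or when to restore them. Add a comment referencing Bug 40846 next to them, and note there that `hash_signed_bundles` and `linux-signer-gpg-sign` still run, so the .exe files are hashed and GPG-signed without an Authenticode signature while this is in place.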
=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$tbb_version"
 test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
 echo
 
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
 cwd=$(pwd)
 for i in `find . -name "*.exe" -print`
 do
   echo "Signing $i"
-  echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
-       /home/yubihsm/osslsigncode/osslsigncode \
-                 -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
-                 -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
-                 -pass "'$YUBIPASS'" \
-                 -h sha256 \
-                 -certs /home/yubihsm/tpo-cert.crt \
-                 -key 1c40 \
-                 "$cwd/$i" "$tmpdir/$i" \
-                 | sudo su - yubihsm
-  mv -vf "$tmpdir/$i" "$cwd/$i"
+  sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+                 "$YUBIPASS" \
+                 "$cwd/$i"
+  cp /home/signing-win/last-signed-file.exe "$cwd/$i"
 done
 
 unset YUBIPASS
-rmdir "$tmpdir"
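Review bot: "$YUBIPASS" is now passed as a command-line argument to `sudo -u signing-win -- "$wrappers_dir/sign-exe"`, so the HSM password is visible in the process list for the duration of each signature and is recorded by sudo's default command logging. The gpg and mar callers in this series pipe their passphrase to the wrapper on stdin; do the same here and have sign-exe read it from stdin.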
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
 cd ~/"$tbb_version"
 
 test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
 for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
 do
   if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
     rm -f "$i.asc"
   fi
   echo "Signing $i"
-  echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+  i="$currentdir/$i"
+  tmpsig=$(mktemp)
+  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+  mv -f "$tmpsig" "${i}.asc"
 done
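Review bot: `tmpsig=$(mktemp)` creates the file with mode 0600 and `mv -f "$tmpsig" "${i}.asc"` keeps that mode, so the .asc files become owner-only where gpg previously created them under the umask. Add a `chmod 644` before the move (the wrappers already do this for their outputs), and create the temporary file next to "$i" so the rename stays on one filesystem and a failed signature does not leave files behind in the temp directory.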
=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
 #!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
 
 set -e
 set -u
@@ -10,33 +6,15 @@ set -u
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
 
-if [ -z "${NSS_DB_DIR+x}" ]; then
-  NSS_DB_DIR=/home/boklm/marsigning/nssdb7
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
-  NSS_CERTNAME=marsigner
-fi
-
 export LC_ALL=C
 
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
-  >&2 echo "Please create and populate the $NSS_DB_DIR directory"
-  exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 3
 fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
 
 # Prompt for the NSS password.
 # TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
@@ -65,9 +43,8 @@ for marfile in *.mar; do
     continue;
   fi
 
-  echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
-    "$marfile" tmp.mar
-  mv -f tmp.mar "$marfile"
+  echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+  cp /home/signing-mar/last-signed-mar.mar "$marfile"
   COUNT=$((COUNT + 1))
   echo "Signed MAR file $COUNT ($marfile)"
 done
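Review bot: `cp /home/signing-mar/last-signed-mar.mar "$marfile"` overwrites the MAR in place, where the removed `mv -f tmp.mar "$marfile"` replaced it in a single rename. An interrupted run can now leave a truncated "$marfile"; copy to a temporary name in the same directory and `mv -f` it over the original.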
=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+  echo 'This script should be run as the build-pkgs user' >&2
+  exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
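Review bot: `mkdir -p $(dirname $destdir)` and `test $(whoami) != 'build-pkgs'` leave their expansions unquoted; quote them as the rest of the script does. `rm -Rf "$destdir"` is also dead code, since the script exits earlier when "$destdir" exists.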
=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
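Review bot: nothing here documents where the `idProduct` list comes from or which entry is the HSM; the file is named 70-yubikey.rules while both rules grant access to `GROUP="yubihsm"`. Add a comment naming the source of the list and confirm it includes the product ID of the device that signing-win reaches through the yubihsm group.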
=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug
=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
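Review bot: `chmod -R 755 /home/signing-win/osslsigncode` marks every file in the tree executable; `chmod -R a+rX` gives the same read and traverse access without setting the execute bit on regular files. The `$(whoami)` substitution in the user test should be quoted as well.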
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+  user="$1"
+  groups="$2"
+  id "$user" > /dev/null 2>&1 && return 0
+  test -n "$groups" && groups="--groups $groups"
+  useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+  group="$1"
+  getent group "$group" > /dev/null 2>&1 && return 0
+  groupadd "$group"
+}
+
+function authorized_keys {
+  user="$1"
+  shift
+  tmpfile=$(mktemp)
+  for file in "$@"; do
+    cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+  done
+  sshdir="/home/$user/.ssh"
+  authkeysfile="$sshdir/authorized_keys"
+  if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+    rm "$tmpfile"
+    return 0
+  fi
+  echo "Update authorized_keys for user $user"
+  if ! test -d "$sshdir"; then
+    mkdir "$sshdir"
+    chmod 700 "$sshdir"
+    chown $user:$user "$sshdir"
+  fi
+  mv "$tmpfile" "$authkeysfile"
+  chown $user:$user "$authkeysfile"
+  chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+  sfile="$1"
+  cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+  chown root:root "/etc/sudoers.d/$sfile"
+  chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+  udevrule="$1"
+  rulepath="/etc/udev/rules.d/$udevrule"
+  if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+    cp "$script_dir$rulepath" "$rulepath"
+    udevadm control --reload-rules
+  fi
+}
+
+function install_packages {
+  for pkg in "$@"
+  do
+    dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+    apt-get install -y "$pkg"
+  done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+                 libio-handle-util-perl libio-all-perl \
+                 libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+                 libstring-shellquote-perl libsort-versions-perl \
+                 libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+                 libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+  yubishm_version=2.4.0
+  sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+  pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+  apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+    ./libyubihsm1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+  popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+  tmpdir=$(mktemp -d)
+  unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+  chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+  chmod go+rX "$tmpdir/mar-tools"/*
+  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
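Review bot: `authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub` runs without a preceding `create_user boklm`, so on a machine where that account does not already exist the `mkdir "$sshdir"` under /home/boklm fails and `set -e` aborts the setup; boklm is also never added to the `signing` group that the sudoers files require, whereas richard is. Add `create_user boklm signing` before that call. Separately, `create_user` returns early for an existing account without reconciling its groups, and `yubishm_version=2.4.0` (typo for yubihsm) duplicates the version already set in projects/yubihsm-shell/config.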
=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 user@tb-release
=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 boklm-yk1
=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
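Review bot: the NOPASSWD command lives under /signing, which setup-signing-machine hands to the `setup` account (`chown setup /signing`) and which upload-tbb-to-signing-machine rewrites over ssh as that user, so whoever controls `setup` controls the script that runs as signing-win. The same applies to the sign-gpg and sign-mar entries. Have the setup script install the wrappers to a root-owned path and point the sudoers entries there.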
=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
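Review bot: `env_keep += SIGNING_PROJECTNAME` is granted for signing-gpg, but in this series only sign-mar reads that variable. Drop the Defaults line here and in sudoers.d/sign-exe until those wrappers use it, so the environment preserved across sudo stays minimal.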
=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+  ./rbm/rbm tar osslsigncode
+  echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+  ./rbm/rbm build --step fetch_martools mar-tools
+  echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+  ./rbm/rbm build yubihsm-shell --step fetch_src
+  echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
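Review bot: `tar -C $signing_dir -xf` unpacks over the previous tree, so files deleted from the repository stay on the signing machine. Remove `$signing_dir/tor-browser-build` before extracting, and quote `$signing_dir` in the ssh command. The local "$tmpdir" from `mktemp -d` is never removed either; add a `trap` on EXIT that deletes it.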
=====================================
tools/signing/set-config
=====================================
@@ -2,6 +2,7 @@
 . "$script_dir/set-config.hosts"
 
 bundle_locales="ALL"
+export SIGNING_PROJECTNAME=torbrowser
 
 signed_dir="$script_dir/../../$tbb_version_type/signed"
 signed_version_dir="$signed_dir/$tbb_version"
@@ -15,3 +16,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
 rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 
 tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
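Review bot: `wrappers_dir` repeats the absolute path that the three sudoers.d files hard-code, and sudo only matches while the two stay identical. Add a comment here pointing at tools/signing/machines-setup/sudoers.d so the paths are changed together.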
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+  echo "File $tpo_cert is missing" >&2
+  exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+  -pass "$yubipass" \
+  -h sha256 \
+  -certs "$tpo_cert" \
+  -key 1c40 \
+  "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
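Review bot: every invocation writes to the single path /home/signing-win/last-signed-file.exe and the caller copies it out afterwards, so two overlapping signing runs can hand one caller the other's file. Serialise the sign-and-copy sequence with a lock, or have the wrapper stream the signed file back on stdout as sign-gpg does with `-o-`. `exit 2` is also used for both the wrong-user and the missing-certificate case.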
=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+  echo 'This script should be run as the signing-gpg user' >&2
+  exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
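Review bot: `--batch --passphrase-fd 0` is only honoured by GnuPG 2.1 and later when the pinentry mode is loopback, and this command now runs against the new homedir /home/signing-gpg/.gnupg, which setup-signing-machine does not populate. Either pass `--pinentry-mode loopback` here or document that the gpg.conf in that homedir must set it.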
=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+  echo 'This script should be run as the signing-mar user' >&2
+  exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+  echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+  exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+  echo "$NSS_DB_DIR is missing" >&2
+  exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
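Review bot: `$SIGNING_PROJECTNAME` only reaches this script through the `env_keep` line in sudoers.d/sign-mar, and when it is missing the script reports "Unknown SIGNING_PROJECTNAME: " with an empty value. Test for the unset case first and say that the variable was not passed through sudo, which is the likely cause.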
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…

[Git][tpo/applications/tor-browser][tor-browser-102.11.0esr-12.5-1] fixup! Bug 41600: Add a tor circuit display panel.
by Richard Pospesel (@richard) 09 May '23

Richard Pospesel pushed to branch tor-browser-102.11.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
9f9de549 by Henry Wilkes at 2023-05-09T14:54:55+01:00
fixup! Bug 41600: Add a tor circuit display panel.
Bug 41770 - Stop blocking event propagation of keydown events that we do
not handle. This lets the arrow key events pass on to
ToolbarKeyboardNavigator.
- - - - -
1 changed file:
- browser/components/torcircuit/content/torCircuitPanel.js
Changes:
=====================================
browser/components/torcircuit/content/torCircuitPanel.js
=====================================
@@ -221,10 +221,10 @@ var gTorCircuitPanel = {
     // rather than a <html:button>, or <xul:toolbarbutton>, so we need to set up
     // listeners for both "click" and "keydown", and not for "command".
     this.toolbarButton.addEventListener("keydown", event => {
-      event.stopPropagation();
       if (event.key !== "Enter" && event.key !== " ") {
         return;
       }
+      event.stopPropagation();
       this.show();
     });
     this.toolbarButton.addEventListener("click", event => {
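Review bot: the reason `event.stopPropagation()` is now called only after the Enter/Space check is recorded only in the commit message. Add a short comment at the call saying that unhandled keys, such as the arrow keys, must propagate to ToolbarKeyboardNavigator.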
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/9f9de54…

[Git][tpo/applications/tor-browser] Pushed new tag base-browser-102.11.0esr-12.5-1-build1
by Pier Angelo Vendrame (@pierov) 09 May '23

Pier Angelo Vendrame pushed new tag base-browser-102.11.0esr-12.5-1-build1 at The Tor Project / Applications / Tor Browser
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/base-brow…