This is an automated email from the git hooks/post-receive script.
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 01adb390c9198714b51c9a641d0137999c978929 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Sat Apr 30 10:57:10 2022 +0200
Bug 40476: Improve linux-signer-authenticode-signing
- Automatically change to ~/$tbb_version directory - Allow setting password with an environment variable (useful for tor-browser-build#40476) - Make it possible to run the script as any user, and only run the osslsigncode command as the yubihsm user --- tools/signing/linux-signer-authenticode-signing | 28 ++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/tools/signing/linux-signer-authenticode-signing b/tools/signing/linux-signer-authenticode-signing
index 68643ee..31943af 100755
--- a/tools/signing/linux-signer-authenticode-signing
+++ b/tools/signing/linux-signer-authenticode-signing
@@ -1,20 +1,34 @@
 #!/bin/bash
 set -e
-export YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
-read -sp "Enter passphrase: " pass
+cd ~/"$tbb_version"
+
+test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
 echo
+
+tmpdir=$(mktemp -d)
+chgrp yubihsm "$tmpdir"
+chmod g+rwx "$tmpdir"
+
+cwd=$(pwd)
 for i in `find . -name "*.exe" -print`
 do
- /home/yubihsm/osslsigncode/osslsigncode \
+ echo "Signing $i"
+ echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' ; \
+ /home/yubihsm/osslsigncode/osslsigncode \
 -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
 -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
- -pass "$pass" \
+ -pass "'$YUBIPASS'" \
 -h sha256 \
 -certs /home/yubihsm/tpo-cert.crt \
 -key 1c40 \
- $i $i-signed
+ "$cwd/$i" "$tmpdir/$i" \
+ | sudo su - yubihsm
+ mv -vf "$tmpdir/$i" "$cwd/$i"
 done
-unset pass
-rename -f 's/-signed//' *-signed
+
+unset YUBIPASS
+rmdir "$tmpdir"
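Review bot: In the loop body the `;` after `echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf'` is an unquoted command separator, so as rendered here only the `export` text is echoed while the `/home/yubihsm/osslsigncode/osslsigncode` invocation runs in the invoking user's own shell and merely has its stdout piped into `sudo su - yubihsm`, which is the opposite of the commit's stated goal; the `-pass "'$YUBIPASS'"` quoting only makes sense if that whole text is re-parsed by the yubihsm login shell, so if the file actually quotes or escapes the `;`, disregard this part. Even with that fixed, feeding a command line built from the password to a shell breaks on any password containing `'` and lets such a password alter the command; passing the arguments directly (sketch below, `sudo -u yubihsm env …`, which needs a matching sudoers rule) avoids the second parse, and osslsigncode's `-readpass FILE` would additionally keep the secret out of argv, where `ps` shows it to every local user. Independently, the script has no `set -u`, so an unset `tbb_version` (presumably provided by the sourced `functions` file) turns `cd ~/"$tbb_version"` into `cd ~` and the loop then signs every .exe under the home directory; add `: "${tbb_version:?tbb_version is not set}"` before the `cd`. Also, `"$tmpdir/$i"` has no parent directory when `find` returns an .exe below a subdirectory, and the unquoted backtick loop word-splits on paths containing whitespace.
```shell
  echo "Signing $i"
  # … unchanged: the -pkcs11engine/-pkcs11module/-h/-certs/-key options sit between the two lines below …
  sudo -u yubihsm env YUBIHSM_PKCS11_CONF=/home/yubihsm/yubihsm_pkcs11.conf \
    /home/yubihsm/osslsigncode/osslsigncode \
    -pass "$YUBIPASS" \
    "$cwd/$i" "$tmpdir/$i"
  mv -vf "$tmpdir/$i" "$cwd/$i"
```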