richard pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

2 changed files:

Changes:

  • .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
    ... ... @@ -169,6 +169,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    169 169
     ### signing
    
    170 170
     - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
    
    171 171
     - [ ] On `$(STAGING_SERVER)`, ensure updated:
    
    172
    +  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
    
    172 173
       - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
    
    173 174
         - `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    174 175
           - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
    
    ... ... @@ -215,6 +216,35 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    215 216
     
    
    216 217
     </details>
    
    217 218
     
    
    219
    +<details>
    
    220
    +  <summary>Signature verification</summary>
    
    221
    +
    
    222
    +  <details>
    
    223
    +    <summary>Check whether the .exe files got properly signed and timestamped</summary>
    
    224
    +    ```
    
    225
    +    # Point OSSLSIGNCODE to your osslsigncode binary
    
    226
    +    pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
    
    227
    +    OSSLSIGNCODE=/path/to/osslsigncode
    
    228
    +    ../../../tools/authenticode_check.sh
    
    229
    +    popd
    
    230
    +    ```
    
    231
    +  </details>
    
    232
    +  <details>
    
    233
    +    <summary>Check whether the MAR files got properly signed</summary>
    
    234
    +    ```
    
    235
    +    # Point NSSDB to your nssdb containing the mar signing certificate
    
    236
    +    # Point SIGNMAR to your signmar binary
    
    237
    +    # Point LD_LIBRARY_PATH to your mar-tools directory
    
    238
    +    pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
    
    239
    +    NSSDB=/path/to/nssdb
    
    240
    +    SIGNMAR=/path/to/mar-tools/signmar
    
    241
    +    LD_LIBRARY_PATH=/path/to/mar-tools/
    
    242
    +    ../../../tools/marsigning_check.sh
    
    243
    +    popd
    
    244
    +    ```
    
    245
    +  </details>
    
    246
    +</details>
    
    247
    +
    
    218 248
     <details>
    
    219 249
       <summary>Publishing</summary>
    
    220 250
     
    
    ... ... @@ -233,6 +263,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    233 263
     ### blog: https://gitlab.torproject.org/tpo/web/blog.git
    
    234 264
     
    
    235 265
     - [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
    
    266
    +    - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
    
    236 267
         - [ ] Update Tor Browser version numbers
    
    237 268
         - [ ] Note any ESR rebase
    
    238 269
         - [ ] Link to any Firefox security updates from ESR upgrade
    

  • .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
    ... ... @@ -166,6 +166,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    166 166
     ### signing
    
    167 167
     - **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
    
    168 168
     - [ ] On `$(STAGING_SERVER)`, ensure updated:
    
    169
    +  - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N) && git checkout tbb-$(TOR_BROWSER_VERSION)-$(TOR_BROWSER_BUILD_N)`
    
    169 170
       - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
    
    170 171
         - `ssh_host_builder` : ssh hostname of machine with unsigned builds
    
    171 172
           - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
    
    ... ... @@ -212,6 +213,35 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    212 213
     
    
    213 214
     </details>
    
    214 215
     
    
    216
    +<details>
    
    217
    +  <summary>Signature verification</summary>
    
    218
    +
    
    219
    +  <details>
    
    220
    +    <summary>Check whether the .exe files got properly signed and timestamped</summary>
    
    221
    +    ```
    
    222
    +    # Point OSSLSIGNCODE to your osslsigncode binary
    
    223
    +    pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
    
    224
    +    OSSLSIGNCODE=/path/to/osslsigncode
    
    225
    +    ../../../tools/authenticode_check.sh
    
    226
    +    popd
    
    227
    +    ```
    
    228
    +  </details>
    
    229
    +  <details>
    
    230
    +    <summary>Check whether the MAR files got properly signed</summary>
    
    231
    +    ```
    
    232
    +    # Point NSSDB to your nssdb containing the mar signing certificate
    
    233
    +    # Point SIGNMAR to your signmar binary
    
    234
    +    # Point LD_LIBRARY_PATH to your mar-tools directory
    
    235
    +    pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
    
    236
    +    NSSDB=/path/to/nssdb
    
    237
    +    SIGNMAR=/path/to/mar-tools/signmar
    
    238
    +    LD_LIBRARY_PATH=/path/to/mar-tools/
    
    239
    +    ../../../tools/marsigning_check.sh
    
    240
    +    popd
    
    241
    +    ```
    
    242
    +  </details>
    
    243
    +</details>
    
    244
    +
    
    215 245
     <details>
    
    216 246
       <summary>Publishing</summary>
    
    217 247
     
    
    ... ... @@ -230,6 +260,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    230 260
     ### blog: https://gitlab.torproject.org/tpo/web/blog.git
    
    231 261
     
    
    232 262
     - [ ] Duplicate previous Stable or Alpha release blog post as appropriate to new directory under `content/blog/new-release-tor-browser-$(TOR_BROWSER_VERSION)` and update with info on release :
    
    263
    +    - [ ] Run `tools/signing/create-blog-post` which should create the new blog post from a template (edit set-config.blog to set you local blog directory)
    
    233 264
         - [ ] Update Tor Browser version numbers
    
    234 265
         - [ ] Note any ESR rebase
    
    235 266
         - [ ] Link to any Firefox security updates from ESR upgrade