+# vim: filetype=yaml sw=2

+#

+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine

+# to fetch mar-tools for signing machine setup

+#

+version: 12.0.4

+filename: 'mar-tools-linux64.zip'

+container:

+  use_container: 0

+gpg_keyring: torbrowser.gpg

+tag_gpg_id: 1

+input_files:

+  - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'

+    sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584

+

+steps:

+  fetch_martools:

+    fetch_martools: |

+      #!/bin/bash

+      echo ok

+version: '[% c("git_hash").substr(0, 12) %]'

+  - filename: '[% c("var/srcfile") %]'

+    enable: '[% c("var/no-git") %]'

+

+targets:

+  no-git:

+    git_url: ''

+    var:

+      no-git: 1

+      srcfile: '[% project %]-[% c("version") %].tar.gz'

+#!/bin/bash

+[% c("var/set_default_env") -%]

+distdir=$(pwd)/dist

+tar xf [% project %]-[% c('version') %].tar.gz

+cd [% project %]-[% c('version') %]

+dpkg-buildpackage -us -uc

+mkdir -p "$distdir"

+mv ../*.deb "$distdir"

+dest=[% dest_dir _ '/' _ c('filename') %]

+rm -Rf "$dest"

+mv "$distdir" "$dest"

+# vim: filetype=yaml sw=2

+version: 2.4.0

+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'

+container:

+  use_container: 0

+var:

+  src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'

+input_files:

+  - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'

+    sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0

+

+steps:

+  fetch_src:

+    fetch_src: |

+      #!/bin/bash

+      echo ok

+    [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]

+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||

+#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS

+#echo

+#do_step linux-signer-authenticode-signing

+#do_step sync-after-authenticode-signing

+#do_step authenticode-timestamping

+#do_step sync-after-authenticode-timestamping

+  sudo -u signing-win -- "$wrappers_dir/sign-exe" \

+                 "$YUBIPASS" \

+                 "$cwd/$i"

+  cp /home/signing-win/last-signed-file.exe "$cwd/$i"

+currentdir=$(pwd)

+  i="$currentdir/$i"

+  tmpsig=$(mktemp)

+  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"

+  mv -f "$tmpsig" "${i}.asc"

+martools_dir=/home/signing-mar/mar-tools

+if ! test -d "$martools_dir"; then

+  >&2 echo "Please create $martools_dir"

+  exit 3

+export LD_LIBRARY_PATH="$martools_dir"

+export PATH="$martools_dir:$PATH"

+  echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"

+  cp /home/signing-mar/last-signed-mar.mar "$marfile"

+#!/bin/bash

+set -e

+

+if test $(whoami) != 'build-pkgs'; then

+  echo 'This script should be run as the build-pkgs user' >&2

+  exit 1

+fi

+

+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs

+if test -d "$destdir"; then

+  echo "$destdir already exists. Doing nothing."

+  exit 0

+fi

+

+cd /home/build-pkgs

+tar xf /signing/tor-browser-build.tar

+cd tor-browser-build

+tar xf /signing/rbm.tar

+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)

+mkdir -p out/yubihsm-shell

+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell

+./rbm/rbm build yubihsm-shell

+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)

+rm -Rf "$destdir"

+mkdir -p $(dirname $destdir)

+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"

+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"

+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"

+connector = yhusb://

+#debug

+#dinout

+#libdebug

+#debug-file = /tmp/yubihsm_pkcs11_debug

+#!/bin/bash

+set -e

+

+if test $(whoami) != 'signing-win'; then

+  echo 'This script should be run as the signing-win user' >&2

+  exit 1

+fi

+

+destdir=/home/signing-win/osslsigncode

+if test -d "$destdir"; then

+  echo "$destdir already exists. Doing nothing."

+  exit 0

+fi

+

+cd /home/signing-win

+tar xf /signing/tor-browser-build.tar

+cd tor-browser-build

+tar xf /signing/rbm.tar

+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)

+mkdir -p out/osslsigncode

+cp "/signing/$osslsigncodefile" out/osslsigncode

+./rbm/rbm build osslsigncode --target no-git

+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)

+cd /home/signing-win

+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"

+chmod -R 755 /home/signing-win/osslsigncode

+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"

+#!/bin/bash

+set -e

+

+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

+

+function create_user {

+  user="$1"

+  groups="$2"

+  id "$user" > /dev/null 2>&1 && return 0

+  test -n "$groups" && groups="--groups $groups"

+  useradd -s /bin/bash -m "$user" $groups

+}

+

+function create_group {

+  group="$1"

+  getent group "$group" > /dev/null 2>&1 && return 0

+  groupadd "$group"

+}

+

+function authorized_keys {

+  user="$1"

+  shift

+  tmpfile=$(mktemp)

+  for file in "$@"; do

+    cat "$script_dir/ssh-keys/$file" >> "$tmpfile"

+  done

+  sshdir="/home/$user/.ssh"

+  authkeysfile="$sshdir/authorized_keys"

+  if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then

+    rm "$tmpfile"

+    return 0

+  fi

+  echo "Update authorized_keys for user $user"

+  if ! test -d "$sshdir"; then

+    mkdir "$sshdir"

+    chmod 700 "$sshdir"

+    chown $user:$user "$sshdir"

+  fi

+  mv "$tmpfile" "$authkeysfile"

+  chown $user:$user "$authkeysfile"

+  chmod 600 "$authkeysfile"

+}

+

+function sudoers_file {

+  sfile="$1"

+  cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"

+  chown root:root "/etc/sudoers.d/$sfile"

+  chmod 0440 "/etc/sudoers.d/$sfile"

+}

+

+function udev_rule {

+  udevrule="$1"

+  rulepath="/etc/udev/rules.d/$udevrule"

+  if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then

+    cp "$script_dir$rulepath" "$rulepath"

+    udevadm control --reload-rules

+  fi

+}

+

+function install_packages {

+  for pkg in "$@"

+  do

+    dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue

+    apt-get install -y "$pkg"

+  done

+}

+

+install_packages build-essential rsync unzip

+install_packages sudo vim tmux gnupg

+

+create_user setup

+authorized_keys setup boklm-yk1.pub

+mkdir -p /signing

+chmod 0755 /signing

+chown setup /signing

+

+create_user yubihsm

+create_group yubihsm

+udev_rule 70-yubikey.rules

+

+create_user signing

+create_group signing

+create_user signing-gpg

+create_user signing-mar

+create_user signing-win yubihsm

+

+

+sudoers_file sign-gpg

+sudoers_file sign-mar

+sudoers_file sign-exe

+

+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub

+create_user richard signing

+authorized_keys richard richard.pub

+

+# Install rbm deps

+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \

+                 libio-handle-util-perl libio-all-perl \

+                 libio-captureoutput-perl libjson-perl libpath-tiny-perl \

+                 libstring-shellquote-perl libsort-versions-perl \

+                 libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \

+                 libfile-copy-recursive-perl libfile-slurp-perl

+

+# Install deps for building osslsigncode

+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev

+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode

+

+# Packages needed for windows signing

+install_packages opensc libengine-pkcs11-openssl

+

+# Install deps for building yubihsm-shell

+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec

+

+# Build and install yubihsm-pkcs11 package

+create_user build-pkgs

+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then

+  yubishm_version=2.4.0

+  sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg

+  pushd /home/build-pkgs/packages/yubihsm-shell-pkgs

+  apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \

+    ./libyubihsm1_${yubishm_version}_amd64.deb \

+    ./libyubihsm-http1_${yubishm_version}_amd64.deb \

+    ./libyubihsm-usb1_${yubishm_version}_amd64.deb

+  popd

+fi

+

+# install mar-tools

+if ! test -d /home/signing-mar/mar-tools; then

+  tmpdir=$(mktemp -d)

+  unzip -d "$tmpdir" /signing/mar-tools-linux64.zip

+  chown -R signing-mar:signing-mar "$tmpdir/mar-tools"

+  chmod go+rX "$tmpdir/mar-tools"/*

+  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools

+fi

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user@tb-release

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7nEOKbxQX46guAanVHEfMZL/Udvd3g/HFQnJDDK0Nr+OPe2doGcUs2DD8xxADNihh59fsvVSeerHfe0Fuer039Y2PZNjg1zfm8Gk099zLIJWgZ23Lj59sLmrHQOSgE+VKaLq6OPre9wuhoe0XbiJOmoJRH78TF5GSOidPngLgthrm3rsCAofsJ26DzObVdbKKvR5XmvloBAIiNbvPnyq+0cn6LFSSueRG/v+A9ESl423b6n01msEm8yi5wqUE3ciskRF/IpP8HJV2C2naOgXVLmYw5Ft2NQzRSSgLy+l2mQxU4FTY2SaO7TVlo8aBjxLSHWakZMsnYyWOHrSnpx+l2g2wC2Bw5CwvS4z+n1/u568/UvRvAyZ/i6f7MO56MC9ipaQH165U+Lh4Ra6V82XvOvAtQwr/ts55/ypTzEerNXO5aoRQdnfU+funQEhT80Upqo3Cda+Eexn/thF3B+uCys7gszbWHa0L0WsLmH0vlHOIY/zS34pI2BChaKk237fOMILrY3AdWaK/ZNnkvTks262dMNJiv3WjxoMBvj3M/uOawT+ir2fWoASrcWbWOJcHNcigzWruZ0J4H0tzy7GMizYs2uV7fvTvCvgVyuPtTVb7S61k2PFDozzQaWUkJIs3/OTnfXdvB1d1p/7mK+BuSb8dnNhaklxZWAeMgbSjQw== boklm-yk1

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a

+Defaults>signing-win env_keep += SIGNING_PROJECTNAME

+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe

+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME

+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg

+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME

+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar

+#!/bin/bash

+# Upload tor-browser-build directory from current HEAD commit and other

+# dependencies to signing machine

+set -e

+

+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

+

+cd "$script_dir/../../.."

+tmpdir=$(mktemp -d)

+tbbtar=$tmpdir/tor-browser-build.tar

+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .

+

+echo "Created $tbbtar"

+

+make submodule-update

+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)

+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then

+  ./rbm/rbm tar osslsigncode

+  echo "Created $osslsigncodefile"

+fi

+

+cd rbm

+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .

+echo "Created rbm.tar"

+cd ..

+

+martools_filename=mar-tools-linux64.zip

+if ! test -f "./out/mar-tools/$martools_filename"; then

+  ./rbm/rbm build --step fetch_martools mar-tools

+  echo "Downloaded $martools_filename"

+fi

+

+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)

+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then

+  ./rbm/rbm build yubihsm-shell --step fetch_src

+  echo "Fetched $yubihsm_filename"

+fi

+

+signing_machine='linux-signer'

+setup_user='setup'

+signing_dir='/signing'

+

+echo "Uploading $osslsigncodefile to $signing_machine"

+chmod go+r "./out/osslsigncode/$osslsigncodefile"

+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"

+echo "Uploading rbm.tar to $signing_machine"

+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"

+echo "Uploading $martools_filename"

+chmod go+r "./out/mar-tools/$martools_filename"

+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"

+echo "Uploading $yubihsm_filename"

+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"

+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"

+echo "Uploading tor-browser-build.tar to $signing_machine"

+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"

+echo "Extracting tor-browser-build.tar on $signing_machine"

+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar

+echo "You can now run this command on $signing_machine to update signing machine setup:"

+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"

+export SIGNING_PROJECTNAME=torbrowser

+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers

+#!/bin/bash

+set -e

+

+if test "$#" -ne 2; then

+  echo "Wrong number of arguments" >&2

+  exit 1

+fi

+

+if test $(whoami) != 'signing-win'; then

+  echo 'This script should be run as the signing-win user' >&2

+  exit 2

+fi

+

+yubipass="$1"

+to_sign_exe="$2"

+

+tpo_cert=/home/signing-win/tpo-cert.crt

+

+if ! test -f "$tpo_cert"; then

+  echo "File $tpo_cert is missing" >&2

+  exit 2

+fi

+

+output_signed_exe=/home/signing-win/last-signed-file.exe

+rm -f "$output_signed_exe"

+

+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'

+/home/signing-win/osslsigncode/bin/osslsigncode \

+  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \

+  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \

+  -pass "$yubipass" \

+  -h sha256 \

+  -certs "$tpo_cert" \

+  -key 1c40 \

+  "$to_sign_exe" "$output_signed_exe"

+

+chmod 644 "$output_signed_exe"

+#!/bin/bash

+set -e

+

+if test "$#" -ne 1; then

+  echo "Wrong number of arguments" >&2

+  exit 2

+fi

+

+if test $(whoami) != 'signing-gpg'; then

+  echo 'This script should be run as the signing-gpg user' >&2

+  exit 1

+fi

+

+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"

+#!/bin/bash

+set -e

+

+if test "$#" -ne 1; then

+  echo "Wrong number of arguments" >&2

+  exit 1

+fi

+

+if test $(whoami) != 'signing-mar'; then

+  echo 'This script should be run as the signing-mar user' >&2

+  exit 2

+fi

+

+output_signed_mar=/home/signing-mar/last-signed-mar.mar

+rm -f "$output_signed_mar"

+

+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then

+  NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7

+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then

+  NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1

+else

+  echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"

+  exit 3

+fi

+NSS_CERTNAME=marsigner

+

+if ! test -d "$NSS_DB_DIR"; then

+  echo "$NSS_DB_DIR is missing" >&2

+  exit 3

+fi

+

+martools_dir=/home/signing-mar/mar-tools

+if ! test -d "$martools_dir"; then

+  >&2 echo "Please create $martools_dir"

+  exit 4

+fi

+export LD_LIBRARY_PATH="$martools_dir"

+export PATH="$martools_dir:$PATH"

+

+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"

+chmod 644 "$output_signed_mar"