
boklm pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: 821c192e by Nicolas Vigier at 2025-08-29T12:16:22+02:00 Bug 41522: Adapt signing scripts for tor-vpn - - - - - 30 changed files: - rbm.conf - tools/signing/do-all-signing - + tools/signing/do-all-signing.torvpn - tools/signing/functions - + tools/signing/linux-signer-gpg-sign.torvpn - + tools/signing/linux-signer-sign-android-aab - + tools/signing/linux-signer-sign-android-aab.torvpn - tools/signing/linux-signer-sign-android-apks - + tools/signing/linux-signer-sign-android-apks.torvpn - tools/signing/machines-setup/setup-signing-machine - + tools/signing/machines-setup/sudoers.d/sign-aab - tools/signing/machines-setup/sudoers.d/sign-apk - tools/signing/set-config - + tools/signing/staticiforme-prepare-cdn-dist-upload.torvpn - + tools/signing/sync-builder-to-local.torvpn - + tools/signing/sync-builder-to-local.torvpn.dry-run - + tools/signing/sync-builder-unsigned-to-local-signed.torvpn - + tools/signing/sync-builder-unsigned-to-local-signed.torvpn.dry-run - + tools/signing/sync-linux-signer-to-local.torvpn - + tools/signing/sync-linux-signer-to-local.torvpn.dry-run - + tools/signing/sync-local-to-builder.torvpn - + tools/signing/sync-local-to-builder.torvpn.dry-run - + tools/signing/sync-local-to-linux-signer.torvpn - + tools/signing/sync-local-to-linux-signer.torvpn.dry-run - + tools/signing/sync-local-to-staticiforme.torvpn - + tools/signing/sync-local-to-staticiforme.torvpn.dry-run - + tools/signing/sync-scripts-to-linux-signer.torvpn - + tools/signing/sync-scripts-to-linux-signer.torvpn.dry-run - + tools/signing/wrappers/sign-aab - tools/signing/wrappers/sign-apk Changes: ===================================== rbm.conf ===================================== 
@@ -97,8 +97,8 @@ var: # enable/disable all android or desktop platforms. If you want to # check whether a release includes some android or desktop platforms # see signing_android and signing_desktop below. - is_android_release: '[% c("var/tor-browser") %]' - is_desktop_release: '1' + is_android_release: '[% c("var/tor-browser") || c("var/tor-vpn") %]' + is_desktop_release: '[% ! c("var/tor-vpn") %]' # signing_android is used in signing scripts to check if at least # one android platform is being signed/published @@ -328,6 +328,18 @@ targets: max_torbrowser_incremental_from: 2 build_infos_json: 1 + torvpn: + var: + tor-vpn: 1 + torbrowser_version: '1.0.0Beta' + torbrowser_build: 'build1' + browser_release_date: '2025/08/28 15:33:44' + project-name: tor-vpn + projectname: torvpn + Project_Name: 'Tor VPN' + ProjectName: TorVPN + project_initials: tv + torbrowser: var: tor-browser: 1 ===================================== tools/signing/do-all-signing ===================================== @@ -67,7 +67,7 @@ echo echo [ -z "$platform_android" ] || \ - [ -f "$steps_dir/linux-signer-sign-android-apks.done" ] || \ + [ -f "$steps_dir/sync-after-sign-android-apks.done" ] || \ [ -n "$KSPASS" ] || \ read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS echo @@ -155,6 +155,14 @@ EOF unset KSPASS } +function linux-signer-sign-android-aab { + ssh "$ssh_host_linux_signer" 'bash -s' << EOF + export KSPASS=$KSPASS + ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-aab.$SIGNING_PROJECTNAME +EOF + unset KSPASS +} + function sync-after-sign-android-apks { "$script_dir/sync-linux-signer-to-local" } 
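Review bot: The new `linux-signer-sign-android-aab` function will normally run with an empty passphrase: the preceding `linux-signer-sign-android-apks` function ends with `unset KSPASS` (visible as context at the top of this hunk), so when `export KSPASS=$KSPASS` is expanded into the heredoc on the very next step the value is already gone, and the remote script then has to prompt on a non-interactive stdin that reads EOF and aborts under its `set -e`. Unless `do_step` re-reads the password between steps (not visible here), keep the passphrase until its last consumer, e.g. replace the apks function's `unset KSPASS` with `[ "$SIGNING_PROJECTNAME" = 'torvpn' ] || unset KSPASS` and leave the unset in the aab function. Independently, `export KSPASS=$KSPASS` inside an unquoted heredoc splices the passphrase into the remote script as shell source, so a value containing whitespace or metacharacters is mangled or interpreted; `export KSPASS=$(printf '%q' "$KSPASS")` hands the remote bash a single literal word. The existing apks function uses the same interpolation and has the same weakness.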
@@ -257,6 +265,8 @@ do_step sync-before-linux-signer-signmars do_step sync-after-signmars [ -n "$platform_android" ] && \ do_step linux-signer-sign-android-apks +[ "$SIGNING_PROJECTNAME" = 'torvpn' ] && [ -n "$platform_android" ] && \ + do_step linux-signer-sign-android-aab [ -n "$platform_android" ] && \ do_step sync-after-sign-android-apks [ -n "$platform_windows" ] && \ @@ -275,6 +285,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo do_step sync-local-to-staticiforme do_step sync-scripts-to-staticiforme do_step staticiforme-prepare-cdn-dist-upload -! is_legacy && \ +[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && ! is_legacy \ do_step upload-update_responses-to-staticiforme do_step finished-signing-clean-linux-signer ===================================== tools/signing/do-all-signing.torvpn ===================================== @@ -0,0 +1 @@ +do-all-signing \ No newline at end of file ===================================== tools/signing/functions ===================================== @@ -14,6 +14,7 @@ function var_is_defined { } function check_update_responses_repository_dir { + test "$SIGNING_PROJECTNAME" = 'torvpn' && return 0 if test -z "$update_responses_repository_dir" || ! test -d "$update_responses_repository_dir" then cat << 'EOF' > /dev/stderr ===================================== tools/signing/linux-signer-gpg-sign.torvpn ===================================== @@ -0,0 +1 @@ +linux-signer-gpg-sign \ No newline at end of file ===================================== tools/signing/linux-signer-sign-android-aab ===================================== 
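Review bot: The rewritten condition `[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && ! is_legacy \` drops the trailing `&&` that the removed line had, so the backslash continuation joins `do_step upload-update_responses-to-staticiforme` onto the `is_legacy` call as two extra arguments and the upload step is never executed for any project. It should read `[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && ! is_legacy && \`. The torvpn skip itself is consistent with the early return added to `check_update_responses_repository_dir` in tools/signing/functions.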
@@ -0,0 +1,46 @@ +#!/bin/bash + +set -e +no_generate_config=1 +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +topdir="$script_dir/../.." +test "$SIGNING_PROJECTNAME" = 'torvpn' +projname=$(project-name) +# tbb_version_type, tbb_version and SIGNING_PROJECTNAME are used in +# wrappers/sign-apk, so we export them +export tbb_version tbb_version_type SIGNING_PROJECTNAME +# (note: we should also export SIGNING_PROJECTNAME and tbb_version in +# the maint-14.5 branch) + +check_installed_packages() { + local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless' + for package in $packages + do + dpkg -s "$package" | grep -q '^Status: install ok installed$' || \ + exit_error "package $package is missing" + done +} + +sign_aab() { + sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-aab +} + +check_installed_packages + +if [ -z "$KSPASS" ]; then + echo "Enter keystore passphrase" + stty -echo; read KSPASS; stty echo + export KSPASS +fi + +cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/$projname-$tbb_version.aab \ + /home/signing-apk/unsigned-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" + +sign_aab + +cp /home/signing-apk/signed-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" \ + ~/"$SIGNING_PROJECTNAME-$tbb_version"/$projname-$tbb_version.aab +rm /home/signing-apk/signed-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" +rm /home/signing-apk/unsigned-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" ===================================== tools/signing/linux-signer-sign-android-aab.torvpn ===================================== @@ -0,0 +1 @@ +linux-signer-sign-android-aab \ No newline at end of file ===================================== tools/signing/linux-signer-sign-android-apks ===================================== 
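Review bot: Unlike `linux-signer-sign-android-apks`, which runs `verify_apk` and pins the expected signer certificate digest after signing, this script copies the signed `.aab` straight back into the release directory without checking what signed it; after `sign_aab` add a `verify_aab` step built on `jarsigner -verify -verbose -certs /home/signing-apk/signed-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab"` that calls `exit_error` unless the output names the expected certificate (the digest to pin is the release key's, a placeholder until taken from the key), so a wrong or missing signature is caught on the signer rather than at publication. The guard `test "$SIGNING_PROJECTNAME" = 'torvpn'` only works through `set -e` and aborts without any message; `|| exit_error "linux-signer-sign-android-aab is only used for torvpn"` says why. `read KSPASS` should be `read -r KSPASS`, and if `read` fails under `set -e` the following `stty echo` is never reached. The comment above the `export` line was copied from the apks script and still says `wrappers/sign-apk` (and carries the maint-14.5 note), while this script calls `wrappers/sign-aab`. `$projname-$tbb_version.aab` in the two `cp` lines is unquoted although the rest of the path is quoted; write it as `"$projname-$tbb_version.aab"`.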
@@ -7,9 +7,11 @@ source "$script_dir/functions" topdir="$script_dir/../.." ARCHS="armv7 aarch64 x86 x86_64" +test "$SIGNING_PROJECTNAME" = 'torvpn' && ARCHS='multiarch' projname=$(project-name) -# tbb_version_type is used in wrappers/sign-apk, so we export it -export tbb_version_type +# tbb_version_type, tbb_version and SIGNING_PROJECTNAME are used in +# wrappers/sign-apk, so we export them +export tbb_version tbb_version_type SIGNING_PROJECTNAME check_installed_packages() { local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless' @@ -21,10 +23,11 @@ check_installed_packages() { } setup_build_tools() { + abt_version=16 build_tools_dir=/signing/android-build-tools - test -f "$build_tools_dir"/android-12/apksigner || \ - exit_error "$build_tools_dir/android-12/apksigner is missing" - export PATH="$build_tools_dir/android-12:${PATH}" + test -f "$build_tools_dir"/android-$abt_version/apksigner || \ + exit_error "$build_tools_dir/android-$abt_version/apksigner is missing" + export PATH="$build_tools_dir/android-$abt_version:${PATH}" } sign_apk() { @@ -36,7 +39,6 @@ verify_apk() { scheme_v1="Verified using v1 scheme (JAR signing): true" scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true" - # Verify the expected signing key was used, Alpha verses Release based on the filename. if test "$tbb_version_type" = "alpha"; then cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1" pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d" 
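Review bot: `setup_build_tools` in this hunk hardcodes `abt_version=16`, whereas the same function in `wrappers/sign-apk` (changed in this commit) falls back to `android-12` when `tbb_version` starts with `14.5`; if this script is also used for 14.5 signing, `verify_apk` would run the android-16 `apksigner` against packages the wrapper signed with the android-12 one. If the asymmetry is intended because the signer-side copy of this script is synced from the branch being signed, a comment such as `# This script is synced per branch and always matches that branch's build tools; wrappers/sign-apk on the signer keeps its own 14.5 fallback.` would make it explicit. `abt_version` is also not declared `local`, unlike `packages` in `check_installed_packages`, so it leaks into the script's global scope.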
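Review bot: The removed line `# Verify the expected signing key was used, Alpha verses Release based on the filename.` was the only explanation of why `verify_apk` pins certificate and public-key digests, and nothing replaces it; with a third, project-specific case added in the next hunk the rationale is needed more, not less. Restore it above the `if test "$tbb_version_type" = "alpha"` line, e.g. `# Verify the expected signing key was used: the pinned digests depend on alpha vs release and, below, on SIGNING_PROJECTNAME.`. `verify_apk` continues into the following hunk.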
@@ -44,7 +46,14 @@ verify_apk() { cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8" pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6" fi + if test "$SIGNING_PROJECTNAME" = "torvpn"; then + # No v1 scheme signature on torvpn apk + scheme_v1='' + cert_digest="Signer #1 certificate SHA-256 digest: c2f6ffa30e56a7c53a226248ef908612ee539df2f52bede5a55037425b83331d" + pubkey_digest="Signer #1 public key SHA-256 digest: fddc5f93ae0bc971e951481b0b5e6b62e47040fe979ff535cf75daade2f13f3d" + fi for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do + test -z "$digest" && continue if ! echo "${verified}" | grep -q "${digest}"; then echo "Expected digest not found:" echo ${digest} @@ -69,8 +78,10 @@ mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk \ - ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.bspatch \ ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" +test "$SIGNING_PROJECTNAME" != 'torvpn' && \ + cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.bspatch \ + ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" # Sign all packages 
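Review bot: The torvpn branch in `verify_apk` overrides `cert_digest` and `pubkey_digest` after the alpha/release selection, so the same key is required for both version types; that matches `wrappers/sign-apk` selecting the single `torvpn.p12` for torvpn, and the comment `# No v1 scheme signature on torvpn apk` should say so, e.g. `# torvpn signs alpha and release with the same key (torvpn.p12), so the digests do not depend on tbb_version_type; there is no v1 (JAR) signature.`. Setting `scheme_v1=''` and skipping it via `test -z "$digest" && continue` only stops requiring a v1 signature; if torvpn packages must not carry one, check for the explicit `Verified using v1 scheme (JAR signing): false` line instead of skipping the check. `verify_apk` starts before this hunk.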
@@ -79,7 +90,8 @@ for arch in ${ARCHS}; do unsigned_apk=${projname}-qa-unsigned-android-${arch}-${tbb_version}.apk unsigned_apk_bspatch=${projname}-qa-unsign-android-${arch}-${tbb_version}.bspatch signed_apk=${projname}-android-${arch}-${tbb_version}.apk - bspatch "$qa_apk" "$unsigned_apk" "$unsigned_apk_bspatch" + test -f "$unsigned_apk" || \ + bspatch "$qa_apk" "$unsigned_apk" "$unsigned_apk_bspatch" sign_apk "$unsigned_apk" "$signed_apk" verify_apk "$signed_apk" cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version" ===================================== tools/signing/linux-signer-sign-android-apks.torvpn ===================================== @@ -0,0 +1 @@ +linux-signer-sign-android-apks \ No newline at end of file ===================================== tools/signing/machines-setup/setup-signing-machine ===================================== @@ -91,6 +91,7 @@ sudoers_file sign-gpg sudoers_file sign-mar sudoers_file sign-exe sudoers_file sign-apk +sudoers_file sign-aab sudoers_file sign-rcodesign sudoers_file sign-rcodesign-128 sudoers_file set-date @@ -105,6 +106,10 @@ authorized_keys ma1 ma1.pub create_user pierov signing authorized_keys pierov pierov.pub +mkdir -p /home/signing-apk/unsigned-files /home/signing-apk/signed-files +chgrp signing /home/signing-apk/unsigned-files /home/signing-apk/signed-files +chmod g+rwx /home/signing-apk/unsigned-files /home/signing-apk/signed-files + # Install rbm deps install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \ libio-handle-util-perl libio-all-perl \ ===================================== tools/signing/machines-setup/sudoers.d/sign-aab ===================================== @@ -0,0 +1,2 @@ +Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version tbb_version_type KSPASS" +%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-aab ===================================== tools/signing/machines-setup/sudoers.d/sign-apk ===================================== 
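Review bot: `test -f "$unsigned_apk" || bspatch ...` makes skipping the bspatch reconstruction depend on whatever file happens to exist in `~/$SIGNING_PROJECTNAME-$tbb_version-apks`, a directory the earlier `mkdir -p` reuses across runs, rather than on the project that actually ships unsigned apks (presumably torvpn, given `ARCHS='multiarch'` and the skipped `.bspatch` copy for it). An explicit condition, `test "$SIGNING_PROJECTNAME" = 'torvpn' || bspatch "$qa_apk" "$unsigned_apk" "$unsigned_apk_bspatch"`, prevents a stale leftover from a previous run from silently standing in for the patched apk on the other projects. The `for arch in ${ARCHS}` loop continues past this hunk.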
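Review bot: The `env_keep` list in `sudoers.d/sign-aab` passes `tbb_version` through to `wrappers/sign-aab`, but that wrapper (added in this commit) never reads it — only `SIGNING_PROJECTNAME`, `tbb_version_type` and `KSPASS`; keep the environment crossing the privilege boundary to what is used, `Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"`. Each kept variable ends up in a file path inside the wrapper, so the wrapper's `case` validation of `SIGNING_PROJECTNAME` and `tbb_version_type` is what makes this rule safe and has to stay in step with this list.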
@@ -1,2 +1,2 @@ -Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS" +Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version tbb_version_type KSPASS" %signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk ===================================== tools/signing/set-config ===================================== @@ -16,6 +16,7 @@ test -n "${SIGNING_PROJECTNAME+x}" \ test "$SIGNING_PROJECTNAME" = 'torbrowser' \ || test "$SIGNING_PROJECTNAME" = 'basebrowser' \ || test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \ + || test "$SIGNING_PROJECTNAME" = 'torvpn' \ || exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME" export SIGNING_PROJECTNAME ===================================== tools/signing/staticiforme-prepare-cdn-dist-upload.torvpn ===================================== @@ -0,0 +1 @@ +staticiforme-prepare-cdn-dist-upload \ No newline at end of file ===================================== tools/signing/sync-builder-to-local.torvpn ===================================== @@ -0,0 +1 @@ +sync-builder-to-local \ No newline at end of file ===================================== tools/signing/sync-builder-to-local.torvpn.dry-run ===================================== @@ -0,0 +1 @@ +sync-builder-to-local \ No newline at end of file ===================================== tools/signing/sync-builder-unsigned-to-local-signed.torvpn ===================================== @@ -0,0 +1 @@ +sync-builder-unsigned-to-local-signed \ No newline at end of file ===================================== tools/signing/sync-builder-unsigned-to-local-signed.torvpn.dry-run ===================================== @@ -0,0 +1 @@ +sync-builder-unsigned-to-local-signed \ No newline at end of file ===================================== tools/signing/sync-linux-signer-to-local.torvpn ===================================== 
@@ -0,0 +1 @@ +sync-linux-signer-to-local \ No newline at end of file ===================================== tools/signing/sync-linux-signer-to-local.torvpn.dry-run ===================================== @@ -0,0 +1 @@ +sync-linux-signer-to-local \ No newline at end of file ===================================== tools/signing/sync-local-to-builder.torvpn ===================================== @@ -0,0 +1 @@ +sync-local-to-builder \ No newline at end of file ===================================== tools/signing/sync-local-to-builder.torvpn.dry-run ===================================== @@ -0,0 +1 @@ +sync-local-to-builder \ No newline at end of file ===================================== tools/signing/sync-local-to-linux-signer.torvpn ===================================== @@ -0,0 +1 @@ +sync-local-to-linux-signer \ No newline at end of file ===================================== tools/signing/sync-local-to-linux-signer.torvpn.dry-run ===================================== @@ -0,0 +1 @@ +sync-local-to-linux-signer \ No newline at end of file ===================================== tools/signing/sync-local-to-staticiforme.torvpn ===================================== @@ -0,0 +1 @@ +sync-local-to-staticiforme \ No newline at end of file ===================================== tools/signing/sync-local-to-staticiforme.torvpn.dry-run ===================================== @@ -0,0 +1 @@ +sync-local-to-staticiforme \ No newline at end of file ===================================== tools/signing/sync-scripts-to-linux-signer.torvpn ===================================== @@ -0,0 +1 @@ +sync-scripts-to-linux-signer \ No newline at end of file ===================================== tools/signing/sync-scripts-to-linux-signer.torvpn.dry-run ===================================== @@ -0,0 +1 @@ +sync-scripts-to-linux-signer \ No newline at end of file ===================================== tools/signing/wrappers/sign-aab ===================================== 
@@ -0,0 +1,41 @@ +#!/bin/bash +set -e + +function exit_error { + for msg in "$@" + do + echo "$msg" >&2 + done + exit 1 +} + +case "$SIGNING_PROJECTNAME" in + torbrowser | mullvadbrowser | torvpn) + ;; + *) + exit_error "Unexpected value for SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME" + ;; +esac + +case "$tbb_version_type" in + release | alpha) + ;; + *) + exit_error "Unexpected value for tbb_version_type: $tbb_version_type" + ;; +esac + +android_signing_key_dir=/home/signing-apk/keys +android_signing_key_path="$android_signing_key_dir/torvpn.p12" +test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing" + +tmpdir=$(mktemp -d) +cd "$tmpdir" + +jarsigner -keystore "${android_signing_key_path}" -storepass:env KSPASS \ + -signedjar /home/signing-apk/signed-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" \ + -verbose /home/signing-apk/unsigned-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" \ + tor-vpn + +cd - +rm -Rf "$tmpdir" ===================================== tools/signing/wrappers/sign-apk ===================================== 
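Review bot: The `case "$SIGNING_PROJECTNAME"` accepts `torbrowser | mullvadbrowser | torvpn`, but the key path and alias below are fixed to `torvpn.p12` and `tor-vpn`, so invoking this wrapper with `SIGNING_PROJECTNAME=torbrowser` would produce a Tor Browser-named `.aab` signed with the Tor VPN key; since the wrapper has no other key to select, restrict the arm to `torvpn)` and let the others fall through to `exit_error`. `tmpdir` is created and entered but no relative path is used afterwards, and under `set -e` a failing `jarsigner` skips `rm -Rf "$tmpdir"`; either drop the temp directory or register `trap 'rm -Rf -- "$tmpdir"' EXIT` right after `mktemp -d` and remove the `cd -`, which also prints the previous directory to stdout. `-storepass:env KSPASS` is the right choice here, as it keeps the passphrase out of argv and out of `ps`.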
@@ -14,15 +14,30 @@ if test "$tbb_version_type" != 'release' \ exit_error "Unexpected value for tbb_version_type: $tbb_version_type" fi +case "$SIGNING_PROJECTNAME" in + torbrowser | mullvadbrowser | torvpn) + ;; + *) + exit_error "Unexpected value for SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME" + ;; +esac + android_signing_key_dir=/home/signing-apk/keys -android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12" +android_signing_key_path="$android_signing_key_dir/$pname_$tbb_version_type.p12" +test -n "$SIGNING_PROJECTNAME" && test "$SIGNING_PROJECTNAME" = 'torvpn' && \ + android_signing_key_path="$android_signing_key_dir/torvpn.p12" test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing" setup_build_tools() { + abt_version=16 + # If signing 14.5, keep using android-12 build tools + # (we can remove this when 15.0 is the stable release) + ( test -z "$tbb_version" || echo "$tbb_version" | grep -q '^14\.5' ) && \ + abt_version=12 build_tools_dir=/signing/android-build-tools - test -f "$build_tools_dir"/android-12/apksigner || \ - exit_error "$build_tools_dir/android-12/apksigner is missing" - export PATH="$build_tools_dir/android-12:${PATH}" + test -f "$build_tools_dir"/android-$abt_version/apksigner || \ + exit_error "$build_tools_dir/android-$abt_version/apksigner is missing" + export PATH="$build_tools_dir/android-$abt_version:${PATH}" } # Sign individual apk View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/82... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/82... You're receiving this email because of your account on gitlab.torproject.org.
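Review bot: `android_signing_key_path="$android_signing_key_dir/$pname_$tbb_version_type.p12"` does not do what it reads as: bash parses `$pname_` as the variable `pname_` (underscore is an identifier character), which is presumably unset, so for torbrowser and mullvadbrowser the path collapses to `/home/signing-apk/keys/release.p12` or `alpha.p12` and the `test -f` guard fails; if `pname` is the intended variable (its definition is outside this hunk) it should be `"$android_signing_key_dir/${pname}_$tbb_version_type.p12"`. The following `test -n "$SIGNING_PROJECTNAME" && test "$SIGNING_PROJECTNAME" = 'torvpn'` is redundant with the `case` above it, which already rejects an empty value; `test "$SIGNING_PROJECTNAME" = 'torvpn' && \` is enough.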