GitLab

at 2025-08-29T12:16:22+02:00

Bug 41522: Adapt signing scripts for tor-vpn

     # enable/disable all android or desktop platforms. If you want to

     # check whether a release includes some android or desktop platforms

     # see signing_android and signing_desktop below.

-    is_android_release: '[% c("var/tor-browser") %]'

-    is_desktop_release: '1'

+    is_android_release: '[% c("var/tor-browser") || c("var/tor-vpn") %]'

+    is_desktop_release: '[% ! c("var/tor-vpn") %]'

 

     # signing_android is used in signing scripts to check if at least

     # one android platform is being signed/published

       max_torbrowser_incremental_from: 2

       build_infos_json: 1

 

+  torvpn:

+    var:

+      tor-vpn: 1

+      torbrowser_version: '1.0.0Beta'

+      torbrowser_build: 'build1'

+      browser_release_date: '2025/08/28 15:33:44'

+      project-name: tor-vpn

+      projectname: torvpn

+      Project_Name: 'Tor VPN'

+      ProjectName: TorVPN

+      project_initials: tv

+

   torbrowser:

     var:

       tor-browser: 1

 echo

 

 [ -z "$platform_android" ] || \

-  [ -f "$steps_dir/linux-signer-sign-android-apks.done" ] || \

+  [ -f "$steps_dir/sync-after-sign-android-apks.done" ] || \

   [ -n "$KSPASS" ] || \

   read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS

 echo

   unset KSPASS

 }

 

+function linux-signer-sign-android-aab {

+  ssh "$ssh_host_linux_signer" 'bash -s' << EOF

+  export KSPASS=$KSPASS

+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-aab.$SIGNING_PROJECTNAME

+EOF

+  unset KSPASS

+}

+

 function sync-after-sign-android-apks {

   "$script_dir/sync-linux-signer-to-local"

 }

   do_step sync-after-signmars

 [ -n "$platform_android" ] && \

   do_step linux-signer-sign-android-apks

+[ "$SIGNING_PROJECTNAME" = 'torvpn' ] && [ -n "$platform_android" ] && \

+  do_step linux-signer-sign-android-aab

 [ -n "$platform_android" ] && \

   do_step sync-after-sign-android-apks

 [ -n "$platform_windows" ] && \

 do_step sync-local-to-staticiforme

 do_step sync-scripts-to-staticiforme

 do_step staticiforme-prepare-cdn-dist-upload

-! is_legacy && \

+[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && ! is_legacy \

   do_step upload-update_responses-to-staticiforme

 do_step finished-signing-clean-linux-signer
+do-all-signing
 }

 

 function check_update_responses_repository_dir {

+  test "$SIGNING_PROJECTNAME" = 'torvpn' && return 0

   if test -z "$update_responses_repository_dir" || ! test -d "$update_responses_repository_dir"

   then

     cat << 'EOF' > /dev/stderr

+linux-signer-gpg-sign
+#!/bin/bash

+

+set -e

+no_generate_config=1

+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

+source "$script_dir/functions"

+

+topdir="$script_dir/../.."

+test "$SIGNING_PROJECTNAME" = 'torvpn'

+projname=$(project-name)

+# tbb_version_type, tbb_version and SIGNING_PROJECTNAME are used in

+# wrappers/sign-apk, so we export them

+export tbb_version tbb_version_type SIGNING_PROJECTNAME

+# (note: we should also export SIGNING_PROJECTNAME and tbb_version in

+# the maint-14.5 branch)

+

+check_installed_packages() {

+  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'

+  for package in $packages

+  do

+    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \

+      exit_error "package $package is missing"

+  done

+}

+

+sign_aab() {

+  sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-aab

+}

+

+check_installed_packages

+

+if [ -z "$KSPASS" ]; then

+    echo "Enter keystore passphrase"

+    stty -echo; read KSPASS; stty echo

+    export KSPASS

+fi

+

+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/$projname-$tbb_version.aab \

+  /home/signing-apk/unsigned-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab"

+

+sign_aab

+

+cp /home/signing-apk/signed-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" \

+  ~/"$SIGNING_PROJECTNAME-$tbb_version"/$projname-$tbb_version.aab

+rm /home/signing-apk/signed-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab"

+rm /home/signing-apk/unsigned-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab"
+linux-signer-sign-android-aab
 

 topdir="$script_dir/../.."

 ARCHS="armv7 aarch64 x86 x86_64"

+test "$SIGNING_PROJECTNAME" = 'torvpn' && ARCHS='multiarch'

 projname=$(project-name)

-# tbb_version_type is used in wrappers/sign-apk, so we export it

-export tbb_version_type

+# tbb_version_type, tbb_version and SIGNING_PROJECTNAME are used in

+# wrappers/sign-apk, so we export them

+export tbb_version tbb_version_type SIGNING_PROJECTNAME

 

 check_installed_packages() {

   local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'

 }

 

 setup_build_tools() {

+  abt_version=16

   build_tools_dir=/signing/android-build-tools

-  test -f "$build_tools_dir"/android-12/apksigner || \

-    exit_error "$build_tools_dir/android-12/apksigner is missing"

-  export PATH="$build_tools_dir/android-12:${PATH}"

+  test -f "$build_tools_dir"/android-$abt_version/apksigner || \

+    exit_error "$build_tools_dir/android-$abt_version/apksigner is missing"

+  export PATH="$build_tools_dir/android-$abt_version:${PATH}"

 }

 

 sign_apk() {

   scheme_v1="Verified using v1 scheme (JAR signing): true"

   scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"

 

-  # Verify the expected signing key was used, Alpha verses Release based on the filename.

   if test "$tbb_version_type" = "alpha"; then

     cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"

     pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"

     cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"

     pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"

   fi

+  if test "$SIGNING_PROJECTNAME" = "torvpn"; then

+    # No v1 scheme signature on torvpn apk

+    scheme_v1=''

+    cert_digest="Signer #1 certificate SHA-256 digest: c2f6ffa30e56a7c53a226248ef908612ee539df2f52bede5a55037425b83331d"

+    pubkey_digest="Signer #1 public key SHA-256 digest: fddc5f93ae0bc971e951481b0b5e6b62e47040fe979ff535cf75daade2f13f3d"

+  fi

   for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do

+    test -z "$digest" && continue

     if ! echo "${verified}" | grep -q "${digest}"; then

       echo "Expected digest not found:"

       echo ${digest}

 chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"

 chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"

 cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk \

-  ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.bspatch \

   ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"

+test "$SIGNING_PROJECTNAME" != 'torvpn' && \

+  cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.bspatch \

+    ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"

 cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"

 

 # Sign all packages

   unsigned_apk=${projname}-qa-unsigned-android-${arch}-${tbb_version}.apk

   unsigned_apk_bspatch=${projname}-qa-unsign-android-${arch}-${tbb_version}.bspatch

   signed_apk=${projname}-android-${arch}-${tbb_version}.apk

-  bspatch "$qa_apk" "$unsigned_apk" "$unsigned_apk_bspatch"

+  test -f "$unsigned_apk" || \

+    bspatch "$qa_apk" "$unsigned_apk" "$unsigned_apk_bspatch"

   sign_apk "$unsigned_apk" "$signed_apk"

   verify_apk "$signed_apk"

   cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"

+linux-signer-sign-android-apks
 sudoers_file sign-mar

 sudoers_file sign-exe

 sudoers_file sign-apk

+sudoers_file sign-aab

 sudoers_file sign-rcodesign

 sudoers_file sign-rcodesign-128

 sudoers_file set-date

 create_user pierov signing

 authorized_keys pierov pierov.pub

 

+mkdir -p /home/signing-apk/unsigned-files /home/signing-apk/signed-files

+chgrp signing /home/signing-apk/unsigned-files /home/signing-apk/signed-files

+chmod g+rwx /home/signing-apk/unsigned-files /home/signing-apk/signed-files

+

 # Install rbm deps

 install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \

                  libio-handle-util-perl libio-all-perl \

+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version tbb_version_type KSPASS"

+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-aab
-Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"

+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version tbb_version_type KSPASS"

 %signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk
 test "$SIGNING_PROJECTNAME" = 'torbrowser' \

   || test "$SIGNING_PROJECTNAME" = 'basebrowser' \

   || test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \

+  || test "$SIGNING_PROJECTNAME" = 'torvpn' \

   || exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME"

 

 export SIGNING_PROJECTNAME

+staticiforme-prepare-cdn-dist-upload
+sync-builder-to-local
+sync-builder-to-local
+sync-builder-unsigned-to-local-signed
+sync-builder-unsigned-to-local-signed
+sync-linux-signer-to-local
+sync-linux-signer-to-local
+sync-local-to-builder
+sync-local-to-builder
+sync-local-to-linux-signer
+sync-local-to-linux-signer
+sync-local-to-staticiforme
+sync-local-to-staticiforme
+sync-scripts-to-linux-signer
+sync-scripts-to-linux-signer
+#!/bin/bash

+set -e

+

+function exit_error {

+  for msg in "$@"

+  do

+    echo "$msg" >&2

+  done

+  exit 1

+}

+

+case "$SIGNING_PROJECTNAME" in

+  torbrowser | mullvadbrowser | torvpn)

+    ;;

+  *)

+    exit_error "Unexpected value for SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"

+    ;;

+esac

+

+case "$tbb_version_type" in

+  release | alpha)

+    ;;

+  *)

+    exit_error "Unexpected value for tbb_version_type: $tbb_version_type"

+    ;;

+esac

+

+android_signing_key_dir=/home/signing-apk/keys

+android_signing_key_path="$android_signing_key_dir/torvpn.p12"

+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"

+

+tmpdir=$(mktemp -d)

+cd "$tmpdir"

+

+jarsigner -keystore "${android_signing_key_path}" -storepass:env KSPASS \

+  -signedjar /home/signing-apk/signed-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" \

+  -verbose /home/signing-apk/unsigned-files/"$SIGNING_PROJECTNAME-$tbb_version_type.aab" \

+  tor-vpn

+

+cd -

+rm -Rf "$tmpdir"
   exit_error "Unexpected value for tbb_version_type: $tbb_version_type"

 fi

 

+case "$SIGNING_PROJECTNAME" in

+  torbrowser | mullvadbrowser | torvpn)

+    ;;

+  *)

+    exit_error "Unexpected value for SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"

+    ;;

+esac

+

 android_signing_key_dir=/home/signing-apk/keys

-android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"

+android_signing_key_path="$android_signing_key_dir/$pname_$tbb_version_type.p12"

+test -n "$SIGNING_PROJECTNAME" && test "$SIGNING_PROJECTNAME" = 'torvpn' && \

+  android_signing_key_path="$android_signing_key_dir/torvpn.p12"

 test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"

 

 setup_build_tools() {

+  abt_version=16

+  # If signing 14.5, keep using android-12 build tools

+  # (we can remove this when 15.0 is the stable release)

+  ( test -z "$tbb_version" || echo "$tbb_version" | grep -q '^14\.5' ) && \

+    abt_version=12

   build_tools_dir=/signing/android-build-tools

-  test -f "$build_tools_dir"/android-12/apksigner || \

-    exit_error "$build_tools_dir/android-12/apksigner is missing"

-  export PATH="$build_tools_dir/android-12:${PATH}"

+  test -f "$build_tools_dir"/android-$abt_version/apksigner || \

+    exit_error "$build_tools_dir/android-$abt_version/apksigner is missing"

+  export PATH="$build_tools_dir/android-$abt_version:${PATH}"

 }

 

 # Sign individual apk

boklm pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

30 changed files:

Changes:

	1	+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version tbb_version_type KSPASS"
	2	+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-aab

	1	+staticiforme-prepare-cdn-dist-upload
		\ No newline at end of file

	1	+sync-builder-unsigned-to-local-signed
		\ No newline at end of file