commit 9836227e4ae27123a3eb27167dc6dca13b5d1027 Author: Nicolas Vigier boklm@torproject.org Date: Mon Oct 10 19:44:10 2016 +0200
Bug 20217: check that OSX incremental MARs are made with code signing
When updating the OSX incremental MAR files after running dmg2mar, we check that both the old and the new mar files contain code signing.
We don't check this while creating the incremental MAR files during the build. --- gitian/Makefile | 4 ++-- tools/update-responses/update_responses | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/gitian/Makefile b/gitian/Makefile
index f008834..a4a757f 100644
--- a/gitian/Makefile
+++ b/gitian/Makefile
@@ -48,12 +48,12 @@ signmars-nightly:
dmg2mars:
cd $(shell ../tools/update-responses/get_channel_version release) && ../../tools/dmg2mar
$(TORSOCKS) ../tools/update-responses/download_missing_versions release
- MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals release
+ CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals release
dmg2mars-alpha:
cd $(shell ../tools/update-responses/get_channel_version alpha) && ../../tools/dmg2mar
$(TORSOCKS) ../tools/update-responses/download_missing_versions alpha
- MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals alpha
+ CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals alpha
update_responses:
../tools/update-responses/update_responses release
diff --git a/tools/update-responses/update_responses b/tools/update-responses/update_responses
index 7962f69..ceba144 100755
--- a/tools/update-responses/update_responses
+++ b/tools/update-responses/update_responses
@@ -197,6 +197,12 @@ sub create_incremental_mar {
my $tmpdir = File::Temp->newdir();
extract_mar(mar_filename($from_version, $os, $lang), "$tmpdir/A");
extract_mar(mar_filename($new_version, $os, $lang), "$tmpdir/B");
+ if ($ENV{CHECK_CODESIGNATURE_EXISTS}) {
+ unless (-f "$tmpdir/A/TorBrowser.app/Contents/_CodeSignature/CodeResources"
+ && -f "$tmpdir/B/TorBrowser.app/Contents/_CodeSignature/CodeResources") {
+ exit_error "Missing code signature while creating $mar_file";
+ }
+ }
my ($out, $err, $success) = capture_exec('make_incremental_update.sh', $mar_file_path, "$tmpdir/A", "$tmpdir/B");
if (!$success) {
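Review bot: `CHECK_CODESIGNATURE_EXISTS=1` reaches the script only through the environment prefix on the two `gen_incrementals` recipe lines (dmg2mars and dmg2mars-alpha), so the signature check is skipped without any message when `gen_incrementals` is run by hand after dmg2mar. Nothing in the Makefile records why the variable is set on these targets and not on other callers; a comment above each target such as `# MARs from dmg2mar must be code-signed: abort if either side of an incremental lacks _CodeSignature` would keep that from being dropped in a later edit. Whether any other target rebuilds OSX incrementals from dmg2mar output and needs the same prefix cannot be seen from this hunk.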
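Review bot: The new guard in create_incremental_mar fails with `Missing code signature while creating $mar_file`, which does not say whether the `$from_version` or the `$new_version` MAR is the unsigned one, and the `_CodeSignature/CodeResources` path is spelled out twice. Testing each extracted tree in turn and naming the version in the message would point the operator at the MAR that has to be regenerated. The test is `-f` only, so it catches a MAR built from an unsigned bundle but says nothing about whether the signature is valid; a short comment stating that would stop readers from taking it for verification. The check also runs for whatever `$os` is passed once the variable is set, which looks safe only while the Makefile targets leave just OSX incrementals to build, so that assumption is worth confirming or guarding. The sub begins and ends outside the hunk.

```perl
extract_mar(mar_filename($new_version, $os, $lang), "$tmpdir/B");
if ($ENV{CHECK_CODESIGNATURE_EXISTS}) {
    # Presence check only: confirms each MAR was built from a signed
    # bundle, not that the signature itself is valid.
    my $sig = 'TorBrowser.app/Contents/_CodeSignature/CodeResources';
    foreach my $side (['A', $from_version], ['B', $new_version]) {
        my ($dir, $version) = @$side;
        next if -f "$tmpdir/$dir/$sig";
        exit_error "Missing code signature in $version MAR while creating $mar_file";
    }
}
# … unchanged: capture_exec('make_incremental_update.sh', …) and its error handling …
```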