Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
-
1fb6aaae
by Pier Angelo Vendrame at 2024-07-30T11:10:15+02:00
-
f51f78b2
by Pier Angelo Vendrame at 2024-07-30T11:10:28+02:00
9 changed files:
- − .gitattributes
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
- − projects/browser/allowed_addons.json
- projects/browser/build.android
- projects/browser/config
- − projects/browser/verify_allowed_addons.py
- − tools/fetch_allowed_addons.py
- tools/relprep.py
Changes:
1 | -projects/browser/allowed_addons.json -diff |
... | ... | @@ -59,8 +59,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
59 | 59 | - [ ] `fenix_version` : update to match alpha `firefox-android` build tag
|
60 | 60 | - [ ] `browser_branch` : update to match alpha `firefox-android` build tag
|
61 | 61 | - [ ] `browser_build` : update to match alpha `firefox-android` build tag
|
62 | - - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
|
|
63 | - - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
|
|
64 | 62 | - [ ] Update `projects/translation/config`:
|
65 | 63 | - [ ] run `make list_translation_updates-alpha` to get updated hashes
|
66 | 64 | - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
... | ... | @@ -60,8 +60,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
60 | 60 | - [ ] `browser_branch` : update to match stable `firefox-android` build tag
|
61 | 61 | - [ ] `browser_build` : update to match stable `firefox-android` build tag
|
62 | 62 | variant: Beta
|
63 | - - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
|
|
64 | - - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
|
|
65 | 63 | - [ ] Update `projects/translation/config`:
|
66 | 64 | - [ ] run `make list_translation_updates-release` to get updated hashes
|
67 | 65 | - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
|
... | ... | @@ -39,15 +39,6 @@ unzip ../omni.ja |
39 | 39 | }) %]
|
40 | 40 | popd
|
41 | 41 | |
42 | - |
|
43 | -[% IF c("var/verify_allowed_addons") %]
|
|
44 | - # Check that allowed_addons.json contains the right versions of our bundled extension(s).
|
|
45 | - # If so, replace the default allowed_addons.json by ours in the apk assets folder.
|
|
46 | - $rootdir/verify_allowed_addons.py "$rootdir/allowed_addons.json" "$noscript_path"
|
|
47 | -[% END %]
|
|
48 | - |
|
49 | -mv $rootdir/allowed_addons.json $assets_dir/allowed_addons.json
|
|
50 | - |
|
51 | 42 | mkdir apk
|
52 | 43 | pushd apk
|
53 | 44 | 7zz x "$apk"
|
... | ... | @@ -49,7 +49,6 @@ targets: |
49 | 49 | android:
|
50 | 50 | build: '[% INCLUDE build.android %]'
|
51 | 51 | var:
|
52 | - verify_allowed_addons: 1
|
|
53 | 52 | arch_deps:
|
54 | 53 | - 7zip
|
55 | 54 | - openjdk-17-jdk-headless
|
... | ... | @@ -160,10 +159,6 @@ input_files: |
160 | 159 | enable: '[% c("var/namecoin") %]'
|
161 | 160 | - filename: namecoin.patch
|
162 | 161 | enable: '[% c("var/namecoin") %]'
|
163 | - - filename: allowed_addons.json
|
|
164 | - enable: '[% c("var/android") %]'
|
|
165 | - - filename: verify_allowed_addons.py
|
|
166 | - enable: '[% c("var/android") && c("var/verify_allowed_addons") %]'
|
|
167 | 162 | - project: manual
|
168 | 163 | name: manual
|
169 | 164 | enable: '[% ! c("var/android") && c("var/tor-browser") %]'
|
1 | -#!/usr/bin/env python3
|
|
2 | - |
|
3 | -import json
|
|
4 | -import sys
|
|
5 | -import hashlib
|
|
6 | -import zipfile
|
|
7 | - |
|
8 | -def find_addon(addons, addon_id):
|
|
9 | - results = addons['results']
|
|
10 | - for x in results:
|
|
11 | - addon = x['addon']
|
|
12 | - if addon['guid'] == addon_id:
|
|
13 | - return addon
|
|
14 | - sys.exit("Error: cannot find addon " + addon_id)
|
|
15 | - |
|
16 | -def verify_extension_version(addons, addon_id, version):
|
|
17 | - addon = find_addon(addons, addon_id)
|
|
18 | - expected_version = addon['current_version']['version']
|
|
19 | - if version != expected_version:
|
|
20 | - sys.exit("Error: version " + version + " != " + expected_version)
|
|
21 | - |
|
22 | -def verify_extension_hash(addons, addon_id, hash):
|
|
23 | - addon = find_addon(addons, addon_id)
|
|
24 | - expected_hash = addon["current_version"]["files"][0]["hash"]
|
|
25 | - if hash != expected_hash:
|
|
26 | - sys.exit("Error: hash " + hash + " != " + expected_hash)
|
|
27 | - |
|
28 | -def read_extension_manifest(path):
|
|
29 | - return json.loads(zipfile.ZipFile(path, 'r').read('manifest.json'))
|
|
30 | - |
|
31 | -def main(argv):
|
|
32 | - allowed_addons_path = argv[0]
|
|
33 | - noscript_path = argv[1]
|
|
34 | - |
|
35 | - addons = None
|
|
36 | - with open(allowed_addons_path, 'r') as file:
|
|
37 | - addons = json.loads(file.read())
|
|
38 | - |
|
39 | - noscript_hash = None
|
|
40 | - with open(noscript_path, 'rb') as file:
|
|
41 | - noscript_hash = "sha256:" + hashlib.sha256(file.read()).hexdigest()
|
|
42 | - |
|
43 | - noscript_version = read_extension_manifest(noscript_path)["version"]
|
|
44 | - |
|
45 | - verify_extension_hash(addons, '{73a6fe31-595d-460b-a920-fcc0f8843232}', noscript_hash)
|
|
46 | - verify_extension_version(addons, '{73a6fe31-595d-460b-a920-fcc0f8843232}', noscript_version)
|
|
47 | - |
|
48 | -if __name__ == "__main__":
|
|
49 | - main(sys.argv[1:]) |
1 | -#!/usr/bin/env python3
|
|
2 | - |
|
3 | -import urllib.request
|
|
4 | -import json
|
|
5 | -import base64
|
|
6 | -import sys
|
|
7 | - |
|
8 | -NOSCRIPT = "{73a6fe31-595d-460b-a920-fcc0f8843232}"
|
|
9 | - |
|
10 | - |
|
11 | -def fetch(x):
|
|
12 | - with urllib.request.urlopen(x) as response:
|
|
13 | - return response.read()
|
|
14 | - |
|
15 | - |
|
16 | -def find_addon(addons, addon_id):
|
|
17 | - results = addons["results"]
|
|
18 | - for x in results:
|
|
19 | - addon = x["addon"]
|
|
20 | - if addon["guid"] == addon_id:
|
|
21 | - return addon
|
|
22 | - |
|
23 | - |
|
24 | -def fetch_and_embed_icons(addons):
|
|
25 | - results = addons["results"]
|
|
26 | - for x in results:
|
|
27 | - addon = x["addon"]
|
|
28 | - icon_data = fetch(addon["icon_url"])
|
|
29 | - addon["icon_url"] = "data:image/png;base64," + str(
|
|
30 | - base64.b64encode(icon_data), "utf8"
|
|
31 | - )
|
|
32 | - |
|
33 | - |
|
34 | -def fetch_allowed_addons(amo_collection=None):
|
|
35 | - if amo_collection is None:
|
|
36 | - amo_collection = "83a9cccfe6e24a34bd7b155ff9ee32"
|
|
37 | - url = f"https://services.addons.mozilla.org/api/v4/accounts/account/mozilla/collections/{amo_collection}/addons/"
|
|
38 | - data = json.loads(fetch(url))
|
|
39 | - fetch_and_embed_icons(data)
|
|
40 | - data["results"].sort(key=lambda x: x["addon"]["guid"])
|
|
41 | - return data
|
|
42 | - |
|
43 | - |
|
44 | -def main(argv):
|
|
45 | - data = fetch_allowed_addons(argv[0] if len(argv) > 1 else None)
|
|
46 | - # Check that NoScript is present
|
|
47 | - if find_addon(data, NOSCRIPT) is None:
|
|
48 | - sys.exit("Error: cannot find NoScript.")
|
|
49 | - print(json.dumps(data, indent=2, ensure_ascii=False))
|
|
50 | - |
|
51 | - |
|
52 | -if __name__ == "__main__":
|
|
53 | - main(sys.argv[1:]) |
... | ... | @@ -4,7 +4,6 @@ from collections import namedtuple |
4 | 4 | import configparser
|
5 | 5 | from datetime import datetime, timezone
|
6 | 6 | from hashlib import sha256
|
7 | -import json
|
|
8 | 7 | import locale
|
9 | 8 | import logging
|
10 | 9 | from pathlib import Path
|
... | ... | @@ -16,7 +15,6 @@ from git import Repo |
16 | 15 | import requests
|
17 | 16 | import ruamel.yaml
|
18 | 17 | |
19 | -from fetch_allowed_addons import NOSCRIPT, fetch_allowed_addons, find_addon
|
|
20 | 18 | import fetch_changelogs
|
21 | 19 | from update_manual import update_manual
|
22 | 20 | |
... | ... | @@ -303,28 +301,27 @@ class ReleasePreparation: |
303 | 301 | logger.info("Updating addons")
|
304 | 302 | config = self.load_config("browser")
|
305 | 303 | |
306 | - amo_data = fetch_allowed_addons()
|
|
307 | - logger.debug("Fetched AMO data")
|
|
308 | - if self.android:
|
|
309 | - with (
|
|
310 | - self.base_path / "projects/browser/allowed_addons.json"
|
|
311 | - ).open("w") as f:
|
|
312 | - json.dump(amo_data, f, indent=2)
|
|
313 | - |
|
314 | - noscript = find_addon(amo_data, NOSCRIPT)
|
|
315 | 304 | logger.debug("Updating NoScript")
|
316 | - self.update_addon_amo(config, "noscript", noscript)
|
|
305 | + self.update_addon_amo(
|
|
306 | + config, "noscript", "{73a6fe31-595d-460b-a920-fcc0f8843232}"
|
|
307 | + )
|
|
317 | 308 | if self.mullvad_browser:
|
318 | 309 | logger.debug("Updating uBlock Origin")
|
319 | - ublock = find_addon(amo_data, "uBlock0@raymondhill.net")
|
|
320 | - self.update_addon_amo(config, "ublock-origin", ublock)
|
|
310 | + self.update_addon_amo(
|
|
311 | + config, "ublock-origin", "uBlock0@raymondhill.net"
|
|
312 | + )
|
|
321 | 313 | logger.debug("Updating the Mullvad Browser extension")
|
322 | 314 | self.update_mullvad_addon(config)
|
323 | 315 | |
324 | 316 | self.save_config("browser", config)
|
325 | 317 | |
326 | - def update_addon_amo(self, config, name, addon):
|
|
327 | - addon = addon["current_version"]["files"][0]
|
|
318 | + def update_addon_amo(self, config, name, addon_id):
|
|
319 | + r = requests.get(
|
|
320 | + f"https://services.addons.mozilla.org/api/v4/addons/addon/{addon_id}"
|
|
321 | + )
|
|
322 | + r.raise_for_status()
|
|
323 | + amo_data = r.json()
|
|
324 | + addon = amo_data["current_version"]["files"][0]
|
|
328 | 325 | assert addon["hash"].startswith("sha256:")
|
329 | 326 | addon_input = self.find_input(config, name)
|
330 | 327 | addon_input["URL"] = addon["url"]
|
... | ... | @@ -448,9 +445,9 @@ class ReleasePreparation: |
448 | 445 | major = major[2:]
|
449 | 446 | return major
|
450 | 447 | |
448 | + logger.info("Updating Go")
|
|
451 | 449 | config = self.load_config("go")
|
452 | - # TODO: When Windows 7 goes EOL use config["version"]
|
|
453 | - major = get_major(config["var"]["go_1_21"])
|
|
450 | + major = get_major(config["version"])
|
|
454 | 451 | |
455 | 452 | r = requests.get("https://go.dev/dl/?mode=json")
|
456 | 453 | r.raise_for_status()
|
... | ... | @@ -463,7 +460,7 @@ class ReleasePreparation: |
463 | 460 | if not data:
|
464 | 461 | raise KeyError("Could not find information for our Go series.")
|
465 | 462 | # Skip the "go" prefix in the version.
|
466 | - config["var"]["go_1_21"] = data["version"][2:]
|
|
463 | + config["version"] = data["version"][2:]
|
|
467 | 464 | |
468 | 465 | sha256sum = ""
|
469 | 466 | for f in data["files"]:
|
... | ... | @@ -472,15 +469,7 @@ class ReleasePreparation: |
472 | 469 | break
|
473 | 470 | if not sha256sum:
|
474 | 471 | raise KeyError("Go source package not found.")
|
475 | - updated_hash = False
|
|
476 | - for input_ in config["input_files"]:
|
|
477 | - if "URL" in input_ and "var/go_1_21" in input_["URL"]:
|
|
478 | - input_["sha256sum"] = sha256sum
|
|
479 | - updated_hash = True
|
|
480 | - break
|
|
481 | - if not updated_hash:
|
|
482 | - raise KeyError("Could not find a matching entry in input_files.")
|
|
483 | - |
|
472 | + self.find_input(config, "go")["sha256sum"] = sha256sum
|
|
484 | 473 | self.save_config("go", config)
|
485 | 474 | |
486 | 475 | def update_manual(self):
|
... | ... | @@ -556,18 +545,11 @@ class ReleasePreparation: |
556 | 545 | # Sometimes this might be incorrect for alphas, but let's
|
557 | 546 | # keep it for now.
|
558 | 547 | kwargs["firefox"] += "esr"
|
559 | - self.check_update_simple(kwargs, prev_tag, "tor")
|
|
560 | - self.check_update_simple(kwargs, prev_tag, "openssl")
|
|
561 | - self.check_update_simple(kwargs, prev_tag, "zlib")
|
|
562 | - self.check_update_simple(kwargs, prev_tag, "zstd")
|
|
563 | - try:
|
|
564 | - self.check_update(kwargs, prev_tag, "go", ["var", "go_1_21"])
|
|
565 | - except KeyError as e:
|
|
566 | - logger.warning(
|
|
567 | - "Go: var/go_1_21 not found, marking Go as not updated.",
|
|
568 | - exc_info=e,
|
|
569 | - )
|
|
570 | - pass
|
|
548 | + self.check_update(kwargs, prev_tag, "tor")
|
|
549 | + self.check_update(kwargs, prev_tag, "openssl")
|
|
550 | + self.check_update(kwargs, prev_tag, "zlib")
|
|
551 | + self.check_update(kwargs, prev_tag, "zstd")
|
|
552 | + self.check_update(kwargs, prev_tag, "go")
|
|
571 | 553 | self.check_update_extensions(kwargs, prev_tag)
|
572 | 554 | logger.debug("Changelog arguments for %s: %s", tag_prefix, kwargs)
|
573 | 555 | cb = fetch_changelogs.ChangelogBuilder(
|
... | ... | @@ -587,7 +569,7 @@ class ReleasePreparation: |
587 | 569 | with (self.base_path / path).open("w") as f:
|
588 | 570 | f.write(changelogs + "\n" + last_changelogs + "\n")
|
589 | 571 | |
590 | - def check_update(self, updates, prev_tag, project, key):
|
|
572 | + def check_update(self, updates, prev_tag, project, key=["version"]):
|
|
591 | 573 | old_val = self.load_old_config(prev_tag.tag, project)
|
592 | 574 | new_val = self.load_config(project)
|
593 | 575 | for k in key:
|
... | ... | @@ -596,9 +578,6 @@ class ReleasePreparation: |
596 | 578 | if old_val != new_val:
|
597 | 579 | updates[project] = new_val
|
598 | 580 | |
599 | - def check_update_simple(self, updates, prev_tag, project):
|
|
600 | - self.check_update(updates, prev_tag, project, ["version"])
|
|
601 | - |
|
602 | 581 | def check_update_extensions(self, updates, prev_tag):
|
603 | 582 | old_config = self.load_old_config(prev_tag, "browser")
|
604 | 583 | new_config = self.load_config("browser")
|