commit 748c56459b1304207502754d8541c089edc4051a Author: Nicolas Vigier boklm@mars-attacks.org Date: Mon Jul 20 19:59:27 2015 +0200
Bug #15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
And sha256sums.incrementals.txt to sha256sums-unsigned-build.incrementals.txt. --- gitian/README.build | 13 +++++++------ gitian/check-match.sh | 20 ++++++++++---------- gitian/hash-bundles.sh | 13 ++++++++++--- gitian/upload-signature.sh | 12 ++++++------ tools/authenticode_check.sh | 4 ++-- tools/update-responses/update_responses | 12 +++++++----- 6 files changed, 42 insertions(+), 32 deletions(-)
diff --git a/gitian/README.build b/gitian/README.build index 4b211a0..656dddd 100644 --- a/gitian/README.build +++ b/gitian/README.build @@ -118,14 +118,15 @@ Detailed Explanation of Scripts: inputs for inclusion in the 'Docs/sources' subdirectory of the bundles themselves.
- 10. hash-bundles.sh: This script generates a 'sha256sums.txt' file in sorted,
- reproducible order.
+ 10. hash-bundles.sh: This script generates a 'sha256sums-unsigned-build.txt'
+ file in sorted, reproducible order.
- 11. check-match.sh: This script checks your 'sha256sums.txt' file against
- any signed, published builds.
+ 11. check-match.sh: This script checks your 'sha256sums-unsigned-build.txt'
+ file against any signed, published builds.
- 12. upload-signature.sh: This script signs and uploads your 'sha256sums.txt' - file (for use if you are an official builder). + 12. upload-signature.sh: This script signs and uploads your + 'sha256sums-unsigned-build.txt' file (for use if you are an official + builder). 13. signmars.sh: This script generates the signatures on the update (.mar) files. It expects an nssdb directory, containing the key, in the same directory (i.e. tor-browser-bundle/gitian where it is located, too) and diff --git a/gitian/check-match.sh b/gitian/check-match.sh index 71a57f2..e264ef3 100755 --- a/gitian/check-match.sh +++ b/gitian/check-match.sh @@ -37,24 +37,24 @@ do mkdir -p $TORBROWSER_BUILDDIR/$u cd $TORBROWSER_BUILDDIR/$u
- wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums.txt || continue
- wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums.txt.asc || continue
+ wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.txt || continue
+ wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.txt.... || continue
keyring="../../gpg/$u.gpg"
# XXX: Remove this dir gpghome=$(mktemp -d) GNUPGHOME="$gpghome" gpg --import "$keyring" - GNUPGHOME="$gpghome" gpg sha256sums.txt.asc || exit 1 + GNUPGHOME="$gpghome" gpg sha256sums-unsigned-build.txt.asc || exit 1
- diff -u ../sha256sums.txt sha256sums.txt || exit 1
+ diff -u ../sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt || exit 1
VALID="$u $VALID" done cd ../..
# XXX: We should refactor this code into a shared function -if [ -f $TORBROWSER_BUILDDIR/sha256sums.incrementals.txt ] +if [ -f $TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incrementals.txt ] then for u in $USERS do @@ -64,17 +64,17 @@ then mkdir -p $TORBROWSER_BUILDDIR/$u cd $TORBROWSER_BUILDDIR/$u
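Review bot: The signature check on the renamed file, `GNUPGHOME="$gpghome" gpg sha256sums-unsigned-build.txt.asc || exit 1`, runs gpg without a command, so gpg decides what to do from the content of the downloaded `.asc`, and the exit status does not by itself show that a detached signature over `sha256sums-unsigned-build.txt` was verified. Naming both files makes the intent explicit and fails when the `.asc` is not a signature for that file: `GNUPGHOME="$gpghome" gpg --verify sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.txt || exit 1`. The same applies to the `sha256sums-unsigned-build.incrementals.txt.asc` check in the next hunk, and `update_responses` in this commit already passes both files to `--verify`. The loop body starts outside the hunk.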
- wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums.incrementals.txt || continue
- wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums.incrementals.txt.as... || continue
+ wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incr... || continue
+ wget -U "" -N https://$HOST/~$u/builds/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incr... || continue
keyring="../../gpg/$u.gpg"
# XXX: Remove this dir gpghome=$(mktemp -d) GNUPGHOME="$gpghome" gpg --import "$keyring" - GNUPGHOME="$gpghome" gpg sha256sums.incrementals.txt.asc || exit 1 + GNUPGHOME="$gpghome" gpg sha256sums-unsigned-build.incrementals.txt.asc || exit 1
- diff -u ../sha256sums.incrementals.txt sha256sums.incrementals.txt || exit 1
+ diff -u ../sha256sums-unsigned-build.incrementals.txt sha256sums-unsigned-build.incrementals.txt || exit 1
VALID_incrementals="$u $VALID_incrementals" done @@ -91,7 +91,7 @@ else echo "Matching bundles exist from the following users: $VALID" fi
-if [ -f $TORBROWSER_BUILDDIR/sha256sums.incrementals.txt ] +if [ -f $TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incrementals.txt ] then if [ -z "$VALID_incrementals" ] then diff --git a/gitian/hash-bundles.sh b/gitian/hash-bundles.sh index fe04699..006ed0b 100755 --- a/gitian/hash-bundles.sh +++ b/gitian/hash-bundles.sh @@ -19,11 +19,11 @@ eval $(./get-tb-version $TORBROWSER_VERSION_TYPE) export LC_ALL=C
cd $TORBROWSER_BUILDDIR -rm -f sha256sums.txt sha256sums.incrementals.txt -sha256sum `ls -1 | grep -v '.incremental.mar$' | sort` > sha256sums.txt +rm -f sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt +sha256sum `ls -1 | grep -v '.incremental.mar$' | sort` > sha256sums-unsigned-build.txt if ls -1 | grep -q '.incremental.mar$' then - sha256sum `ls -1 | grep '.incremental.mar$' | sort` > sha256sums.incrementals.txt + sha256sum `ls -1 | grep '.incremental.mar$' | sort` > sha256sums-unsigned-build.incrementals.txt echo echo "If this is an official build, you should now sign your result with: " echo " make sign" @@ -42,4 +42,11 @@ else echo " make incrementals && make hash" fi
+cat > .htaccess <<EOF +RewriteEngine On +RewriteRule ^sha256sums.txt$ sha256sums-unsigned-build.txt +RewriteRule ^sha256sums.txt.asc$ sha256sums-unsigned-build.txt.asc +RewriteRule ^sha256sums.incrementals.txt$ sha256sums-unsigned-build.incrementals.txt +RewriteRule ^sha256sums.incrementals.txt.asc$ sha256sums-unsigned-build.incrementals.txt.asc +EOF
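Review bot: The generated `.htaccess` rules use unescaped dots, so `^sha256sums.txt$` matches any character in those positions, and the heredoc delimiter is unquoted, so the `$` anchors reach the file only because the shell leaves a `$` followed by a space alone. Quoting the delimiter and escaping the dots keeps the patterns literal: `cat > .htaccess <<'EOF'` with rules of the form `RewriteRule ^sha256sums\.txt$ sha256sums-unsigned-build.txt`. A short comment above the heredoc would also help, since the rewrites appear to exist so that the old file names keep resolving, for example `# Keep the pre-rename sha256sums*.txt URLs working`.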
diff --git a/gitian/upload-signature.sh b/gitian/upload-signature.sh index c403cd5..41a01f6 100755 --- a/gitian/upload-signature.sh +++ b/gitian/upload-signature.sh @@ -23,20 +23,20 @@ fi . $VERSIONS_FILE eval $(./get-tb-version $TORBROWSER_VERSION_TYPE)
-if [ ! -f $TORBROWSER_BUILDDIR/sha256sums.txt.asc ]; +if [ ! -f $TORBROWSER_BUILDDIR/sha256sums-unsigned-build.txt.asc ]; then - pushd $TORBROWSER_BUILDDIR && gpg -abs sha256sums.txt + pushd $TORBROWSER_BUILDDIR && gpg -abs sha256sums-unsigned-build.txt popd fi
-if [ -f $TORBROWSER_BUILDDIR/sha256sums.incrementals.txt ] \ - && [ ! -f $TORBROWSER_BUILDDIR/sha256sums.incrementals.txt.asc ] +if [ -f $TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incrementals.txt ] \ + && [ ! -f $TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incrementals.txt.asc ] then - pushd $TORBROWSER_BUILDDIR && gpg -abs sha256sums.incrementals.txt + pushd $TORBROWSER_BUILDDIR && gpg -abs sha256sums-unsigned-build.incrementals.txt popd fi
ssh $HOST "mkdir -p $BASE_DIR/$TORBROWSER_BUILDDIR" -scp $TORBROWSER_BUILDDIR/sha256sums*.txt* $HOST:$BASE_DIR/$TORBROWSER_BUILDDIR/ +scp $TORBROWSER_BUILDDIR/.htaccess $TORBROWSER_BUILDDIR/sha256sums-unsigned-build*.txt* $HOST:$BASE_DIR/$TORBROWSER_BUILDDIR/ ssh $HOST "chmod 755 $BASE_DIR/$TORBROWSER_BUILDDIR && chmod 644 $BASE_DIR/$TORBROWSER_BUILDDIR/*" diff --git a/tools/authenticode_check.sh b/tools/authenticode_check.sh index 646fdce..32b1f92 100755 --- a/tools/authenticode_check.sh +++ b/tools/authenticode_check.sh @@ -32,7 +32,7 @@
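Review bot: The `.htaccess` added to the `scp` line is not covered by the `chmod 644 $BASE_DIR/$TORBROWSER_BUILDDIR/*` that follows, because the remote shell's `*` does not match dot files, so its mode on the server stays whatever scp created it with. Name it explicitly, e.g. `chmod 644 $BASE_DIR/$TORBROWSER_BUILDDIR/* $BASE_DIR/$TORBROWSER_BUILDDIR/.htaccess`. The `scp` also reports an error when the build directory was hashed before this change and has no `.htaccess`, and nothing visible in the hunk checks that exit status. The start of the script is outside the hunk, so whether `set -e` is in effect cannot be seen here.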
# Usage: # 1) Let OSSLSIGNCODE point to your osslsigncode binary -# 2) Change into the directory containing the .exe files and the sha256sums.txt +# 2) Change into the directory containing the .exe files and the sha256sums-unsigned-build.txt # 3) Run /path/to/authenticode_check.sh
if [ -z "$OSSLSIGNCODE" ] @@ -47,7 +47,7 @@ BADSIGNED_BUNDLES=0 mkdir tmp
for f in `ls *.exe`; do - SHA256_TXT=`grep "$f" sha256sums.txt` + SHA256_TXT=`grep "$f" sha256sums-unsigned-build.txt`
# Test 1: Is the .exe file still unsigned? I.e. does its SHA 256 sum still # match the one we had before we signed the .exe file? If so, notify us diff --git a/tools/update-responses/update_responses b/tools/update-responses/update_responses index 07efc7c..d238d3a 100755 --- a/tools/update-responses/update_responses +++ b/tools/update-responses/update_responses @@ -415,20 +415,22 @@ sub download_version { my $destdir = "$releases_dir/$version"; my $urldir = "$config->{download}{archive_url}/$version"; print "Downloading version $version\n"; - foreach my $file (qw(sha256sums.txt sha256sums.txt.asc)) { + foreach my $file (qw(sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt.asc)) { if (getstore("$urldir/$file", "$tmpdir/$file") != 200) { exit_error "Error downloading $urldir/$file"; } } if (system('gpg', '--no-default-keyring', '--keyring', $config->{download}{gpg_keyring}, '--verify', - "$tmpdir/sha256sums.txt.asc", "$tmpdir/sha256sums.txt")) { + "$tmpdir/sha256sums-unsigned-build.txt.asc", + "$tmpdir/sha256sums-unsigned-build.txt")) { exit_error "Error checking gpg signature for version $version"; } mkdir $destdir; - move "$tmpdir/sha256sums.txt.asc", "$destdir/sha256sums.txt.asc"; - move "$tmpdir/sha256sums.txt", "$destdir/sha256sums.txt"; - my %sums = map { chomp; reverse split ' ', $_ } read_file "$destdir/sha256sums.txt"; + move "$tmpdir/sha256sums-unsigned-build.txt.asc", "$destdir/sha256sums-unsigned-build.txt.asc"; + move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt"; + my %sums = map { chomp; reverse split ' ', $_ } + read_file "$destdir/sha256sums-unsigned-build.txt"; foreach my $file (sort grep { $_ =~ m/.mar$/ } keys %sums) { print "Downloading $file\n"; exit_error "Error downloading $urldir/$file\n"
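Review bot: The signature is verified on the copies in `$tmpdir`, but the hashes are then read from `$destdir/sha256sums-unsigned-build.txt` after a `mkdir` and two `move` calls whose results are not checked. If a move fails while an older file of that name is already in `$destdir`, `%sums` would be built from a file this run did not verify. Checking the moves closes that gap, e.g. `move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt" or exit_error "Error moving sha256sums-unsigned-build.txt";` (assuming `move` is File::Copy's, which returns false on failure). `download_version` starts and ends outside the hunk.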