Richard Pospesel pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits: 42213fb6 by Nicolas Vigier at 2023-05-09T20:55:38+00:00 Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - - 4875b3ec by Nicolas Vigier at 2023-05-09T20:55:38+00:00 Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config - projects/osslsigncode/config - + projects/yubihsm-shell/build - + projects/yubihsm-shell/config - rbm.conf - tools/signing/do-all-signing - tools/signing/linux-signer-authenticode-signing - tools/signing/linux-signer-gpg-sign - tools/signing/linux-signer-signmars - + tools/signing/machines-setup/build-yubihsm-shell-pkg - + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules - + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf - + tools/signing/machines-setup/setup-osslsigncode - + tools/signing/machines-setup/setup-signing-machine - + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub - + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub - + tools/signing/machines-setup/ssh-keys/richard.pub - + tools/signing/machines-setup/sudoers.d/sign-exe - + tools/signing/machines-setup/sudoers.d/sign-gpg - + tools/signing/machines-setup/sudoers.d/sign-mar - + tools/signing/machines-setup/upload-tbb-to-signing-machine - tools/signing/set-config - + tools/signing/wrappers/sign-exe - + tools/signing/wrappers/sign-gpg - + tools/signing/wrappers/sign-mar
Changes:
===================================== projects/mar-tools/config ===================================== @@ -0,0 +1,20 @@ +# vim: filetype=yaml sw=2 +# +# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine +# to fetch mar-tools for signing machine setup +# +version: 12.0.4 +filename: 'mar-tools-linux64.zip' +container: + use_container: 0 +gpg_keyring: torbrowser.gpg +tag_gpg_id: 1 +input_files: + - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/%5B% c("version") %]/mar-tools-linux64.zip' + sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584 + +steps: + fetch_martools: + fetch_martools: | + #!/bin/bash + echo ok
===================================== projects/osslsigncode/config ===================================== @@ -1,5 +1,5 @@ # vim: filetype=yaml sw=2 -version: '[% c("abbrev") %]' +version: '[% c("git_hash").substr(0, 12) %]' git_url: https://github.com/mtrojnar/osslsigncode git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' @@ -15,3 +15,12 @@ var: input_files: - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch - filename: timestamping.patch + - filename: '[% c("var/srcfile") %]' + enable: '[% c("var/no-git") %]' + +targets: + no-git: + git_url: '' + var: + no-git: 1 + srcfile: '[% project %]-[% c("version") %].tar.gz'
===================================== projects/yubihsm-shell/build =====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
===================================== projects/yubihsm-shell/config ===================================== @@ -0,0 +1,16 @@ +# vim: filetype=yaml sw=2 +version: 2.4.0 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]' +container: + use_container: 0 +var: + src_filename: 'yubihsm-shell-[% c("version") %].tar.gz' +input_files: + - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/%5B% c("var/src_filename") %]' + sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0 + +steps: + fetch_src: + fetch_src: | + #!/bin/bash + echo ok
===================================== rbm.conf ===================================== @@ -87,7 +87,7 @@ var: build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]' build_id_txt: | [% c("version") %] - [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %] + [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %] [% IF c("container/use_container") && ! c("container/global_disable") -%] [% c("var/container/suite") %] [% c("var/container/arch") %]
===================================== tools/signing/do-all-signing ===================================== @@ -17,9 +17,9 @@ echo test -f "$steps_dir/linux-signer-signmars.done" || read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS echo -test -f "$steps_dir/linux-signer-authenticode-signing.done" || - read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS -echo +#test -f "$steps_dir/linux-signer-authenticode-signing.done" || +# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS +#echo test -f "$steps_dir/linux-signer-gpg-sign.done" || read -sp "Enter gpg passphrase: " GPG_PASS echo @@ -199,10 +199,10 @@ do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-signmars do_step linux-signer-signmars do_step sync-after-signmars -do_step linux-signer-authenticode-signing -do_step sync-after-authenticode-signing -do_step authenticode-timestamping -do_step sync-after-authenticode-timestamping +#do_step linux-signer-authenticode-signing +#do_step sync-after-authenticode-signing +#do_step authenticode-timestamping +#do_step sync-after-authenticode-timestamping do_step hash_signed_bundles do_step sync-after-hash do_step linux-signer-gpg-sign
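Review bot: The commented-out `read -sp` for YUBIPASS in the first hunk and the four commented-out `do_step` lines in the second carry no hint of why they are disabled, so a later reader cannot tell dead code from a deliberate switch. A one-line comment at each site, `# Windows authenticode signing temporarily disabled, see Bug 40846`, would tie both places to the commit's rationale. A single guard variable tested at both sites would also avoid editing two places when signing is re-enabled, though that is a preference rather than a defect.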
===================================== tools/signing/linux-signer-authenticode-signing ===================================== @@ -9,26 +9,14 @@ cd ~/"$SIGNING_PROJECTNAME-$tbb_version" test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS echo
-tmpdir=$(mktemp -d) -chgrp yubihsm "$tmpdir" -chmod g+rwx "$tmpdir" - cwd=$(pwd) for i in `find . -name "*.exe" -print` do echo "Signing $i" - echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' ; \ - /home/yubihsm/osslsigncode/osslsigncode \ - -pkcs11engine /usr/lib/engines/engine_pkcs11.so \ - -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \ - -pass "'$YUBIPASS'" \ - -h sha256 \ - -certs /home/yubihsm/tpo-cert.crt \ - -key 1c40 \ - "$cwd/$i" "$tmpdir/$i" \ - | sudo su - yubihsm - mv -vf "$tmpdir/$i" "$cwd/$i" + sudo -u signing-win -- "$wrappers_dir/sign-exe" \ + "$YUBIPASS" \ + "$cwd/$i" + cp /home/signing-win/last-signed-file.exe "$cwd/$i" done
unset YUBIPASS -rmdir "$tmpdir"
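Review bot: `sudo -u signing-win -- "$wrappers_dir/sign-exe" "$YUBIPASS" "$cwd/$i"` puts the YubiHSM passphrase on the command line, where sudo's default command logging records it in the system log and where every local user can see it in the process list for as long as osslsigncode runs; the wrapper in tools/signing/wrappers/sign-exe then forwards it again as `-pass "$yubipass"`. The other two wrappers already take their secret on stdin (`echo "$NSSPASS" | sudo …`, `--passphrase-fd 0`), and the same shape here, `printf '%s' "$YUBIPASS" | sudo -u signing-win -- "$wrappers_dir/sign-exe" "$cwd/$i"`, with the wrapper reading the passphrase from fd 0 (osslsigncode's `-readpass FILE` option can be pointed at `/dev/stdin`, if the built version supports it), would close both exposures. The following `cp /home/signing-win/last-signed-file.exe "$cwd/$i"` is unconditional, so unless this script runs under `set -e` (its header is outside the hunk) a failed signing step copies a stale or missing file over the original. The enclosing script starts before the hunk.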
===================================== tools/signing/linux-signer-gpg-sign ===================================== @@ -7,6 +7,7 @@ source "$script_dir/functions" cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS +currentdir=$(pwd) for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort` do if test -f "$i.asc" @@ -15,5 +16,8 @@ do rm -f "$i.asc" fi echo "Signing $i" - echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i + i="$currentdir/$i" + tmpsig=$(mktemp) + echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig" + mv -f "$tmpsig" "${i}.asc" done
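Review bot: `mv -f "$tmpsig" "${i}.asc"` publishes the signature with the 0600 mode that `mktemp` gave the temporary file, whereas gpg previously created the `.asc` next to the bundle with the normal umask; since the later rsync in set-config uses `-a` (which preserves modes), the unreadable files propagate. Add `chmod 644 "$tmpsig"` before the `mv`. If the `sudo … sign-gpg` stage fails, the empty temporary file is still moved into place unless the script runs under `set -e` (its header is outside the hunk), so the pipeline's status is worth checking explicitly.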
===================================== tools/signing/linux-signer-signmars ===================================== @@ -1,8 +1,4 @@ #!/bin/bash -# -# -# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script -# (if you don't want to use the default values).
set -e set -u @@ -10,38 +6,15 @@ set -u script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) source "$script_dir/functions"
-if [ -z "${NSS_DB_DIR+x}" ]; then - if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then - NSS_DB_DIR=/home/boklm/marsigning/nssdb7 - fi - if test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then - NSS_DB_DIR=/home/boklm/marsigning/mullvad-browser-nssdb-1 - fi -fi - -if [ -z "${NSS_CERTNAME+x}" ]; then - NSS_CERTNAME=marsigner -fi - export LC_ALL=C
-# Check some prerequisites. -if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then - >&2 echo "Please create and populate the $NSS_DB_DIR directory" - exit 2 -fi - -# Extract the MAR tools so we can use the signmar program. -MARTOOLS_TMP_DIR=$(mktemp -d) -trap "rm -rf $MARTOOLS_TMP_DIR" EXIT -MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip -unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP" -export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH" -if [ -z "${LD_LIBRARY_PATH+x}" ]; then - export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools" -else - export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH" +martools_dir=/home/signing-mar/mar-tools +if ! test -d "$martools_dir"; then + >&2 echo "Please create $martools_dir" + exit 3 fi +export LD_LIBRARY_PATH="$martools_dir" +export PATH="$martools_dir:$PATH"
# Prompt for the NSS password. # TODO: Test that the entered NSS password is correct. But how? Unfortunately, @@ -70,9 +43,8 @@ for marfile in *.mar; do continue; fi
- echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \ - "$marfile" tmp.mar - mv -f tmp.mar "$marfile" + echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile" + cp /home/signing-mar/last-signed-mar.mar "$marfile" COUNT=$((COUNT + 1)) echo "Signed MAR file $COUNT ($marfile)" done
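Review bot: `sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"` hands the wrapper a path relative to the invoking builder's working directory, so the signing-mar account must be able to traverse and read that directory under the builder's home; nothing in the setup script grants that, so it is presumably arranged outside this commit, and a comment above the loop such as `# the signing-* accounts need read access to this directory` would make the requirement visible. The same applies to the sign-exe and sign-gpg callers. The `martools_dir` check and the `PATH`/`LD_LIBRARY_PATH` exports added earlier in this file now duplicate what the wrapper does itself and look redundant, unless another mar-tools binary is used later in this script (the rest of the file is outside the hunk).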
===================================== tools/signing/machines-setup/build-yubihsm-shell-pkg =====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+ echo 'This script should be run as the build-pkgs user' >&2
+ exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
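Review bot: `mkdir -p $(dirname $destdir)` leaves both the substitution and `$destdir` unquoted, unlike every other use of the variable in this file; `mkdir -p "$(dirname "$destdir")"` keeps the style consistent. The `rm -Rf "$destdir"` just above it can never have anything to remove, because the script exits early whenever `$destdir` exists. Re-running after a failed build extracts the tarballs over a stale `tor-browser-build` tree and leaves files removed from git in place; an `rm -rf tor-browser-build` before the first `tar xf` would avoid that, if the stale tree is not intentional.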
===================================== tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules ===================================== @@ -0,0 +1,2 @@ +ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm" +ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
===================================== tools/signing/machines-setup/etc/yubihsm_pkcs11.conf ===================================== @@ -0,0 +1,5 @@ +connector = yhusb:// +#debug +#dinout +#libdebug +#debug-file = /tmp/yubihsm_pkcs11_debug
===================================== tools/signing/machines-setup/setup-osslsigncode =====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
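Review bot: The final `tar xf` is assumed to produce `/home/signing-win/osslsigncode`, and nothing checks that the binary the sign-exe wrapper later calls actually exists before `chmod -R 755` runs and "Extracted osslsigncode" is printed. A guard after the extraction, `test -x "$destdir/bin/osslsigncode" || { echo "osslsigncode binary missing after extraction" >&2; exit 1; }`, would fail the setup loudly instead of leaving a half-installed tree that the `destdir` check treats as done on the next run. `chmod -R 755` also marks every extracted data file executable; `chmod -R a+rX` gives the same readability while only adding execute bits where they were already set.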
===================================== tools/signing/machines-setup/setup-signing-machine ===================================== 
@@ -0,0 +1,134 @@ +#!/bin/bash +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) + +function create_user { + user="$1" + groups="$2" + id "$user" > /dev/null 2>&1 && return 0 + test -n "$groups" && groups="--groups $groups" + useradd -s /bin/bash -m "$user" $groups +} + +function create_group { + group="$1" + getent group "$group" > /dev/null 2>&1 && return 0 + groupadd "$group" +} + +function authorized_keys { + user="$1" + shift + tmpfile=$(mktemp) + for file in "$@"; do + cat "$script_dir/ssh-keys/$file" >> "$tmpfile" + done + sshdir="/home/$user/.ssh" + authkeysfile="$sshdir/authorized_keys" + if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then + rm "$tmpfile" + return 0 + fi + echo "Update authorized_keys for user $user" + if ! test -d "$sshdir"; then + mkdir "$sshdir" + chmod 700 "$sshdir" + chown $user:$user "$sshdir" + fi + mv "$tmpfile" "$authkeysfile" + chown $user:$user "$authkeysfile" + chmod 600 "$authkeysfile" +} + +function sudoers_file { + sfile="$1" + cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile" + chown root:root "/etc/sudoers.d/$sfile" + chmod 0440 "/etc/sudoers.d/$sfile" +} + +function udev_rule { + udevrule="$1" + rulepath="/etc/udev/rules.d/$udevrule" + if ! 
diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then + cp "$script_dir$rulepath" "$rulepath" + udevadm control --reload-rules + fi +} + +function install_packages { + for pkg in "$@" + do + dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue + apt-get install -y "$pkg" + done +} + +install_packages build-essential rsync unzip +install_packages sudo vim tmux gnupg + +create_user setup +authorized_keys setup boklm-yk1.pub +mkdir -p /signing +chmod 0755 /signing +chown setup /signing + +create_user yubihsm +create_group yubihsm +udev_rule 70-yubikey.rules + +create_user signing +create_group signing +create_user signing-gpg +create_user signing-mar +create_user signing-win yubihsm + + +sudoers_file sign-gpg +sudoers_file sign-mar +sudoers_file sign-exe + +authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub +create_user richard signing +authorized_keys richard richard.pub + +# Install rbm deps +install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \ + libio-handle-util-perl libio-all-perl \ + libio-captureoutput-perl libjson-perl libpath-tiny-perl \ + libstring-shellquote-perl libsort-versions-perl \ + libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \ + libfile-copy-recursive-perl libfile-slurp-perl + +# Install deps for building osslsigncode +install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev +sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode + +# Packages needed for windows signing +install_packages opensc libengine-pkcs11-openssl + +# Install deps for building yubihsm-shell +install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec + +# Build and install yubihsm-pkcs11 package +create_user build-pkgs +if ! 
dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then + yubishm_version=2.4.0 + sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg + pushd /home/build-pkgs/packages/yubihsm-shell-pkgs + apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \ + ./libyubihsm1_${yubishm_version}_amd64.deb \ + ./libyubihsm-http1_${yubishm_version}_amd64.deb \ + ./libyubihsm-usb1_${yubishm_version}_amd64.deb + popd +fi + +# install mar-tools +if ! test -d /home/signing-mar/mar-tools; then + tmpdir=$(mktemp -d) + unzip -d "$tmpdir" /signing/mar-tools-linux64.zip + chown -R signing-mar:signing-mar "$tmpdir/mar-tools" + chmod go+rX "$tmpdir/mar-tools"/* + mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools +fi
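Review bot: `sudoers_file` copies into `/etc/sudoers.d/` without validating the fragment first; a syntax error there makes sudo refuse every invocation on the machine, which on this host would lock the builders out of all three signing wrappers. Running `visudo -cf "$script_dir/sudoers.d/$sfile"` before the `cp` makes the script abort under `set -e` instead of installing a broken file. `authorized_keys boklm …` is called without a matching `create_user boklm`, so it relies on that account already existing (and `richard` is added to the `signing` group while `boklm` is not) — presumably intended, but a comment would save the next reader the question. None of the functions declare `local`, so `user`, `groups`, `tmpfile` and friends leak between calls; harmless today, but `groups` also shadows the command of that name. The section's hunk header is on L31 and the function bodies are split across the page's line breaks.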
===================================== tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub ===================================== @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user@tb-release
===================================== tools/signing/machines-setup/ssh-keys/boklm-yk1.pub ===================================== @@ -0,0 +1 @@ +ssh-rsa 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 boklm-yk1
===================================== tools/signing/machines-setup/ssh-keys/richard.pub ===================================== @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
===================================== tools/signing/machines-setup/sudoers.d/sign-exe ===================================== @@ -0,0 +1,2 @@ +Defaults>signing-win env_keep += SIGNING_PROJECTNAME +%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
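Review bot: The NOPASSWD rule lets group `signing` run, as `signing-win`, a script that lives under `/signing`, a directory the setup script creates with `chown setup /signing` and that the upload script rewrites over rsync/scp on every run; whoever can write there as the unprivileged `setup` account therefore decides what this rule executes with access to the signing key, so the effective trust boundary becomes the `setup` SSH key rather than root. Installing the wrappers into a root-owned path with `root:root 0755` — the way `sudoers_file` already treats the sudoers fragments — and pointing this rule at that copy would keep the privileged command out of the upload path. The same applies to the sign-gpg and sign-mar fragments in the next two files.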
===================================== tools/signing/machines-setup/sudoers.d/sign-gpg ===================================== @@ -0,0 +1,2 @@ +Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME +%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
===================================== tools/signing/machines-setup/sudoers.d/sign-mar ===================================== @@ -0,0 +1,2 @@ +Defaults>signing-mar env_keep += SIGNING_PROJECTNAME +%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
===================================== tools/signing/machines-setup/upload-tbb-to-signing-machine ===================================== 
@@ -0,0 +1,59 @@ +#!/bin/bash +# Upload tor-browser-build directory from current HEAD commit and other +# dependencies to signing machine +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) + +cd "$script_dir/../../.." +tmpdir=$(mktemp -d) +tbbtar=$tmpdir/tor-browser-build.tar +git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD . + +echo "Created $tbbtar" + +make submodule-update +osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile) +if ! test -f "./out/osslsigncode/$osslsigncodefile"; then + ./rbm/rbm tar osslsigncode + echo "Created $osslsigncodefile" +fi + +cd rbm +git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD . +echo "Created rbm.tar" +cd .. + +martools_filename=mar-tools-linux64.zip +if ! test -f "./out/mar-tools/$martools_filename"; then + ./rbm/rbm build --step fetch_martools mar-tools + echo "Downloaded $martools_filename" +fi + +yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename) +if ! 
test -f "./out/yubihsm-shell/$yubihsm_filename"; then + ./rbm/rbm build yubihsm-shell --step fetch_src + echo "Fetched $yubihsm_filename" +fi + +signing_machine='linux-signer' +setup_user='setup' +signing_dir='/signing' + +echo "Uploading $osslsigncodefile to $signing_machine" +chmod go+r "./out/osslsigncode/$osslsigncodefile" +rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile" +echo "Uploading rbm.tar to $signing_machine" +rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar" +echo "Uploading $martools_filename" +chmod go+r "./out/mar-tools/$martools_filename" +rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename" +echo "Uploading $yubihsm_filename" +chmod go+r "./out/yubihsm-shell/$yubihsm_filename" +rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename" +echo "Uploading tor-browser-build.tar to $signing_machine" +scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/" +echo "Extracting tor-browser-build.tar on $signing_machine" +ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar +echo "You can now run this command on $signing_machine to update signing machine setup:" +echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
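Review bot: `tmpdir=$(mktemp -d)` is never removed, so every run leaves a full `tor-browser-build.tar` and `rbm.tar` behind in the temp directory; `trap 'rm -rf -- "$tmpdir"' EXIT` directly after the `mktemp` line fixes that. The remote `tar -C $signing_dir -xf …` extracts over whatever `tor-browser-build` tree already sits in `/signing`, so files deleted from git — including superseded sudo-invoked wrappers — remain on the signing machine; if that is not intended, remove the old tree in the same `ssh` command before extracting. The script's hunk header is on L41.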
===================================== tools/signing/set-config ===================================== @@ -18,6 +18,8 @@ test "$SIGNING_PROJECTNAME" = 'torbrowser' \ || test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \ || exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME"
+export SIGNING_PROJECTNAME + test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
. "$script_dir/set-config.tbb-version" @@ -36,3 +38,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress" rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
tb_builders='boklm dan henry ma1 pierov richard' +wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
===================================== tools/signing/wrappers/sign-exe =====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+ echo "File $tpo_cert is missing" >&2
+ exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+ -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+ -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+ -pass "$yubipass" \
+ -h sha256 \
+ -certs "$tpo_cert" \
+ -key 1c40 \
+ "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
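Review bot: Exit status 2 is returned both for the wrong-user check and for a missing `$tpo_cert`, so a caller cannot tell the two apart; sign-mar gives each check its own code and this wrapper could do the same (`exit 3` for the missing certificate). `test $(whoami) != 'signing-win'` leaves the substitution unquoted, so an empty result turns into a `test` syntax error rather than a clean refusal; `test "$(whoami)" != 'signing-win'` is the safe form (the same pattern appears in sign-gpg, sign-mar, build-yubihsm-shell-pkg and setup-osslsigncode). Taking the passphrase as `$1` rather than on stdin is covered at the linux-signer-authenticode-signing hunk.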
===================================== tools/signing/wrappers/sign-gpg =====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+ echo 'This script should be run as the signing-gpg user' >&2
+ exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
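Review bot: `--passphrase-fd 0` together with `--batch` is only honoured by gpg 2.1 and later when `--pinentry-mode loopback` is also given; otherwise gpg asks the agent for a pinentry, which under `--no-tty` cannot prompt and fails. Whether that bites depends on the gpg version and agent configuration on the signing machine, so either add `--pinentry-mode loopback` to the `exec gpg` line or record the tested version in a comment. The exit codes are also the reverse of sign-exe and sign-mar (wrong argument count is 2 here and 1 there, wrong user 1 here and 2 there), which is worth aligning while the wrappers are new.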
===================================== tools/signing/wrappers/sign-mar =====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+ echo 'This script should be run as the signing-mar user' >&2
+ exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+ echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+ exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+ echo "$NSS_DB_DIR is missing" >&2
+ exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
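Review bot: The `Unknown SIGNING_PROJECTNAME` message is the only diagnostic in this wrapper written to stdout rather than stderr; `echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME" >&2` keeps it out of the caller's output. Exit status 3 is reused for both the unknown project name and a missing `$NSS_DB_DIR`, so the caller cannot distinguish them. `SIGNING_PROJECTNAME` arrives through sudo's `env_keep` and is therefore caller-controlled; comparing it against a fixed allow-list and mapping to hard-coded paths, as done here, is the right way to consume it, and a comment saying so would discourage a future edit from interpolating the value into a path.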