This is an automated email from the git hooks/post-receive script.
boklm pushed a change to branch maint-11.0 in repository builders/tor-browser-build.
      from  303ef06  Bug 40491: Change links for several Tor Project's sites into their onion services.
       new  2e9a309  Bug 40137: Add publication script
       new  a2886d8  Bug 40157: Add sanity check scripts
       new  5b7e8d1  Bug 40414: Remove tools/update/format_changelog.pl
       new  aab6131  Bug 40414: Add common config and functions files
       new  1ecaffe  Bug 40414: Improve the gatekeeper-bundling.sh script
       new  54998d8  Bug 40414: Add osslsigncode project
       new  4063e49  Bug 40414: Improve the authenticode-timestamping.sh script
       new  2e66fd7  Bug 40414: Add sync-* signing scripts
       new  2337f75  Bug 40414: add macos-signer-proxy
       new  c2f560b  Bug 40414: Move hash_signed_bundles.sh to the signing directory
       new  9dc7222  Bug 40414: Improve hash_signed_bundles.sh
       new  78a9e3f  Bug 40414: Add download-unsigned-sha256sums-gpg-signatures-from-people-tpo script
       new  1cbbc49  Bug 40414: Add linux-signer-signmars
       new  7c0525c  Bug 40414: Improve linux-signer-signmars
       new  3460d13  Bug 40414: Add tools/signing/create-blog-post
       new  ed8709b  Bug 40414: Add tools/signing/upload-update_responses-to-staticiforme
       new  655fd49  Bug 40414: Add tools/signing/dmg2mar
       new  04b1955  Bug 40414: Rename gatekeeper-signing.sh to macos-signer-gatekeeper-signing
       new  5eb300d  Bug 40414: Update stable.entitlements.xml
       new  08564b5  Bug 40414: Update macos-signer-gatekeeper-signing
       new  cf2d10b  Bug 40414: Improve macos-signer-gatekeeper-signing
       new  e4cb274  Bug 40414: Rename notarization.sh to macos-signer-notarization
       new  14e74b7  Bug 40414: Update macos-signer-notarization
       new  62626b4  Bug 40414: Improve macos-signer-notarization
       new  1767485  Bug 40414: Rename stapler.sh to macos-signer-stapler
       new  3209c27  Bug 40414: Update macos-signer-stapler
       new  64abe72  Bug 40414: Improve macos-signer-stapler
       new  e7f2deb  Bug 40414: Rename tbb-signing.sh to linux-signer-gpg-sign
       new  05455d3  Bug 40414: Update linux-signer-gpg-sign
       new  209de9b  Bug 40414: Improve linux-signer-gpg-sign
       new  b854fea  Bug 40414: Update nssdb7 path in linux-signer-signmars
       new  479afa2  Bug 40414: Add finished-signing-clean-*
The 32 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
 .../0001-Make-code-work-with-OpenSSL-1.1.patch | 324 +++++++++++++++++++++
 projects/{libdmg-hfsplus => osslsigncode}/build | 13 +-
 projects/osslsigncode/config | 17 ++
 projects/osslsigncode/timestamping.patch | 56 ++++
 ...e_check.sh => authenticode_verify_timestamp.sh} | 76 +++--
 tools/marsigning_check.sh | 12 +
 tools/signing/authenticode-timestamping.sh | 24 +-
 tools/signing/check_file_counts | 168 +++++++++++
 tools/signing/create-blog-post | 61 ++++
 tools/signing/ddmg.sh | 41 +++
 tools/signing/dmg2mar | 29 ++
 ...igned-sha256sums-gpg-signatures-from-people-tpo | 16 +
 tools/signing/finished-signing-clean-linux-signer | 14 +
 tools/signing/finished-signing-clean-macos-signer | 14 +
 tools/signing/functions | 22 ++
 tools/signing/gatekeeper-bundling.sh | 46 ++-
 tools/signing/gatekeeper-signing.sh | 51 ----
 tools/{ => signing}/hash_signed_bundles.sh | 14 +-
 tools/signing/linux-signer-gpg-sign | 19 ++
 tools/signing/linux-signer-signmars | 75 +++++
 tools/signing/macos-signer-gatekeeper-signing | 98 +++++++
 tools/signing/macos-signer-notarization | 44 +++
 tools/signing/macos-signer-proxy | 6 +
 tools/signing/macos-signer-stapler | 18 ++
 tools/signing/notarization.sh | 50 ----
 ...a.entitlements.xml => release.entitlements.xml} | 0
 tools/signing/set-config | 17 ++
 tools/signing/set-config.blog | 4 +
 tools/signing/set-config.hosts | 6 +
 tools/signing/set-config.macos-notarization | 5 +
 tools/signing/set-config.tbb-version | 7 +
 tools/signing/stable.entitlements.xml | 53 ----
 tools/signing/stapler.sh | 47 ---
 tools/signing/sync-builder-to-local | 8 +
 tools/signing/sync-builder-to-local.dry-run | 1 +
 .../signing/sync-builder-unsigned-to-local-signed | 8 +
 .../sync-builder-unsigned-to-local-signed.dry-run | 1 +
 tools/signing/sync-linux-signer-to-local | 8 +
 tools/signing/sync-linux-signer-to-local.dry-run | 1 +
 tools/signing/sync-local-to-builder | 8 +
 tools/signing/sync-local-to-builder.dry-run | 1 +
 tools/signing/sync-local-to-linux-signer | 8 +
 tools/signing/sync-local-to-linux-signer.dry-run | 1 +
 tools/signing/sync-local-to-staticiforme | 6 +
 tools/signing/sync-local-to-staticiforme.dry-run | 1 +
 tools/signing/sync-macos-local-to-macos-signer | 8 +
 .../sync-macos-local-to-macos-signer.dry-run | 1 +
 ...ync-macos-signer-stapled-to-macos-local-stapled | 8 +
 ...s-signer-stapled-to-macos-local-stapled.dry-run | 1 +
 tools/signing/sync-scripts-to-linux-signer | 8 +
 tools/signing/sync-scripts-to-linux-signer.dry-run | 1 +
 tools/signing/sync-scripts-to-macos-signer | 8 +
 tools/signing/sync-scripts-to-macos-signer.dry-run | 1 +
 tools/signing/tbb-signing.sh | 38 ---
 .../upload-update_responses-to-staticiforme | 49 ++++
 tools/update/publish_version.sh | 39 +++
 56 files changed, 1360 insertions(+), 301 deletions(-)
 create mode 100644 projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
 copy projects/{libdmg-hfsplus => osslsigncode}/build (63%)
 create mode 100644 projects/osslsigncode/config
 create mode 100644 projects/osslsigncode/timestamping.patch
 copy tools/{authenticode_check.sh => authenticode_verify_timestamp.sh} (54%)
 create mode 100755 tools/signing/check_file_counts
 create mode 100755 tools/signing/create-blog-post
 create mode 100755 tools/signing/ddmg.sh
 create mode 100755 tools/signing/dmg2mar
 create mode 100755 tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
 create mode 100755 tools/signing/finished-signing-clean-linux-signer
 create mode 100755 tools/signing/finished-signing-clean-macos-signer
 create mode 100644 tools/signing/functions
 delete mode 100755 tools/signing/gatekeeper-signing.sh
 rename tools/{ => signing}/hash_signed_bundles.sh (87%)
 create mode 100755 tools/signing/linux-signer-gpg-sign
 create mode 100755 tools/signing/linux-signer-signmars
 create mode 100755 tools/signing/macos-signer-gatekeeper-signing
 create mode 100755 tools/signing/macos-signer-notarization
 create mode 100755 tools/signing/macos-signer-proxy
 create mode 100755 tools/signing/macos-signer-stapler
 delete mode 100755 tools/signing/notarization.sh
 copy tools/signing/{alpha.entitlements.xml => release.entitlements.xml} (100%)
 create mode 100644 tools/signing/set-config
 create mode 100644 tools/signing/set-config.blog
 create mode 100644 tools/signing/set-config.hosts
 create mode 100644 tools/signing/set-config.macos-notarization
 create mode 100644 tools/signing/set-config.tbb-version
 delete mode 100644 tools/signing/stable.entitlements.xml
 delete mode 100755 tools/signing/stapler.sh
 create mode 100755 tools/signing/sync-builder-to-local
 create mode 120000 tools/signing/sync-builder-to-local.dry-run
 create mode 100755 tools/signing/sync-builder-unsigned-to-local-signed
 create mode 120000 tools/signing/sync-builder-unsigned-to-local-signed.dry-run
 create mode 100755 tools/signing/sync-linux-signer-to-local
 create mode 120000 tools/signing/sync-linux-signer-to-local.dry-run
 create mode 100755 tools/signing/sync-local-to-builder
 create mode 120000 tools/signing/sync-local-to-builder.dry-run
 create mode 100755 tools/signing/sync-local-to-linux-signer
 create mode 120000 tools/signing/sync-local-to-linux-signer.dry-run
 create mode 100755 tools/signing/sync-local-to-staticiforme
 create mode 120000 tools/signing/sync-local-to-staticiforme.dry-run
 create mode 100755 tools/signing/sync-macos-local-to-macos-signer
 create mode 120000 tools/signing/sync-macos-local-to-macos-signer.dry-run
 create mode 100755 tools/signing/sync-macos-signer-stapled-to-macos-local-stapled
 create mode 120000 tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run
 create mode 100755 tools/signing/sync-scripts-to-linux-signer
 create mode 120000 tools/signing/sync-scripts-to-linux-signer.dry-run
 create mode 100755 tools/signing/sync-scripts-to-macos-signer
 create mode 120000 tools/signing/sync-scripts-to-macos-signer.dry-run
 delete mode 100755 tools/signing/tbb-signing.sh
 create mode 100755 tools/signing/upload-update_responses-to-staticiforme
 create mode 100755 tools/update/publish_version.sh
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 2e9a30950bd5186de95a119522fda33c9765b38b
Author: Matthew Finkel <sysrqb@torproject.org>
AuthorDate: Tue Nov 17 01:44:21 2020 +0000

Bug 40137: Add publication script
---
 tools/update/format_changelog.pl | 64 ++++++++++++++++++++++++++++++++++++++++
 tools/update/publish_version.sh  | 51 ++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+)
diff --git a/tools/update/format_changelog.pl b/tools/update/format_changelog.pl new file mode 100755 index 0000000..c469b37 --- /dev/null +++ b/tools/update/format_changelog.pl @@ -0,0 +1,64 @@ +#!/usr/bin/perl -w + +# Read ChangeLog.txt from stdin +# $ ./format_changelog.pl < ChangeLog.txt + +my $once = 0; +my $last_indent=0; + +sub finish { + while ($last_indent > 2) { + print "</ul>\n"; + # Every entry in the ChangeLog is indented by 2 characters + # except for the first Platform line + $last_indent -= 2 + } + exit; +} + +while (<>) { + #print "$_"; + my $line = ""; + if ($_ =~ /^Tor Browser /) { + finish() unless $once == 0; + $once = 1; + next; + } + # Skip empty lines + if ($_ =~ /^\s*$/) { + next; + } + #print ">>> $_"; + if ($_ =~ /(\s+)* Bug (\d+):(.*)$/) { + my $indentation = $1; + my $bug = $2; + my $description = $3; + my $current_indent = length($indentation); + if ($current_indent > $last_indent) { + $line = "<ul>"; + } elsif ($current_indent < $last_indent) { + $line = "</ul>"; + } + $last_indent = $current_indent; + if ($bug < 40000) { + $line.="<li><a href="https://bugs.torproject.org/$bug%5C%22%3EBug $bug</a>:$3</li>"; + } else { + $description =~ /(.*)[([a-z-]*)]$/; + my $project = "tpo/applications/$2/$bug" // "$bug"; + $line.="<li><a href="https://bugs.torproject.org/$project%5C%22%3EBug $bug</a>:$1</li>"; + } + } elsif ($_ =~ /(\s+)* (.*)$/) { + my $indentation = $1; + my $current_indent = length($indentation); + if ($current_indent > $last_indent) { + $line = "<ul>"; + } elsif ($current_indent < $last_indent) { + $line = "</ul>"; + } + $last_indent = $current_indent; + $line .= "<li>$2"; + } else { + $line = $_; + } + print "$line\n"; +} diff --git a/tools/update/publish_version.sh b/tools/update/publish_version.sh new file mode 100755 index 0000000..25083e3 --- /dev/null +++ b/tools/update/publish_version.sh 
@@ -0,0 +1,51 @@ +#!/bin/bash + +set -e + +TORBROWSER_VERSION=$1 +if [ -z "${TORBROWSER_VERSION}" ]; then + echo "please specify version number (excluding -buildN)" + exit 1 +fi + +PREV_TORBROWSER_VERSION=$2 +if [ -z "${PREV_TORBROWSER_VERSION}" ]; then + echo "please specify a previous version number (needed for copying .htaccess file)" + exit 1 +fi + +TORBROWSER_UPDATE_CHANNEL=$3 +if [ -z "${TORBROWSER_UPDATE_CHANNEL}" ]; then + echo "please specify the release channel (release|alpha)" + exit 1 +fi + +wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~sysrqb/builds/$%7BTORBROWSER_VERSION%7D" +#wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~gk/builds/$%7BTORBROWSER_VERSION%7D" +rm "${TORBROWSER_VERSION}/index.html*" + +# Rename the update responses directory to .old to make it easier to +# revert in case of problem (see the file RollingBackUpdate for more +# details about this) +rm -rf "/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}.old" +mv /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/"${TORBROWSER_UPDATE_CHANNEL}"{,.old} + +date +mv "${TORBROWSER_VERSION}" /srv/dist-master.torproject.org/htdocs/torbrowser/ +cp "/srv/dist-master.torproject.org/htdocs/torbrowser/${PREV_TORBROWSER_VERSION}/.htaccess" "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}/" +chmod 775 "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}" +chmod 664 "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}"/* +chown -R :torwww "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}" +cd "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}" +for i in *.asc; do echo "$i"; gpg -q "$i" || exit; done +date +static-update-component dist.torproject.org + +mkdir "/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/${TORBROWSER_VERSION}" +chmod 775 
"/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/${TORBROWSER_VERSION}" +cd "/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/${TORBROWSER_VERSION}" +for marfile in /srv/dist-master.torproject.org/htdocs/torbrowser/"${TORBROWSER_VERSION}"/*.mar; do ln -f "${marfile}" .; done +date +static-update-component cdn.torproject.org + +echo "Now sync and publish update responses"
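Review bot: in format_changelog.pl, `my $project = "tpo/applications/$2/$bug" // "$bug";` can never fall back to `"$bug"`, because the interpolated string on the left is always defined. Worse, when the preceding `$description =~ /...$/` match fails, `$1` and `$2` keep the values from the outer `Bug (\d+):(.*)$` match (the indentation and the bug number), so the link becomes `tpo/applications/<bug>/<bug>` and the list item text is the indentation. Test the match result explicitly, e.g. `if ($description =~ /.../) { $project = "tpo/applications/$2/$bug"; $text = $1 } else { $project = $bug; $text = $description }`. Also, `finish()` is only called when a second `^Tor Browser ` header is seen, so the closing `</ul>` tags are never printed for a ChangeLog with a single release (or for the last release in the file); run the closing loop after the `while (<>)` loop too, and drop the `exit` from `finish` so it can be reused.

Review bot: in publish_version.sh, `rm "${TORBROWSER_VERSION}/index.html*"` quotes the `*`, so it looks for a file literally named `index.html*`, and under `set -e` the script aborts there unless such a file exists; move the glob outside the quotes: `rm "${TORBROWSER_VERSION}"/index.html*`. The rename of `update_3/${TORBROWSER_UPDATE_CHANNEL}` to `.old` is also done before anything is published, and the script ends with "Now sync and publish update responses", so the live update channel directory is missing for the whole run and stays missing if any later step fails under `set -e`; do the swap right before the update responses are synced. Finally, the `for i in *.asc; do ... gpg -q "$i"` loop accepts a signature from any key in the local keyring; if the publishing host's keyring contains more than the Tor Browser signing key, verify against a dedicated keyring (`gpg --no-default-keyring --keyring <file> --verify`) so an unrelated key cannot pass this check, and make the `people.torproject.org/~sysrqb/builds` URL (with its commented-out `~gk` twin) a parameter rather than a hard-coded personal path.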
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit a2886d8460b00af8eae907e1e5e7c21c2a551b33
Author: Matthew Finkel <sysrqb@torproject.org>
AuthorDate: Tue Nov 17 03:01:22 2020 +0000

Bug 40157: Add sanity check scripts
---
 tools/authenticode_verify_timestamp.sh | 95 +++++++++++++++++++
 tools/marsigning_check.sh              | 12 +++
 tools/signing/check_file_counts        | 168 +++++++++++++++++++++++++++++++++
 3 files changed, 275 insertions(+)
diff --git a/tools/authenticode_verify_timestamp.sh b/tools/authenticode_verify_timestamp.sh new file mode 100755 index 0000000..efa8986 --- /dev/null +++ b/tools/authenticode_verify_timestamp.sh 
@@ -0,0 +1,95 @@ +#!/bin/sh + +# Copyright (c) 2021, The Tor Project, Inc. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following disclaimer +# in the documentation and/or other materials provided with the +# distribution. +# +# * Neither the names of the copyright owners nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Usage: +# 1) Let OSSLSIGNCODE point to your osslsigncode binary +# 2) Change into the directory containing the .exe files and the sha256sums-unsigned-build.txt +# 3) Run /path/to/authenticode_verify_timestamp.sh + +if [ -z "$OSSLSIGNCODE" ] +then + echo "The path to your osslsigncode binary is missing!" 
+ exit 1 +fi + +#set -x + +VERIFIED_PACKAGES=0 +MISSING_TIMESTAMP=0 + +for f in `ls *.exe`; do + echo -n "$f timestamped: " + + ${OSSLSIGNCODE} extract-signature -pem -in $f -out $f.sigs 1>/dev/null + ts=`openssl pkcs7 -print -in $f.sigs | grep -A 227 unauth_attr` + ts_len=`openssl pkcs7 -print -in $f.sigs | grep -A 227 unauth_attr | wc -l` + rm $f.sigs + + if [ $ts_len -ne 228 ]; then + echo "timestamp format changed. Expected 228 lines, but received $ts_len" + fi + + missing_attrs=0 + # Random selection. We can choose better ones later. + for exp in "d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData" \ + "d=4 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo" \ + "d=9 hl=2 l= 40 prim: PRINTABLESTRING :DigiCert SHA2 Assured ID Timestamping CA" \ + "d=9 hl=2 l= 23 prim: PRINTABLESTRING :DigiCert Timestamp 2021" \ + "d=7 hl=2 l= 9 prim: OBJECT :signingTime"; do + #echo "Checking '$exp'" + if ! `echo $ts | grep -q "$exp"`; then + missing_attrs=`expr $missing_attrs + 1` + echo "no: missing attribute: $exp" + fi + done + if [ $missing_attrs -ne 0 ]; then + MISSING_TIMESTAMP=`expr $MISSING_TIMESTAMP + 1` + else + echo yes + fi + + CHECKED_PACKAGES=`expr ${CHECKED_PACKAGES} + 1` +done + +if [ "${MISSING_TIMESTAMP}" -ne 0 ]; then + echo "${MISSING_TIMESTAMP} packages not timestamped." + exit 1 +fi + +if [ "${CHECKED_PACKAGES}" -ne `ls *.exe | wc -l` ]; then + echo "Some packages were not verified!." + exit 1 +fi + +echo "Successfully verified are ${CHECKED_PACKAGES} timestamped" + +exit 0 diff --git a/tools/marsigning_check.sh b/tools/marsigning_check.sh index fb5e4f6..28f149a 100755 --- a/tools/marsigning_check.sh +++ b/tools/marsigning_check.sh 
@@ -35,6 +35,7 @@ # 2) Let LD_LIBRARY_PATH point to the mar-tools directory # 3) Let NSS_DB_DIR point to the directory containing the database with the # signing certificate to check against. +# 4) Let CHANNEL be the expected update channel # # To create the database to use for signature checking import the # release*.der certificate of your choice found in @@ -66,6 +67,12 @@ then exit 1 fi
+if [ -z "$CHANNEL" ] +then + echo "The update channel is missing! ([nightly|alpha|release])" + exit 1 +fi + unsigned_mars=0 badsigned_mars=0 not_reproduced_mars=0 @@ -98,6 +105,11 @@ for f in *.mar; do fi fi
+ # Test 1.5: Is the MAR file correctly signed by the correct channel key? + if [ ! "$($SIGNMAR -T "$f" | grep "MAR channel name")" = " - MAR channel name: torbrowser-torproject-${CHANNEL}" ]; then + echo "$f contains wrong update channel!" + fi + # Test 2: Do we get the old SHA-256 sum after stripping the MAR signature? We # want to have a test for that to be sure we've the signed MAR files in front # of us which we actually want to ship to our users. diff --git a/tools/signing/check_file_counts b/tools/signing/check_file_counts new file mode 100755 index 0000000..beaa8e7 --- /dev/null +++ b/tools/signing/check_file_counts 
@@ -0,0 +1,168 @@ +#!/bin/bash + +#set -x +#set -e + +VERSION=$1 +LANG_COUNT=$2 +INCREMENTAL_VERSIONS="$3" +SIGNERS="$4" + +if [ "$#" -ne 4 ]; then + echo "<version> <lang_count> <incrementals> <signers>" + exit +fi + +INSTALL_PLATFORMS="tor-browser-linux32-${VERSION}_*.tar.xz tor-browser-linux64-${VERSION}_*.tar.xz torbrowser-install-${VERSION}_*.exe torbrowser-install-win64-${VERSION}_*.exe TorBrowser-${VERSION}-osx64_*.dmg" + +MAR_PLATFORMS="linux32 linux64 win32 win64 osx64" +MAR_TOOLS_PLATFORMS="linux32 linux64 win32 win64 mac64" + +total_count=0 +remaining_files=$(ls) + +for p in ${INSTALL_PLATFORMS}; do + expand_p=$(echo "${p}" | sed 's/\*/*/g') + test "$(ls ${expand_p} 2>/dev/null | wc -l)" = "${LANG_COUNT}" || echo "${p} not ${LANG_COUNT}" + total_count=$(( total_count + LANG_COUNT )) + for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') + done +done + +for p in ${INSTALL_PLATFORMS}; do + expand_p="$(echo "${p}" | sed 's/\*/*/g')" + test "$(ls ${expand_p}.asc 2>/dev/null | wc -l)" = "${LANG_COUNT}" || echo "${p}.asc not ${LANG_COUNT}" + total_count=$(( total_count + LANG_COUNT )) + for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}.asc"' / /') + done +done + +p=tor-browser-"${VERSION}"-android-*-multi*.apk +expand_p="$(echo "${p}" | sed 's/\\*/*/g')" +test "$(ls ${expand_p} 2>/dev/null | wc -l)" = 8 || echo "${p} not 8" +total_count=$(( total_count + 8 )) +for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') +done +test "$(ls ${expand_p}.asc 2>/dev/null | wc -l)" = 8 || echo "${p}.asc not 8" +total_count=$(( total_count + 8 )) +for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}.asc"' / /') +done + +for p in ${MAR_PLATFORMS}; do + count=$(ls tor-browser-"${p}"-"${VERSION}"_*.mar 2>/dev/null | wc -l) + test "${count}" -eq "${LANG_COUNT}" || echo "${p} not ${LANG_COUNT} (found $count)" + 
total_count=$(( total_count + count )) + for f in tor-browser-"${p}"-"${VERSION}"_*.mar; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') + done +done + +for p in ${MAR_TOOLS_PLATFORMS}; do + test -f mar-tools-"${p}".zip || echo mar-tools-"${p}".zip does not exit + total_count=$(( total_count + 1 )) + remaining_files=$(echo "${remaining_files}" | sed 's/ 'mar-tools-"${p}".zip' / /') +done + +for p in ${MAR_TOOLS_PLATFORMS}; do + test -f mar-tools-"${p}".zip.asc || echo mar-tools-"${p}".zip.asc does not exit + total_count=$(( total_count + 1 )) + remaining_files=$(echo "${remaining_files}" | sed 's/ 'mar-tools-"${p}".zip.asc' / /') +done + +for p in ${MAR_PLATFORMS}; do + for i in ${INCREMENTAL_VERSIONS}; do + count="$(ls tor-browser-"${p}"-"${i}"-"${VERSION}"_*.mar 2>/dev/null | wc -l)" + test "${count}" -eq "${LANG_COUNT}" || echo "${p} ${i} incrementals not ${LANG_COUNT} (found $count)" + total_count=$(( total_count + count )) + for f in tor-browser-"${p}"-"${i}"-"${VERSION}"_*.mar; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') + done + done +done + +for f in tor-win32-*.zip tor-win64-*.zip; do + test -f "${f}" || echo "${f} does not exist" + test -f "${f}.asc" || echo "${f}.asc does not exist" + total_count=$(( total_count + 2 )) + remaining_files=$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /') + remaining_files=$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /') +done + +for f in sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt; do + test -f ${f} || echo ${f} does not exist + test -f ${f}.asc || echo ${f}.asc does not exist + total_count=$(( total_count + 2 )) + #remaining_files=$(echo ${remaining_files} | sed 's/ '${f}' / /') + remaining_files=$(echo "${remaining_files}" | sed 's/ '${f}' / /') + remaining_files=$(echo "${remaining_files}" | sed 's/ '${f}.asc' / /') +done + +for s in ${SIGNERS}; 
do + for f in sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt; do + test -f "${f}.asc-${s}" || echo "${f}.asc-${s} does not exist" + total_count=$(( total_count + 1 )) + remaining_files="$(echo "${remaining_files}" | sed 's/ '"${f}.asc-${s}"' / /')" + done +done + +for f in sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt; do + for s in "${f}".asc-*; do + gpg2 --quiet --verify "${s}" ${f} + done +done + +for f in sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt; do + gpg2 --quiet --verify ${f}.asc ${f} +done + +for f in sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt; do + sha256sum --quiet -c $f +done + +f=geckodriver-linux64.tar.xz +test -f ${f} || echo ${f} does not exist +test -f ${f}.asc || echo ${f}.asc does not exist +total_count=$(( total_count + 2 )) +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +for f in tor-browser-linux64-debug.tar.xz tor-linux32-debug.tar.xz tor-linux64-debug.tar.xz; do + test -f ${f} || echo ${f} does not exist + test -f ${f}.asc || echo ${f}.asc does not exist + total_count=$(( total_count + 2 )) + remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" + remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" +done + +test "$(ls src-firefox-tor-browser-*.tar.xz 2>/dev/null | wc -l)" = 1 || echo src-firefox-tor-browser-*.tar.xz is wrong +test "$(ls src-firefox-tor-browser-*.tar.xz.asc 2>/dev/null | wc -l)" = 1 || echo src-firefox-tor-browser-*.tar.xz.asc is wrong +total_count=$(( total_count + 2 )) +f="$(ls src-firefox-tor-browser-*.tar.xz)" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +test "$(ls src-tor-launcher-*.tar.xz 2>/dev/null | wc -l)" = 1 || echo 
src-tor-launcher-*.tar.xz is wrong +test "$(ls src-tor-launcher-*.tar.xz.asc 2>/dev/null | wc -l)" = 1 || echo src-tor-launcher-*.tar.xz.asc is wrong +total_count=$(( total_count + 2 )) +f="$(ls src-tor-launcher-*.tar.xz)" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +test "$(ls langpacks-tor-browser-linux64-*.tar.xz 2>/dev/null | wc -l)" = 1 || echo langpacks-tor-browser-linux64-*.tar.xz is wrong +test "$(ls langpacks-tor-browser-linux64-*.tar.xz.asc 2>/dev/null | wc -l)" = 1 || echo langpacks-tor-browser-linux64-*.tar.xz.asc is wrong +total_count=$(( total_count + 2 )) +f="$(ls langpacks-tor-browser-linux64-*.tar.xz)" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +# Expected file endings +file_count_by_ending="$(ls ./*.tar.xz{,.asc} ./*.zip{,.asc} ./*.exe{,.asc} ./*.mar ./*.dmg{,.asc} ./*.apk{,.asc} ./*.txt{,.asc} ./*.txt.asc-* | wc -l)" +test "${file_count_by_ending}" -eq ${total_count} || echo "Unexpected file endings: counted ${file_count_by_ending} vs ${total_count}" + +test "$(ls | wc -l)" -eq ${total_count} || echo "wrong total count: $(ls | wc -l) vs ${total_count}" +echo "${remaining_files}" +echo done.
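Review bot: in authenticode_verify_timestamp.sh, `CHECKED_PACKAGES` is never initialised (the script initialises `VERIFIED_PACKAGES`, which is then never used), so the first `expr ${CHECKED_PACKAGES} + 1` runs as `expr + 1`; GNU expr happens to treat `+ 1` as the string `1`, other implementations error out. Change the initialisation to `CHECKED_PACKAGES=0`. Likewise `if ! `echo $ts | grep -q "$exp"`; then` executes grep's (empty) output as a command and only works because an empty command inherits the status of the last command substitution; write `if ! echo $ts | grep -q "$exp"; then`, and use `for f in *.exe` instead of `for f in `ls *.exe``.

Review bot: this check is presence-only: it extracts the PKCS#7 blob and greps the `openssl pkcs7 -print` dump for a handful of strings (the comment itself calls them a "random selection"), one of which is the yearly signer CN `DigiCert Timestamp 2021`, so the check will start reporting every package as untimestamped as soon as DigiCert rotates its TSA certificate; and a `ts_len` mismatch is only printed, not counted as a failure. Nothing here validates the Authenticode signature or the timestamp token's own signature, so a file with a present but invalid countersignature passes. Run `osslsigncode verify -in "$f"` on each file as well, pin the TSA by something more stable than the yearly CN, and make the line-count mismatch fail the run.

Review bot: in marsigning_check.sh, the new Test 1.5 only echoes `contains wrong update channel!`; unlike the surrounding tests it does not increment any of `unsigned_mars`, `badsigned_mars` or `not_reproduced_mars`, so a MAR built for the wrong channel still lets the script exit successfully. Add a `wrong_channel_mars` counter and fail at the end. The comment "correctly signed by the correct channel key" is also misleading: `$SIGNMAR -T` prints the channel name stored in the MAR header and says nothing about which key signed the file, so reword it to "Does the MAR file carry the expected update channel?".

Review bot: check_file_counts never sets a non-zero exit status: every check only `echo`es its finding, `set -e` is commented out, `gpg2 --verify` and `sha256sum -c` failures are not aggregated, and the script ends with `echo done.`, so it cannot gate anything that calls it; keep a failure counter and `exit 1` when it is non-zero, and make the usage error `exit 1` instead of a bare `exit`. The `remaining_files` bookkeeping is also broken for the first half of the script: `$(ls)` is newline-separated, so the `sed 's/ NAME / /'` patterns that require a space on either side of the name never match and those files are never removed, whereas the later `sed 's/[ ]*NAME[ ]*/ /'` form does work; use the second form throughout (or track the names in an array). Minor: the mar-tools messages read "does not exit" for "does not exist". As with publish_version.sh, `gpg2 --quiet --verify` here accepts any key in the keyring; pin the expected signer keys.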
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 5b7e8d17a55d3ff2525e8705efd6dd9122a71021
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Thu Mar 24 13:11:05 2022 +0100

Bug 40414: Remove tools/update/format_changelog.pl

This is replaced by tools/changelog-format-blog-post
---
 tools/update/format_changelog.pl | 64 ----------------------------------------
 1 file changed, 64 deletions(-)
diff --git a/tools/update/format_changelog.pl b/tools/update/format_changelog.pl deleted file mode 100755 index c469b37..0000000 --- a/tools/update/format_changelog.pl +++ /dev/null @@ -1,64 +0,0 @@ -#!/usr/bin/perl -w - -# Read ChangeLog.txt from stdin -# $ ./format_changelog.pl < ChangeLog.txt - -my $once = 0; -my $last_indent=0; - -sub finish { - while ($last_indent > 2) { - print "</ul>\n"; - # Every entry in the ChangeLog is indented by 2 characters - # except for the first Platform line - $last_indent -= 2 - } - exit; -} - -while (<>) { - #print "$_"; - my $line = ""; - if ($_ =~ /^Tor Browser /) { - finish() unless $once == 0; - $once = 1; - next; - } - # Skip empty lines - if ($_ =~ /^\s*$/) { - next; - } - #print ">>> $_"; - if ($_ =~ /(\s+)* Bug (\d+):(.*)$/) { - my $indentation = $1; - my $bug = $2; - my $description = $3; - my $current_indent = length($indentation); - if ($current_indent > $last_indent) { - $line = "<ul>"; - } elsif ($current_indent < $last_indent) { - $line = "</ul>"; - } - $last_indent = $current_indent; - if ($bug < 40000) { - $line.="<li><a href="https://bugs.torproject.org/$bug%5C%22%3EBug $bug</a>:$3</li>"; - } else { - $description =~ /(.*)[([a-z-]*)]$/; - my $project = "tpo/applications/$2/$bug" // "$bug"; - $line.="<li><a href="https://bugs.torproject.org/$project%5C%22%3EBug $bug</a>:$1</li>"; - } - } elsif ($_ =~ /(\s+)* (.*)$/) { - my $indentation = $1; - my $current_indent = length($indentation); - if ($current_indent > $last_indent) { - $line = "<ul>"; - } elsif ($current_indent < $last_indent) { - $line = "</ul>"; - } - $last_indent = $current_indent; - $line .= "<li>$2"; - } else { - $line = $_; - } - print "$line\n"; -}
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit aab61319681bd037abc9b4b4781f64953061e23c
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Fri Jan 14 12:25:06 2022 +0100
Bug 40414: Add common config and functions files
Add common config file used to set Tor Browser version (and later other things). We also add a `functions` file where we can put functions used in multiple scripts.
The following lines can be used at the top of a script to use the config and functions files:
  script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
  source "$script_dir/functions"
---
 tools/signing/functions              | 16 ++++++++++++++++
 tools/signing/set-config             | 1 +
 tools/signing/set-config.tbb-version | 7 +++++++
 3 files changed, 24 insertions(+)
diff --git a/tools/signing/functions b/tools/signing/functions new file mode 100644 index 0000000..f53f6ed --- /dev/null +++ b/tools/signing/functions @@ -0,0 +1,16 @@ +function exit_error { + for msg in "$@" + do + echo "$msg" > /dev/stderr + done + exit 1 +} + +function var_is_defined { + for var in "$@" + do + test -n "${!var}" || exit_error "$var is not defined (see set-config* files)" + done +} + +. "$script_dir/set-config" diff --git a/tools/signing/set-config b/tools/signing/set-config new file mode 100644 index 0000000..70f1200 --- /dev/null +++ b/tools/signing/set-config @@ -0,0 +1 @@ +. "$script_dir/set-config.tbb-version" diff --git a/tools/signing/set-config.tbb-version b/tools/signing/set-config.tbb-version new file mode 100644 index 0000000..5e844b5 --- /dev/null +++ b/tools/signing/set-config.tbb-version @@ -0,0 +1,7 @@ +# The following 3 lines should be uncommented and updated: + +#tbb_version=11.5a4 +#tbb_version_build=1 +#tbb_version_type=alpha + +var_is_defined tbb_version tbb_version_build tbb_version_type
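Review bot: `functions` dereferences `$script_dir` when it sources `set-config`, but only the caller sets that variable; a script that omits the `script_dir=...` line will try to source `/set-config` and fail with an unhelpful message. Add `test -n "$script_dir" || exit_error "script_dir is not set"` before the `. "$script_dir/set-config"` line. In `exit_error`, `echo "$msg" > /dev/stderr` depends on `/dev/stderr` being openable, which is not the case when fd 2 is, for example, a socket; `echo "$msg" >&2` is the usual form and has no such dependency. One more point on `set-config.tbb-version`: the three values are commented-out placeholders in a tracked file, so every release means uncommitted local edits to the checkout; consider having `set-config` source an untracked `set-config.local` (if present) for them, so the repository stays clean and `var_is_defined` still enforces that they are set.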
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 1ecaffeb7031ca9c2baf756ae895bf5df6841d4b
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Fri Jan 14 13:35:41 2022 +0100
Bug 40414: Improve the gatekeeper-bundling.sh script
- use common config
- add ddmg.sh
- check if needed dependencies are installed
---
 tools/signing/ddmg.sh                | 41 ++++++++++++++++++++++++++++++++
 tools/signing/gatekeeper-bundling.sh | 46 ++++++++++++++++++++++++++----------
 tools/signing/set-config             | 8 +++++++
 3 files changed, 82 insertions(+), 13 deletions(-)
diff --git a/tools/signing/ddmg.sh b/tools/signing/ddmg.sh new file mode 100755 index 0000000..45de211 --- /dev/null +++ b/tools/signing/ddmg.sh @@ -0,0 +1,41 @@ +#!/bin/bash + +# This script is called from gatekeeper-bundling.sh, and creates a dmg +# file from a directory +# +# Usage: +# ddmg.sh <dmg-file> <src-directory> + +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +dest_file="$1" +src_dir="$2" + +set +e +find $src_dir -executable -exec chmod 0755 {} ; 2> /dev/null +find $src_dir ! -executable -exec chmod 0644 {} ; 2> /dev/null + +find $src_dir -exec touch -m -t 200001010101 {} ; 2> /dev/null +set -e + +dmg_tmpdir=$(mktemp -d) +filelist="$dmg_tmpdir/filelist.txt" +cd $src_dir +find . -type f | sed -e 's/^.///' | sort | xargs -i echo "{}={}" > $filelist +find . -type l | sed -e 's/^.///' | sort | xargs -i echo "{}={}" >> $filelist + +export LD_PRELOAD=$faketime_path +export FAKETIME="2000-01-01 01:01:01" + +echo "Starting: " $(basename $dest_file) + +genisoimage -D -V "Tor Browser" -no-pad -R -apple -o "$dmg_tmpdir/tbb-uncompressed.dmg" -path-list $filelist -graft-points -gid 20 -dir-mode 0755 -new-dir-mode 0755 + +dmg dmg "$dmg_tmpdir/tbb-uncompressed.dmg" "$dest_file" + +echo "Finished: " $(basename $dest_file) + +rm -Rf "$dmg_tmpdir" diff --git a/tools/signing/gatekeeper-bundling.sh b/tools/signing/gatekeeper-bundling.sh index 742bc61..9d3da01 100755 --- a/tools/signing/gatekeeper-bundling.sh +++ b/tools/signing/gatekeeper-bundling.sh @@ -30,20 +30,40 @@ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-TORBROWSER_VERSION=$1 -if [ -z $TORBROWSER_VERSION ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" -builddir=/path/to/the/build/dir -mkdir $builddir/$TORBROWSER_VERSION-signed -for LANG in $BUNDLE_LOCALES +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +which genisoimage > /dev/null || \ + exit_error 'genisoimage is missing. You should install the genisoimage package.' +test -f $faketime_path || \ + exit_error "$faketime_path is missing" +test -d $macos_stapled_dir || \ + exit_error "The stapled macos zip files should be placed in directory $macos_stapled_dir" +libdmg_file="$script_dir/../../out/libdmg-hfsplus/libdmg-hfsplus-dfd5e5cc3dc1-c9296e.tar.gz" +test -f "$libdmg_file" || \ + exit_error "$libdmg_file is missing." \ + "You can build it with:" \ + " ./rbm/rbm build --target no_containers libdmg-hfsplus" \ + "See var/deps in projects/libdmg-hfsplus/config for the list of build dependencies" + +test -d "$macos_signed_dir" || mkdir "$macos_signed_dir" +tmpdir="$macos_stapled_dir/tmp" +rm -Rf "$tmpdir" +mkdir "$tmpdir" +cp -rT "$script_dir/../../projects/tor-browser/Bundle-Data/mac-applications.dmg" "$tmpdir/dmg" + +tar -C "$tmpdir" -xf "$libdmg_file" +export PATH="$PATH:$tmpdir/libdmg-hfsplus" + +for lang in $bundle_locales do - cd $builddir/dmg - unzip -q $builddir/$TORBROWSER_VERSION/tb-${TORBROWSER_VERSION}_$LANG-stapled.zip + cd $tmpdir/dmg + unzip -q $macos_stapled_dir/tb-${tbb_version}_$lang-stapled.zip cd .. - $builddir/ddmg.sh $builddir/$TORBROWSER_VERSION-signed/TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg $builddir/dmg/ + $script_dir/ddmg.sh $macos_signed_dir/TorBrowser-${tbb_version}-osx64_$lang.dmg $tmpdir/dmg/ rm -rf 'dmg/Tor Browser.app' done + +rm -Rf "$tmpdir" 
diff --git a/tools/signing/set-config b/tools/signing/set-config index 70f1200..99e1bfa 100644 --- a/tools/signing/set-config +++ b/tools/signing/set-config @@ -1 +1,9 @@ . "$script_dir/set-config.tbb-version" + +bundle_locales="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" + +signed_dir="$script_dir/../../$tbb_version_type/signed" +macos_stapled_dir="$signed_dir/$tbb_version-macos-stapled" +macos_signed_dir="$signed_dir/$tbb_version-macos-signed" + +faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
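Review bot: ddmg.sh never validates its two arguments, so with an empty `src_dir` the `cd $src_dir` changes to `$HOME` and the following `find . -type f` packs the caller's home directory into the dmg; add a check before anything else, e.g. `test -n "$src_dir" -a -d "$src_dir" || exit_error "Usage: ddmg.sh <dmg-file> <src-directory>"` (exit_error comes from the sourced `functions` file), and quote `$src_dir`, `$dest_file` and `$filelist` where they are used bare. The `set +e` plus `2> /dev/null` around the `chmod` and `touch` calls also hides every failure: a file whose mtime could not be reset to 2000-01-01 silently changes the dmg contents, so at least warn when one of those `find` runs returns non-zero. As rendered here the `-exec ... {} ;` terminator is unescaped; if that is not just the mail rendering dropping a backslash, `find` aborts with "missing argument to -exec" and that same redirect masks it, so make sure it reads `{} \;`. Finally `rm -Rf "$dmg_tmpdir"` only runs on success; under `set -e` a failing `genisoimage` or `dmg` leaves the temporary directory behind, which a `trap 'rm -Rf "$dmg_tmpdir"' EXIT` would avoid.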
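Review bot: The sanity checks at the top of gatekeeper-bundling.sh pass when the variable they test is unset: `test -f $faketime_path` and `test -d $macos_stapled_dir` are unquoted, so an empty value turns them into `test -f` and `test -d`, both of which return true, and the script runs on with an empty `LD_PRELOAD` in ddmg.sh, meaning faketime is never loaded and the dmg timestamps are silently not fixed. Quote the operands and check the configuration first, e.g. `var_is_defined faketime_path macos_stapled_dir` as the sync-* scripts later in this series do. Separately, `libdmg_file` hard-codes the build id in `libdmg-hfsplus-dfd5e5cc3dc1-c9296e.tar.gz`; any change to projects/libdmg-hfsplus/config changes that name, and the `test -f` then tells the user to build a tarball they may already have, so either compute the name from rbm or add a comment saying the id must be updated together with the project config.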
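Review bot: The `bundle_locales` list added to set-config is not the list this same commit removes from gatekeeper-bundling.sh: `lt`, `ms`, `my` and `th` are new, so the macOS bundling loop now expects four stapled zips (`tb-${tbb_version}_lt-stapled.zip` and so on) it did not expect before and exits under `set -e` at the `unzip -q` if they are absent. If the extra locales are intended, say so in the commit message ("use common config" reads as a pure refactoring); if not, restore the previous list. `faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1` also bakes a Debian/Ubuntu amd64 multiarch path into shared config; a comment stating which host that path is for would help whoever runs this elsewhere.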
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 54998d8366d3e07c780a78c29c4d128866c1c0eb Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Jan 17 11:40:29 2022 +0100
Bug 40414: Add osslsigncode project --- .../0001-Make-code-work-with-OpenSSL-1.1.patch | 324 +++++++++++++++++++++ projects/osslsigncode/build | 19 ++ projects/osslsigncode/config | 17 ++ projects/osslsigncode/timestamping.patch | 56 ++++ 4 files changed, 416 insertions(+)
diff --git a/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch b/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch new file mode 100644 index 0000000..e290ab0 --- /dev/null +++ b/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch 
@@ -0,0 +1,324 @@ +From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Reimar.Doeffinger@gmx.de +Date: Sun, 12 Mar 2017 23:00:12 +0100 +Subject: [PATCH] Make code work with OpenSSL 1.1. + +Changes in consist of: +- Use EVP_MD_CTX_new/free API instead of on-stack allocation +- Remove some M_ prefixes like for ASN1_IA5STRING_new +- Remove pagehash functionality because it is useless to me and + fixing it would be a pain. Would require declaring a few + ASN_SEQUENCES and use that to get the required i2d functions + from what I could find out. +- Remove OBJ_create calls that seem to serve no purpose, + now crash because NULL pointers are no longer handled + (who changes API that way?!) and even if that was fixed + lead to errors when these objects are later created + again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think, + did not investigate further). + +diff --git a/osslsigncode.c b/osslsigncode.c +index 2978c02..3797458 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url) + if (desc) { + info->programName = SpcString_new(); + info->programName->type = 1; +- info->programName->value.ascii = M_ASN1_IA5STRING_new(); +- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii, ++ info->programName->value.ascii = ASN1_IA5STRING_new(); ++ ASN1_STRING_set(info->programName->value.ascii, + (const unsigned char*)desc, strlen(desc)); + } + + if (url) { + info->moreInfo = SpcLink_new(); + info->moreInfo->type = 0; +- info->moreInfo->value.url = M_ASN1_IA5STRING_new(); +- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url, ++ info->moreInfo->value.url = ASN1_IA5STRING_new(); ++ ASN1_STRING_set(info->moreInfo->value.url, + (const unsigned char*)url, strlen(url)); + } + +@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const + + if (rfc3161) { + unsigned char 
mdbuf[EVP_MAX_MD_SIZE]; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length); +- EVP_DigestFinal(&mdctx, mdbuf, NULL); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length); ++ EVP_DigestFinal(mdctx, mdbuf, NULL); ++ EVP_MD_CTX_free(mdctx); ++ mdctx = NULL; + + TimeStampReq *req = TimeStampReq_new(); + ASN1_INTEGER_set(req->version, 1); + req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); + req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new(); + req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL; +- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); ++ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); + req->certReq = (void*)0x1; + + len = i2d_TimeStampReq(req, NULL); +@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = { + 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6 + }; + +-static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus, +- unsigned int sigpos, int phtype, unsigned int *phlen); +- +-DECLARE_STACK_OF(ASN1_OCTET_STRING) +-#ifndef sk_ASN1_OCTET_STRING_new_null +-#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING) +-#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st)) +-#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val)) +-#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \ +- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) +-#endif +- +-DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue) +-#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null +-#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue) 
+-#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st)) +-#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val)) +-#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \ +- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) +-#endif +- +-static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos) +-{ +- unsigned int phlen; +- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen); +- if (!ph) { +- fprintf(stderr, "Failed to calculate page hash\n"); +- exit(-1); +- } +- +- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new(); +- M_ASN1_OCTET_STRING_set(ostr, ph, phlen); +- free(ph); +- +- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null(); +- sk_ASN1_OCTET_STRING_push(oset, ostr); +- unsigned char *p, *tmp; +- unsigned int l; +- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- tmp = p = OPENSSL_malloc(l); +- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- ASN1_OCTET_STRING_free(ostr); +- sk_ASN1_OCTET_STRING_free(oset); +- +- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new(); +- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? 
SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1); +- aval->value = ASN1_TYPE_new(); +- aval->value->type = V_ASN1_SET; +- aval->value->value.set = ASN1_STRING_new(); +- ASN1_STRING_set(aval->value->value.set, p, l); +- OPENSSL_free(p); +- +- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null(); +- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval); +- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- tmp = p = OPENSSL_malloc(l); +- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- sk_SpcAttributeTypeAndOptionalValue_free(aset); +- SpcAttributeTypeAndOptionalValue_free(aval); +- +- SpcSerializedObject *so = SpcSerializedObject_new(); +- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash)); +- M_ASN1_OCTET_STRING_set(so->serializedData, p, l); +- OPENSSL_free(p); +- +- SpcLink *link = SpcLink_new(); +- link->type = 1; +- link->value.moniker = so; +- return link; +-} +- + static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type, +- int pagehash, char *indata, unsigned int peheader, int pe32plus, ++ char *indata, unsigned int peheader, int pe32plus, + unsigned int sigpos) + { + static const unsigned char msistr[] = { +@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + } else if (type == FILE_TYPE_PE) { + SpcPeImageData *pid = SpcPeImageData_new(); + ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0); +- if (pagehash) { +- int phtype = NID_sha1; +- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1())) +- phtype = NID_sha256; +- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos); +- } else { +- pid->file = get_obsolete_link(); +- } ++ pid->file = get_obsolete_link(); + l = i2d_SpcPeImageData(pid, 
NULL); + p = OPENSSL_malloc(l); + i2d_SpcPeImageData(pid, &p); +@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + ASN1_INTEGER_set(si->d, 0); + ASN1_INTEGER_set(si->e, 0); + ASN1_INTEGER_set(si->f, 0); +- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); ++ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); + l = i2d_SpcSipInfo(si, NULL); + p = OPENSSL_malloc(l); + i2d_SpcSipInfo(si, &p); +@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + hashlen = EVP_MD_size(md); + hash = OPENSSL_malloc(hashlen); + memset(hash, 0, hashlen); +- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); ++ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); + OPENSSL_free(hash); + + *len = i2d_SpcIndirectDataContent(idc, NULL); +@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, + unsigned int peheader, int pe32plus, unsigned int fileend) + { + static unsigned char bfb[16*1024*1024]; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); ++ EVP_DigestInit(mdctx, md); + + memset(mdbuf, 0, EVP_MAX_MD_SIZE); + + (void)BIO_seek(bio, 0); + BIO_read(bio, bfb, peheader + 88); +- EVP_DigestUpdate(&mdctx, bfb, peheader + 88); ++ EVP_DigestUpdate(mdctx, bfb, peheader + 88); + BIO_read(bio, bfb, 4); + BIO_read(bio, bfb, 60+pe32plus*16); +- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16); ++ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16); + BIO_read(bio, bfb, 8); + + unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8; +@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, + int l = BIO_read(bio, bfb, want); + if (l <= 0) + break; +- EVP_DigestUpdate(&mdctx, bfb, l); ++ EVP_DigestUpdate(mdctx, bfb, l); + n += l; + } + +- EVP_DigestFinal(&mdctx, mdbuf, NULL); ++ EVP_DigestFinal(mdctx, 
mdbuf, NULL); ++ EVP_MD_CTX_free(mdctx); + } + + +@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe + int phlen = pphlen * (3 + nsections + sigpos / pagesize); + unsigned char *res = malloc(phlen); + unsigned char *zeroes = calloc(pagesize, 1); +- EVP_MD_CTX mdctx; +- +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, indata, peheader + 88); +- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16); +- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); +- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize); ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); ++ ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, indata, peheader + 88); ++ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16); ++ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); ++ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize); + memset(res, 0, 4); +- EVP_DigestFinal(&mdctx, res + 4, NULL); ++ EVP_DigestFinal(mdctx, res + 4, NULL); + + unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20); + char *sections = indata + peheader + 24 + sizeofopthdr; +@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe + unsigned int l; + for (l=0; l < rs; l+=pagesize, pi++) { + PUT_UINT32_LE(ro + l, res + pi*pphlen); +- EVP_DigestInit(&mdctx, md); ++ EVP_DigestInit(mdctx, md); + if (rs - l < pagesize) { +- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l); +- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l)); ++ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l); ++ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l)); + } else { +- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize); ++ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize); + } +- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL); ++ EVP_DigestFinal(mdctx, res + 
pi*pphlen + 4, NULL); + } + lastpos = ro + rs; + sections += 40; + } ++ EVP_MD_CTX_free(mdctx); ++ mdctx = NULL; + PUT_UINT32_LE(lastpos, res + pi*pphlen); + memset(res + pi*pphlen + 4, 0, EVP_MD_size(md)); + pi++; +@@ -2413,7 +2333,7 @@ int main(int argc, char **argv) + int nturl = 0, ntsurl = 0; + int addBlob = 0; + u_char *p = NULL; +- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0; ++ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0; + unsigned int tmp, peheader = 0, padlen = 0; + off_t filesize, fileend, sigfilesize, sigfileend, outdatasize; + file_type_t type; +@@ -2448,13 +2368,6 @@ int main(int argc, char **argv) + ERR_load_crypto_strings(); + OPENSSL_add_all_algorithms_conf(); + +- /* create some MS Authenticode OIDS we need later on */ +- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) || +- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) || +- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) || +- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL)) +- DO_EXIT_0("Failed to add objects\n"); +- + md = EVP_sha1(); + + if (argc > 1) { +@@ -2531,8 +2444,6 @@ int main(int argc, char **argv) + readpass = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) { + comm = 1; +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) { +- pagehash = 1; + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { + if (--argc < 1) usage(argv0); + desc = *(++argv); +@@ -3243,7 +3154,7 @@ int main(int argc, char **argv) + p7x = NULL; + } + +- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend); ++ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend); + len -= EVP_MD_size(md); + memcpy(buf, p, len); + OPENSSL_free(p); +-- +2.34.1 + diff --git a/projects/osslsigncode/build b/projects/osslsigncode/build new file mode 100644 index 0000000..0f7ae9b --- /dev/null +++ b/projects/osslsigncode/build 
@@ -0,0 +1,19 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +distdir=$(pwd)/dist +mkdir -p $distdir/[% project %] +tar xf [% project %]-[% c('version') %].tar.gz +cd [% project %]-[% c('version') %] +patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch +patch -p1 < ../timestamping.patch + +./autogen.sh +./configure --prefix=/[% project %] +make +make DESTDIR=$distdir install + +cd $distdir +[% c('tar', { + tar_src => [ project ], + tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), + }) %] diff --git a/projects/osslsigncode/config b/projects/osslsigncode/config new file mode 100644 index 0000000..03dbcba --- /dev/null +++ b/projects/osslsigncode/config @@ -0,0 +1,17 @@ +# vim: filetype=yaml sw=2 +version: '[% c("abbrev") %]' +git_url: https://github.com/mtrojnar/osslsigncode +git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' +var: + container: + use_container: 0 + deps: + - autoconf + - libtool + - pkg-config + - libssl-dev + - libcurl4-openssl-dev +input_files: + - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch + - filename: timestamping.patch diff --git a/projects/osslsigncode/timestamping.patch b/projects/osslsigncode/timestamping.patch new file mode 100644 index 0000000..94b5261 --- /dev/null +++ b/projects/osslsigncode/timestamping.patch 
@@ -0,0 +1,56 @@ +From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001 +From: Georg Koppen gk@torproject.org +Date: Fri, 5 Feb 2016 09:23:10 +0000 +Subject: [PATCH] Allow timestamping with the 'add' command + + +diff --git a/osslsigncode.c b/osslsigncode.c +index 32e37c8..2978c02 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -2556,16 +2556,16 @@ int main(int argc, char **argv) + if (--argc < 1) usage(argv0); + url = *(++argv); + #ifdef ENABLE_CURL +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { + if (--argc < 1) usage(argv0); + turl[nturl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { + if (--argc < 1) usage(argv0); + tsurl[ntsurl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { + if (--argc < 1) usage(argv0); + proxy = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { + noverifypeer = 1; + #endif + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { +-- +2.7.0 + + +From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001 +From: Georg Koppen gk@torproject.org +Date: Sat, 11 Apr 2020 05:50:36 +0000 +Subject: [PATCH] fixup! 
Allow timestamping with the 'add' command + + +diff --git a/osslsigncode.c b/osslsigncode.c +index 3797458..4f4b897 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -2447,7 +2447,7 @@ int main(int argc, char **argv) + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { + if (--argc < 1) usage(argv0); + desc = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) { + if (--argc < 1) usage(argv0); + ++argv; + if (!strcmp(*argv, "md5")) { +-- +2.26.0
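Review bot: In 0001-Make-code-work-with-OpenSSL-1.1.patch the hunk at `@@ -921,83 +922,8 @@` removes the forward declaration of `calc_page_hash` and its only caller `get_page_hash_link`, while the hunks at `@@ -2019` and `@@ -2040` keep (and convert) `calc_page_hash` itself, so the patched tree contains a `static` function that is never called; that is an unused-function warning on every `-Wall` build and an error if `-Werror` is ever enabled, so either drop the definition too or keep the page-hash feature. The same patch never checks the return value of `EVP_MD_CTX_new()` in `add_timestamp`, `calc_pe_digest` and `calc_page_hash`; a NULL context goes straight into `EVP_DigestInit`. As this is a vendored third-party patch, a small follow-up patch in the same directory is the cleaner fix than editing it in place, and the commit message should mention that the vendored patch also removes the `-ph` option, which is a behaviour change for anyone who scripted page hashes.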
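Review bot: projects/osslsigncode/config sets `use_container: 0`, so `build` compiles against whatever `libssl-dev` and `libcurl4-openssl-dev` the build host has and `make DESTDIR=$distdir install` produces a dynamically linked binary; that tarball is later unpacked on another machine by authenticode-timestamping.sh (`export PATH="$PATH:$tmp_dir/osslsigncode/bin"`), which only works if that machine has ABI-compatible libssl and libcurl. Record that constraint in the config or in the error text of authenticode-timestamping.sh, or build in a container that matches the signing host.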
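Review bot: timestamping.patch ships a `fixup!` commit as a second patch; squash it into the first before vendoring so the file records one coherent change rather than a history artefact. On the content, the second patch makes `-h <algo>` accepted for `CMD_ADD`, and the `add_timestamp(..., md)` hunk in the OpenSSL patch shows the timestamp request imprint is computed with that digest, so the patch description should state that `-h` now selects the timestamp digest for `add`. `-noverifypeer` is also enabled for `add`; authenticode-timestamping.sh in this series uses a plain `http://` TSA URL through a SOCKS proxy and never passes it, so consider leaving that flag sign-only rather than widening where TLS verification can be switched off.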
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 4063e499cf73bac3a5ba2fcd206e967672e27002 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Jan 17 12:56:52 2022 +0100
Bug 40414: Improve the authenticode-timestamping.sh script --- tools/signing/authenticode-timestamping.sh | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/tools/signing/authenticode-timestamping.sh b/tools/signing/authenticode-timestamping.sh index 77973b7..4e07ae3 100755 --- a/tools/signing/authenticode-timestamping.sh +++ b/tools/signing/authenticode-timestamping.sh @@ -32,10 +32,30 @@
set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz" + +test -f "$osslsigncode_file" || + exit_error "$osslsigncode_file is missing." \ + "You can build it with:" \ + " ./rbm/rbm build osslsigncode" \ + "See var/deps in projects/osslsigncode/config for the list of build dependencies" + +which rename > /dev/null 2>&1 || + exit_error '`rename` is missing.' + +tmp_dir="$signed_dir/$tbb_version/tmp-timestamp" +mkdir "$tmp_dir" +tar -C "$tmp_dir" -xf "$osslsigncode_file" +export PATH="$PATH:$tmp_dir/osslsigncode/bin" + +cd "$signed_dir/$tbb_version" COUNT=0 for i in `find . -name "*.exe" -print` do - /path/to/patched/osslsigncode add \ + osslsigncode add \ -t http://timestamp.digicert.com \ -p socks://127.0.0.1:9050 \ $i $i-timestamped @@ -44,3 +64,5 @@ do done echo "Timestamped $COUNT .exe files, now renaming" rename -f 's/-timestamped//' *-timestamped + +rm -Rf "$tmp_dir"
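Review bot: `which rename > /dev/null 2>&1` does not check the right thing: the script later runs `rename -f 's/-timestamped//' *-timestamped`, which is the Perl rename syntax, so on a host where `rename` is the util-linux binary the check passes and the rename fails only after every `.exe` has already been timestamped. Test for the expected implementation instead, e.g. by checking the output of `rename --version` for `File::Rename` (adjust to what the signing host's rename prints) before touching any file. Two smaller points: `mkdir "$tmp_dir"` without a preceding `rm -Rf "$tmp_dir"` makes the script abort under `set -e` after any failed earlier run, whereas gatekeeper-bundling.sh in this series does `rm -Rf "$tmpdir"` and then `mkdir "$tmpdir"`; and `tmp_dir` lives inside `$signed_dir/$tbb_version`, the directory that `sync-local-to-builder` and `sync-local-to-linux-signer` rsync in full, so if the script dies before the final `rm -Rf "$tmp_dir"` the extracted osslsigncode tree gets shipped along with the release files.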
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 2e66fd7412985e825e6b99a526399b09a8fac4f9 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Jan 17 14:13:11 2022 +0100
Bug 40414: Add sync-* signing scripts --- tools/signing/set-config | 6 ++++++ tools/signing/set-config.hosts | 6 ++++++ tools/signing/sync-builder-to-local | 8 ++++++++ tools/signing/sync-builder-to-local.dry-run | 1 + tools/signing/sync-builder-unsigned-to-local-signed | 8 ++++++++ tools/signing/sync-builder-unsigned-to-local-signed.dry-run | 1 + tools/signing/sync-linux-signer-to-local | 8 ++++++++ tools/signing/sync-linux-signer-to-local.dry-run | 1 + tools/signing/sync-local-to-builder | 8 ++++++++ tools/signing/sync-local-to-builder.dry-run | 1 + tools/signing/sync-local-to-linux-signer | 8 ++++++++ tools/signing/sync-local-to-linux-signer.dry-run | 1 + tools/signing/sync-local-to-staticiforme | 6 ++++++ tools/signing/sync-local-to-staticiforme.dry-run | 1 + tools/signing/sync-macos-local-to-macos-signer | 8 ++++++++ tools/signing/sync-macos-local-to-macos-signer.dry-run | 1 + tools/signing/sync-macos-signer-stapled-to-macos-local-stapled | 8 ++++++++ .../sync-macos-signer-stapled-to-macos-local-stapled.dry-run | 1 + tools/signing/sync-scripts-to-linux-signer | 8 ++++++++ tools/signing/sync-scripts-to-linux-signer.dry-run | 1 + tools/signing/sync-scripts-to-macos-signer | 8 ++++++++ tools/signing/sync-scripts-to-macos-signer.dry-run | 1 + 22 files changed, 100 insertions(+)
diff --git a/tools/signing/set-config b/tools/signing/set-config index 99e1bfa..e81ccac 100644 --- a/tools/signing/set-config +++ b/tools/signing/set-config @@ -1,9 +1,15 @@ . "$script_dir/set-config.tbb-version" +. "$script_dir/set-config.hosts"
bundle_locales="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW"
signed_dir="$script_dir/../../$tbb_version_type/signed" +signed_version_dir="$signed_dir/$tbb_version" macos_stapled_dir="$signed_dir/$tbb_version-macos-stapled" macos_signed_dir="$signed_dir/$tbb_version-macos-signed"
faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 + +echo "${BASH_ARGV0:-}" | grep -q '.dry-run$' && DRY_RUN='--dry-run' +test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress" +rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}" diff --git a/tools/signing/set-config.hosts b/tools/signing/set-config.hosts new file mode 100644 index 0000000..6a2d939 --- /dev/null +++ b/tools/signing/set-config.hosts @@ -0,0 +1,6 @@ +ssh_host_builder=tbbuild +ssh_host_linux_signer=linux-signer-notor +ssh_host_macos_signer=mac-signer-notor +ssh_host_staticiforme=staticiforme.torproject.org + +builder_tor_browser_build_dir=/home/user/tor-browser-build diff --git a/tools/signing/sync-builder-to-local b/tools/signing/sync-builder-to-local new file mode 100755 index 0000000..5a251b5 --- /dev/null +++ b/tools/signing/sync-builder-to-local @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_builder builder_tor_browser_build_dir + +rsync $rsync_options "$ssh_host_builder:$builder_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/" "$signed_version_dir/" diff --git a/tools/signing/sync-builder-to-local.dry-run b/tools/signing/sync-builder-to-local.dry-run new file mode 120000 index 0000000..f6de9e2 --- /dev/null +++ b/tools/signing/sync-builder-to-local.dry-run @@ -0,0 +1 @@ +sync-builder-to-local \ No newline at end of file diff --git a/tools/signing/sync-builder-unsigned-to-local-signed b/tools/signing/sync-builder-unsigned-to-local-signed new file mode 100755 index 0000000..769faf2 --- /dev/null +++ b/tools/signing/sync-builder-unsigned-to-local-signed 
@@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_builder builder_tor_browser_build_dir + +rsync $rsync_options "$ssh_host_builder:$builder_tor_browser_build_dir/$tbb_version_type/unsigned/$tbb_version-build$tbb_version_build/" "$signed_version_dir/" diff --git a/tools/signing/sync-builder-unsigned-to-local-signed.dry-run b/tools/signing/sync-builder-unsigned-to-local-signed.dry-run new file mode 120000 index 0000000..d3a4554 --- /dev/null +++ b/tools/signing/sync-builder-unsigned-to-local-signed.dry-run @@ -0,0 +1 @@ +sync-builder-unsigned-to-local-signed \ No newline at end of file diff --git a/tools/signing/sync-linux-signer-to-local b/tools/signing/sync-linux-signer-to-local new file mode 100755 index 0000000..ea29971 --- /dev/null +++ b/tools/signing/sync-linux-signer-to-local @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer + +rsync $rsync_options "$ssh_host_linux_signer:$tbb_version/" "$signed_version_dir/" diff --git a/tools/signing/sync-linux-signer-to-local.dry-run b/tools/signing/sync-linux-signer-to-local.dry-run new file mode 120000 index 0000000..6c687e1 --- /dev/null +++ b/tools/signing/sync-linux-signer-to-local.dry-run @@ -0,0 +1 @@ +sync-linux-signer-to-local \ No newline at end of file diff --git a/tools/signing/sync-local-to-builder b/tools/signing/sync-local-to-builder new file mode 100755 index 0000000..f6a7e25 --- /dev/null +++ b/tools/signing/sync-local-to-builder 
@@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_builder builder_tor_browser_build_dir + +rsync $rsync_options "$signed_version_dir/" "$ssh_host_builder:$builder_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/" diff --git a/tools/signing/sync-local-to-builder.dry-run b/tools/signing/sync-local-to-builder.dry-run new file mode 120000 index 0000000..24f6e15 --- /dev/null +++ b/tools/signing/sync-local-to-builder.dry-run @@ -0,0 +1 @@ +sync-local-to-builder \ No newline at end of file diff --git a/tools/signing/sync-local-to-linux-signer b/tools/signing/sync-local-to-linux-signer new file mode 100755 index 0000000..cc4192c --- /dev/null +++ b/tools/signing/sync-local-to-linux-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer + +rsync $rsync_options "$signed_version_dir/" "$ssh_host_linux_signer:$tbb_version/" diff --git a/tools/signing/sync-local-to-linux-signer.dry-run b/tools/signing/sync-local-to-linux-signer.dry-run new file mode 120000 index 0000000..c4498ad --- /dev/null +++ b/tools/signing/sync-local-to-linux-signer.dry-run @@ -0,0 +1 @@ +sync-local-to-linux-signer \ No newline at end of file diff --git a/tools/signing/sync-local-to-staticiforme b/tools/signing/sync-local-to-staticiforme new file mode 100755 index 0000000..2372623 --- /dev/null +++ b/tools/signing/sync-local-to-staticiforme @@ -0,0 +1,6 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +rsync $rsync_options "$signed_version_dir/" "$ssh_host_staticiforme:/srv/dist-master.torproject.org/htdocs/torbrowser/$tbb_version/" 
diff --git a/tools/signing/sync-local-to-staticiforme.dry-run b/tools/signing/sync-local-to-staticiforme.dry-run new file mode 120000 index 0000000..3e0a7fd --- /dev/null +++ b/tools/signing/sync-local-to-staticiforme.dry-run @@ -0,0 +1 @@ +sync-local-to-staticiforme \ No newline at end of file diff --git a/tools/signing/sync-macos-local-to-macos-signer b/tools/signing/sync-macos-local-to-macos-signer new file mode 100755 index 0000000..75dd3a1 --- /dev/null +++ b/tools/signing/sync-macos-local-to-macos-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer + +rsync $rsync_options "$signed_version_dir"/*.dmg "$ssh_host_macos_signer:$tbb_version/" diff --git a/tools/signing/sync-macos-local-to-macos-signer.dry-run b/tools/signing/sync-macos-local-to-macos-signer.dry-run new file mode 120000 index 0000000..e8f1262 --- /dev/null +++ b/tools/signing/sync-macos-local-to-macos-signer.dry-run @@ -0,0 +1 @@ +sync-macos-local-to-macos-signer \ No newline at end of file diff --git a/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled new file mode 100755 index 0000000..2d170bf --- /dev/null +++ b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer + +rsync $rsync_options "$ssh_host_macos_signer:$tbb_version/*-stapled.zip" "$macos_stapled_dir/" diff --git a/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run new file mode 120000 index 0000000..f397acd --- /dev/null +++ b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run 
@@ -0,0 +1 @@ +sync-macos-signer-stapled-to-macos-local-stapled \ No newline at end of file diff --git a/tools/signing/sync-scripts-to-linux-signer b/tools/signing/sync-scripts-to-linux-signer new file mode 100755 index 0000000..6e46120 --- /dev/null +++ b/tools/signing/sync-scripts-to-linux-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer + +rsync $rsync_options "$script_dir/" "$ssh_host_linux_signer:signing-$tbb_version_type/" diff --git a/tools/signing/sync-scripts-to-linux-signer.dry-run b/tools/signing/sync-scripts-to-linux-signer.dry-run new file mode 120000 index 0000000..4fa2b82 --- /dev/null +++ b/tools/signing/sync-scripts-to-linux-signer.dry-run @@ -0,0 +1 @@ +sync-scripts-to-linux-signer \ No newline at end of file diff --git a/tools/signing/sync-scripts-to-macos-signer b/tools/signing/sync-scripts-to-macos-signer new file mode 100755 index 0000000..d56328d --- /dev/null +++ b/tools/signing/sync-scripts-to-macos-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer + +rsync $rsync_options "$script_dir/" "$ssh_host_macos_signer:signing-$tbb_version_type/" diff --git a/tools/signing/sync-scripts-to-macos-signer.dry-run b/tools/signing/sync-scripts-to-macos-signer.dry-run new file mode 120000 index 0000000..1f00d0a --- /dev/null +++ b/tools/signing/sync-scripts-to-macos-signer.dry-run @@ -0,0 +1 @@ +sync-scripts-to-macos-signer \ No newline at end of file
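Review bot: The dry-run detection in set-config, `echo "${BASH_ARGV0:-}" | grep -q '.dry-run$' && DRY_RUN='--dry-run'`, relies on `BASH_ARGV0`, which exists only in bash 5.0 and later; on an older bash (macOS ships 3.2 as /bin/bash, and these scripts are copied to the macOS signer by sync-scripts-to-macos-signer) the variable is empty, every `*.dry-run` symlink performs the real rsync, and the safety net is missing exactly where it matters. `$0` works on every bash: `case "$0" in *.dry-run) DRY_RUN='--dry-run' ;; esac`. The next line looks inverted: `test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"` adds `--progress` only when `NON_INTERACTIVE` is set, so progress output goes to non-interactive logs and interactive users get none; if the opposite is intended it should be `test -n "${NON_INTERACTIVE:-}" || rsync_progress="--progress"`.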
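Review bot: sync-local-to-staticiforme is the only sync script without a `var_is_defined` guard; the others check their host variable (`var_is_defined ssh_host_builder builder_tor_browser_build_dir`, `var_is_defined ssh_host_linux_signer`, `var_is_defined ssh_host_macos_signer`), and this one is the script that publishes to the public dist directory, so `var_is_defined ssh_host_staticiforme` belongs here as well: with the variable unset the destination degrades to `:/srv/dist-master.torproject.org/htdocs/torbrowser/<version>/` with no host, and the failure mode is then whatever rsync makes of that string rather than a clear error.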
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 2337f751c88a91279421f0188553302cf0887bfc
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Sun Feb 6 08:41:47 2022 +0100

    Bug 40414: add macos-signer-proxy
---
 tools/signing/macos-signer-proxy | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tools/signing/macos-signer-proxy b/tools/signing/macos-signer-proxy new file mode 100755 index 0000000..8eff373 --- /dev/null +++ b/tools/signing/macos-signer-proxy @@ -0,0 +1,6 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +ssh -R :1080 "$ssh_host_macos_signer" 'python ~/proxy.py --port 8443'
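Review bot: `var_is_defined ssh_host_macos_signer` is missing here, unlike in the sync-* scripts, so an unset variable becomes `ssh -R :1080 ''` instead of a clear error. Two things also deserve a comment in the file: `-R :1080` with no destination is OpenSSH's reverse dynamic (SOCKS) forwarding, which needs an OpenSSH 7.6 or newer client, and `~/proxy.py --port 8443` exists only on the signer, so say where it is maintained and what it does with the SOCKS listener it sees on port 1080.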
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit c2f560b53e8d200aadef7e4e4d4aa4b70d38ba01
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Feb 7 20:00:23 2022 +0100

    Bug 40414: Move hash_signed_bundles.sh to the signing directory
---
 tools/{ => signing}/hash_signed_bundles.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/hash_signed_bundles.sh b/tools/signing/hash_signed_bundles.sh similarity index 100% rename from tools/hash_signed_bundles.sh rename to tools/signing/hash_signed_bundles.sh
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 9dc7222b8c2d829f6851ef7931ddbbf3589ae234
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Feb 7 20:05:31 2022 +0100

    Bug 40414: Improve hash_signed_bundles.sh

    Automatically change to the signed directory before creating the
    sha256sums-signed files.
---
 tools/signing/hash_signed_bundles.sh | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/tools/signing/hash_signed_bundles.sh b/tools/signing/hash_signed_bundles.sh index 1e21c49..e7a1247 100755 --- a/tools/signing/hash_signed_bundles.sh +++ b/tools/signing/hash_signed_bundles.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash
# Copyright (c) 2018, The Tor Project, Inc. # @@ -30,12 +30,18 @@ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Usage: -# 1) Change into the directory containing the files to be hashed -# 2) Run /path/to/hash_signed_bundles.sh +# This script will generate sha256sums-signed-build.txt and +# sha256sums-signed-build.incrementals.txt files in the signed directory. + +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions"
export LC_ALL=C
+cd "$signed_version_dir" + rm -f sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt sha256sum `ls -1 | grep -v '.incremental.mar$' | grep -v '^sha256sums*' | \ sort` > sha256sums-signed-build.txt
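Review bot: with `cd "$signed_version_dir"` now done for the caller, the unchanged `sha256sum \`ls -1 | grep -v ... | sort\`` line below it is the weak spot: if the directory contains no matching files the command substitution is empty and `sha256sum` blocks reading stdin instead of failing, and the unquoted substitution splits any filename containing whitespace. A `find . -maxdepth 1 -type f -print0 | sort -z | xargs -0 sha256sum` pipeline, or a bash array with an explicit empty check, would turn both into hard errors under the new `set -e`. The `#!/bin/sh` to `#!/bin/bash` switch is required by `source` and `BASH_SOURCE` and looks right.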
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 78a9e3f6c58c16106f1fb0f129afe568a0a71dd4
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Tue Feb 8 19:11:46 2022 +0100

    Bug 40414: Add download-unsigned-sha256sums-gpg-signatures-from-people-tpo script
---
 ...ad-unsigned-sha256sums-gpg-signatures-from-people-tpo | 16 ++++++++++++++++
 tools/signing/set-config                                 |  2 ++
 2 files changed, 18 insertions(+)
diff --git a/tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo b/tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo new file mode 100755 index 0000000..a26b051 --- /dev/null +++ b/tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo @@ -0,0 +1,16 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +for builder in $tb_builders +do + for file in sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.incrementals.txt.asc + do + tmpfile=$(mktemp) + chmod 644 "$tmpfile" + wget -q -O "$tmpfile" "https://people.torproject.org/~$builder/builds/$tbb_version-build$tbb_versio..." || \ + wget -q -O "$tmpfile" "https://people.torproject.org/~$builder/builds/tor-browser/$tbb_version-buil..." && \ + mv "$tmpfile" "$signed_version_dir/$file-$builder" && echo "Added $file-$builder" + done +done diff --git a/tools/signing/set-config b/tools/signing/set-config index e81ccac..70bd311 100644 --- a/tools/signing/set-config +++ b/tools/signing/set-config @@ -13,3 +13,5 @@ faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 echo "${BASH_ARGV0:-}" | grep -q '.dry-run$' && DRY_RUN='--dry-run' test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress" rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}" + +tb_builders='aguestuser boklm gk pierov richard sysrqb'
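Review bot: in the download script, when both `wget` attempts for a builder fail the `||`/`&&` chain just evaluates to false: `set -e` does not fire for a command that is not the last element of an and-or list, so the loop moves on without a message and the file from `mktemp` is left behind. Add an explicit failure branch, e.g. `|| { rm -f "$tmpfile"; echo "no $file for $builder" >&2; }`, so a missing signature is visible rather than silently absent from the later sanity check. A one-line comment saying that verification of these `.asc` files against the builders' keys is done by a separate step would also help the reader.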
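Review bot: the `tb_builders` list is the only change to set-config, but the dry-run detection in the context right above it, `echo "${BASH_ARGV0:-}" | grep -q '.dry-run$'`, depends on `BASH_ARGV0`, which exists only in bash 5.0 and later: on an older bash the `.dry-run` symlinks added in this push silently run the real rsync. Using `"${BASH_ARGV0:-$0}"` (the symlink path is what `$0` holds in that case) or adding a bash version check closes that gap.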
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 1cbbc4909300fdf2b8df2c0ad5092ff62bb86922
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Feb 14 19:41:23 2022 +0100

    Bug 40414: Add linux-signer-signmars

    This is a copy from tor-browser-bundle/gitian/signmars.sh that we
    currently use for mar signing.
---
 tools/signing/linux-signer-signmars | 133 ++++++++++++++++++++++++++++++++++++
 1 file changed, 133 insertions(+)
diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars new file mode 100755 index 0000000..269610f --- /dev/null +++ b/tools/signing/linux-signer-signmars 
@@ -0,0 +1,133 @@ +#!/bin/bash +# +# +# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script. + +set -e +set -u + +WRAPPER_DIR=$(dirname "$0") +WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR") + +if [ -z "${NSS_DB_DIR+x}" ]; then + NSS_DB_DIR=$WRAPPER_DIR/nssdb +fi + +if [ -z "${NSS_CERTNAME+x}" ]; then + NSS_CERTNAME=marsigner +fi + +# Incorporate definitions from the versions file. +if [ -z "$1" ]; then + VERSIONS_FILE=$WRAPPER_DIR/versions +else + VERSIONS_FILE=$1 +fi + +if ! [ -e $VERSIONS_FILE ]; then + echo >&2 "Error: $VERSIONS_FILE file does not exist" + exit 1 +fi + +. $VERSIONS_FILE +#eval $(./get-tb-version $TORBROWSER_VERSION_TYPE) + +export LC_ALL=C + +# Check some prerequisites. +if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then + >&2 echo "Please create and populate the $NSS_DB_DIR directory" + exit 2 +fi + +OSNAME="" +ARCH="$(uname -s)-$(uname -m)" +case $ARCH in + Linux-x86_64) + OSNAME="linux64" + ;; + Linux-i*86) + OSNAME="linux32" + ;; + *) + >&2 echo "Unsupported architecture $ARCH" + exit 2 +esac + +# Extract the MAR tools so we can use the signmar program. +MARTOOLS_TMP_DIR=$(mktemp -d) +trap "rm -rf $MARTOOLS_TMP_DIR" EXIT +MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-new-${OSNAME}.zip" +cd $MARTOOLS_TMP_DIR +unzip -q "$MARTOOLS_ZIP" +cd $WRAPPER_DIR +export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH" +if [ -z "${LD_LIBRARY_PATH+x}" ]; then + export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools" +else + export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH" +fi + +# Prompt for the NSS password. +# TODO: Test that the entered NSS password is correct. But how? Unfortunately, +# both certutil and signmar keep trying to read a new password when they are +# given an incorrect one. +read -s -p "NSS password:" NSSPASS +echo "" + +# Sign each MAR file. +# +# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION +# directory into a TORBROWSER_VERSION-unsigned/ directory. 
Details: +# If a file has not been signed, we move it to the -unsigned/ directory. +# If a file has already been signed and a file with the same name exists in +# the -unsigned/ directory, we just delete the signed file. +# If a file has already been signed but no corresponding file exists in +# the -unsigned/ directory, we report an error and exit. +# +# Once the above is done, the -unsigned/ directory contains a set of .mar +# files that need to be signed, so we go ahead and sign them one-by-one. +SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION" +UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned" +mkdir -p "$UNSIGNED_DIR" +cd "$SIGNED_DIR" +for marfile in *.mar; do + if [ ! -f "$marfile" ]; then + continue; + fi + + # First, we check for an existing signature. The signmar -T output will + # include a line like "Signature block found with N signatures". + SIGINFO_PREFIX="Signature block found with " + SIGINFO=$(signmar -T "$marfile" | grep "^${SIGINFO_PREFIX}") + SIGCOUNT=0 + if [ ! -z "$SIGINFO" ]; then + SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/([0-9]*).*$/\1/') + fi + if [ $SIGCOUNT -eq 0 ]; then + # No signature; move this .mar file to the -unsigned/ directory. + mv "$marfile" "$UNSIGNED_DIR/" + else + echo "Skipping $marfile (already signed)" + fi +done + +# Use signmar to sign each .mar file that is now in the -unsigned directory. +TMPMAR="$SIGNED_DIR/tmp.mar" +trap "rm -f $TMPMAR" EXIT +cd "$UNSIGNED_DIR" +echo "Starting the signing..." +COUNT=0 +for marfile in *.mar; do + if [ ! -f "$marfile" ]; then + continue; + fi + echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \ + "$marfile" "$TMPMAR" + mv "$TMPMAR" "$SIGNED_DIR/$marfile" + COUNT=$((COUNT + 1)) + echo "Signed MAR file $COUNT" + rm "$marfile" +done + +echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed."
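Review bot: `if [ -z "$1" ]` runs under `set -u`, so invoking the script without an argument aborts with an unbound-variable error before the default `$WRAPPER_DIR/versions` branch can be taken; it needs `"${1:-}"`. Further down, `trap "rm -f $TMPMAR" EXIT` replaces the earlier `trap "rm -rf $MARTOOLS_TMP_DIR" EXIT` rather than adding to it, so the extracted mar-tools directory is never removed. The header comment also promises to delete already-signed files, or error out when no unsigned copy exists, while the loop only prints "Skipping"; since this commit is a verbatim copy the fixes can follow, but the comment should end up matching the code.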
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 7c0525ce5749dbfe076d27383e93d34b426d841e
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Feb 14 20:01:38 2022 +0100

    Bug 40414: Improve linux-signer-signmars

    - automatically change to bundle directory
    - allow setting password with an environment variable (useful for
      tor-browser-build#40476)
    - some cleaning
---
 tools/signing/linux-signer-signmars | 90 +++++++------------------------------
 1 file changed, 16 insertions(+), 74 deletions(-)
diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars index 269610f..23b400d 100755 --- a/tools/signing/linux-signer-signmars +++ b/tools/signing/linux-signer-signmars @@ -1,37 +1,23 @@ #!/bin/bash # # -# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script. +# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script +# (if you don't want to use the default values).
set -e set -u
-WRAPPER_DIR=$(dirname "$0") -WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR") +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions"
if [ -z "${NSS_DB_DIR+x}" ]; then - NSS_DB_DIR=$WRAPPER_DIR/nssdb + NSS_DB_DIR=/home/gk/marsigning/nssdb7 fi
if [ -z "${NSS_CERTNAME+x}" ]; then NSS_CERTNAME=marsigner fi
-# Incorporate definitions from the versions file. -if [ -z "$1" ]; then - VERSIONS_FILE=$WRAPPER_DIR/versions -else - VERSIONS_FILE=$1 -fi - -if ! [ -e $VERSIONS_FILE ]; then - echo >&2 "Error: $VERSIONS_FILE file does not exist" - exit 1 -fi - -. $VERSIONS_FILE -#eval $(./get-tb-version $TORBROWSER_VERSION_TYPE) - export LC_ALL=C
# Check some prerequisites. @@ -40,27 +26,11 @@ if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then exit 2 fi
-OSNAME="" -ARCH="$(uname -s)-$(uname -m)" -case $ARCH in - Linux-x86_64) - OSNAME="linux64" - ;; - Linux-i*86) - OSNAME="linux32" - ;; - *) - >&2 echo "Unsupported architecture $ARCH" - exit 2 -esac - # Extract the MAR tools so we can use the signmar program. MARTOOLS_TMP_DIR=$(mktemp -d) trap "rm -rf $MARTOOLS_TMP_DIR" EXIT -MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-new-${OSNAME}.zip" -cd $MARTOOLS_TMP_DIR -unzip -q "$MARTOOLS_ZIP" -cd $WRAPPER_DIR +MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip +unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP" export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH" if [ -z "${LD_LIBRARY_PATH+x}" ]; then export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools" @@ -72,25 +42,11 @@ fi # TODO: Test that the entered NSS password is correct. But how? Unfortunately, # both certutil and signmar keep trying to read a new password when they are # given an incorrect one. -read -s -p "NSS password:" NSSPASS +test -n "${NSSPASS:-}" || read -s -p "NSS password:" NSSPASS echo ""
-# Sign each MAR file. -# -# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION -# directory into a TORBROWSER_VERSION-unsigned/ directory. Details: -# If a file has not been signed, we move it to the -unsigned/ directory. -# If a file has already been signed and a file with the same name exists in -# the -unsigned/ directory, we just delete the signed file. -# If a file has already been signed but no corresponding file exists in -# the -unsigned/ directory, we report an error and exit. -# -# Once the above is done, the -unsigned/ directory contains a set of .mar -# files that need to be signed, so we go ahead and sign them one-by-one. -SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION" -UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned" -mkdir -p "$UNSIGNED_DIR" -cd "$SIGNED_DIR" +COUNT=0 +cd ~/"$tbb_version" for marfile in *.mar; do if [ ! -f "$marfile" ]; then continue; @@ -104,30 +60,16 @@ for marfile in *.mar; do if [ ! -z "$SIGINFO" ]; then SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/([0-9]*).*$/\1/') fi - if [ $SIGCOUNT -eq 0 ]; then - # No signature; move this .mar file to the -unsigned/ directory. - mv "$marfile" "$UNSIGNED_DIR/" - else + if [ $SIGCOUNT -ne 0 ]; then echo "Skipping $marfile (already signed)" - fi -done - -# Use signmar to sign each .mar file that is now in the -unsigned directory. -TMPMAR="$SIGNED_DIR/tmp.mar" -trap "rm -f $TMPMAR" EXIT -cd "$UNSIGNED_DIR" -echo "Starting the signing..." -COUNT=0 -for marfile in *.mar; do - if [ ! -f "$marfile" ]; then continue; fi + echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \ - "$marfile" "$TMPMAR" - mv "$TMPMAR" "$SIGNED_DIR/$marfile" + "$marfile" tmp.mar + mv -f tmp.mar "$marfile" COUNT=$((COUNT + 1)) - echo "Signed MAR file $COUNT" - rm "$marfile" + echo "Signed MAR file $COUNT ($marfile)" done
-echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed." +echo "$COUNT MAR files have been signed."
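Review bot: in the first hunk the new default `NSS_DB_DIR=/home/gk/marsigning/nssdb7` bakes one person's home directory into the script; now that `functions`/`set-config` are sourced, the path belongs in `set-config` (or a per-host override) guarded by `var_is_defined`, so another signing host does not have to edit the script to use its own NSS database.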
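Review bot: `test -n "${NSSPASS:-}" || read -s -p "NSS password:" NSSPASS` lets the NSS password arrive through the environment, which is what the non-interactive use needs, but the value is then inherited by every child process and readable from `/proc/<pid>/environ` by anything running as the same user. Document that it must be exported from a file or secret store rather than typed as `NSSPASS=... ./linux-signer-signmars` (which lands in shell history), and `unset NSSPASS` once the signing loop has finished with it.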
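Review bot: in the last hunk `mv -f tmp.mar "$marfile"` signs in place in `~/$tbb_version`, so the unsigned originals are gone once the loop finishes, and a `signmar` failure leaves a partial `tmp.mar` in the bundle directory with nothing to remove it (dropping the old `trap "rm -f $TMPMAR" EXIT` is right in itself, since it used to clobber the mar-tools cleanup trap). A single `trap 'rm -rf "$MARTOOLS_TMP_DIR" tmp.mar' EXIT` covers both, and if the unsigned MARs are still wanted for comparison they should be copied aside before the loop.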
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 3460d13677d32282229786dc527ef9f300181c1c
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Fri Feb 18 20:28:04 2022 +0100

    Bug 40414: Add tools/signing/create-blog-post
---
 tools/signing/create-blog-post | 61 ++++++++++++++++++++++++++++++++++++++++++
 tools/signing/set-config.blog  |  4 +++
 2 files changed, 65 insertions(+)
diff --git a/tools/signing/create-blog-post b/tools/signing/create-blog-post new file mode 100755 index 0000000..5a43ec3 --- /dev/null +++ b/tools/signing/create-blog-post 
@@ -0,0 +1,61 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" +source "$script_dir/set-config.blog" + +var_is_defined blog_publish_user blog_directory + +content_dir="$blog_directory/content/blog" +test -d "$content_dir" || exit_error "$content_dir is not a direcotry" + +blog_dir="$content_dir/new-release-tor-browser-"$(echo $tbb_version | sed 's/.//g') + +test -d "$blog_dir" && exit_error "$blog_dir already exists" + +mkdir "$blog_dir" +echo "Created directory $blog_dir" + +if test "$tbb_version_type" = "release" +then + lead=../../../assets/static/images/blog/tor-browser-11.jpg +else + lead=../../../assets/static/images/blog/tor-browser_0_0.png +fi +ln -s "$lead" "$blog_dir/lead.jpg" +echo "Created $blog_dir/lead.jpg -> $lead" + + +if test "$tbb_version_type" = "release" +then + title="New Release: Tor Browser $tbb_version" + download_page='https://www.torproject.org/download/' +else + title="New Alpha Release: Tor Browser $tbb_version" + download_page='https://www.torproject.org/download/alpha/' +fi + +contents_lr="$blog_dir/contents.lr" +cat > "$contents_lr" << EOF +title: $title +--- +pub_date: $(date +%Y-%m-%d) +--- +author: $blog_publish_user +--- +categories: + +applications +releases +--- +summary: Tor Browser $tbb_version is now available from the Tor Browser download page and also from our distribution directory. +--- +body: +Tor Browser $tbb_version is now available from the [Tor Browser download page]($download_page) and also from our [distribution directory](https://www.torproject.org/dist/torbrowser/$tbb_version/). + +This version includes important [security updates](https://www.mozilla.org/en-US/security/advisories/) to Firefox. + +EOF + +$script_dir/../changelog-format-blog-post >> "$contents_lr" +echo "Created $contents_lr" diff --git a/tools/signing/set-config.blog b/tools/signing/set-config.blog new file mode 100644 index 0000000..4bf320d --- /dev/null 
+++ b/tools/signing/set-config.blog @@ -0,0 +1,4 @@ +# You should uncomment the following 2 lines: + +#blog_directory=/path/to/blog.git +#blog_publish_user=user
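Review bot: `$(echo $tbb_version | sed 's/.//g')` in create-blog-post strips every character, not just the dots, because an unescaped `.` matches any character, so `blog_dir` always ends in `new-release-tor-browser-` and the second run trips the `already exists` check; it needs `sed 's/\.//g'` (or `${tbb_version//./}` in bash). Two smaller points in the same file: the error message spells "direcotry", and `ln -s "$lead" "$blog_dir/lead.jpg"` links a `.png` under a `.jpg` name for alpha builds, which may be what the blog theme expects but deserves a comment.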
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit ed8709b2fa74a3bf822aa73afebb3d9e2fe79acd
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Feb 21 11:53:30 2022 +0100

    Bug 40414: Add tools/signing/upload-update_responses-to-staticiforme
---
 tools/signing/functions                     |  6 +++
 .../upload-update_responses-to-staticiforme | 49 ++++++++++++++++++++++
 tools/update/publish_version.sh             | 12 ------
 3 files changed, 55 insertions(+), 12 deletions(-)
diff --git a/tools/signing/functions b/tools/signing/functions index f53f6ed..ed7ca8b 100644 --- a/tools/signing/functions +++ b/tools/signing/functions @@ -13,4 +13,10 @@ function var_is_defined { done }
+function check_torbrowser_version_var { + local tbver=$("$script_dir/../../rbm/rbm" showconf tor-browser var/torbrowser_version) + test "$tbver" != "$tbb_version" && exit_error "Wrong tbb_version: $tbver != $tbb_version" + return 0 +} + . "$script_dir/set-config" diff --git a/tools/signing/upload-update_responses-to-staticiforme b/tools/signing/upload-update_responses-to-staticiforme new file mode 100755 index 0000000..755963b --- /dev/null +++ b/tools/signing/upload-update_responses-to-staticiforme 
@@ -0,0 +1,49 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +check_torbrowser_version_var + +update_responses_tar_filename="update-responses-$tbb_version_type-$tbb_version.tar" +update_responses_tar="$script_dir/../../$tbb_version_type/update-responses/$update_responses_tar_filename" +if test -f "$update_responses_tar" +then + echo "$update_responses_tar_filename already exists: not running 'make update_responses-$tbb_version_type'" +else + echo "Running 'make update_responses-$tbb_version_type'" + pushd "$script_dir/../.." > /dev/null + make update_responses-$tbb_version_type + popd > /dev/null +fi + +update_dir=/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3 +deploy_script=$(mktemp) +trap "rm -Rf $deploy_script" EXIT +cat << EOF > "$deploy_script" +#!/bin/bash +set -e + +tmpdir="$(mktemp -d)" + +trap "rm -Rf $tmpdir" EXIT + +rm -Rf "$update_dir/$tbb_version_type.old" +test -d "$update_dir/$tbb_version_type" && \ + mv -v "$update_dir/$tbb_version_type" "$update_dir/$tbb_version_type.old" + +tar -C "$tmpdir" -xf ~/$update_responses_tar_filename +chmod 775 "$tmpdir"/$tbb_version_type +chmod 664 "$tmpdir"/$tbb_version_type/* "$tmpdir"/$tbb_version_type/.htaccess +chgrp -R torwww "$tmpdir"/$tbb_version_type +mv -v "$tmpdir"/$tbb_version_type "$update_dir/$tbb_version_type" + +static-update-component aus1.torproject.org +EOF + +chmod +x $deploy_script +scp -p "$update_responses_tar" "$ssh_host_staticiforme:" +scp -p $deploy_script $ssh_host_staticiforme:deploy_update_responses-$tbb_version_type.sh + +echo 'To enable updates you can now run:' +echo " ssh $ssh_host_staticiforme ./deploy_update_responses-$tbb_version_type.sh" diff --git a/tools/update/publish_version.sh b/tools/update/publish_version.sh index 25083e3..393701d 100755 --- a/tools/update/publish_version.sh +++ b/tools/update/publish_version.sh 
@@ -14,22 +14,10 @@ if [ -z "${PREV_TORBROWSER_VERSION}" ]; then exit 1 fi
-TORBROWSER_UPDATE_CHANNEL=$3 -if [ -z "${TORBROWSER_UPDATE_CHANNEL}" ]; then - echo "please specify the release channel (release|alpha)" - exit 1 -fi - wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~sysrqb/builds/$%7BTORBROWSER_VERSION%7D" #wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~gk/builds/$%7BTORBROWSER_VERSION%7D" rm "${TORBROWSER_VERSION}/index.html*"
-# Rename the update responses directory to .old to make it easier to -# revert in case of problem (see the file RollingBackUpdate for more -# details about this) -rm -rf "/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}.old" -mv /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/"${TORBROWSER_UPDATE_CHANNEL}"{,.old} - date mv "${TORBROWSER_VERSION}" /srv/dist-master.torproject.org/htdocs/torbrowser/ cp "/srv/dist-master.torproject.org/htdocs/torbrowser/${PREV_TORBROWSER_VERSION}/.htaccess" "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}/"
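Review bot: the deploy script is generated from an unquoted heredoc (`cat << EOF > "$deploy_script"`), so `tmpdir="$(mktemp -d)"` and every later `$tmpdir` are expanded on the local machine at generation time: the script that lands on staticiforme carries the path of a directory that was created locally and does not exist there, `tar -C "$tmpdir"` fails under its `set -e`, and the local directory is never removed (the local trap only deletes `$deploy_script`). Escape what must run remotely, i.e. `\$(mktemp -d)`, `\$tmpdir` in the trap and in the `tar`/`chmod`/`chgrp`/`mv` lines, and keep only `$update_dir`, `$tbb_version_type` and `$update_responses_tar_filename` as local expansions. Leaving the final `ssh ... ./deploy_update_responses-*.sh` step to the operator, as the closing `echo` does, is the right call for a change that flips updates live.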
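Review bot: the `.old` rotation of the update_3 channel directory moves out of publish_version.sh into the generated deploy script, but the comment pointing at the RollingBackUpdate notes is dropped with it; carry that pointer over to the heredoc in upload-update_responses-to-staticiforme, since whoever runs the deploy script on staticiforme is the person who will need it.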
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 655fd49f26e6fd05cef18b6bdd18f9db5153db8d
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Mar 7 13:40:28 2022 +0100

    Bug 40414: Add tools/signing/dmg2mar
---
 tools/signing/dmg2mar | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/tools/signing/dmg2mar b/tools/signing/dmg2mar new file mode 100755 index 0000000..246809b --- /dev/null +++ b/tools/signing/dmg2mar @@ -0,0 +1,29 @@ +#!/bin/bash + +# This script runs `make dmg2mar-release` or `make dmg2mar-alpha`, after +# moving the signed dmg files from the $tbb_version-macos-signed directory +# to the normal signed directory. +# It should be run after `gatekeeper-bundling.sh`. + +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +cd "$script_dir/../.." + +version=$(./rbm/rbm showconf tor-browser --target alpha --target torbrowser-linux-x86_64 var/torbrowser_version) +test "$version" = "$tbb_version" || \ + exit_error "Incorrect tor browser version: $version != $tbb_version" + +test -d "$macos_signed_dir" || \ + exit_error "$macos_signed_dir does not exist" + +nb_locales=$(echo $bundle_locales | wc -w) +nb_bundles=$(ls -1 "$macos_signed_dir"/TorBrowser-*.dmg | wc -l) +test "$nb_locales" -eq "$nb_bundles" || \ + exit_error "Wrong number of bundles: $nb_locales != $nb_bundles" + +mv -vf "$macos_signed_dir"/TorBrowser-*.dmg "$signed_version_dir"/ + +make dmg2mar-$tbb_version_type
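Review bot: the version check runs `rbm showconf tor-browser --target alpha --target torbrowser-linux-x86_64 var/torbrowser_version` regardless of `$tbb_version_type`, so for a release signing run it compares the alpha channel's version with `$tbb_version` and `exit_error` fires whenever the two channels are at different versions; pass `--target "$tbb_version_type"`, or reuse `check_torbrowser_version_var` from `functions`, which performs the same comparison. The bundle count check against `$bundle_locales` is a good guard against running `make dmg2mar-*` on a half-copied set.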
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 04b1955b930d31cf00be0e0ed3bd7563363c1a9c
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Wed Mar 16 16:45:08 2022 +0100

    Bug 40414: Rename gatekeeper-signing.sh to macos-signer-gatekeeper-signing
---
 tools/signing/{gatekeeper-signing.sh => macos-signer-gatekeeper-signing} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/gatekeeper-signing.sh b/tools/signing/macos-signer-gatekeeper-signing similarity index 100% rename from tools/signing/gatekeeper-signing.sh rename to tools/signing/macos-signer-gatekeeper-signing
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 5eb300d8d48fc19d0ba6cc86c3f400529834d68e
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Wed Mar 16 16:53:43 2022 +0100

    Bug 40414: Update stable.entitlements.xml

    Update stable.entitlements.xml with the version currently in use on the
    signing machine.
---
 tools/signing/stable.entitlements.xml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/tools/signing/stable.entitlements.xml b/tools/signing/stable.entitlements.xml index 3097c05..3062b9d 100644 --- a/tools/signing/stable.entitlements.xml +++ b/tools/signing/stable.entitlements.xml @@ -20,9 +20,6 @@ <!-- Code paged in from disk should match the signature at page in-time --> <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
- <!-- Allow loading third party libraries. Needed for Flash and CDMs --> - <key>com.apple.security.cs.disable-library-validation</key><true/> - <!-- Allow dyld environment variables. Needed because Firefox uses dyld variables to load libaries from within the .app bundle. --> <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
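Review bot: dropping `com.apple.security.cs.disable-library-validation` is the stronger setting and deserves to be stated as such: under the hardened runtime library validation is on by default, so dyld will now refuse to load into the signed app any library not signed by Apple or by the same Team ID. The removed comment justified the exemption with Flash and CDMs; if Tor Browser ships or fetches no CDM that is the right call, but the commit message only says the file matches the signing machine, so one sentence confirming the exemption was dropped deliberately (and that the alpha entitlements agree) would make the intent auditable.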
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 08564b56e4c226dbdef9cd8fc849fe818b69abd3
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Wed Mar 16 17:10:35 2022 +0100

    Bug 40414: Update macos-signer-gatekeeper-signing

    Update macos-signer-gatekeeper-signing to the version currently in use.
---
 tools/signing/macos-signer-gatekeeper-signing | 117 ++++++++++++++++++--------
 1 file changed, 83 insertions(+), 34 deletions(-)
diff --git a/tools/signing/macos-signer-gatekeeper-signing b/tools/signing/macos-signer-gatekeeper-signing index 3f31f82..38e119e 100755 --- a/tools/signing/macos-signer-gatekeeper-signing +++ b/tools/signing/macos-signer-gatekeeper-signing @@ -1,34 +1,4 @@ -#!/bin/bash - -# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +set -x
TORBROWSER_VERSION=$1 if [ -z "$TORBROWSER_VERSION" ]; 
@@ -36,16 +6,95 @@ then echo "Please call this script with a Tor Browser version!" exit 1 fi -ENTITLEMENTS=/path/to/stable.entitlements.xml -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" +ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml +if [ -z "$BUNDLE_LOCALES" ]; +then + BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" +fi + +function check_signature() { + LANG=$1 + TORBROWSER_VERSION=$2 + UNZIP=$3 + local failed_open=0 + local failed_exec=0 + if [ ${UNZIP} -eq 1 ] + then + test -d test_${LANG} && rm -r test_${LANG} + unzip -d test_${LANG} -q tb-${TORBROWSER_VERSION}_$LANG.zip + pushd test_${LANG} + fi + echo "Checking $LANG..." + spctl -vvvv --assess --type open --context context:primary-signature 'Tor Browser.app/' + if [ $? -ne 3 ]; then + echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed open. + failed_open=1 + fi + spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/' + if [ $? -ne 0 ]; then + echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed exec. + failed_exec=1 + fi + if [ ${UNZIP} -eq 1 ] + then + popd + rm -r test_${LANG} + fi + if [ ${failed_open} -ne 0 -o ${failed_exec} -ne 0 ] + then + return 1 + fi +} + for LANG in $BUNDLE_LOCALES do + if [ -f tb-${TORBROWSER_VERSION}_${LANG}.zip ] + then + echo "Deleting tb-${TORBROWSER_VERSION}_${LANG}.zip" + rm tb-${TORBROWSER_VERSION}_${LANG}.zip + fi + if [ -d "Tor Browser.app" ] + then + echo "Deleting Tor Browser.app" + rm -r "Tor Browser.app" + fi + if [ -d '/Volumes/Tor Browser' ]; then + echo "DMG already mounted. Please correct." 
+ exit 1 + fi hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" echo "Signing Tor Browser_$LANG.app" - codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "$ID" "Tor Browser.app/" + codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" + echo "codesign exit code: $?" + check_signature $LANG $TORBROWSER_VERSION 0 + if [ $? -eq 1 ] + then + echo Signature verification failed. + rm -r "Tor Browser.app" + hdiutil detach "/Volumes/Tor Browser" + exit 1 + fi echo "Zipping up" zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" rm -rf "Tor Browser.app" hdiutil detach "/Volumes/Tor Browser" + check_signature $LANG $TORBROWSER_VERSION 1 + if [ $? -eq 1 ] + then + echo Signature verification failed. + rm -r "Tor Browser.app" + fi done +#for LANG in $BUNDLE_LOCALES +#do +# hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg +# cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" +# echo "Signing Tor Browser_$LANG.app" +# codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" +# #codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp=none -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" +# echo "Zipping up" +# zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" +# rm -rf "Tor Browser.app" +# hdiutil detach "/Volumes/Tor Browser" +#done
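Review bot: the first hunk replaces the `#!/bin/bash` line, together with the license header, with `set -x`, so the file no longer has a shebang and only runs via an explicit `bash ...`, while `set -x` traces every command, including the full `codesign` invocation, to stderr. That is fine while debugging but should not be the default for a script that the next commit in this push teaches to handle keychain passwords; restore the shebang and guard the trace behind an environment variable, or drop it.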
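Review bot: `check_signature` assigns to `LANG`, as does the outer `for LANG in $BUNDLE_LOCALES`, which overwrites the process locale variable for every `codesign`, `spctl`, `hdiutil` and `unzip` call that follows; rename it (`locale`) and make it `local` inside the function. Two other gaps in the same hunk: when the post-zip `check_signature $LANG $TORBROWSER_VERSION 1` fails, the script only removes an already-deleted `Tor Browser.app` and carries on, leaving the bad `tb-*.zip` in place, whereas it should `rm` the zip and `exit 1` as the first check does; and `ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml` applies the alpha entitlements to stable bundles as well. The commented-out loop at the end is dead code and can go.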
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit cf2d10b753d226120c98b433365c2a43390b6b18
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Wed Mar 16 17:29:23 2022 +0100

    Bug 40414: Improve macos-signer-gatekeeper-signing

    - get tbb_version and BUNDLE_LOCALES from config
    - automatically change to ~/$tbb_version directory
    - unlock keychain
    - use entitlements.xml from script directory
    - allow setting password with an environment variable (useful for
      tor-browser-build#40476)
    - cleanups
---
 tools/signing/macos-signer-gatekeeper-signing      | 76 +++++++++++-----------
 ...e.entitlements.xml => release.entitlements.xml} |  0
 2 files changed, 37 insertions(+), 39 deletions(-)
diff --git a/tools/signing/macos-signer-gatekeeper-signing b/tools/signing/macos-signer-gatekeeper-signing index 38e119e..9df621f 100755 --- a/tools/signing/macos-signer-gatekeeper-signing +++ b/tools/signing/macos-signer-gatekeeper-signing @@ -1,38 +1,31 @@ -set -x +#!/bin/bash +set -e
-TORBROWSER_VERSION=$1 -if [ -z "$TORBROWSER_VERSION" ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi -ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml -if [ -z "$BUNDLE_LOCALES" ]; -then - BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" -fi +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
function check_signature() { LANG=$1 - TORBROWSER_VERSION=$2 - UNZIP=$3 + UNZIP=$2 local failed_open=0 local failed_exec=0 if [ ${UNZIP} -eq 1 ] then test -d test_${LANG} && rm -r test_${LANG} - unzip -d test_${LANG} -q tb-${TORBROWSER_VERSION}_$LANG.zip + unzip -d test_${LANG} -q tb-${tbb_version}_$LANG.zip pushd test_${LANG} fi echo "Checking $LANG..." spctl -vvvv --assess --type open --context context:primary-signature 'Tor Browser.app/' if [ $? -ne 3 ]; then - echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed open. + echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open. failed_open=1 fi spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/' if [ $? -ne 0 ]; then - echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed exec. + echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec. failed_exec=1 fi if [ ${UNZIP} -eq 1 ] @@ -46,12 +39,24 @@ function check_signature() { fi }
-for LANG in $BUNDLE_LOCALES +cd ~/${tbb_version} + +if test -n "$KEYCHAIN_PW" +then + KPW="-p $KEYCHAIN_PW" +fi + +security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain +security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-2021.keychain + +unset KPW KEYCHAIN_PW + +for LANG in $bundle_locales do - if [ -f tb-${TORBROWSER_VERSION}_${LANG}.zip ] + if [ -f tb-${tbb_version}_${LANG}.zip ] then - echo "Deleting tb-${TORBROWSER_VERSION}_${LANG}.zip" - rm tb-${TORBROWSER_VERSION}_${LANG}.zip + echo "Deleting tb-${tbb_version}_${LANG}.zip" + rm tb-${tbb_version}_${LANG}.zip fi if [ -d "Tor Browser.app" ] then @@ -62,12 +67,13 @@ do echo "DMG already mounted. Please correct." exit 1 fi - hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg + hdiutil attach TorBrowser-${tbb_version}-osx64_$LANG.dmg cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" echo "Signing Tor Browser_$LANG.app" codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" echo "codesign exit code: $?" - check_signature $LANG $TORBROWSER_VERSION 0 + set +e + check_signature $LANG 0 if [ $? -eq 1 ] then echo Signature verification failed. 
@@ -75,26 +81,18 @@ do hdiutil detach "/Volumes/Tor Browser" exit 1 fi - echo "Zipping up" - zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" + set -e + echo "Zipping up tb-${tbb_version}_${LANG}.zip" + zip -qr tb-${tbb_version}_${LANG}.zip "Tor Browser.app" rm -rf "Tor Browser.app" hdiutil detach "/Volumes/Tor Browser" - check_signature $LANG $TORBROWSER_VERSION 1 + set +e + check_signature $LANG 1 if [ $? -eq 1 ] then - echo Signature verification failed. + echo Signature verification failed ($LANG). rm -r "Tor Browser.app" + exit 1 fi + set -e done -#for LANG in $BUNDLE_LOCALES -#do -# hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg -# cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" -# echo "Signing Tor Browser_$LANG.app" -# codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" -# #codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp=none -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" -# echo "Zipping up" -# zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" -# rm -rf "Tor Browser.app" -# hdiutil detach "/Volumes/Tor Browser" -#done diff --git a/tools/signing/stable.entitlements.xml b/tools/signing/release.entitlements.xml similarity index 100% rename from tools/signing/stable.entitlements.xml rename to tools/signing/release.entitlements.xml
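Review bot: `security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain` in the second hunk (`@@ -46,12 +39,24 @@`) puts the keychain password on the command line, where any other process on the signer can read it from the process list for as long as the command runs; the later `unset KPW KEYCHAIN_PW` does not undo that exposure. `$KPW` is also unquoted, so a password containing whitespace is split into several arguments. Omitting `-p` so that the tool prompts for the password keeps it out of the argument vector and avoids the quoting problem.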
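Review bot: the `set +e` / `check_signature $LANG 0` / `if [ $? -eq 1 ]` / `set -e` toggling introduced in the third hunk (`@@ -62,12 +67,13 @@`) is not needed under errexit; `if ! check_signature $LANG 0; then ...; fi` is exempt from `set -e` and reads as a single statement. As written, `[ $? -eq 1 ]` also treats any other non-zero return from `check_signature` as success, whereas the negated form catches every failure.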
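Review bot: `echo Signature verification failed ($LANG).` in the last hunk (`@@ -75,26 +81,18 @@`) is a bash syntax error, not just an odd message: the unquoted parentheses are parsed as a subshell, so bash aborts with `syntax error near unexpected token `('` while parsing the `for` loop, that is after the keychains have been unlocked but before any locale is signed. Quote the string: `echo "Signature verification failed ($LANG)."`. The added `exit 1` in that branch is the right fix for the silent continue noted in the previous commit.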
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit e4cb274b4ad687d8ce3f4b1fdaef050bf526d7b3 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:05:22 2022 +0100
Bug 40414: Rename notarization.sh to macos-signer-notarization --- tools/signing/{notarization.sh => macos-signer-notarization} | 0 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/notarization.sh b/tools/signing/macos-signer-notarization similarity index 100% rename from tools/signing/notarization.sh rename to tools/signing/macos-signer-notarization
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 14e74b743ded7ac88b0eb0f95c9a6e712b9bd391 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:12:49 2022 +0100
Bug 40414: Update macos-signer-notarization
Update macos-signer-notarization to the version currently in use. --- tools/signing/macos-signer-notarization | 58 ++++++++++++++------------------- 1 file changed, 24 insertions(+), 34 deletions(-)
diff --git a/tools/signing/macos-signer-notarization b/tools/signing/macos-signer-notarization index eb29e74..239d6fe 100755 --- a/tools/signing/macos-signer-notarization +++ b/tools/signing/macos-signer-notarization @@ -1,50 +1,40 @@ -#!/bin/bash - -# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +set -e +set -x
+ALTOOL=~/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework/Versions/A/Support/altool TORBROWSER_VERSION=$1 if [ -z "$TORBROWSER_VERSION" ]; then echo "Please call this script with a Tor Browser version!" exit 1 fi -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" +if [ -z "${PW}" ]; then + stty -echo; read PW; stty echo; export PW +fi +if [ -z "$BUNDLE_LOCALES" ]; +then + BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" +fi for LANG in $BUNDLE_LOCALES do + if test -d ${LANG}; then + mv ${LANG}/tb-${TORBROWSER_VERSION}_$LANG.zip ./ + rm -r ${LANG}/ + fi mkdir $LANG cd $LANG mv ../tb-${TORBROWSER_VERSION}_$LANG.zip . unzip -q tb-${TORBROWSER_VERSION}_$LANG.zip echo "Notarizing $LANG..." - xcrun altool --notarize-app -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip - --primary-bundle-id org.torproject.torbrowser -u USERNAME -p @env:PW --output-format xml + #xcrun altool --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 + $ALTOOL --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 + + request_uuid=`grep -A1 RequestUUID tb-${TORBROWSER_VERSION}_$LANG.zip.log | grep -o '[0-9a-f]+[0-9a-f-]+'` + if [ -z "${request_uuid}" ]; then + echo "Request UUID not present. Notarization failed" + exit 1 + fi + echo ${request_uuid} > tb-${TORBROWSER_VERSION}_$LANG.zip.uuid + cd .. done
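Review bot: the RequestUUID extraction in this hunk is fragile on two counts. `$ALTOOL ... | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1` redirects the stderr of `tee`, not of `altool`, so an upload error printed on stderr never reaches the log and the only symptom is "Request UUID not present"; write `$ALTOOL ... 2>&1 | tee ...` instead. And `grep -o '[0-9a-f]+[0-9a-f-]+'` uses `+` in a basic regular expression, where it is a literal character rather than a quantifier on POSIX greps; `grep -Eo` makes the intent explicit and portable. Separately, the hunk drops `#!/bin/bash` together with the license header, leaving `set -e` as the first line of an executable file.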
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 62626b43492ba84c18df251145d4c4bbe4242e52 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:21:25 2022 +0100
Bug 40414: Improve macos-signer-notarization
- get tbb_version, bundle_locales and macos_notarization_user from config
- automatically change to ~/$tbb_version directory
- add text to ask for notarization password
- cleanup
---
 tools/signing/macos-signer-notarization | 42 ++++++++++++++++-------------
 tools/signing/set-config.macos-notarization | 5 ++++
 2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/tools/signing/macos-signer-notarization b/tools/signing/macos-signer-notarization index 239d6fe..f242a71 100755 --- a/tools/signing/macos-signer-notarization +++ b/tools/signing/macos-signer-notarization @@ -1,40 +1,44 @@ +#!/bin/bash set -e -set -x + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" +source "$script_dir/set-config.macos-notarization"
ALTOOL=~/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework/Versions/A/Support/altool -TORBROWSER_VERSION=$1 -if [ -z "$TORBROWSER_VERSION" ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi + +cd ~/${tbb_version} + if [ -z "${PW}" ]; then + echo "Please enter notarization password:" stty -echo; read PW; stty echo; export PW fi -if [ -z "$BUNDLE_LOCALES" ]; -then - BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" -fi -for LANG in $BUNDLE_LOCALES + +for LANG in $bundle_locales do + if test -f ${LANG}/tb-${tbb_version}_$LANG.zip.uuid + then + echo "Skipping ${LANG}/tb-${tbb_version}_$LANG.zip" + continue; + fi if test -d ${LANG}; then - mv ${LANG}/tb-${TORBROWSER_VERSION}_$LANG.zip ./ + mv ${LANG}/tb-${tbb_version}_$LANG.zip ./ rm -r ${LANG}/ fi mkdir $LANG cd $LANG - mv ../tb-${TORBROWSER_VERSION}_$LANG.zip . - unzip -q tb-${TORBROWSER_VERSION}_$LANG.zip + mv ../tb-${tbb_version}_$LANG.zip . + unzip -q tb-${tbb_version}_$LANG.zip echo "Notarizing $LANG..." - #xcrun altool --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 - $ALTOOL --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 + $ALTOOL --notarize-app --verbose -t osx -f tb-${tbb_version}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u "$macos_notarization_user" -p @env:PW --output-format xml | tee tb-${tbb_version}_$LANG.zip.log 2>&1
- request_uuid=`grep -A1 RequestUUID tb-${TORBROWSER_VERSION}_$LANG.zip.log | grep -o '[0-9a-f]+[0-9a-f-]+'` + request_uuid=`grep -A1 RequestUUID tb-${tbb_version}_$LANG.zip.log | grep -o '[0-9a-f]+[0-9a-f-]+'` if [ -z "${request_uuid}" ]; then echo "Request UUID not present. Notarization failed" exit 1 fi - echo ${request_uuid} > tb-${TORBROWSER_VERSION}_$LANG.zip.uuid + echo ${request_uuid} > tb-${tbb_version}_$LANG.zip.uuid + echo "Notarization done for $LANG."
cd .. done diff --git a/tools/signing/set-config.macos-notarization b/tools/signing/set-config.macos-notarization new file mode 100644 index 0000000..5d97a9b --- /dev/null +++ b/tools/signing/set-config.macos-notarization @@ -0,0 +1,5 @@ +# The following line should be uncommented and updated: + +#macos_notarization_user='user@email' + +var_is_defined macos_notarization_user
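Review bot: `echo "Notarization done for $LANG."` in the first hunk overstates what has happened: `altool --notarize-app` only uploads the archive and returns a RequestUUID for a queued job, so at that point the bundle is submitted, not notarized, and a later rejection would go unnoticed until stapling fails. Print "submitted" and point at the saved `.uuid` file (the input for `altool --notarization-info`). The `stty -echo; read PW; stty echo` prompt also leaves the terminal without echo if `read` fails under `set -e` (for example on EOF); `read -s PW` gives the same behaviour without that failure mode. The new `.uuid`-based skip at the top of the loop is a good idempotency fix.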
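Review bot: in the new `tools/signing/set-config.macos-notarization`, the header comment should say that `var_is_defined macos_notarization_user` makes every script sourcing this file abort until the line is uncommented, and that the value is evaluated as shell code (so it must stay quoted). Since the file is tracked, the real address will show up as a local modification; a `.gitignore`d override sourced after this file would avoid committing signer-specific settings.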
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 1767485ac4c36166ba92a20da7da817ab33c5ef7 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:35:18 2022 +0100
Bug 40414: Rename stapler.sh to macos-signer-stapler --- tools/signing/{stapler.sh => macos-signer-stapler} | 0 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/stapler.sh b/tools/signing/macos-signer-stapler similarity index 100% rename from tools/signing/stapler.sh rename to tools/signing/macos-signer-stapler
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 3209c27c1909b46fe2c115f68bab84286aeb5776 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:37:13 2022 +0100
Bug 40414: Update macos-signer-stapler
Update macos-signer-stapler to the version currently in use. --- tools/signing/macos-signer-stapler | 40 ++++++-------------------------------- 1 file changed, 6 insertions(+), 34 deletions(-)
diff --git a/tools/signing/macos-signer-stapler b/tools/signing/macos-signer-stapler index cdbb466..d82c485 100755 --- a/tools/signing/macos-signer-stapler +++ b/tools/signing/macos-signer-stapler 
@@ -1,47 +1,19 @@ -#!/bin/bash - -# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - +STAPLER=/Users/torbrowser/Xcode.app/Contents//Developer/usr/bin/stapler TORBROWSER_VERSION=$1 if [ -z "$TORBROWSER_VERSION" ]; then echo "Please call this script with a Tor Browser version!" 
exit 1 fi -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" +if [ -z "$BUNDLE_LOCALES" ]; +then + BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" +fi for LANG in $BUNDLE_LOCALES do echo "Stapling $LANG..." cd $LANG - xcrun stapler staple Tor\ Browser.app + $STAPLER staple Tor\ Browser.app zip -qr ../tb-${TORBROWSER_VERSION}_$LANG-stapled.zip Tor\ Browser.app cd .. done
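Review bot: this hunk removes `#!/bin/bash` and nothing in the script checks exit codes, so a failing `$STAPLER staple Tor\ Browser.app` (typically because notarization for that locale has not completed) is ignored and `zip -qr ../tb-${TORBROWSER_VERSION}_$LANG-stapled.zip Tor\ Browser.app` still produces an archive named as stapled but without a ticket; likewise, if `cd $LANG` fails, the staple and zip run in the parent directory. Add `set -e` (or `|| exit 1` after the staple) so an unstapled bundle cannot be shipped. The double slash in `Contents//Developer/usr/bin/stapler` is harmless but worth tidying.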
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 64abe72deb197b9de70a23c70ab201d329cfe1f5 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:42:12 2022 +0100
Bug 40414: Improve macos-signer-stapler
- get tbb_version, and bundle_locales from config
- automatically change to ~/$tbb_version directory
---
 tools/signing/macos-signer-stapler | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/tools/signing/macos-signer-stapler b/tools/signing/macos-signer-stapler index d82c485..e7ed1f7 100755 --- a/tools/signing/macos-signer-stapler +++ b/tools/signing/macos-signer-stapler @@ -1,19 +1,18 @@ +#!/bin/bash +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + STAPLER=/Users/torbrowser/Xcode.app/Contents//Developer/usr/bin/stapler -TORBROWSER_VERSION=$1 -if [ -z "$TORBROWSER_VERSION" ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi -if [ -z "$BUNDLE_LOCALES" ]; -then - BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" -fi -for LANG in $BUNDLE_LOCALES + +cd ~/${tbb_version} + +for LANG in $bundle_locales do echo "Stapling $LANG..." cd $LANG $STAPLER staple Tor\ Browser.app - zip -qr ../tb-${TORBROWSER_VERSION}_$LANG-stapled.zip Tor\ Browser.app + zip -qr ../tb-${tbb_version}_$LANG-stapled.zip Tor\ Browser.app cd .. done
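Review bot: with `set -e` now aborting the loop on the first failed staple, a re-run becomes the normal recovery path, and `zip -qr ../tb-${tbb_version}_$LANG-stapled.zip Tor\ Browser.app` then adds to an archive that already exists rather than recreating it. Delete the old `-stapled.zip` before zipping, the way macos-signer-gatekeeper-signing removes a stale `tb-${tbb_version}_${LANG}.zip` before signing. The `cd $LANG` / `cd ..` pair would also be safer as a subshell `( cd "$LANG" && ... )` so a failure inside cannot leave the script in the wrong directory.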
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit e7f2deb02f1b50c2f31e3754d29e92656f8a1b2d Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Mar 22 18:50:12 2022 +0100
Bug 40414: Rename tbb-signing.sh to linux-signer-gpg-sign --- tools/signing/{tbb-signing.sh => linux-signer-gpg-sign} | 0 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/tbb-signing.sh b/tools/signing/linux-signer-gpg-sign similarity index 100% rename from tools/signing/tbb-signing.sh rename to tools/signing/linux-signer-gpg-sign
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 05455d3337b9f1e52b3f57cffdaebab1be63fda7 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Mar 22 18:57:00 2022 +0100
Bug 40414: Update linux-signer-gpg-sign
Update linux-signer-gpg-sign to the version currently in use. --- tools/signing/linux-signer-gpg-sign | 42 ++++++++----------------------------- 1 file changed, 9 insertions(+), 33 deletions(-)
diff --git a/tools/signing/linux-signer-gpg-sign b/tools/signing/linux-signer-gpg-sign index 42ea235..723599b 100755 --- a/tools/signing/linux-signer-gpg-sign +++ b/tools/signing/linux-signer-gpg-sign @@ -1,38 +1,14 @@ #!/bin/bash
-# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -export GNUPGHOME=/path/to/gpg-key read -sp "Enter passphrase: " pass -for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk"` +for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort` do - echo "$pass" | gpg -absu $key! 
--passphrase-fd 0 $i + if test -f "$i.asc" + then + echo "Removing $i.asc" + rm -f "$i.asc" + fi + echo "Signing $i" + echo "$pass" | gpg -absu 0xe53d989a9e2d47bf! --passphrase-fd 0 $i + test $? || echo "Signing $i failed" done
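Review bot: `test $? || echo "Signing $i failed"` can never report a failure: `test` with a single non-empty argument is true, so `test 1` succeeds exactly like `test 0`. Use `[ "$?" -eq 0 ] || ...`, or better `echo "$pass" | gpg -absu 0xe53d989a9e2d47bf! --passphrase-fd 0 $i || { echo "Signing $i failed" >&2; exit 1; }` so a signing error stops the run instead of leaving some artifacts without a detached signature. Removing a stale `$i.asc` before re-signing is a good change; note that the hunk also drops `export GNUPGHOME`, so gpg now uses whatever keyring the login shell provides, and the key id moves from `$key` to a hardcoded value.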
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 209de9b1f1ffddba748ae25996f0ec26cecebd4d Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Mar 22 18:59:35 2022 +0100
Bug 40414: Improve linux-signer-gpg-sign
- Automatically change to ~/$tbb_version directory
- allow setting password with an environment variable (useful for tor-browser-build#40476)
---
 tools/signing/linux-signer-gpg-sign | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/signing/linux-signer-gpg-sign b/tools/signing/linux-signer-gpg-sign index 723599b..35058df 100755 --- a/tools/signing/linux-signer-gpg-sign +++ b/tools/signing/linux-signer-gpg-sign @@ -1,6 +1,12 @@ #!/bin/bash +set -e
-read -sp "Enter passphrase: " pass +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +cd ~/"$tbb_version" + +test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort` do if test -f "$i.asc" @@ -9,6 +15,5 @@ do rm -f "$i.asc" fi echo "Signing $i" - echo "$pass" | gpg -absu 0xe53d989a9e2d47bf! --passphrase-fd 0 $i - test $? || echo "Signing $i failed" + echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --passphrase-fd 0 $i done
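Review bot: `test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS` in the first hunk is fine when the passphrase is typed (the variable is not exported and reaches gpg only through the pipe), but when it is supplied as `GPG_PASS=... linux-signer-gpg-sign` it is inherited by every child process of the loop, including `find`, `sort` and `gpg`, and is readable from their environment by any process of the same user. Adding `export -n GPG_PASS` right after that line drops the export attribute so children no longer receive it while the pipe still works.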
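Review bot: dropping `test $? || echo "Signing $i failed"` in the second hunk is correct (it never fired), but under `set -e` a gpg error now aborts the script in the middle of the file list with only gpg's own output to say which file stopped it; `... --passphrase-fd 0 $i || { echo "Signing $i failed" >&2; exit 1; }` keeps the abort and names the artifact. Because the script deletes `$i.asc` before signing, a failed run leaves that one file unsigned, so the message is what the operator needs to see.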
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit b854feadfd16fc777040426f270338a90bbfbe7c Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Apr 5 10:23:41 2022 +0200
Bug 40414: Update nssdb7 path in linux-signer-signmars --- tools/signing/linux-signer-signmars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars index 23b400d..97678dd 100755 --- a/tools/signing/linux-signer-signmars +++ b/tools/signing/linux-signer-signmars @@ -11,7 +11,7 @@ script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) source "$script_dir/functions"
if [ -z "${NSS_DB_DIR+x}" ]; then - NSS_DB_DIR=/home/gk/marsigning/nssdb7 + NSS_DB_DIR=/home/boklm/marsigning/nssdb7 fi
if [ -z "${NSS_CERTNAME+x}" ]; then
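Review bot: the default `NSS_DB_DIR=/home/boklm/marsigning/nssdb7` swaps one person's home directory for another in a shared script, which is exactly the situation the `${NSS_DB_DIR+x}` override exists to avoid. Since the other signer scripts now read their settings from the config sourced via `functions`, an `nss_db_dir` variable guarded by `var_is_defined` (as done for `macos_notarization_user`) would keep per-signer paths out of git; if a default stays, deriving it from `$HOME` rather than a fixed user name works for whichever account runs the signer.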
boklm pushed a commit to branch maint-11.0 in repository builders/tor-browser-build.
commit 479afa23aa5a5113e38de21b40f057e05d9cb596 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Apr 19 12:11:19 2022 +0200
Bug 40414: Add finished-signing-clean-* --- tools/signing/finished-signing-clean-linux-signer | 14 ++++++++++++++ tools/signing/finished-signing-clean-macos-signer | 14 ++++++++++++++ 2 files changed, 28 insertions(+)
diff --git a/tools/signing/finished-signing-clean-linux-signer b/tools/signing/finished-signing-clean-linux-signer new file mode 100755 index 0000000..154babd --- /dev/null +++ b/tools/signing/finished-signing-clean-linux-signer @@ -0,0 +1,14 @@ +#!/bin/bash + +# Remove current tbb version from linux-signer. You should run this +# when all signing has been done. + +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer tbb_version + +ssh "$ssh_host_linux_signer" 'bash -s' << EOF + test -n "$tbb_version" && rm -Rfv ~/"$tbb_version" +EOF diff --git a/tools/signing/finished-signing-clean-macos-signer b/tools/signing/finished-signing-clean-macos-signer new file mode 100755 index 0000000..d44d779 --- /dev/null +++ b/tools/signing/finished-signing-clean-macos-signer @@ -0,0 +1,14 @@ +#!/bin/bash + +# Remove current tbb version from macos-signer. You should run this +# when all signing has been done. + +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer tbb_version + +ssh "$ssh_host_macos_signer" 'bash -s' << EOF + test -n "$tbb_version" && rm -Rfv ~/"$tbb_version" +EOF
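Review bot: in both new files the heredoc is unquoted (`<< EOF`), so `$tbb_version` is expanded locally and the remote shell receives a literal `test -n "<version>" && rm -Rfv ~/"<version>"`; that is what makes the `test -n` guard essential, because with an empty value the remote command would reduce to `rm -Rfv ~/""`, the signer account's home directory. `var_is_defined ssh_host_linux_signer tbb_version` rejects an unset variable, but a value containing `/` or `..` would still escape `~`; rejecting those locally (or checking on the remote side that the target is a direct child of `$HOME` before removing it) would make this cleanup safe to run unattended. Keeping `-v` on the `rm` so the removed paths are logged is a good choice.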
tbb-commits@lists.torproject.org