richard pushed a commit to branch main in repository builders/tor-browser-build.
The following commit(s) were added to refs/heads/main by this push: new 751756c Bug 40574: Improve tools/signing/android-signing 751756c is described below
commit 751756c2e7d7239df0636bf5ac8cc22d4781cbc6 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Jul 12 16:48:51 2022 +0200
Bug 40574: Improve tools/signing/android-signing
* use projects/android-toolchain/config to download android build-tools * download unsigned apk files for pkgstage and upload them to pkgstage when signed * use set-config.android-signing --- projects/android-toolchain/config | 21 +++++++- tools/signing/android-signing | 93 +++++++++++++++++++++++--------- tools/signing/set-config.android-signing | 7 +++ 3 files changed, 93 insertions(+), 28 deletions(-)
diff --git a/projects/android-toolchain/config b/projects/android-toolchain/config
index 57c38c1..a2f34ae 100644
--- a/projects/android-toolchain/config
+++ b/projects/android-toolchain/config
@@ -47,11 +47,13 @@ var:
 sdk_tools_version: 4333796
 commandlinetools_version: 7583922
 commandlinetools_version_string: 5.0
+ build_tools_filename: build-tools_r31-linux.zip
+ build_tools_sha256sum: f90c22f5562638a2e00762e1711eebd55e7f0a05232b65200d387307d057bfe8
 input_files:
 - project: container-image
- - URL: '[% c("var/google_repo") %]/build-tools_r31-linux.zip'
+ - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
 name: build_tools
- sha256sum: f90c22f5562638a2e00762e1711eebd55e7f0a05232b65200d387307d057bfe8
+ sha256sum: '[% c("var/build_tools_sha256sum") %]'
 - URL: '[% c("var/google_repo") %]/build-tools_r[% c("var/version_30") %]-linux.zip'
 name: build_tools_30
 sha256sum: 565af786dc0cc1941002174fb945122eabd080b222cd4c7c3d9a2ae0fabf5dc4
@@ -85,3 +87,18 @@ input_files:
 - URL: '[% c("var/google_repo") %]/android-ndk-r[% c("var/android_ndk_version") %][% c("var/android_ndk_revision") %]-linux-x86_64.zip'
 name: android_ndk_compiler
 sha256sum: dd6dc090b6e2580206c64bcee499bc16509a5d017c6952dcd2bed9072af67cbd
+steps:
+ # The get_build_tools step is used by tools/signing/android-signing
+ get_build_tools:
+ filename: 'android-[% c("var/build_tools_filename") %]'
+ get_build_tools: |
+ #!/bin/bash
+ set -e
+ mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
+ var:
+ container:
+ use_container: 0
+ input_files:
+ - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
+ name: build_tools
+ sha256sum: '[% c("var/build_tools_sha256sum") %]'
diff --git a/tools/signing/android-signing b/tools/signing/android-signing
index 7c2ee50..16610e7 100755
--- a/tools/signing/android-signing
+++ b/tools/signing/android-signing
@@ -1,23 +1,64 @@
 #!/bin/bash
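Review bot: The two templated paths on the `mv -v` line of the new `get_build_tools` step are unquoted in bash, so a `dest_dir` or `filename` containing whitespace would be word-split; `mv -v "[% c("input_files_by_name/build_tools") %]" "[% dest_dir _ '/' _ c('filename') %]"` is the defensive form. The step also repeats the project-level `input_files` entry for the same zip; because both now read `var/build_tools_filename` and `var/build_tools_sha256sum` they cannot drift, but a comment on the step noting that the signing script relies on this entry's `sha256sum` check (assuming rbm verifies step-level input_files as it does project-level ones) would help the next reader.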
 # Sign apk for each target architecture.
-# This script requires two command line arguments.
-# Usage: android-signing <version> <path/to/signing/key>
+# This script does not require command line argument, but it needs
+# some configuration options to be set in set-config.android-signing:
+# - ssh_host_pkgstage is the host which you use for staging packages
+# during signing. The script will download the unsigned .apk files
+# from this host, and upload the signed .apk there
+# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
+# on pkgstage
+# - android_signing_key_dir: the local path where the android signing
+# keys are located. That directory should contains files tba_alpha.p12
+# and tba_release.p12 for alpha and release signing keys.
+# The Tor Browser version is taken from set-config.tbb-version
-# In addition, hard-coding the path to an Android SDK build-tools version, as
-# BUILD_TOOLS, is required.
-
-set -x
 set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.android-signing"
-VERSION=$1
-SIGNING_KEY_PATH=$2
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
-# TODO set correctly.
-BUILD_TOOLS=/path/to/build-tools/version
-export PATH="${BUILD_TOOLS}:${PATH}"
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
-ARCHS="armv7 aarch64 x86 x86_64"
+check_installed_packages() {
+ local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+ for package in $packages
+ do
+ dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+ exit_error "package $package is missing"
+ done
+}
+
+setup_build_tools() {
+ local rbm="$topdir/rbm/rbm"
+ local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
+ if ! test -f "$build_tools_zipfile"; then
+ "$rbm" build --step get_build_tools android-toolchain
+ test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
+ fi
+ local build_tools_dir=$(mktemp -d)
+ trap "rm -Rf $build_tools_dir" EXIT
+ unzip -d "$build_tools_dir" "$build_tools_zipfile"
+ test -f "$build_tools_dir"/android-12/apksigner || \
+ exit_error "$build_tools_dir/android-12/apksigner is missing"
+ export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+download_unsigned_apks() {
+ apks_dir=$(mktemp -d)
+ trap "rm -Rf $apks_dir" EXIT
+ rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
+}
+
+upload_signed_apks() {
+ rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
+ --exclude="*-unsigned.apk" "$apks_dir/" \
+ "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/"
+}
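Review bot: The `trap "rm -Rf $apks_dir" EXIT` in download_unsigned_apks replaces the `trap "rm -Rf $build_tools_dir" EXIT` armed in setup_build_tools, because bash keeps only the last EXIT trap set, so the unpacked build-tools directory (and the apksigner binary placed on PATH) is left behind in the temp directory after every run. Both mktemp results are also interpolated unquoted into the trap string, and `local build_tools_dir=$(mktemp -d)` hides a mktemp failure under set -e since `local` returns 0. One cleanup function registered once, with each function assigning its directory after a checked mktemp (build_tools_dir then becomes a script-level variable rather than a local), addresses all three. Note that the same EXIT trap also deletes the freshly signed apks when upload_signed_apks fails under set -e, so cleanup may want to keep `$apks_dir` unless the upload succeeded.
```shell
cleanup() {
  if [ -n "${build_tools_dir:-}" ]; then rm -Rf -- "$build_tools_dir"; fi
  if [ -n "${apks_dir:-}" ]; then rm -Rf -- "$apks_dir"; fi
}
trap cleanup EXIT

setup_build_tools() {
  # … unchanged: rbm showconf / build of the zipfile …
  build_tools_dir=$(mktemp -d) || exit_error "mktemp failed"
  unzip -d "$build_tools_dir" "$build_tools_zipfile"
  # … unchanged: apksigner check and PATH export …
}

download_unsigned_apks() {
  apks_dir=$(mktemp -d) || exit_error "mktemp failed"
  # … unchanged: rsync download …
}
```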
 # Sign individual apk
 sign_apk() {
@@ -57,7 +98,7 @@ sign_apk() {
 # Step 3: Sign
 # Use this command if reading key from file
- apksigner sign --verbose -ks ${SIGNING_KEY_PATH} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
+ apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
 # Or, use below command if using a hardware token
 # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
@@ -81,18 +122,18 @@ sign_apk() {
 # Rename and verify signing certificate
 finalize() {
 for arch in ${ARCHS}; do
- mv tor-browser-${VERSION}-android-${arch}-multi{-qa,}.apk
+ mv tor-browser-${tbb_version}-android-${arch}-multi{-qa,}.apk
 done
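Review bot: `-ks ${android_signing_key_path}` on the new apksigner line is the only unquoted path on that line; `-ks "${android_signing_key_path}"` keeps a key directory containing spaces from being split into several arguments, which would otherwise surface as an apksigner usage error rather than a clear message. Passing the passphrase via `env:KSPASS` instead of argv is the right choice and should stay. sign_apk's body starts and ends outside this hunk.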
 for arch in ${ARCHS}; do
- verified=`apksigner verify --print-certs --verbose tor-browser-${VERSION}-android-${arch}-multi.apk`
+ verified=`apksigner verify --print-certs --verbose tor-browser-${tbb_version}-android-${arch}-multi.apk`
 scheme_v1=
 scheme_v2=
 cert_digest=
 pubkey_digest=
 # Verify the expected signing key was used, Alpha verses Release based on the filename.
- if `echo ${VERSION} | grep -q a`; then
+ if test "$tbb_version_type" = "alpha"; then
 scheme_v1="Verified using v1 scheme (JAR signing): true"
 scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
 cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
@@ -117,15 +158,7 @@ finalize() {
 echo Done.
 }
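Review bot: The rewritten `verified=` assignment in finalize keeps backtick command substitution and an unquoted apk filename, while the new code at the top of the script already uses `$( ... )`; `verified=$(apksigner verify --print-certs --verbose "tor-browser-${tbb_version}-android-${arch}-multi.apk")` is the consistent form. Since this output is what the alpha/release certificate and public-key digests are later compared against, a one-line comment above it, `# apksigner output is matched below against the expected cert/pubkey digests`, would make that dependency visible. The comment "based on the filename" above the changed `if test "$tbb_version_type" = "alpha"` line is now stale, since the branch keys off the configured version type rather than the filename. finalize's body continues outside the hunk.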
-if [ -z "$VERSION" ]; then
- echo Provide version number
- exit
-fi
-
-if [ -z "${SIGNING_KEY_PATH}" ]; then
- echo Provide the path to the signing key: release or alpha
- exit
-fi
+check_installed_packages
 if [ -z "$KSPASS" ]; then
 echo "Enter keystore passphrase"
@@ -133,9 +166,17 @@ if [ -z "$KSPASS" ]; then
 export KSPASS
 fi
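Review bot: Dropping the `$VERSION` and `$SIGNING_KEY_PATH` argument checks leaves no visible guard that `tbb_version` and `tbb_version_type` are non-empty before the earlier hunk builds the key path and the pkgstage rsync paths from them; if set-config.tbb-version does not already assert this, a `var_is_defined tbb_version tbb_version_type` line next to the new `check_installed_packages` call restores the fail-fast behaviour. With `tbb_version_type` empty the script would look for `tba_.p12` and only stop at the existing `test -f` with a confusing message.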
+setup_build_tools
+
+download_unsigned_apks
+
+cd $apks_dir
+
 # Sign all packages
 for arch in ${ARCHS}; do
- sign_apk tor-browser-${VERSION}-android-${arch}-multi-qa.apk
+ sign_apk tor-browser-${tbb_version}-android-${arch}-multi-qa.apk
 done
 finalize
+
+upload_signed_apks
diff --git a/tools/signing/set-config.android-signing b/tools/signing/set-config.android-signing
new file mode 100644
index 0000000..1731efc
--- /dev/null
+++ b/tools/signing/set-config.android-signing
@@ -0,0 +1,7 @@
+# The following line should be uncommented and updated:
+
+#ssh_host_pkgstage=tbbuild
+#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
+#android_signing_key_dir=/path/to/signing/key/dir
+
+var_is_defined ssh_host_pkgstage android_signing_key_dir
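Review bot: `cd $apks_dir` in the new main sequence is unquoted and unchecked, unlike the paths elsewhere in the new code; `cd -- "$apks_dir" || exit_error "cannot cd to $apks_dir"` matches the rest of the script and gives a clear message if the earlier mktemp failed. The keystore passphrase prompt now runs before setup_build_tools and download_unsigned_apks, so a failed unzip or rsync is discovered only after the operator has typed the passphrase; calling the two setup functions before the `KSPASS` block would fail earlier and keep the passphrase out of a run that cannot proceed anyway.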
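Review bot: `var_is_defined ssh_host_pkgstage android_signing_key_dir` omits `pkgstage_tor_browser_build_dir`, although download_unsigned_apks and upload_signed_apks both interpolate it into the rsync path; with it unset the remote path collapses to `/<type>/signed/<version>/`, an absolute path under the remote root, and the only diagnostic is an rsync error. `var_is_defined ssh_host_pkgstage pkgstage_tor_browser_build_dir android_signing_key_dir` makes the missing setting explicit. The header comment says "The following line" while three settings follow; `# The following lines should be uncommented and updated:` reads correctly.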