boklm pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: f11c6a41 by Nicolas Vigier at 2026-04-02T16:02:11+02:00 Bug 41759: Remove var/torbrowser_legacy_version from rbm.conf And var/torbrowser_legacy_platform_version. - - - - - 8d52f71d by Nicolas Vigier at 2026-04-02T16:02:11+02:00 Bug 41759: Remove legacy channel from gitlab templates - - - - - 00735068 by Nicolas Vigier at 2026-04-02T16:02:11+02:00 Revert "Bug 41373: Add support for old from mar filenames (with `_ALL`)" This reverts commit 98191f1547eff98955ea53a294e458e68033f72f. - - - - - f8e22809 by Nicolas Vigier at 2026-04-02T16:02:11+02:00 Bug 41759: Remove legacy channel support from tools/signing/do-all-signing - - - - - 2b885eeb by Nicolas Vigier at 2026-04-02T16:02:11+02:00 Bug 41759: Remove legacy channel support from tools/browser - - - - - 3e7a89e1 by Nicolas Vigier at 2026-04-02T16:02:11+02:00 Bug 41759: Remove legacy channel support from projects/release/update_responses_config.yml - - - - - a9325827 by Nicolas Vigier at 2026-04-02T16:02:11+02:00 Bug 41476: Remove tools/signing/wrappers/sign-rcodesign And related files. This was used to sign 13.5 releases. - - - - - 14 changed files: - .gitlab/issue_templates/010 Backport.md - .gitlab/issue_templates/041 Release Prep - Tor Browser Stable.md - .gitlab/merge_request_templates/relprep.md - projects/release/update_responses_config.yml - rbm.conf - tools/browser/README.md - tools/browser/sign-tag - − tools/signing/alpha.entitlements.xml - tools/signing/do-all-signing - tools/signing/machines-setup/setup-signing-machine - − tools/signing/machines-setup/sudoers.d/sign-rcodesign - − tools/signing/release.entitlements.xml - − tools/signing/wrappers/sign-rcodesign - tools/update-responses/update_responses Changes: ===================================== .gitlab/issue_templates/010 Backport.md ===================================== 
@@ -20,7 +20,6 @@ This is an issue for tracking back-porting a patch-set (e.g. from main to maint- ### Target Channels - [ ] maint-15.0 -- [ ] maint-13.5 ## Notes ===================================== .gitlab/issue_templates/041 Release Prep - Tor Browser Stable.md ===================================== @@ -68,8 +68,6 @@ Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` b - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version - **NOTE**: We try to build incrementals for the previous 3 desktop versions - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail - - [ ] `var/torbrowser_legacy_version`: updated to latest legacy Tor Browser version - - [ ] `var/torbrowser_legacy_platform_version`: updated to latest legacy Tor Browser ESR version - [ ] `projects/firefox/config` - [ ] `var/browser_build`: updated to match `tor-browser` tag - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased 
@@ -211,9 +209,6 @@ Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` b Changelog: # paste changelog as quote here ``` -- [ ] Verify the associated legacy `maint-13.5` release has been signed and deployed - - **⚠️ WARNING**: Do not continue if the legacy channel has not been fully signed and published yet; it is needed for update-response generation! - - **NOTE** Stable releases without a corresponding legacy release may ignore this - [ ] On `${STAGING_SERVER}`, ensure updated: - **NOTE** Having a local git branch with `maint-15.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase` - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}` ===================================== .gitlab/merge_request_templates/relprep.md ===================================== @@ -20,8 +20,6 @@ - [ ] `var/torbrowser_build`: should be `build1`, unless bumping a previous release preparation - [ ] `var/browser_release_date`: must not be in the future when we start building - [ ] `var/torbrowser_incremental_from` (not needed for Android-only releases) - - [ ] `var/torbrowser_legacy_version` (For Tor Browser 14.0.x stable releases only) - - [ ] `var/torbrowser_legacy_platform_version` (For Tor Browser 14.0.x stable releases only) - [ ] Tag updates: - [ ] [Firefox](https://gitlab.torproject.org/tpo/applications/tor-browser/-/tags) - [ ] Geckoview - should match Firefox ===================================== projects/release/update_responses_config.yml ===================================== 
@@ -32,9 +32,6 @@ build_targets: channels: [% c('var/channel') %]: - [% c("var/torbrowser_version") %] -[% IF c("var/tor-browser") && c("var/torbrowser_legacy_version") -%] - - [% c("var/torbrowser_legacy_version") %] -[% END -%] versions: [% c("var/torbrowser_version") %]: [% IF c("var/create_unsigned_incrementals") -%] @@ -70,25 +67,6 @@ versions: minSupportedOSVersion: 10.0 linux-x86_64: minSupportedInstructionSet: SSE2 -[% IF c("var/tor-browser") && c("var/torbrowser_legacy_version") -%] - [% c("var/torbrowser_legacy_version") %]: - mar_channel_id: [% c('var/mar_channel_id') %] - platformVersion: [% c('var/torbrowser_legacy_platform_version') %] - detailsURL: https://blog.torproject.org/new[% IF c("var/alpha") %]-alpha[% END %]-release-tor-browser-[% c("var/torbrowser_legacy_version") FILTER remove('\.') %] - # minSupportedOsVersion on macOS corresponds to the Darwin version ( https://en.wikipedia.org/wiki/Darwin_(operating_system) ) - macos: - # macOS v10.12.0 - minSupportedOSVersion: 16.0.0 - # minSupportedOsVersion on Windows corresponds to the operating system version ( https://docs.microsoft.com/en-us/windows/win32/sysinfo/operating-system-vers... ) - windows-i686: - # Windows 7 - minSupportedOSVersion: 6.1 - minSupportedInstructionSet: SSE2 - windows-x86_64: - # Windows 7 - minSupportedOSVersion: 6.1 - minSupportedInstructionSet: SSE2 -[% END -%] mar_compression: xz [% IF c("var/tor-browser") -%] tag: 'tbb-[% c("var/torbrowser_version") %]-[% c("var/torbrowser_build") %]' ===================================== rbm.conf ===================================== 
@@ -136,9 +136,6 @@ var: - 16.0a2 mar_channel_id: '[% c("var/projectname") %]-torproject-[% c("var/channel") %]' -# torbrowser_legacy_version: 13.5.22 -# torbrowser_legacy_platform_version: 115.28.0 - # By default, we sort the list of installed packages. This allows sharing # containers with identical list of packages, even if they are not listed # in the same order. In the cases where the installation order is ===================================== tools/browser/README.md ===================================== @@ -50,8 +50,7 @@ This script gpg signs a git tag associated with a particular browser commit in t usage: ./tools/browser/sign-tag.<browser> <channel> <build-number> [commit] browser one of basebrowser, torbrowser, or mullvadbrowser -channel the release channel of the commit to sign (e.g. alpha, stable, - or legacy) +channel the release channel of the commit to sign (e.g. alpha, or stable) build-number the build number portion of a browser build tag (e.g. build2) commit optional git commit, HEAD is used if argument not present ``` @@ -71,18 +70,6 @@ Invoke the relevant soft-link'd version of this script to sign a particular brow message: Tagging build1 for 128.4.0esr-based alpha ``` - - ##### `tor-browser-115.17.0esr-13.5-1-build2` - After checking out `tor-browser-115.17.0esr-13.5-1` branch in linked tor-browser.git - ```bash - ./sign-tag.torbrowser legacy build2 8e9e58fe400291f20be5712d057ad0b5fc4d70c1 - ``` - **output**: - ``` - Tag commit 8e9e58fe4002 in tor-browser-115.17.0esr-13.5-1 - tag: tor-browser-115.17.0esr-13.5-1-build2 - message: Tagging build2 for 115.17.0esr-based legacy - ``` - - ##### `mullvad-browser-128.4.0esr-14.0-1-build2` After checking out `mullvad-browser-128.4.0esr-14.0-1` branch in linked mullvad-browser.git ```bash ===================================== tools/browser/sign-tag ===================================== 
@@ -80,11 +80,10 @@ commit=$(git rev-parse --short ${3:-HEAD}) # channel validation if [[ "${project}" == "mullvad-browser" ]]; then repo="$project" - valid_channels=("rapid" "alpha" "stable") else repo="tor-browser" - valid_channels=("rapid" "alpha" "stable" "legacy") fi +valid_channels=("alpha" "stable") channel_valid=false for value in "${valid_channels[@]}"; do if [[ "${channel}" == "${value}" ]]; then ===================================== tools/signing/alpha.entitlements.xml deleted ===================================== @@ -1,26 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> -<!-- - Entitlements to apply during codesigning of production builds. ---> -<plist version="1.0"> - <dict> - <!-- Firefox needs to create executable pages (without MAP_JIT) --> - <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> - - <!-- Allow loading third party libraries. Needed for Flash and CDMs --> - <key>com.apple.security.cs.disable-library-validation</key><true/> - - <!-- Firefox needs to access the microphone on sites the user allows --> - <key>com.apple.security.device.audio-input</key><true/> - - <!-- Firefox needs to access the camera on sites the user allows --> - <key>com.apple.security.device.camera</key><true/> - - <!-- Firefox needs to access the location on sites the user allows --> - <key>com.apple.security.personal-information.location</key><true/> - - <!-- For SmartCardServices(7) --> - <key>com.apple.security.smartcard</key><true/> - </dict> -</plist> ===================================== tools/signing/do-all-signing ===================================== 
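Review bot: In tools/browser/sign-tag the new `valid_channels=("alpha" "stable")` drops `rapid` as well as `legacy`, although the removed lines accepted `rapid` for both tor-browser and mullvad-browser and the commit title mentions only the legacy channel. If rapid tags are still meant to be signed with this script, the channel check will now reject them; `valid_channels=("rapid" "alpha" "stable")` would limit the change to what the title says. If dropping `rapid` is intended, the commit message should say so, since this list decides which channel names the script will accept for a GPG-signed tag. The validation loop that reads the array continues outside the hunk.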
@@ -19,21 +19,10 @@ if [[ $1 = "-p" ]]; then shift fi -function is_legacy { - [[ "$tbb_version" = 13.* ]] -} - -if is_legacy; then - platform_android= - platform_desktop=1 - platform_macos=1 - platform_windows=1 -else - platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) - platform_desktop=$(rbm_showconf_boolean var/browser_platforms/signing_desktop) - platform_macos=$(rbm_showconf_boolean var/browser_platforms/macos) - platform_windows=$(rbm_showconf_boolean var/browser_platforms/signing_windows) -fi +platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) +platform_desktop=$(rbm_showconf_boolean var/browser_platforms/signing_desktop) +platform_macos=$(rbm_showconf_boolean var/browser_platforms/macos) +platform_windows=$(rbm_showconf_boolean var/browser_platforms/signing_windows) is_project torbrowser && nssdb=torbrowser-nssdb7 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1 @@ -293,6 +282,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo do_step sync-local-to-staticiforme do_step sync-scripts-to-staticiforme do_step staticiforme-prepare-cdn-dist-upload -[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && ! is_legacy && \ +[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && \ do_step upload-update_responses-to-staticiforme do_step finished-signing-clean-linux-signer ===================================== tools/signing/machines-setup/setup-signing-machine ===================================== @@ -41,6 +41,12 @@ function authorized_keys { chmod 600 "$authkeysfile" } +function remove_sudoers_file { + # Remove a sudoers file that previously existed but is no longer used + sfile="$1" + rm -f "/etc/sudoers.d/$sfile" +} + function sudoers_file { sfile="$1" cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile" 
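Review bot: `remove_sudoers_file` in tools/signing/machines-setup/setup-signing-machine only revokes the old rule on machines where this script is run again. Until then `/etc/sudoers.d/sign-rcodesign` keeps its NOPASSWD grant to run, as signing-macos, a wrapper path that this push deletes from the checkout. A sudo grant whose target no longer exists should not be left in place; who can write to that checkout path is not visible here, so the re-run should be treated as a required rollout step. I would record that above the function, e.g. `# Must be re-run on every signing machine: the old NOPASSWD rule stays active until its file is removed`, and add the step to the release checklist. The call site, `remove_sudoers_file sign-rcodesign`, is in the later hunk of the same file.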
@@ -91,7 +97,8 @@ sudoers_file sign-mar sudoers_file sign-exe sudoers_file sign-apk sudoers_file sign-aab -sudoers_file sign-rcodesign +# sign-rcodesign is removed - tor-browser-build#41476 +remove_sudoers_file sign-rcodesign sudoers_file sign-rcodesign-128 sudoers_file sign-rcodesign-146 sudoers_file set-date ===================================== tools/signing/machines-setup/sudoers.d/sign-rcodesign deleted ===================================== @@ -1,2 +0,0 @@ -Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW" -%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign ===================================== tools/signing/release.entitlements.xml deleted ===================================== @@ -1,26 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> -<!-- - Entitlements to apply during codesigning of production builds. ---> -<plist version="1.0"> - <dict> - <!-- Firefox needs to create executable pages (without MAP_JIT) --> - <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> - - <!-- Allow loading third party libraries. Needed for Flash and CDMs --> - <key>com.apple.security.cs.disable-library-validation</key><true/> - - <!-- Firefox needs to access the microphone on sites the user allows --> - <key>com.apple.security.device.audio-input</key><true/> - - <!-- Firefox needs to access the camera on sites the user allows --> - <key>com.apple.security.device.camera</key><true/> - - <!-- Firefox needs to access the location on sites the user allows --> - <key>com.apple.security.personal-information.location</key><true/> - - <!-- For SmartCardServices(7) --> - <key>com.apple.security.smartcard</key><true/> - </dict> -</plist> ===================================== tools/signing/wrappers/sign-rcodesign deleted ===================================== 
@@ -1,106 +0,0 @@ -#!/bin/bash -set -e - -function exit_error { - for msg in "$@" - do - echo "$msg" >&2 - done - exit 1 -} - -test $# -eq 2 || exit_error "Wrong number of arguments" -dmg_file="$1" -display_name="$2" - -output_file="/home/signing-macos/last-signed-$display_name.tar.zst" -rm -f "$output_file" - -rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12 -test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing" - -tmpdir=$(mktemp -d) -trap "rm -Rf $tmpdir" EXIT -cd "$tmpdir" -7z x "$dmg_file" - -# Fix permission on files: -# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29... -# FIXME: Maybe we should extract the .mar file instead of the .dmg to -# preserve permissions -chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \ - "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \ - "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/* -test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \ - chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor" - -pwdir=/run/lock/rcodesign-pw -trap "rm -Rf $pwdir" EXIT -rm -Rf "$pwdir" -mkdir "$pwdir" -chmod 700 "$pwdir" -cat > "$pwdir/rcodesign-pw-2" << EOF -$RCODESIGN_PW -EOF -tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw" -rm "$pwdir/rcodesign-pw-2" - -rcodesign_opts=" - --code-signature-flags runtime - --timestamp-url http://timestamp.apple.com:8080/ts01 - --p12-file $rcodesign_signing_p12_file - --p12-password-file $pwdir/rcodesign-pw - " - -# sign updater.app and plugin-container.app separately -echo '**** Signing updater.app ****' -/signing/rcodesign/rcodesign sign \ - $rcodesign_opts \ - --info-plist-path "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Info.plist" \ - -- \ - "$display_name/$display_name.app/Contents/MacOS/updater.app" -echo '**** Signing plugin-container.app ****' -/signing/rcodesign/rcodesign sign \ 
- $rcodesign_opts \ - --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \ - -- \ - "$display_name/$display_name.app/Contents/MacOS/plugin-container.app" - -# Setting binary-identifier on some files, to avoid signature errors. See: -# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29... -pushd "$display_name/$display_name.app/Contents/MacOS/" -for lib in *.dylib -do - binident=$(echo $lib | sed 's/\.dylib$//') - binident="--binary-identifier Contents/MacOS/$lib:$binident" - echo "Adding option $binident" - rcodesign_opts="$rcodesign_opts $binident" -done -popd - -if test -d "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/" -then - pushd "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/" - for file in echo * - do - binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file" - echo "Adding option $binident" - rcodesign_opts="$rcodesign_opts $binident" - done - popd -fi - -echo "**** Signing main bundle ($display_name.app) ****" -# We use `--exclude '**'` to avoid re-signing nested bundles -/signing/rcodesign/rcodesign sign \ - $rcodesign_opts \ - --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \ - --exclude '**' \ - -- \ - "$display_name/$display_name.app" - -rm -f "$pwdir/rcodesign-pw" -rmdir "$pwdir" -tar -C "$display_name" -caf "$output_file" "$display_name.app" -cd - -rm -Rf "$tmpdir" ===================================== tools/update-responses/update_responses ===================================== 
@@ -87,33 +87,6 @@ sub get_sha512_hex_of_file { return $sha->hexdigest; } -# With release 15.0 _ALL is being removed from mar file names. -# However we need to be able to generate incrementals from versions -# using the old filenames. As a workaround, if the old filename is -# found we create a symlink to the new file name. -# The symlinks are used in `create_incremental_mar` and `get_buildinfos`, -# where supporting both file names would complexify things. The symlinks -# are ignored in `get_version_files` where the regexp used support both -# old and new filenames. -# We can remove this once we don't need to generate incrementals from -# versions with the old file names. -sub symlink_ALL { - my ($config, $version) = @_; - my $vdir = version_dir($config, $version); - opendir(my $d, $vdir) or exit_error "Error opening directory $vdir"; - foreach my $file (readdir $d) { - next unless -f "$vdir/$file"; - if ($file =~ m/^(.+)_ALL\.mar$/) { - next if -f "$vdir/$1.mar"; - symlink $file, "$vdir/$1.mar"; - } - if ($file =~ m/^(.+)_ALL\.incremental\.mar$/) { - next if -f "$vdir/$1.incremental.mar"; - symlink $file, "$vdir/$1.incremental.mar"; - } - } -} - sub get_version_files { my ($config, $version) = @_; return if $config->{versions}{$version}{files}; @@ -124,13 +97,8 @@ sub get_version_files { opendir(my $d, $vdir) or exit_error "Error opening directory $vdir"; foreach my $file (readdir $d) { next unless -f "$vdir/$file"; - # Ignore the symlinks created by `symlink_ALL` to avoid adding the files - # twice. - # We can remove this line once we don't need to support the legacy channel with - # with the old file names. - next if -l "$vdir/$file"; if ($file !~ m/incremental\.mar$/ && - $file =~ m/^$appname-(.+)-${version}(_ALL)?\.mar$/) { + $file =~ m/^$appname-(.+)-${version}\.mar$/) { my $os = $1; $files->{$os}{complete} = { type => 'complete', 
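Review bot: The rewritten pattern in get_version_files, `m/^$appname-(.+)-${version}\.mar$/`, still interpolates `$appname` and `$version` as regex source. The dots in a version string therefore match any character, and any other metacharacter in those config values changes what is selected. Since the line is being touched anyway, quoting both makes the file selection exact: `$file =~ m/^\Q$appname\E-(.+)-\Q$version\E\.mar$/`. The same applies to the incremental pattern changed in the next hunk (`-\Q$version\E\.incremental\.mar$`). The matched files appear to be the ones recorded as complete and partial updates, so an over-broad match is worth closing; the rest of get_version_files lies outside the hunk.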
@@ -143,7 +111,7 @@ sub get_version_files { }; next; } - if ($file =~ m/^$appname-(.+)--(.+)-${version}(_ALL)?\.incremental\.mar$/) { + if ($file =~ m/^$appname-(.+)--(.+)-${version}\.incremental\.mar$/) { my ($os, $from_version) = ($1, $2); $files->{$os}{partial}{$from_version} = { type => 'partial', @@ -320,7 +288,6 @@ sub create_incremental_mars_for_version { my $v = $config->{versions}{$version}; foreach my $from_version (@{$v->{incremental_from}}) { $config->{versions}{$from_version} //= {}; - symlink_ALL($config, $from_version); get_version_files($config, $from_version); my $from_v = $config->{versions}{$from_version}; foreach my $os (keys %{$v->{files}}) { @@ -430,7 +397,6 @@ sub write_responses { my (%oses, %from_versions); foreach my $version (@$versions) { get_version_files($config, $version); - symlink_ALL($config, $version); get_buildinfos($config, $version); my $files = $config->{versions}{$version}{files}; foreach my $os (keys %$files) { View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/f... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/f... You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications: https://gitlab.torproject.org/-/profile/notifications | Help: https://gitlab.torproject.org/help