February 2023 - tor-commits - lists.torproject.org

[Git][tpo/applications/tor-browser-build][main] Bug 40760: Add BSD packager contacts to release prep templates
by Richard Pospesel (＠richard) 02 Feb '23

02 Feb '23

Richard Pospesel pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: a9fb0000 by Richard Pospesel at 2023-02-02T13:07:18+00:00 Bug 40760: Add BSD packager contacts to release prep templates - - - - - 2 changed files: - .gitlab/issue_templates/Release Prep - Alpha.md - .gitlab/issue_templates/Release Prep - Stable.md Changes: ===================================== .gitlab/issue_templates/Release Prep - Alpha.md ===================================== @@ -200,6 +200,8 @@ Tor Browser Alpha (and Nightly) are on the `main` branch - [ ] Tails dev mailing list: tails-dev(a)boum.org - [ ] Guardian Project: nathan(a)guardianproject.info - [ ] torbrowser-launcher: micah(a)micahflee.com + - [ ] FreeBSD port: freebsd(a)sysctl.cz  + - [ ] OpenBSD port: caspar(a)schutijser.com  - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)` - [ ] Note any changes which may affect packaging/downstream integration - [ ] Email upstream stakeholders: ===================================== .gitlab/issue_templates/Release Prep - Stable.md ===================================== @@ -198,6 +198,8 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - [ ] Tails dev mailing list: tails-dev(a)boum.org - [ ] Guardian Project: nathan(a)guardianproject.info - [ ] torbrowser-launcher: micah(a)micahflee.com + - [ ] FreeBSD port: freebsd(a)sysctl.cz  + - [ ] OpenBSD port: caspar(a)schutijser.com  - [ ] Provide links to unsigned builds on `$(BUILD_SERVER)` - [ ] Note any changes which may affect packaging/downstream integration - [ ] Email upstream stakeholders: View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/a… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/a… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-102.7.0esr-12.5-1] fixup! Bug 18905: Hide unwanted items from help menu
by Pier Angelo Vendrame (＠pierov) 02 Feb '23

02 Feb '23

Pier Angelo Vendrame pushed to branch base-browser-102.7.0esr-12.5-1 at The Tor Project / Applications / Tor Browser Commits: 5bece552 by Pier Angelo Vendrame at 2023-02-02T15:27:17+01:00 fixup! Bug 18905: Hide unwanted items from help menu - - - - - 1 changed file: - browser/base/content/browser-safebrowsing.js Changes: ===================================== browser/base/content/browser-safebrowsing.js ===================================== @@ -7,9 +7,12 @@ var gSafeBrowsing = { setReportPhishingMenu() { - // tor-browser#18905: disable these menu entries - /* eslint-disable no-unreachable */ - return; + // tor-browser#18905: hide these menu entries + if ( + !Services.prefs.getBoolPref("browser.safebrowsing.phishing.enabled", true) + ) { + return; + } // In order to detect whether or not we're at the phishing warning // page, we have to check the documentURI instead of the currentURI. View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/5bece55… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/5bece55… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-102.7.0esr-12.5-1] Bug 18905: Hide unwanted items from help menu
by Pier Angelo Vendrame (＠pierov) 02 Feb '23

02 Feb '23

Pier Angelo Vendrame pushed to branch base-browser-102.7.0esr-12.5-1 at The Tor Project / Applications / Tor Browser Commits: 83880497 by Arthur Edelstein at 2023-02-02T15:24:05+01:00 Bug 18905: Hide unwanted items from help menu Bug 25660: Remove the "New Private Window" option - - - - - 3 changed files: - browser/base/content/appmenu-viewcache.inc.xhtml - browser/base/content/browser-menubar.inc - browser/base/content/browser-safebrowsing.js Changes: ===================================== browser/base/content/appmenu-viewcache.inc.xhtml ===================================== @@ -55,7 +55,8 @@ class="subviewbutton" data-l10n-id="appmenuitem-new-private-window" key="key_privatebrowsing" - command="Tools:PrivateBrowsing"/> + command="Tools:PrivateBrowsing" + hidden="true"/> <toolbarseparator/> <toolbarbutton id="appMenu-new-identity" class="subviewbutton" @@ -179,7 +180,8 @@ <toolbarbutton id="appMenu-restoreSession" data-l10n-id="appmenu-restore-session" class="subviewbutton" - command="Browser:RestoreLastSession"/> + command="Browser:RestoreLastSession" + hidden="true"/> <toolbarseparator/> <toolbarbutton id="appMenuClearRecentHistory" data-l10n-id="appmenu-clear-history" ===================================== browser/base/content/browser-menubar.inc ===================================== @@ -458,6 +458,7 @@ have their strings defined by appmenu-data-l10n-id. --> <menuitem id="menu_openHelp" oncommand="openHelpLink('firefox-help')" + hidden="true" data-l10n-id="menu-get-help" appmenu-data-l10n-id="appmenu-get-help" #ifdef XP_MACOSX @@ -467,14 +468,17 @@ #endif <menuitem id="feedbackPage" oncommand="openFeedbackPage()" + hidden="true" data-l10n-id="menu-help-share-ideas" appmenu-data-l10n-id="appmenu-help-share-ideas"/> <menuitem id="helpSafeMode" oncommand="safeModeRestart();" + hidden="true" data-l10n-id="menu-help-enter-troubleshoot-mode2" appmenu-data-l10n-id="appmenu-help-enter-troubleshoot-mode2"/> <menuitem id="troubleShooting" oncommand="openTroubleshootingPage()" + hidden="true" data-l10n-id="menu-help-more-troubleshooting-info" appmenu-data-l10n-id="appmenu-help-more-troubleshooting-info"/> <menuitem id="help_reportSiteIssue" ===================================== browser/base/content/browser-safebrowsing.js ===================================== @@ -7,6 +7,10 @@ var gSafeBrowsing = { setReportPhishingMenu() { + // tor-browser#18905: disable these menu entries + /* eslint-disable no-unreachable */ + return; + // In order to detect whether or not we're at the phishing warning // page, we have to check the documentURI instead of the currentURI. // This is because when the DocShell loads an error page, the View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/8388049… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/8388049… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-102.7.0esr-12.5-1] 5 commits: dropme! Bug 10760: Integrate TorButton to TorBrowser core
by Pier Angelo Vendrame (＠pierov) 02 Feb '23

02 Feb '23

Pier Angelo Vendrame pushed to branch tor-browser-102.7.0esr-12.5-1 at The Tor Project / Applications / Tor Browser Commits: 153c0294 by Pier Angelo Vendrame at 2023-02-02T10:18:40+01:00 dropme! Bug 10760: Integrate TorButton to TorBrowser core Remove implementation of 18905 from Torbutton - - - - - 816d9867 by Arthur Edelstein at 2023-02-02T10:27:54+01:00 Bug 18905: Hide unwanted items from help menu Bug 25660: Remove the "New Private Window" option - - - - - 28ab7be0 by Pier Angelo Vendrame at 2023-02-02T10:28:18+01:00 fixup! Bug 10760: Integrate TorButton to TorBrowser core Bring back the new circuit entries. - - - - - aaa2f0dc by Pier Angelo Vendrame at 2023-02-02T10:28:19+01:00 fixup! Bug 11698: Incorporate Tor Browser Manual pages into Tor Browser Move the manual menu entry to the manual commit - - - - - 39eb835a by Pier Angelo Vendrame at 2023-02-02T11:44:32+01:00 fixup! Bug 18905: Hide unwanted items from help menu - - - - - 2 changed files: - browser/base/content/browser-menubar.inc - browser/base/content/browser-safebrowsing.js Changes: ===================================== browser/base/content/browser-menubar.inc ===================================== @@ -461,17 +461,11 @@ <menupopup id="menu_HelpPopup" onpopupshowing="buildHelpMenu();">  -  - <box id="feedbackPage"/> - <box id="helpSafeMode"/> - <box id="menu_HelpPopup_reportPhishingtoolmenu"/> - <box id="menu_HelpPopup_reportPhishingErrortoolmenu"/>  <menuitem id="torBrowserUserManual" oncommand="gBrowser.selectedTab = gBrowser.addTab('about:manual', {triggeringPrincipal: Services.scriptSecurityManager.getSystemPrincipal()});" label="&aboutTor.torbrowser_user_manual.label;" accesskey="&aboutTor.torbrowser_user_manual.accesskey;"/> -  <menuitem id="menu_openHelp" oncommand="openHelpLink('firefox-help')" hidden="true" @@ -485,8 +479,8 @@ <menuitem id="feedbackPage" oncommand="openFeedbackPage()" hidden="true" - data-l10n-id="menu-help-feedback-page" - appmenu-data-l10n-id="appmenu-help-feedback-page"/> + data-l10n-id="menu-help-share-ideas" + appmenu-data-l10n-id="appmenu-help-share-ideas"/> <menuitem id="helpSafeMode" oncommand="safeModeRestart();" hidden="true" ===================================== browser/base/content/browser-safebrowsing.js ===================================== @@ -7,6 +7,13 @@ var gSafeBrowsing = { setReportPhishingMenu() { + // tor-browser#18905: hide these menu entries + if ( + !Services.prefs.getBoolPref("browser.safebrowsing.phishing.enabled", true) + ) { + return; + } + // In order to detect whether or not we're at the phishing warning // page, we have to check the documentURI instead of the currentURI. // This is because when the DocShell loads an error page, the View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/5ac078… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/5ac078… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-102.7.0esr-12.0-1] fixup! Bug 10760: Integrate TorButton to TorBrowser core
by Richard Pospesel (＠richard) 01 Feb '23

01 Feb '23

Richard Pospesel pushed to branch tor-browser-102.7.0esr-12.0-1 at The Tor Project / Applications / Tor Browser Commits: 0bf68ade by Pier Angelo Vendrame at 2023-02-01T15:02:12+00:00 fixup! Bug 10760: Integrate TorButton to TorBrowser core Bug 41572: Check for userContextId also in the circuit display (cherry picked from commit e4496e7ab626686e07f7d93093b81247e7e26118) - - - - - 1 changed file: - toolkit/torbutton/chrome/content/tor-circuit-display.js Changes: ===================================== toolkit/torbutton/chrome/content/tor-circuit-display.js ===================================== @@ -306,21 +306,32 @@ let createTorCircuitDisplay = (function() { // Obtains the circuit used by the given browser. let currentCircuitData = function(browser) { if (browser) { - let firstPartyDomain = getDomainForBrowser(browser); - let domain = firstPartyDomain || "--unknown--"; - let domainMap = browserToCredentialsMap.get(browser); - let credentials = domainMap && domainMap.get(domain); + const firstPartyDomain = getDomainForBrowser(browser); + const userContextId = + browser.contentPrincipal.originAttributes.userContextId; + const key = firstPartyDomain + ? `${firstPartyDomain}:${userContextId}` + : "--unknown--"; + const credentialMap = browserToCredentialsMap.get(browser); + const credentials = credentialMap && credentialMap.get(key); if (credentials) { - let [SOCKS_username, SOCKS_password] = credentials; - let nodeData = credentialsToNodeDataMap.get( + const [SOCKS_username, SOCKS_password] = credentials; + const nodeData = credentialsToNodeDataMap.get( `${SOCKS_username}|${SOCKS_password}` ); - let domain = SOCKS_username; - if (browser.documentURI.host.endsWith(".tor.onion")) { - const service = Cc[ - "@torproject.org/onion-alias-service;1" - ].getService(Ci.IOnionAliasService); - domain = service.getOnionAlias(browser.documentURI.host); + let domain = firstPartyDomain; + try { + if (browser.documentURI.host.endsWith(".tor.onion")) { + const service = Cc[ + "@torproject.org/onion-alias-service;1" + ].getService(Ci.IOnionAliasService); + domain = service.getOnionAlias(browser.documentURI.host); + } + } catch (e) { + logger.eclog( + 3, + `[circuit display] Cannot verify if we are visiting an onion alias: ${e.message}\n${e.stack}` + ); } return { domain, nodeData }; } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0bf68ad… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/0bf68ad… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-102.7.0esr-12.0-1] fixup! Bug 10760: Integrate TorButton to TorBrowser core
by Richard Pospesel (＠richard) 01 Feb '23

01 Feb '23

Richard Pospesel pushed to branch tor-browser-102.7.0esr-12.0-1 at The Tor Project / Applications / Tor Browser Commits: 6ec1fbad by trinity-1686a at 2023-02-01T15:00:25+00:00 fixup! Bug 10760: Integrate TorButton to TorBrowser core Bug 41066: isolate tor connections based on userContextId (cherry picked from commit 4a257dd55db4184672220c25a4f07b8999b8dd83) - - - - - 1 changed file: - toolkit/torbutton/components/domain-isolator.js Changes: ===================================== toolkit/torbutton/components/domain-isolator.js ===================================== @@ -58,7 +58,11 @@ let tor = {}; // __tor.noncesForDomains__. // A mutable map that records what nonce we are using for each domain. -tor.noncesForDomains = {}; +tor.noncesForDomains = new Map(); + +// __tor.noncesForUserContextId__. +// A mutable map that records what nonce we are using for each tab container. +tor.noncesForUserContextId = new Map(); // __tor.isolationEabled__. // A bool that controls if we use SOCKS auth for isolation or not. @@ -68,23 +72,37 @@ tor.isolationEnabled = true; // Specifies when the current catch-all circuit was first used tor.unknownDirtySince = Date.now(); -// __tor.socksProxyCredentials(originalProxy, domain)__. -// Takes a proxyInfo object (originalProxy) and returns a new proxyInfo -// object with the same properties, except the username is set to the -// the domain, and the password is a nonce. -tor.socksProxyCredentials = function(originalProxy, domain) { +tor.passwordForDomainAndUserContextId = function(domain, userContextId) { // Check if we already have a nonce. If not, create - // one for this domain. - if (!tor.noncesForDomains.hasOwnProperty(domain)) { - tor.noncesForDomains[domain] = tor.nonce(); + // one for this domain and userContextId. + if (!tor.noncesForDomains.has(domain)) { + tor.noncesForDomains.set(domain, tor.nonce()); + } + if (!tor.noncesForUserContextId.has(userContextId)) { + tor.noncesForUserContextId.set(userContextId, tor.nonce()); } + return ( + tor.noncesForDomains.get(domain) + + tor.noncesForUserContextId.get(userContextId) + ); +}; + +// __tor.socksProxyCredentials(originalProxy, domain, userContextId)__. +// Takes a proxyInfo object (originalProxy) and returns a new proxyInfo +// object with the same properties, except the username is set to the +// the domain and userContextId, and the password is a nonce. +tor.socksProxyCredentials = function(originalProxy, domain, userContextId) { let proxy = originalProxy.QueryInterface(Ci.nsIProxyInfo); + let proxyPassword = tor.passwordForDomainAndUserContextId( + domain, + userContextId + ); return mozilla.protocolProxyService.newProxyInfoWithAuth( "socks", proxy.host, proxy.port, - domain, // username - tor.noncesForDomains[domain], // password + `${domain}:${userContextId}`, // username + proxyPassword, "", // aProxyAuthorizationHeader "", // aConnectionIsolationKey proxy.flags, @@ -116,10 +134,21 @@ tor.newCircuitForDomain = function(domain) { if (domain === "") { domain = "--unknown--"; } - tor.noncesForDomains[domain] = tor.nonce(); + tor.noncesForDomains.set(domain, tor.nonce()); + logger.eclog( + 3, + `New domain isolation for ${domain}: ${tor.noncesForDomains.get(domain)}` + ); +}; + +tor.newCircuitForUserContextId = function(userContextId) { + // Re-generate the nonce for the context. + tor.noncesForUserContextId.set(userContextId, tor.nonce()); logger.eclog( 3, - "New domain isolation for " + domain + ": " + tor.noncesForDomains[domain] + `New container isolation for ${userContextId}: ${tor.noncesForUserContextId.get( + userContextId + )}` ); }; @@ -127,8 +156,9 @@ tor.newCircuitForDomain = function(domain) { // Clear the isolation state cache, forcing new circuits to be used for all // subsequent requests. tor.clearIsolation = function() { - // Per-domain nonces are stored in a map, so simply re-initialize the map. - tor.noncesForDomains = {}; + // Per-domain and per contextId nonces are stored in maps, so simply clear them. + tor.noncesForDomains.clear(); + tor.noncesForUserContextId.clear(); // Force a rotation on the next catch-all circuit use by setting the creation // time to the epoch. @@ -137,9 +167,9 @@ tor.clearIsolation = function() { // __tor.isolateCircuitsByDomain()__. // For every HTTPChannel, replaces the default SOCKS proxy with one that authenticates -// to the SOCKS server (the tor client process) with a username (the first party domain) -// and a nonce password. Tor provides a separate circuit for each username+password -// combination. +// to the SOCKS server (the tor client process) with a username (the first party domain +// and userContextId) and a nonce password. Tor provides a separate circuit for each +// username+password combination. tor.isolateCircuitsByDomain = function() { mozilla.registerProxyChannelFilter(function(aChannel, aProxy) { if (!tor.isolationEnabled) { @@ -147,7 +177,8 @@ tor.isolateCircuitsByDomain = function() { } try { let channel = aChannel.QueryInterface(Ci.nsIChannel), - firstPartyDomain = channel.loadInfo.originAttributes.firstPartyDomain; + firstPartyDomain = channel.loadInfo.originAttributes.firstPartyDomain, + userContextId = channel.loadInfo.originAttributes.userContextId; if (firstPartyDomain === "") { firstPartyDomain = "--unknown--"; if (Date.now() - tor.unknownDirtySince > 1000 * 10 * 60) { @@ -161,7 +192,8 @@ tor.isolateCircuitsByDomain = function() { } let replacementProxy = tor.socksProxyCredentials( aProxy, - firstPartyDomain + firstPartyDomain, + userContextId ); logger.eclog( 3, @@ -206,6 +238,9 @@ DomainIsolator.prototype = { newCircuitForDomain(domain) { tor.newCircuitForDomain(domain); }, + newCircuitForUserContextId(userContextId) { + tor.newCircuitForUserContextId(userContextId); + }, enableIsolation() { tor.isolationEnabled = true; View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/6ec1fba… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/6ec1fba… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][base-browser-102.7.0esr-12.0-1] Bug 40283: Workaround for the file upload bug
by Richard Pospesel (＠richard) 01 Feb '23

01 Feb '23

Richard Pospesel pushed to branch base-browser-102.7.0esr-12.0-1 at The Tor Project / Applications / Tor Browser Commits: f8403767 by p13dz at 2023-02-01T14:22:02+00:00 Bug 40283: Workaround for the file upload bug (cherry picked from commit c23f2f397327ee46a1a4de57acf206fd83e8e170) - - - - - 1 changed file: - mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java Changes: ===================================== mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java ===================================== @@ -4726,12 +4726,19 @@ public class GeckoSession { return super.confirm(); } + private static String normalizePath(String input) { + // For an unclear reason, Android media picker delivers file paths + // starting with double slash. Firefox performs path validation on + // all paths, and double slash is deemed invalid. + return input.startsWith("//") ? input.substring(1) : input; + } + private static String getFile(final @NonNull Context context, final @NonNull Uri uri) { if (uri == null) { return null; } if ("file".equals(uri.getScheme())) { - return uri.getPath(); + return normalizePath(uri.getPath()); } final ContentResolver cr = context.getContentResolver(); final Cursor cur = @@ -4753,7 +4760,7 @@ public class GeckoSession { try { final String path = cur.getString(idx); if (path != null && !path.isEmpty()) { - return path; + return normalizePath(path); } } catch (final Exception e) { } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/f840376… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/f840376… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-102.7.0esr-12.0-1] Bug 40283: Workaround for the file upload bug
by Richard Pospesel (＠richard) 01 Feb '23

01 Feb '23

Richard Pospesel pushed to branch tor-browser-102.7.0esr-12.0-1 at The Tor Project / Applications / Tor Browser Commits: 97cd9671 by p13dz at 2023-02-01T14:21:34+00:00 Bug 40283: Workaround for the file upload bug (cherry picked from commit c23f2f397327ee46a1a4de57acf206fd83e8e170) - - - - - 1 changed file: - mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java Changes: ===================================== mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java ===================================== @@ -4726,12 +4726,19 @@ public class GeckoSession { return super.confirm(); } + private static String normalizePath(String input) { + // For an unclear reason, Android media picker delivers file paths + // starting with double slash. Firefox performs path validation on + // all paths, and double slash is deemed invalid. + return input.startsWith("//") ? input.substring(1) : input; + } + private static String getFile(final @NonNull Context context, final @NonNull Uri uri) { if (uri == null) { return null; } if ("file".equals(uri.getScheme())) { - return uri.getPath(); + return normalizePath(uri.getPath()); } final ContentResolver cr = context.getContentResolver(); final Cursor cur = @@ -4753,7 +4760,7 @@ public class GeckoSession { try { final String path = cur.getString(idx); if (path != null && !path.isEmpty()) { - return path; + return normalizePath(path); } } catch (final Exception e) { } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/97cd967… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/97cd967… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-bundle-testsuite][main] Bug 40072: Fix torbrowser-incrementals-nightly-*
by boklm (＠boklm) 01 Feb '23

01 Feb '23

boklm pushed to branch main at The Tor Project / Applications / tor-browser-bundle-testsuite Commits: 695bb8ef by Nicolas Vigier at 2023-02-01T11:18:27+01:00 Bug 40072: Fix torbrowser-incrementals-nightly-* With tor-browser-build#40737 the nightly/ directory is now prefixed with the $projectname, and with tor-browser-build#40742 the makefile rule to generate the incrementals is now $projectname-incrementals-nightly. - - - - - 1 changed file: - TBBTestSuite/TestSuite/TorBrowserBuild.pm Changes: ===================================== TBBTestSuite/TestSuite/TorBrowserBuild.pm ===================================== @@ -46,6 +46,7 @@ sub set_tests { descr => 'create incrementals for tor-browser nightly linux-x86_64', type => 'make_incrementals', publish_dir => 'nightly-linux-x86_64', + projectname => 'torbrowser', }, { name => 'torbrowser-nightly-linux-i686', @@ -65,6 +66,7 @@ sub set_tests { descr => 'create incrementals for tor-browser nightly linux-i686', type => 'make_incrementals', publish_dir => 'nightly-linux-i686', + projectname => 'torbrowser', }, { name => 'torbrowser-nightly-windows-i686', @@ -84,6 +86,7 @@ sub set_tests { descr => 'create incrementals for tor-browser nightly windows-i686', type => 'make_incrementals', publish_dir => 'nightly-windows-i686', + projectname => 'torbrowser', }, { name => 'torbrowser-nightly-windows-x86_64', @@ -103,6 +106,7 @@ sub set_tests { descr => 'create incrementals for tor-browser nightly windows-x86_64', type => 'make_incrementals', publish_dir => 'nightly-windows-x86_64', + projectname => 'torbrowser', }, { name => 'torbrowser-nightly-macos', @@ -122,6 +126,7 @@ sub set_tests { descr => 'create incrementals for tor-browser nightly macos (universal)', type => 'make_incrementals', publish_dir => 'nightly-macos', + projectname => 'torbrowser', }, { name => 'torbrowser-nightly-android-armv7', @@ -247,17 +252,21 @@ sub set_tests { sub make_incrementals { my ($testsuite, $test) = @_; $test->{results}{success} = 0; - mkdir 'nightly' unless -d 'nightly'; + my $projectname = $test->{projectname}; + my $nightlydir = "$projectname/nightly"; + for my $dir ($projectname, $nightlydir) { + mkdir $dir unless -d $dir; + } # Clean the nightly directory - foreach my $subdir (path('nightly')->children) { + foreach my $subdir (path($nightlydir)->children) { unlink $subdir if -l $subdir; } foreach my $builddir (path($testsuite->{publish_dir} . '/..')->children) { if (-f "$builddir/$test->{publish_dir}/sha256sums-unsigned-build.txt") { - symlink("$builddir/$test->{publish_dir}", 'nightly/' . $builddir->basename); + symlink("$builddir/$test->{publish_dir}", "$nightlydir/$builddir->basename"); } } - my @cmd = ('make', 'incrementals-nightly'); + my @cmd = ('make', $test->{projectname} . '-incrementals-nightly'); run_to_file("$testsuite->{'results-dir'}/$test->{name}.build.txt", @cmd) or return; $test->{results}{success} = 1; View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-bundle-testsuite… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-bundle-testsuite… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][maint-12.0] 6 commits: Bug 28124: Switch to Mozilla's libdmg-hfsplus
by Pier Angelo Vendrame (＠pierov) 01 Feb '23

01 Feb '23

Pier Angelo Vendrame pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build Commits: 9b54da11 by Pier Angelo Vendrame at 2023-02-01T10:53:27+01:00 Bug 28124: Switch to Mozilla's libdmg-hfsplus To show the DMG icon it seems we need to create the DMG from a HFS filesystem, rather than an ISO one. So, to then do so, with this commit I am switching to Mozilla's fork of libdmg-hfsplus, I am updating its build script and using it to build also the hfsplus tool. Also, add the hfsplus project, which is needed to create the HFS filesystem in the first place. - - - - - 3eb81812 by Pier Angelo Vendrame at 2023-02-01T10:53:34+01:00 Bug 28124: Switch from ISO to HFS and show the disk icon Use the new tools from the previous commit to build the DMG from a HFS filesystem, and configure it to show the custom volume icon. - - - - - 6f5d0bed by Pier Angelo Vendrame at 2023-02-01T10:53:34+01:00 Bug 28124: Update the macOS volume icon - - - - - 70ffd274 by Pier Angelo Vendrame at 2023-02-01T10:53:47+01:00 Bug 40744: Ensure reproducibility with HFS DMG - - - - - 1dc2335c by Nicolas Vigier at 2023-02-01T10:55:27+01:00 Bug 40755: Use openssl-1.0.2 for building libdmg-hfsplus outside containers libdmg-hfsplus fails to build with openssl1.1: https://github.com/planetbeing/libdmg-hfsplus/issues/14 - - - - - 1ec878d6 by Nicolas Vigier at 2023-02-01T10:55:34+01:00 Bug 40755: Allow building hfsplus-tools without container If clang is insalled, building hfsplus-tools should work without container. - - - - - 14 changed files: - projects/browser/Bundle-Data/mac-applications.dmg/.VolumeIcon.icns - − projects/browser/Bundle-Data/mac-applications.dmg/Applications - projects/browser/build - projects/browser/config - projects/browser/ddmg.sh - + projects/hfsplus-tools/build - + projects/hfsplus-tools/config - + projects/hfsplus-tools/newfs_hfs.diff - projects/libdmg-hfsplus/build - projects/libdmg-hfsplus/config - + projects/openssl-1.0.2/build - + projects/openssl-1.0.2/config - tools/signing/ddmg.sh - tools/signing/gatekeeper-bundling.sh Changes: ===================================== projects/browser/Bundle-Data/mac-applications.dmg/.VolumeIcon.icns ===================================== Binary files a/projects/browser/Bundle-Data/mac-applications.dmg/.VolumeIcon.icns and b/projects/browser/Bundle-Data/mac-applications.dmg/.VolumeIcon.icns differ ===================================== projects/browser/Bundle-Data/mac-applications.dmg/Applications deleted ===================================== @@ -1 +0,0 @@ -/Applications \ No newline at end of file ===================================== projects/browser/build ===================================== @@ -33,8 +33,9 @@ touch "$GENERATEDPREFSPATH" TORBINPATH=Contents/MacOS/Tor TORCONFIGPATH=Contents/Resources/TorBrowser/Tor + tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/hfsplus-tools') %] tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/libdmg') %] - export PATH=/var/tmp/dist/libdmg-hfsplus:$PATH + export PATH=/var/tmp/dist/hfsplus-tools:/var/tmp/dist/libdmg-hfsplus:$PATH [% ELSE %] TBDIR=$TB_STAGE_DIR/Browser TBDIRS=("$TBDIR") ===================================== projects/browser/config ===================================== @@ -33,7 +33,6 @@ targets: macos: var: arch_deps: - - genisoimage - faketime - python3-dev - python3-pip @@ -106,6 +105,9 @@ input_files: sha256sum: 14af6a3cbc269c045f2d950e1e4f7c29981b35a7abc61d2413f5bb8bd7311857 - filename: 'gtk3-settings.ini' enable: '[% c("var/linux") %]' + - project: hfsplus-tools + name: hfsplus-tools + enable: '[% c("var/macos") %]' - project: libdmg-hfsplus name: libdmg enable: '[% c("var/macos") %]' ===================================== projects/browser/ddmg.sh ===================================== @@ -1,3 +1,6 @@ +#!/bin/bash +set -e + [% SET src = c('dmg_src', { error_if_undef => 1 }) -%] find [% src %] -executable -exec chmod 0755 {} \; find [% src %] ! -executable -exec chmod 0644 {} \; @@ -5,17 +8,33 @@ find [% src %] ! -executable -exec chmod 0644 {} \; find [% src %] -exec [% c("touch") %] {} \; dmg_tmpdir=\$(mktemp -d) -[% SET filelist = '"\$dmg_tmpdir/filelist.txt"' %] -pushd [% src %] -find . -type f | sed -e 's/^\.\///' | sort | xargs -i echo "{}={}" > [% filelist %] -find . -type l | sed -e 's/^\.\///' | sort | xargs -i echo "{}={}" >> [% filelist %] +hfsfile="\$dmg_tmpdir/tbb-uncompressed.dmg" +# hfsplus sets all the times to time(NULL) export LD_PRELOAD=[% c("var/faketime_path") %] export FAKETIME="[% USE date; GET date.format(c('timestamp'), format = '%Y-%m-%d %H:%M:%S') %]" -genisoimage -D -V "Tor Browser" -no-pad -R -apple -o "\$dmg_tmpdir/tbb-uncompressed.dmg" -path-list [% filelist %] -graft-points -gid 20 -dir-mode 0755 -new-dir-mode 0755 +# Use a similar strategy to Mozilla (they have 1.02, we have 1.1) +size=\$(du -ms [% src %] | awk '{ print int( \$1 * 1.1 ) }') +dd if=/dev/zero of="\$hfsfile" bs=1M count=\$size +newfs_hfs -v "[% c("var/Project_Name") %]" "\$hfsfile" + +pushd [% src %] + +find -type d -mindepth 1 | sed -e 's/^\.\///' | sort | while read dirname; do + hfsplus "\$hfsfile" mkdir "/\$dirname" + hfsplus "\$hfsfile" chmod 0755 "/\$dirname" +done +find -type f | sed -e 's/^\.\///' | sort | while read filename; do + hfsplus "\$hfsfile" add "\$filename" "/\$filename" + hfsplus "\$hfsfile" chmod \$(stat --format '0%a' "\$filename") "/\$filename" +done +# hfsplus does not play well with dangling links +hfsplus "\$hfsfile" symlink /Applications /Applications +# Show the volume icon +hfsplus "\$hfsfile" attr / C -dmg dmg "\$dmg_tmpdir/tbb-uncompressed.dmg" [% c('dmg_out', { error_if_undef => 1 }) %] +dmg dmg "\$hfsfile" [% c('dmg_out', { error_if_undef => 1 }) %] popd rm -Rf "\$dmg_tmpdir" ===================================== projects/hfsplus-tools/build ===================================== @@ -0,0 +1,24 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +distdir=/var/tmp/dist/[% project %] +mkdir /var/tmp/dist +[% IF ! c("container/global_disable") -%] + tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/clang') %] + export PATH="/var/tmp/dist/clang/bin:$PATH" +[% END -%] + +tar -xf diskdev_cmds-[% c("version") %].tar.gz +cd diskdev_cmds-[% c("version") %] + +patch -p1 < $rootdir/newfs_hfs.diff + +make -j[% c("num_procs") %] + +mkdir -p "$distdir" +cp newfs_hfs.tproj/newfs_hfs "$distdir/" + +cd /var/tmp/dist +[% c('tar', { + tar_src => [ project ], + tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), + }) %] ===================================== projects/hfsplus-tools/config ===================================== @@ -0,0 +1,23 @@ +# vim: filetype=yaml sw=2 +version: 540.1.linux3 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' +container: + use_container: 1 +var: + deps: + - build-essential + - libssl-dev + - uuid-dev +input_files: + # See hfsplus-tools in taskcluster/ci/fetch/toolchains.yml + - URL: https://src.fedoraproject.org/repo/pkgs/hfsplus-tools/diskdev_cmds-540.1.li… c("version") %].tar.gz + sha256: b01b203a97f9a3bf36a027c13ddfc59292730552e62722d690d33bd5c24f5497 + - project: container-image + # The project uses a flag that is not supported by GCC + - name: clang + project: clang + enable: '[% ! c("container/global_disable") %]' + # Build only newfs (we do not care of fsck), remove a header that does not + # exist on Linux (at that path) and is not required on Linux either, and make + # the UUID deterministic. + - filename: newfs_hfs.diff ===================================== projects/hfsplus-tools/newfs_hfs.diff ===================================== @@ -0,0 +1,38 @@ +diff '--color=auto' -Naur diskdev_cmds-540.1.linux3_orig/Makefile diskdev_cmds-540.1.linux3/Makefile +--- diskdev_cmds-540.1.linux3_orig/Makefile 2023-01-17 11:36:56.341279443 +0100 ++++ diskdev_cmds-540.1.linux3/Makefile 2023-01-17 11:44:12.496479981 +0100 +@@ -3,7 +3,7 @@ + CC := clang + CFLAGS := -g3 -Wall -fblocks -I$(PWD)/BlocksRunTime -I$(PWD)/include -DDEBUG_BUILD=0 -D_FILE_OFFSET_BITS=64 -D LINUX=1 -D BSD=1 -D VERSION=\"$(VERSION)\" + LDFLAGS := -Wl,--build-id -L$(PWD)/BlocksRunTime +-SUBDIRS := BlocksRunTime newfs_hfs.tproj fsck_hfs.tproj ++SUBDIRS := newfs_hfs.tproj + + all clean: + for d in $(SUBDIRS); do $(MAKE) -C $$d -f Makefile.lnx $@; done +diff '--color=auto' -Naur diskdev_cmds-540.1.linux3_orig/newfs_hfs.tproj/makehfs.c diskdev_cmds-540.1.linux3/newfs_hfs.tproj/makehfs.c +--- diskdev_cmds-540.1.linux3_orig/newfs_hfs.tproj/makehfs.c 2023-01-17 11:36:56.341279443 +0100 ++++ diskdev_cmds-540.1.linux3/newfs_hfs.tproj/makehfs.c 2023-01-17 11:58:15.972059719 +0100 +@@ -38,8 +38,8 @@ + #endif + #include <sys/errno.h> + #include <sys/stat.h> +-#include <sys/sysctl.h> + #if !LINUX ++#include <sys/sysctl.h> + #include <sys/vmmeter.h> + #endif + +@@ -571,8 +571,10 @@ + /* Adjust free blocks to reflect everything we have allocated. */ + hp->freeBlocks -= blocksUsed; + +- /* Generate and write UUID for the HFS+ disk */ +- GenerateVolumeUUID(&newVolumeUUID); ++ /* Use a deterministic UUID for reproducibility */ ++ memset(&newVolumeUUID, 0, sizeof(newVolumeUUID)); ++ strncpy(&newVolumeUUID, defaults->volumeName, sizeof(newVolumeUUID)); ++ + finderInfoUUIDPtr = (VolumeUUID *)(&hp->finderInfo[24]); + finderInfoUUIDPtr->v.high = OSSwapHostToBigInt32(newVolumeUUID.v.high); + finderInfoUUIDPtr->v.low = OSSwapHostToBigInt32(newVolumeUUID.v.low); ===================================== projects/libdmg-hfsplus/build ===================================== @@ -1,16 +1,26 @@ #!/bin/bash [% c("var/set_default_env") -%] -distdir=$(pwd)/dist -mkdir -p $distdir/[% project %] -tar xf [% project %]-[% c('version') %].tar.gz -cd [% project %]-[% c('version') %] -patch -p1 < ../libdmg.patch -cmake -DCMAKE_INSTALL_PREFIX:PATH=$distdir/[% project %] CMakeLists.txt -cd dmg -make -j[% c("num_procs") %] -make install -cd $distdir +distdir=/var/tmp/dist/[% project %] +mkdir -p /var/tmp/dist +tar -C /var/tmp/dist -xf [% c('input_files_by_name/cmake') %] +tar -C /var/tmp/dist -xf [% c('input_files_by_name/ninja') %] +[% IF c("container/global_disable") -%] + tar -C /var/tmp/dist -xf [% c('input_files_by_name/openssl-1.0.2') %] +[% END -%] +export PATH="/var/tmp/dist/ninja:/var/tmp/dist/cmake/bin:$PATH" + +mkdir /var/tmp/build +tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz +cd /var/tmp/build/[% project %]-[% c('version') %] +patch -p1 < "$rootdir/libdmg.patch" +cmake . -GNinja -DCMAKE_BUILD_TYPE=Release [% c("var/cmake_opts") %] +ninja -j[% c("num_procs") %] -v + +mkdir $distdir +# We take only dmg and hfsplus like Mozilla does +cp dmg/dmg hfs/hfsplus $distdir/ +cd /var/tmp/dist [% c('tar', { tar_src => [ project ], tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), - }) %] + }) %] ===================================== projects/libdmg-hfsplus/config ===================================== @@ -1,16 +1,28 @@ # vim: filetype=yaml sw=2 version: '[% c("abbrev") %]' -git_url: https://github.com/vasi/libdmg-hfsplus -git_hash: dfd5e5cc3dc1191e37d3c3a6118975afdd1d7014 +git_url: https://github.com/mozilla/libdmg-hfsplus +git_hash: 2ee327795680101d36f9700bd0fb618362237718 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' container: use_container: 1 var: deps: - build-essential - - cmake - zlib1g-dev - libbz2-dev +targets: + no_containers: + var: + cmake_opts: | + -DOPENSSL_USE_STATIC_LIBS=1 \ + -DOPENSSL_ROOT_DIR=/var/tmp/dist/openssl input_files: - project: container-image + - name: cmake + project: cmake + - name: ninja + project: ninja - filename: libdmg.patch + - name: openssl-1.0.2 + project: openssl-1.0.2 + enable: '[% c("container/global_disable") %]' ===================================== projects/openssl-1.0.2/build ===================================== @@ -0,0 +1,15 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +distdir=/var/tmp/dist/openssl +mkdir -p /var/tmp/build +tar -C /var/tmp/build -xf openssl-[% c('version') %].tar.gz +cd /var/tmp/build/openssl-[% c('version') %] +export SOURCE_DATE_EPOCH='[% c("timestamp") %]' +./Configure --prefix="$distdir" -shared enable-ec_nistp_64_gcc_128 linux-x86_64 +make -j[% c("num_procs") %] +make -j[% c("num_procs") %] install +cd /var/tmp/dist +[% c('tar', { + tar_src => [ 'openssl' ], + tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), + }) %] ===================================== projects/openssl-1.0.2/config ===================================== @@ -0,0 +1,11 @@ +# vim: filetype=yaml sw=2 +# +# We need openssl-1.0.2 for building libdmg-hfsplus: +# https://github.com/planetbeing/libdmg-hfsplus/issues/14 +# +version: 1.0.2u +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' + +input_files: + - URL: 'https://www.openssl.org/source/openssl-[% c("version") %].tar.gz' + sha256sum: ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16 ===================================== tools/signing/ddmg.sh ===================================== @@ -21,20 +21,40 @@ find $src_dir ! -executable -exec chmod 0644 {} \; 2> /dev/null find $src_dir -exec touch -m -t 200001010101 {} \; 2> /dev/null set -e +VOLUME_LABEL="${VOLUME_LABEL:-Tor Browser}" + dmg_tmpdir=$(mktemp -d) -filelist="$dmg_tmpdir/filelist.txt" -cd $src_dir -find . -type f | sed -e 's/^\.\///' | sort | xargs -i echo "{}={}" > $filelist -find . -type l | sed -e 's/^\.\///' | sort | xargs -i echo "{}={}" >> $filelist +hfsfile="$dmg_tmpdir/tbb-uncompressed.dmg" export LD_PRELOAD=$faketime_path export FAKETIME="2000-01-01 01:01:01" echo "Starting: " $(basename $dest_file) -genisoimage -D -V "Tor Browser" -no-pad -R -apple -o "$dmg_tmpdir/tbb-uncompressed.dmg" -path-list $filelist -graft-points -gid 20 -dir-mode 0755 -new-dir-mode 0755 +# Use a similar strategy to Mozilla (they have 1.02, we have 1.1) +size=$(du -ms "$src_dir" | awk '{ print int( $1 * 1.1 ) }') +dd if=/dev/zero of="$hfsfile" bs=1M count=$size +newfs_hfs -v "$VOLUME_LABEL" "$hfsfile" + +cd $src_dir -dmg dmg "$dmg_tmpdir/tbb-uncompressed.dmg" "$dest_file" +# hfsplus does not play well with dangling links, so remove /Applications, and +# add it back again with the special command to do so. +rm -f Applications + +find -type d -mindepth 1 | sed -e 's/^\.\///' | sort | while read dirname; do + hfsplus "$hfsfile" mkdir "/$dirname" + hfsplus "$hfsfile" chmod 0755 "/$dirname" +done +find -type f | sed -e 's/^\.\///' | sort | while read filename; do + hfsplus "$hfsfile" add "$filename" "/$filename" + hfsplus "$hfsfile" chmod $(stat --format '0%a' "$filename") "/$filename" +done +hfsplus "$hfsfile" symlink /Applications /Applications +# Show the volume icon +hfsplus "$hfsfile" attr / C + +dmg dmg "$hfsfile" "$dest_file" echo "Finished: " $(basename $dest_file) ===================================== tools/signing/gatekeeper-bundling.sh ===================================== @@ -35,18 +35,22 @@ set -e script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) source "$script_dir/functions" -which genisoimage > /dev/null || \ - exit_error 'genisoimage is missing. You should install the genisoimage package.' test -f $faketime_path || \ exit_error "$faketime_path is missing" test -d $macos_stapled_dir || \ exit_error "The stapled macos zip files should be placed in directory $macos_stapled_dir" -libdmg_file="$script_dir/../../out/libdmg-hfsplus/libdmg-hfsplus-dfd5e5cc3dc1-c9296e.tar.gz" +libdmg_file="$script_dir/../../out/libdmg-hfsplus/libdmg-hfsplus-2ee327795680-555a7e.tar.gz" test -f "$libdmg_file" || \ exit_error "$libdmg_file is missing." \ "You can build it with:" \ " ./rbm/rbm build --target no_containers libdmg-hfsplus" \ "See var/deps in projects/libdmg-hfsplus/config for the list of build dependencies" +hfstools_file="$script_dir/../../out/hfsplus-tools/hfsplus-tools-540.1.linux3-66de66.tar.gz" +test -f "$hfstools_file" || \ + exit_error "$hfstools_file is missing." \ + "You can build it with:" \ + " ./rbm/rbm build --target no_containers hfsplus-tools" \ + "You will need the clang and uuid-dev packages installed" test -d "$macos_signed_dir" || mkdir "$macos_signed_dir" tmpdir="$macos_stapled_dir/tmp" @@ -55,7 +59,8 @@ mkdir "$tmpdir" cp -rT "$script_dir/../../projects/browser/Bundle-Data/mac-applications.dmg" "$tmpdir/dmg" tar -C "$tmpdir" -xf "$libdmg_file" -export PATH="$PATH:$tmpdir/libdmg-hfsplus" +tar -C "$tmpdir" -xf "$hfstools_file" +export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools" for lang in $bundle_locales do View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/… You're receiving this email because of your account on gitlab.torproject.org.

1 0