tor-commits
May 2023
- 2 participants
- 98 discussions
This is an automated email from the git hooks/post-receive script.
dgoulet pushed a change to branch main
in repository tor.
from 9ee71eaf5a CID 1524707: Quiet coverity noise
new 95445f49f1 ext: Add Equi-X library
new 5ef811b7d0 trunnel: INTRODUCE1 PoW cell extension
new d79814f1b1 hs: PoW extension encoding
new c611e328de hs: Add data structure needed for PoW
new 51ce0bb6ef hs: Add solve and verify PoW functions
new 26957b47ac hs: Descriptor support for PoW
new 8b41e09a77 hs: Client now solve PoW if present
new ca74530b40 hs: Setup service side PoW defenses
new f0b63ca242 hs: Move rendezvous circuit data structure
new 4eb783e97b hs: Priority queue for rendezvous requests
new 35227a7a15 trunnel: Centralize the INTRO1 extension type
new c2f6b057b8 hs: Don't expire RP circuits to HS with PoW
new bc9fe5a6f8 hs: Handle multiple rend request per mainloop run
new 047f8c63ee hs: Maximum rend request and trimming of the queue
new 4571faf0c3 pass time around as a parameter
new 85cba057e7 make a log message clearer about our actual intent
new 8042379c44 new design for handling too many pending rend reqs
new 4e55f28220 bump up some log messages for easier debugging
new d0c2d4cb43 add a log line for when client succeeds
new 5e768d5cb9 we were sorting our pqueue the wrong way
new b95bd5017f track how many in-flight hs-side rend circs
new dec3a0af7a make the rend_pqueue_cb event be postloop
new 13f6258245 rate-limit low-effort rendezvous responses
new a575e35c17 sort pqueue ties by time-added
new e436ce2a3c drop the default min effort to 20
new ec7495d35a log_err is reserved for fatal failures
new e605620744 clients defend themselves from absurd pow requests
new 121766e6b8 Make the thing compile.
new 5b3a067fe3 Replace the constant bottom-half rate with handled count.
new ec9e95cf1e Implement AIMD effort estimation.
new d36144ba31 Initialize startup effort at 0.
new 0716cd7cb2 allow suggested effort to be 0
new a5b0c7b404 start the cpuworkers always, even for clients
new aa41d4b939 refactor send_introduce1()
new eba9190933 compute the client-side pow in a cpuworker thread
new 09afc5eacf update_suggested_effort: avoid assert if the pqueue has emptied
new 48c67263d9 hs_metrics: Proof of Work pqueue depth, suggested effort
new a0b9f3546e hs_pow: check for expired params in can_client_refetch_desc
new 98299e0f8b manpage: document HiddenServicePoWDefensesEnabled option
new 20d7c8ce14 fix typo in HiddenServiceExportCircuitID
new f3b98116b6 hs_pow: Rate limited dequeue
new 0e271dda77 hs_pow: reduce min_effort default to 1
new 557eb81486 hs_pow_solve: use equix_solve more efficiently
new 9d1a573977 configure: Add --enable-gpl option
new dcb9c4df67 hs_pow: Make proof-of-work support optional in configure
new 92f83347f7 test_crypto: add blake2b test vectors
new ffa8531fe0 test_crypto: add equix and hashx tests
new bfa2102c95 hs_pow: Replace libb2 dependency with hashx's internal blake2
new 246ced3a8c ext: build equix and hashx using automake
new daa08557ad equix: Build cleanly with -Wall -Werror
new ae86d98815 equix: Portability fixes for big endian platforms
new 0c11411f35 hashx: trim trailing whitespace
new c6b168e141 test_hs_pow: add test vectors for our hs_pow client puzzle
new 3129910b11 hs_pow: use the compiled HashX implementation
new 037dea2252 hs_pow: fix assert in services that receive unsolicited proof of work
new 1a3afeb387 hs_pow: unswap byte order of seed_head field
new 209a59face hs_pow: Don't require uint128_t
new 00d9e0d252 hs_pow: Define seed_head as uint8_t[4] instead of uint32_t
new 700814a3a1 hs_pow: Fix nonce cache entry leak
new 287c78c5a8 sandbox: allow stack mmap with prot_none
new 2de98a7f4e hs_pow: Represent equix_solution as a byte array
new 18a2191a13 gitlab-ci: Try enabling GPL mode so we test hs_pow
new d15bbf32da changes: Ticket 40634 (hs_pow)
new 6a0809c4e3 hs_pow: stop having a "minimum effort", and let PoW effort start low
new ac29c7209d hs_pow: bump client-side effort limit from 500 to 10000
new ac466a2219 hs_pow: leak fix, free the contents of pqueue entries in hs_pow_free_service_state
new 903c6cf1ab hs_pow: client side effort adjustment
new ff678d0fb5 hs_pow: update_suggested_effort fix and cleanup
new ee63863dca hs_pow: Lower several logs from notice to info
new a6138486f7 hs_pow: review feedback, use MAX for max_trimmed_effort
new 50313d114f hs_pow: faster hs_circuitmap lookup for rend in pow_worker_job_t
new 6023153631 hs_pow: modified approach to pqueue level thresholds
new a13d7bd5e9 hs_pow: always give other events a chance to run between rend requests
new cba1ffb43a hs_pow: swap out some comments
new 971de27c07 hs_pow: fix error path with outdated assumption
new 138fd57072 hs_pow: add per-circuit effort information to control port
new e643a70879 hs_pow: Modify challenge format, include blinded HS id
The 77 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.gitlab-ci.yml | 10 +
Makefile.am | 7 +-
changes/ticket40634 | 3 +
configure.ac | 62 ++-
doc/man/tor.1.txt | 44 +-
scripts/ci/ci-driver.sh | 5 +
src/app/config/config.c | 27 +-
src/app/main/main.c | 8 +-
src/core/crypto/onion_crypto.c | 3 +
src/core/include.am | 1 +
src/core/mainloop/cpuworker.c | 5 +-
src/core/mainloop/cpuworker.h | 4 +-
src/core/or/circuituse.c | 25 +-
src/core/or/connection_edge.c | 18 +-
src/core/or/entry_connection_st.h | 4 +
src/core/or/origin_circuit_st.h | 14 +
src/ext/.may_include | 4 +-
src/ext/compat_blake2.h | 47 ++
src/ext/equix/CMakeLists.txt | 82 ++++
src/ext/equix/LICENSE | 165 +++++++
src/ext/equix/README.md | 77 +++
src/ext/equix/devlog.md | 178 +++++++
src/ext/equix/hashx/CMakeLists.txt | 99 ++++
src/ext/equix/hashx/LICENSE | 165 +++++++
src/ext/equix/hashx/README.md | 135 ++++++
src/ext/equix/hashx/include/hashx.h | 140 ++++++
src/ext/equix/hashx/src/bench.c | 135 ++++++
src/ext/equix/hashx/src/blake2.c | 462 ++++++++++++++++++
src/ext/equix/hashx/src/blake2.h | 73 +++
src/ext/equix/hashx/src/compiler.c | 18 +
src/ext/equix/hashx/src/compiler.h | 41 ++
src/ext/equix/hashx/src/compiler_a64.c | 154 ++++++
src/ext/equix/hashx/src/compiler_x86.c | 151 ++++++
src/ext/equix/hashx/src/context.c | 81 ++++
src/ext/equix/hashx/src/context.h | 45 ++
src/ext/equix/hashx/src/force_inline.h | 9 +
src/ext/equix/hashx/src/hashx.c | 146 ++++++
src/ext/equix/hashx/src/hashx_endian.h | 103 ++++
src/ext/equix/hashx/src/hashx_thread.c | 27 ++
src/ext/equix/hashx/src/hashx_thread.h | 27 ++
src/ext/equix/hashx/src/hashx_time.c | 35 ++
src/ext/equix/hashx/src/hashx_time.h | 9 +
src/ext/equix/hashx/src/instruction.h | 31 ++
src/ext/equix/hashx/src/program.c | 773 +++++++++++++++++++++++++++++++
src/ext/equix/hashx/src/program.h | 48 ++
src/ext/equix/hashx/src/program_exec.c | 158 +++++++
src/ext/equix/hashx/src/siphash.c | 66 +++
src/ext/equix/hashx/src/siphash.h | 35 ++
src/ext/equix/hashx/src/siphash_rng.c | 31 ++
src/ext/equix/hashx/src/siphash_rng.h | 30 ++
src/ext/equix/hashx/src/test_utils.h | 60 +++
src/ext/equix/hashx/src/tests.c | 221 +++++++++
src/ext/equix/hashx/src/unreachable.h | 9 +
src/ext/equix/hashx/src/virtual_memory.c | 127 +++++
src/ext/equix/hashx/src/virtual_memory.h | 19 +
src/ext/equix/include/equix.h | 145 ++++++
src/ext/equix/src/bench.c | 175 +++++++
src/ext/equix/src/context.c | 57 +++
src/ext/equix/src/context.h | 18 +
src/ext/equix/src/equix.c | 96 ++++
src/ext/equix/src/solver.c | 275 +++++++++++
src/ext/equix/src/solver.h | 44 ++
src/ext/equix/src/solver_heap.h | 108 +++++
src/ext/equix/src/tests.c | 124 +++++
src/ext/include.am | 59 ++-
src/feature/control/control_fmt.c | 7 +
src/feature/dirparse/parsecommon.h | 1 +
src/feature/hs/hs_cache.c | 2 +
src/feature/hs/hs_cell.c | 201 +++++++-
src/feature/hs/hs_cell.h | 35 +-
src/feature/hs/hs_circuit.c | 386 ++++++++++++++-
src/feature/hs/hs_circuit.h | 31 +-
src/feature/hs/hs_client.c | 219 ++++++---
src/feature/hs/hs_client.h | 12 +
src/feature/hs/hs_config.c | 29 +-
src/feature/hs/hs_config.h | 3 +
src/feature/hs/hs_descriptor.c | 115 +++++
src/feature/hs/hs_descriptor.h | 4 +
src/feature/hs/hs_metrics.c | 11 +-
src/feature/hs/hs_metrics.h | 47 +-
src/feature/hs/hs_metrics_entry.c | 12 +
src/feature/hs/hs_metrics_entry.h | 10 +-
src/feature/hs/hs_options.inc | 3 +
src/feature/hs/hs_pow.c | 525 +++++++++++++++++++++
src/feature/hs/hs_pow.h | 226 +++++++++
src/feature/hs/hs_service.c | 284 ++++++++++++
src/feature/hs/hs_service.h | 18 +
src/feature/hs/include.am | 9 +
src/feature/relay/relay_config.c | 6 -
src/lib/evloop/workqueue.c | 5 +-
src/lib/sandbox/sandbox.c | 9 +-
src/test/include.am | 2 +
src/test/test.c | 1 +
src/test/test.h | 2 +
src/test/test_crypto.c | 178 +++++++
src/test/test_crypto_slow.c | 134 ++++++
src/test/test_hs_client.c | 2 +
src/test/test_hs_metrics.c | 20 +-
src/test/test_hs_pow.c | 500 ++++++++++++++++++++
src/test/test_hs_pow_slow.c | 272 +++++++++++
src/test/test_hs_service.c | 20 +-
src/test/test_parseconf.sh | 6 +
src/test/test_slow.c | 1 +
src/trunnel/hs/cell_introduce1.c | 344 ++++++++++++++
src/trunnel/hs/cell_introduce1.h | 146 ++++++
src/trunnel/hs/cell_introduce1.trunnel | 37 ++
106 files changed, 9246 insertions(+), 186 deletions(-)
create mode 100644 changes/ticket40634
create mode 100644 src/ext/compat_blake2.h
create mode 100644 src/ext/equix/CMakeLists.txt
create mode 100644 src/ext/equix/LICENSE
create mode 100644 src/ext/equix/README.md
create mode 100644 src/ext/equix/devlog.md
create mode 100644 src/ext/equix/hashx/CMakeLists.txt
create mode 100644 src/ext/equix/hashx/LICENSE
create mode 100644 src/ext/equix/hashx/README.md
create mode 100644 src/ext/equix/hashx/include/hashx.h
create mode 100644 src/ext/equix/hashx/src/bench.c
create mode 100644 src/ext/equix/hashx/src/blake2.c
create mode 100644 src/ext/equix/hashx/src/blake2.h
create mode 100644 src/ext/equix/hashx/src/compiler.c
create mode 100644 src/ext/equix/hashx/src/compiler.h
create mode 100644 src/ext/equix/hashx/src/compiler_a64.c
create mode 100644 src/ext/equix/hashx/src/compiler_x86.c
create mode 100644 src/ext/equix/hashx/src/context.c
create mode 100644 src/ext/equix/hashx/src/context.h
create mode 100644 src/ext/equix/hashx/src/force_inline.h
create mode 100644 src/ext/equix/hashx/src/hashx.c
create mode 100644 src/ext/equix/hashx/src/hashx_endian.h
create mode 100644 src/ext/equix/hashx/src/hashx_thread.c
create mode 100644 src/ext/equix/hashx/src/hashx_thread.h
create mode 100644 src/ext/equix/hashx/src/hashx_time.c
create mode 100644 src/ext/equix/hashx/src/hashx_time.h
create mode 100644 src/ext/equix/hashx/src/instruction.h
create mode 100644 src/ext/equix/hashx/src/program.c
create mode 100644 src/ext/equix/hashx/src/program.h
create mode 100644 src/ext/equix/hashx/src/program_exec.c
create mode 100644 src/ext/equix/hashx/src/siphash.c
create mode 100644 src/ext/equix/hashx/src/siphash.h
create mode 100644 src/ext/equix/hashx/src/siphash_rng.c
create mode 100644 src/ext/equix/hashx/src/siphash_rng.h
create mode 100644 src/ext/equix/hashx/src/test_utils.h
create mode 100644 src/ext/equix/hashx/src/tests.c
create mode 100644 src/ext/equix/hashx/src/unreachable.h
create mode 100644 src/ext/equix/hashx/src/virtual_memory.c
create mode 100644 src/ext/equix/hashx/src/virtual_memory.h
create mode 100644 src/ext/equix/include/equix.h
create mode 100644 src/ext/equix/src/bench.c
create mode 100644 src/ext/equix/src/context.c
create mode 100644 src/ext/equix/src/context.h
create mode 100644 src/ext/equix/src/equix.c
create mode 100644 src/ext/equix/src/solver.c
create mode 100644 src/ext/equix/src/solver.h
create mode 100644 src/ext/equix/src/solver_heap.h
create mode 100644 src/ext/equix/src/tests.c
create mode 100644 src/feature/hs/hs_pow.c
create mode 100644 src/feature/hs/hs_pow.h
create mode 100644 src/test/test_hs_pow.c
create mode 100644 src/test/test_hs_pow_slow.c
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
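The commit subjects above name the moving parts of the service-side defence: a priority queue of pending rendezvous requests (4eb783e97b), sorted by effort with ties broken by time added (5e768d5cb9, a575e35c17), a maximum queue size with trimming and a max_trimmed_effort (047f8c63ee, a6138486f7), a bounded number of requests handled per mainloop run (bc9fe5a6f8, a13d7bd5e9), and AIMD estimation of the suggested effort starting from 0 (ec9e95cf1e, d36144ba31, 0716cd7cb2). The Python below is an added illustration of how those pieces fit together. It is not tor's code and does not touch Equi-X or cell formats: the queue cap, the per-run budget, the additive step and the halving rule are assumptions chosen for the demo, and the "effort" values are taken as already verified.

```python
"""Added illustration, not code from tor: an effort-ordered queue of pending
rendezvous requests with AIMD adjustment of the service's suggested effort.

Constructed model of the pieces named in the commit subjects:
  * requests are ordered by proof-of-work effort, highest first, with ties
    broken by arrival order (oldest first);
  * the queue is capped and the lowest-effort entries are trimmed when it
    overflows, remembering the highest effort trimmed (max_trimmed_effort);
  * each mainloop run handles a bounded number of requests;
  * suggested effort starts at 0, rises additively while requests pile up
    or had to be trimmed, and halves when a run finds nothing to do (AIMD).
All constants are assumptions for the demo, not tor's values.
"""
import heapq
from dataclasses import dataclass, field

MAX_QUEUE = 8        # assumption: cap on pending requests
PER_RUN_BUDGET = 3   # assumption: requests handled per mainloop run
ADDITIVE_STEP = 10   # assumption: AIMD additive increase per backlogged run


@dataclass(order=True)
class RendRequest:
    # heapq is a min-heap, so the key negates effort: higher effort pops
    # first, and the arrival sequence number favours the earlier request.
    sort_key: tuple = field(init=False, repr=False)
    effort: int
    seq: int
    client_id: str = field(compare=False)

    def __post_init__(self):
        self.sort_key = (-self.effort, self.seq)


class RendQueue:
    def __init__(self, max_size=MAX_QUEUE, per_run=PER_RUN_BUDGET):
        self.max_size = max_size
        self.per_run = per_run
        self._heap = []
        self._seq = 0
        self.suggested_effort = 0      # start low and let AIMD raise it
        self.max_trimmed_effort = 0
        self._trimmed = False
        self._handled_since_update = 0

    def pending(self):
        return len(self._heap)

    def enqueue(self, effort, client_id):
        """Queue a rendezvous request whose PoW effort was already verified."""
        self._seq += 1
        heapq.heappush(self._heap, RendRequest(effort, self._seq, client_id))
        # Over capacity: drop the entry with the largest key, i.e. the
        # lowest effort and, among equals, the most recent arrival.
        while len(self._heap) > self.max_size:
            victim = max(self._heap)
            self._heap.remove(victim)
            heapq.heapify(self._heap)
            self._trimmed = True
            self.max_trimmed_effort = max(self.max_trimmed_effort, victim.effort)

    def run_mainloop_once(self):
        """Handle up to per_run requests, highest effort first; return who."""
        handled = []
        for _ in range(min(self.per_run, len(self._heap))):
            handled.append(heapq.heappop(self._heap).client_id)
        self._handled_since_update += len(handled)
        return handled

    def update_suggested_effort(self):
        """AIMD: additive increase while backlogged or trimming, halve when idle."""
        if self._heap or self._trimmed:
            # Raise the bar, but never below the effort we had to trim, or
            # clients paying that much would just be dropped again.
            self.suggested_effort = max(
                self.suggested_effort + ADDITIVE_STEP, self.max_trimmed_effort)
        elif self._handled_since_update == 0:
            self.suggested_effort //= 2    # idle run: back off
        self.max_trimmed_effort = 0
        self._trimmed = False
        self._handled_since_update = 0
        return self.suggested_effort


if __name__ == "__main__":
    q = RendQueue(max_size=4)
    for cid, eff in [("a", 5), ("b", 50), ("c", 0), ("d", 20), ("e", 0), ("f", 30)]:
        q.enqueue(eff, cid)
    print("handled:", q.run_mainloop_once(),
          "suggested effort:", q.update_suggested_effort())
```

The two zero-effort requests are the ones trimmed when the cap is hit, and the first run still leaves one request waiting, which is what pushes the suggested effort up; once the queue drains and a run handles nothing, the estimate halves again.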
[Git][tpo/applications/tor-browser-build] Pushed new tag tbb-12.0.6-build1
by Pier Angelo Vendrame (@pierov) 10 May '23
Pier Angelo Vendrame pushed new tag tbb-12.0.6-build1 at The Tor Project / Applications / tor-browser-build
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/tree/tbb…
You're receiving this email because of your account on gitlab.torproject.org.
[Git][tpo/applications/tor-browser-build][maint-12.0] Bug 40820: Prepare stable release 12.0.6
by Pier Angelo Vendrame (@pierov) 10 May '23
Pier Angelo Vendrame pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build
Commits:
6b72e634 by Pier Angelo Vendrame at 2023-05-10T09:57:03+02:00
Bug 40820: Prepare stable release 12.0.6
- - - - -
8 changed files:
- projects/browser/Bundle-Data/Docs/ChangeLog.txt
- projects/browser/allowed_addons.json
- projects/firefox/config
- projects/geckoview/config
- projects/go/config
- projects/manual/config
- projects/translation/config
- rbm.conf
Changes:
=====================================
projects/browser/Bundle-Data/Docs/ChangeLog.txt
=====================================
@@ -1,3 +1,89 @@
+Tor Browser 12.0.6 - May 09 2023
+ * All Platforms
+ * Updated Translations
+ * Updated Go to 11.9.9
+ * Bug 41728: Pin bridges.torproject.org domains to Let's Encrypt's root cert public key [tor-browser]
+ * Bug 41756: Rebase Tor Browser Stable to 102.11.0esr [tor-browser]
+ * Windows + macOS + Linux
+ * Updated Firefox to 102.11esr
+ * Bug 40501: High CPU load after tor exits unexpectedly [tor-browser]
+ * Windows
+ * Bug 41683: Disable the network process on Windows [tor-browser]
+ * Android
+ * Updated GeckoView to 102.11esr
+ * Build System
+ * Windows + macOS + Linux
+ * Bug 41730: Bridge lines in tools/torbrowser/bridges.js out of date [tor-browser]
+ * macOS
+ * Bug 40844: Fix DMG reproducibility problem on 12.0.5 [tor-browser-build]
+
+Tor Browser 12.5a5 - April 18 2023
+ * All Platforms
+ * Updated Translations
+ * Updated NoScript to 11.4.21
+ * Updated Go to 11.9.8
+ * Bug 40833: base-browser nightly is using the default channel instead of nightly [tor-browser-build]
+ * Bug 41687: Rebase Tor Browser Alpha to 102.10.0esr [tor-browser]
+ * Bug 41689: Remove startup.homepage_override_url from Base Browser [tor-browser]
+ * Bug 41704: Immediately return on remoteSettings.pollChanges [tor-browser]
+ * Windows + macOS + Linux
+ * Updated Firefox to 102.10esr
+ * Bug 165: Fix maximization warning x button and preference [mullvad-browser]
+ * Bug 40501: High CPU load after tor exits unexpectedly [tor-browser]
+ * Bug 40701: Improve security warning when downloading a file [tor-browser]
+ * Bug 40788: Tor Browser 11.0.4-11.0.6 phoning home [tor-browser]
+ * Bug 40811: Make testing the updater easier [tor-browser-build]
+ * Bug 40831: Fix update URL for base-browser nightly [tor-browser-build]
+ * Bug 40958: The number of relays displayed for an onion site can be misleading [tor-browser]
+ * Bug 41038: Update "Click to Copy" button label in circuit display [tor-browser]
+ * Bug 41109: "New circuit..." button gets cut-off when onion name wraps [tor-browser]
+ * Bug 41350: Move the implementation of Bug 19273 out of Torbutton [tor-browser]
+ * Bug 41521: Improve localization notes [tor-browser]
+ * Bug 41533: Page Info window for view-source:http://...onion addresses says Connection Not Encrypted [tor-browser]
+ * Bug 41600: Some users have difficulty finding the circuit display [tor-browser]
+ * Bug 41617: Improve the UX of the built-in bridges dialog [tor-browser]
+ * Bug 41668: Move part of the updater patches to base browser [tor-browser]
+ * Bug 41686: Move the 'Bug 11641: Disable remoting by default' commit from base-browser to tor-browser [tor-browser]
+ * Bug 41695: Port warning on maximized windows without letterboxing from torbutton [tor-browser]
+ * Bug 41699: Tighten up the tor onion alias regular expression [tor-browser]
+ * Bug 41701: Reporting an extension does not work [tor-browser]
+ * Bug 41702: The connection pill needs to be centered vertically [tor-browser]
+ * Bug 41709: sendCommand should not try to send a command forever [tor-browser]
+ * Bug 41711: Race condition when opening a new window in New Identity [tor-browser]
+ * Bug 41713: “Remove All Bridges” button only appears after hitting “Show All Bridges" [tor-browser]
+ * Bug 41714: “Show Fewer Bridges” button missing from refactored remove all bridges UI [tor-browser]
+ * Bug 41719: Update title and button strings in the new circuit display to sentence case [tor-browser]
+ * Bug 41722: Regression: window maximization warning cannot be closed by the X button [tor-browser]
+ * Bug 41725: Stray connectionPane.xhtml patch [tor-browser]
+ * Windows
+ * Bug 41459: WebRTC fails to build under mingw [tor-browser]
+ * Bug 41678: WebRTC build fix patches incorrectly defining pid_t [tor-browser]
+ * Bug 41683: Disable the network process on Windows [tor-browser]
+ * Linux
+ * Bug 40830: The fontconfig directory is missing in Base Browser [tor-browser-build]
+ * Bug 41163: Many bundled fonts are blocked in Ubuntu/Fedora because of RFP [tor-browser]
+ * Android
+ * Updated GeckoView to 102.10esr
+ * Bug 41724: Backport Android-specific security fixes from Firefox 112 to ESR 102.10-based Tor Browser [tor-browser]
+ * Build System
+ * All Platforms
+ * Bug 40828: Use http://archive.debian.org/debian-archive/ for jessie [tor-browser-build]
+ * Bug 40837: Rebase mullvad-browser build changes onto main [tor-browser-build]
+ * Windows + macOS + Linux
+ * Bug 40823: Update appname_* variables in projects/release/update_responses_config.yml [tor-browser-build]
+ * Bug 40826: Correctly set appname_marfile for basebrowser in tools/signing/nightly/update-responses-base-config.yml [tor-browser-build]
+ * Bug 40827: MAR generation uses (mostly) hard-coded MAR update channel [tor-browser-build]
+ * Bug 41730: Bridge lines in tools/torbrowser/bridges.js out of date [tor-browser]
+ * Windows
+ * Bug 40822: The Tor Browser installer doesn't run with mandatory ASLR on (0xc000007b) [tor-browser-build]
+ * macOS
+ * Bug 40824: dmg2mar script using hardcoded project names for paths [tor-browser-build]
+ * Bug 40844: DMG reproducibility problem on 12.0.5 [tor-browser-build]
+ * Linux
+ * Bug 40835: Update faketime URLs in projects/container-image/config [tor-browser-build]
+ * Android
+ * Bug 41684: Android improvements for local dev builds [tor-browser]
+
Tor Browser 12.0.5 - April 12 2023
* All Platforms
* Updated Translations
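Review bot: "Updated Go to 11.9.9" in the 12.0.6 entry (and "Updated Go to 11.9.8" in the 12.5a5 entry) is not a Go version number; Go releases are numbered 1.x.y, and the dates fit the 1.19 series, so these almost certainly mean 1.19.9 and 1.19.8. projects/go/config is in this commit's changed-files list but not shown here; take the value from there rather than guessing. Also, the entry is headed "May 09 2023" while this commit is dated 2023-05-10; make sure the changelog date agrees with the date the release is actually announced.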
=====================================
projects/browser/allowed_addons.json
=====================================
@@ -17,7 +17,7 @@
"picture_url": "https://addons.mozilla.org/user-media/userpics/34/9734/13299734/13299734.pn…"
}
],
- "average_daily_users": 989098,
+ "average_daily_users": 976883,
"categories": {
"android": [
"experimental",
@@ -31,7 +31,7 @@
"contributions_url": "https://opencollective.com/darkreader?utm_content=product-page-contribute&u…",
"created": "2017-09-19T07:03:00Z",
"current_version": {
- "id": 5509244,
+ "id": 5550694,
"compatibility": {
"firefox": {
"min": "54.0",
@@ -42,7 +42,7 @@
"max": "*"
}
},
- "edit_url": "https://addons.mozilla.org/en-US/developers/addon/darkreader/versions/55092…",
+ "edit_url": "https://addons.mozilla.org/en-US/developers/addon/darkreader/versions/55506…",
"is_strict_compatibility_enabled": false,
"license": {
"id": 22,
@@ -53,22 +53,22 @@
"url": "http://www.opensource.org/license/mit"
},
"release_notes": {
- "en-US": "- Fixed a edge case with extracting color numbers, it's now able to extract `rgb(0 0 0/0.04)`.\n- Improved IPv6 check.\n- Faster UI loading.\n- Users' fixes for websites."
+ "en-US": "- Site toggle panel (detect dark theme and shortcut).\n- App toggle panel (automation and shortcut).\n- Improved Site List indexing.\n- Users' fixes for websites."
},
- "reviewed": "2023-01-09T12:25:16Z",
- "version": "4.9.62",
+ "reviewed": "2023-04-13T13:17:06Z",
+ "version": "4.9.63",
"files": [
{
- "id": 4053589,
- "created": "2023-01-08T17:15:31Z",
- "hash": "sha256:e537a2cee45ed7c26f79ecd3ed362620e3f00d24c158532a58e163a63a3d60cc",
+ "id": 4095037,
+ "created": "2023-04-10T09:52:02Z",
+ "hash": "sha256:16ba6337fcff7ad85e08ad51b384ba26ff751b2b2ded12309f75e8337ace925a",
"is_restart_required": false,
"is_webextension": true,
"is_mozilla_signed_extension": false,
"platform": "all",
- "size": 636487,
+ "size": 658318,
"status": "public",
- "url": "https://addons.mozilla.org/firefox/downloads/file/4053589/darkreader-4.9.62…",
+ "url": "https://addons.mozilla.org/firefox/downloads/file/4095037/darkreader-4.9.63…",
"permissions": [
"alarms",
"contextMenus",
@@ -146,7 +146,7 @@
},
"is_disabled": false,
"is_experimental": false,
- "last_updated": "2023-01-09T12:25:16Z",
+ "last_updated": "2023-04-13T13:17:06Z",
"name": {
"ar": "Dark Reader",
"bn": "Dark Reader",
@@ -221,10 +221,10 @@
"category": "recommended"
},
"ratings": {
- "average": 4.5565,
- "bayesian_average": 4.5553226794282615,
- "count": 4938,
- "text_count": 1565
+ "average": 4.5607,
+ "bayesian_average": 4.559531365183289,
+ "count": 4987,
+ "text_count": 1578
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/darkreader/reviews/",
"requires_payment": false,
@@ -321,7 +321,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/darkreader/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/darkreader/versions/",
- "weekly_downloads": 27115
+ "weekly_downloads": 24385
},
"notes": null
},
@@ -337,7 +337,7 @@
"picture_url": "https://addons.mozilla.org/user-media/userpics/56/7656/6937656/6937656.png?…"
}
],
- "average_daily_users": 264748,
+ "average_daily_users": 258784,
"categories": {
"android": [
"security-privacy"
@@ -553,10 +553,10 @@
"category": "recommended"
},
"ratings": {
- "average": 4.817,
- "bayesian_average": 4.812343801154484,
- "count": 1333,
- "text_count": 235
+ "average": 4.8166,
+ "bayesian_average": 4.811948101281903,
+ "count": 1336,
+ "text_count": 237
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/reviews/",
"requires_payment": false,
@@ -641,7 +641,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/versions/",
- "weekly_downloads": 3669
+ "weekly_downloads": 3623
},
"notes": null
},
@@ -657,7 +657,7 @@
"picture_url": "https://addons.mozilla.org/user-media/userpics/73/4073/5474073/5474073.png?…"
}
],
- "average_daily_users": 1152290,
+ "average_daily_users": 1128787,
"categories": {
"android": [
"security-privacy"
@@ -1180,10 +1180,10 @@
"category": "recommended"
},
"ratings": {
- "average": 4.7999,
- "bayesian_average": 4.797100778126469,
- "count": 2209,
- "text_count": 428
+ "average": 4.8012,
+ "bayesian_average": 4.79841359051625,
+ "count": 2223,
+ "text_count": 426
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/reviews/",
"requires_payment": false,
@@ -1207,7 +1207,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/versions/",
- "weekly_downloads": 39372
+ "weekly_downloads": 18076
},
"notes": null
},
@@ -1223,7 +1223,7 @@
"picture_url": null
}
],
- "average_daily_users": 6459771,
+ "average_daily_users": 6319454,
"categories": {
"android": [
"security-privacy"
@@ -1235,7 +1235,7 @@
"contributions_url": "",
"created": "2015-04-25T07:26:22Z",
"current_version": {
- "id": 5547815,
+ "id": 5558705,
"compatibility": {
"firefox": {
"min": "78.0",
@@ -1246,7 +1246,7 @@
"max": "*"
}
},
- "edit_url": "https://addons.mozilla.org/en-US/developers/addon/ublock-origin/versions/55…",
+ "edit_url": "https://addons.mozilla.org/en-US/developers/addon/ublock-origin/versions/55…",
"is_strict_compatibility_enabled": false,
"license": {
"id": 6,
@@ -1257,22 +1257,22 @@
"url": "http://www.gnu.org/licenses/gpl-3.0.html"
},
"release_notes": {
- "en-US": "See complete release notes for <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/9ba5436deff955b8634d3a…" rel=\"nofollow\">1.48.4</a>.\n\n<b>Fixes / changes</b>\n\n<ul><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/2881e29d212046e14a4f20…" rel=\"nofollow\">Fix presumed network filter not being a valid network filter</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/1d29de8f605dc6f4b7684f…" rel=\"nofollow\">Avoid using ! toolbar icon badge when inconsequential</a><ul><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/04728b2f874e135c8736ae…" rel=\"nofollow\">Clear unprocessed requests status on webNavigation reload event</a></li></ul></li></ul>\n<a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/e34f62492a00e2b8a221ca…" rel=\"nofollow\">Commits history since last version</a>."
+ "en-US": "See complete release notes for <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/24794abbbc5c8930eafab3…" rel=\"nofollow\">1.49.2</a>.\n\n<b>Fixes</b>\n\n<ul><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/812da480d7e6e2fa7d6fd1…" rel=\"nofollow\">Reverse usage of browser.alarms</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/53eab9764901466ecb7c1c…" rel=\"nofollow\">Mind rejected promises from vAPI.storage API</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/58bde6ecd0ff76608c1456…" rel=\"nofollow\">Properly handle promise rejection from webext.storage.local API</a></li><li><a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/3f0e0640ef4983e8fd2352…" rel=\"nofollow\">Add more checks against unexpected conditions re. assets.json</a></li></ul>\n<a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/deebdaa7a15172babdad3e…" rel=\"nofollow\">Commits history since last version</a>."
},
- "reviewed": "2023-04-05T17:12:25Z",
- "version": "1.48.4",
+ "reviewed": "2023-05-03T16:26:03Z",
+ "version": "1.49.2",
"files": [
{
- "id": 4092158,
- "created": "2023-04-01T21:20:42Z",
- "hash": "sha256:d7666b963c2969b0014937aae55472eea5098ff21ed3bea8a2e1f595f62856c1",
+ "id": 4103048,
+ "created": "2023-04-26T14:37:33Z",
+ "hash": "sha256:39266486f720cd31d291d2fdad78625b079782a05517e1936eec7e780bc2a84d",
"is_restart_required": false,
"is_webextension": true,
"is_mozilla_signed_extension": false,
"platform": "all",
- "size": 3343703,
+ "size": 3383174,
"status": "public",
- "url": "https://addons.mozilla.org/firefox/downloads/file/4092158/ublock_origin-1.4…",
+ "url": "https://addons.mozilla.org/firefox/downloads/file/4103048/ublock_origin-1.4…",
"permissions": [
"dns",
"menus",
@@ -1388,7 +1388,7 @@
},
"is_disabled": false,
"is_experimental": false,
- "last_updated": "2023-04-05T17:12:25Z",
+ "last_updated": "2023-05-08T12:35:48Z",
"name": {
"ar": "uBlock Origin",
"bg": "uBlock Origin",
@@ -1533,10 +1533,10 @@
"category": "recommended"
},
"ratings": {
- "average": 4.78,
- "bayesian_average": 4.7795951137081945,
- "count": 15206,
- "text_count": 3956
+ "average": 4.7808,
+ "bayesian_average": 4.780398687268275,
+ "count": 15366,
+ "text_count": 3994
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/reviews/",
"requires_payment": false,
@@ -1598,7 +1598,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/versions/",
- "weekly_downloads": 138089
+ "weekly_downloads": 131497
},
"notes": null
},
@@ -1614,19 +1614,20 @@
"picture_url": null
}
],
- "average_daily_users": 159972,
+ "average_daily_users": 167016,
"categories": {
"android": [
"photos-media"
],
"firefox": [
- "games-entertainment"
+ "games-entertainment",
+ "photos-music-videos"
]
},
"contributions_url": "",
"created": "2017-05-03T08:36:43Z",
"current_version": {
- "id": 5220332,
+ "id": 5560463,
"compatibility": {
"firefox": {
"min": "42.0",
@@ -1637,7 +1638,7 @@
"max": "*"
}
},
- "edit_url": "https://addons.mozilla.org/en-US/developers/addon/video-background-play-fix…",
+ "edit_url": "https://addons.mozilla.org/en-US/developers/addon/video-background-play-fix…",
"is_strict_compatibility_enabled": false,
"license": {
"id": 22,
@@ -1648,24 +1649,24 @@
"url": "http://www.opensource.org/license/mit"
},
"release_notes": {
- "de": "Experimentelle Verbesserungen der Handhabung von Youtube.",
- "en-US": "Experimental improvement of Youtube handling.",
- "ro": "Îmbunătățiri experimentale pentru Youtube."
+ "de": "Neue Übersetzungen ergänzt",
+ "en-US": "Added new translations",
+ "ro": "Adăugat traduceri noi"
},
- "reviewed": "2021-04-23T07:50:05Z",
- "version": "1.6.0",
+ "reviewed": "2023-05-05T14:25:10Z",
+ "version": "1.7.0",
"files": [
{
- "id": 3764692,
- "created": "2021-04-22T21:46:53Z",
- "hash": "sha256:73cfa682e0398ca1b51890340e4a6df3fcea945f54e9e677e9db942152aa614d",
+ "id": 4104806,
+ "created": "2023-05-01T11:53:35Z",
+ "hash": "sha256:e8713a1720ffba236c40ebabd5ac1db88702d75c21edc23d61216a5897b3792a",
"is_restart_required": false,
"is_webextension": true,
"is_mozilla_signed_extension": false,
"platform": "all",
- "size": 12088,
+ "size": 12968,
"status": "public",
- "url": "https://addons.mozilla.org/firefox/downloads/file/3764692/video_background_…",
+ "url": "https://addons.mozilla.org/firefox/downloads/file/4104806/video_background_…",
"permissions": [
"*://*.youtube.com/*",
"*://*.youtube-nocookie.com/*",
@@ -1678,9 +1679,9 @@
},
"default_locale": "en-US",
"description": {
- "de": "ACHTUNG: Im neuen Firefox für Android (Version 79 und neuer) funktioniert Videowiedergabe im Hintergrund erst <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/05bb7b1ef7f63358eeabcd…" rel=\"nofollow\">ab Firefox 82</a> korrekt.\n\nUnterstützt momentan folgende Seiten:\n<ul><li>Youtube</li><li>Vimeo (Wiedergabe nicht unterbrechen wenn Vollbildmodus beendet wird)</li></ul>",
- "en-US": "ATTENTION: With the new Firefox on Android (Firefox 79 and newer), background playback only properly works starting <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/05bb7b1ef7f63358eeabcd…" rel=\"nofollow\">from Firefox 82</a>.\n\nThe following pages are currently supported:\n<ul><li>Youtube</li><li>Vimeo (don't stop playback when existing fullscreen)</li></ul>",
- "ro": "ATENȚIE: În noul Firefox pentru Android (versiunea 79+), redarea video în fundal funcționează corect abia de la <a href=\"https://prod.outgoing.prod.webservices.mozgcp.net/v1/05bb7b1ef7f63358eeabcd…" rel=\"nofollow\">Firefox 82</a>.\n\nÎn prezent este compatibil cu următoarele site-uri:\n<ul><li>Youtube</li><li>Vimeo (nu întrerupeți redarea atunci când ieșiți din modul fullscreen)</li></ul>"
+ "de": "Unterstützt momentan folgende Seiten:\n<ul><li>Youtube</li><li>Vimeo (Wiedergabe nicht unterbrechen wenn Vollbildmodus beendet wird)</li></ul>",
+ "en-US": "The following pages are currently supported:\n<ul><li>Youtube</li><li>Vimeo (don't stop playback when existing fullscreen)</li></ul>",
+ "ro": "În prezent este compatibil cu următoarele site-uri:\n<ul><li>Youtube</li><li>Vimeo (nu întrerupeți redarea atunci când ieșiți din modul fullscreen)</li></ul>"
},
"developer_comments": null,
"edit_url": "https://addons.mozilla.org/en-US/developers/addon/video-background-play-fix…",
@@ -1698,7 +1699,7 @@
},
"is_disabled": false,
"is_experimental": false,
- "last_updated": "2021-04-23T07:50:05Z",
+ "last_updated": "2023-05-05T14:25:10Z",
"name": {
"de": "Videowiedergabe im Hintergrund",
"en-US": "Video Background Play Fix",
@@ -1712,10 +1713,10 @@
"category": "recommended"
},
"ratings": {
- "average": 4.5069,
- "bayesian_average": 4.501656166558232,
- "count": 1093,
- "text_count": 405
+ "average": 4.4874,
+ "bayesian_average": 4.4822747330216925,
+ "count": 1114,
+ "text_count": 416
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/video-background-play-fix/re…",
"requires_payment": false,
@@ -1737,7 +1738,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/video-background-play-fix/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/video-background-play-fix/ve…",
- "weekly_downloads": 386
+ "weekly_downloads": 411
},
"notes": null
},
@@ -1753,7 +1754,7 @@
"picture_url": null
}
],
- "average_daily_users": 90974,
+ "average_daily_users": 88255,
"categories": {
"android": [
"experimental",
@@ -1867,9 +1868,9 @@
"promoted": null,
"ratings": {
"average": 4.3684,
- "bayesian_average": 4.354634977381083,
+ "bayesian_average": 4.354580970236878,
"count": 399,
- "text_count": 113
+ "text_count": 112
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/reviews/",
"requires_payment": false,
@@ -1891,7 +1892,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/versions/",
- "weekly_downloads": 1200
+ "weekly_downloads": 900
},
"notes": null
},
@@ -1907,7 +1908,7 @@
"picture_url": "https://addons.mozilla.org/user-media/userpics/64/9064/12929064/12929064.pn…"
}
],
- "average_daily_users": 261805,
+ "average_daily_users": 259842,
"categories": {
"android": [
"photos-media",
@@ -2126,9 +2127,9 @@
"category": "recommended"
},
"ratings": {
- "average": 4.653,
- "bayesian_average": 4.6482048070516955,
- "count": 1242,
+ "average": 4.6521,
+ "bayesian_average": 4.647356516825427,
+ "count": 1256,
"text_count": 241
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/search_by_image/reviews/",
@@ -2150,7 +2151,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/search_by_image/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/search_by_image/versions/",
- "weekly_downloads": 7262
+ "weekly_downloads": 4089
},
"notes": null
},
@@ -2173,7 +2174,7 @@
"picture_url": null
}
],
- "average_daily_users": 110023,
+ "average_daily_users": 110772,
"categories": {
"android": [
"other"
@@ -2456,10 +2457,10 @@
"category": "recommended"
},
"ratings": {
- "average": 4.4449,
- "bayesian_average": 4.440238588001734,
- "count": 1207,
- "text_count": 321
+ "average": 4.443,
+ "bayesian_average": 4.438340772354168,
+ "count": 1210,
+ "text_count": 322
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/google-search-fixer/reviews/",
"requires_payment": false,
@@ -2479,7 +2480,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/google-search-fixer/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/google-search-fixer/versions/",
- "weekly_downloads": 34
+ "weekly_downloads": 40
},
"notes": null
},
@@ -2495,7 +2496,7 @@
"picture_url": "https://addons.mozilla.org/user-media/userpics/43/0143/143/143.png?modified…"
}
],
- "average_daily_users": 324182,
+ "average_daily_users": 313446,
"categories": {
"android": [
"performance",
@@ -2685,10 +2686,10 @@
"category": "recommended"
},
"ratings": {
- "average": 4.4039,
- "bayesian_average": 4.401185759316559,
- "count": 2055,
- "text_count": 801
+ "average": 4.4106,
+ "bayesian_average": 4.407881097196251,
+ "count": 2058,
+ "text_count": 799
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/noscript/reviews/",
"requires_payment": false,
@@ -2732,7 +2733,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/noscript/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/",
- "weekly_downloads": 7852
+ "weekly_downloads": 7698
},
"notes": null
},
@@ -2748,7 +2749,7 @@
"picture_url": null
}
],
- "average_daily_users": 148389,
+ "average_daily_users": 150188,
"categories": {
"android": [
"performance",
@@ -2863,10 +2864,10 @@
"category": "recommended"
},
"ratings": {
- "average": 3.9106,
- "bayesian_average": 3.906291934298175,
- "count": 1119,
- "text_count": 397
+ "average": 3.9071,
+ "bayesian_average": 3.902833394829747,
+ "count": 1130,
+ "text_count": 402
},
"ratings_url": "https://addons.mozilla.org/en-US/firefox/addon/youtube-high-definition/revi…",
"requires_payment": false,
@@ -2885,7 +2886,7 @@
"type": "extension",
"url": "https://addons.mozilla.org/en-US/firefox/addon/youtube-high-definition/",
"versions_url": "https://addons.mozilla.org/en-US/firefox/addon/youtube-high-definition/vers…",
- "weekly_downloads": 1519
+ "weekly_downloads": 2266
},
"notes": null
}
=====================================
projects/firefox/config
=====================================
@@ -12,10 +12,10 @@ container:
use_container: 1
var:
- firefox_platform_version: 102.10.0
+ firefox_platform_version: 102.11.0
firefox_version: '[% c("var/firefox_platform_version") %]esr'
browser_branch: '12.0-1'
- browser_build: 2
+ browser_build: 1
branding_directory: 'browser/branding/alpha'
copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]'
nightly_updates_osname: '[% c("var/osname") %]'
=====================================
projects/geckoview/config
=====================================
@@ -12,9 +12,9 @@ container:
use_container: 1
var:
- geckoview_version: 102.10.0esr
+ geckoview_version: 102.11.0esr
torbrowser_branch: 12.0-1
- browser_build: 2
+ browser_build: 1
copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]'
deps:
- build-essential
=====================================
projects/go/config
=====================================
@@ -1,5 +1,5 @@
# vim: filetype=yaml sw=2
-version: 1.19.8
+version: 1.19.9
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
container:
use_container: 1
@@ -121,7 +121,7 @@ input_files:
enable: '[% ! c("var/linux") %]'
- URL: 'https://golang.org/dl/go[% c("version") %].src.tar.gz'
name: go
- sha256sum: 1d7a67929dccafeaf8a29e55985bc2b789e0499cb1a17100039f084e3238da2f
+ sha256sum: 131190a4697a70c5b1d232df5d3f55a3f9ec0e78e40516196ffb3f09ae6a5744
- URL: 'https://golang.org/dl/go[% c("var/go14_version") %].src.tar.gz'
name: go14
sha256sum: 9947fc705b0b841b5938c48b22dc33e9647ec0752bae66e50278df4f23f64959
=====================================
projects/manual/config
=====================================
@@ -1,7 +1,7 @@
# vim: filetype=yaml sw=2
# To update, see doc/how-to-update-the-manual.txt
# Remember to update also the package's hash, with the version!
-version: 72637
+version: 74065
filename: 'manual-[% c("version") %]-[% c("var/build_id") %].tar.gz'
container:
use_container: 1
@@ -17,8 +17,8 @@ var:
input_files:
- project: container-image
- - URL: 'https://people.torproject.org/~ma1/tbb_files/manual_[% c("version") %].zip'
+ - URL: 'https://people.torproject.org/~pierov/tbb_files/manual_[% c("version") %].zip'
name: manual
- sha256sum: 28379bdb31989d26a4cb735b9cbcd9ee52089f72153881f3802d291743b8cf06
+ sha256sum: 788c2dc2bfacbc6961ce443c5639706cc23fbb7b7730ed7f71a26396511305be
- filename: packagemanual.py
name: package_script
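Review bot: the manual download moves from `~ma1` to `~pierov` on people.torproject.org and the `sha256sum` is bumped in the same hunk, as the file's own comment requires, so the fetch stays pinned; the commit message says nothing about the host change, though, and a line recording why the source directory moved would keep the provenance of this release input traceable.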
=====================================
projects/translation/config
=====================================
@@ -6,19 +6,19 @@ version: '[% c("abbrev") %]'
steps:
base-browser:
base-browser: '[% INCLUDE build %]'
- git_hash: a7f7d59e21395ba563033060a55903f4f7163c02
+ git_hash: 97c76d5183b16b069e66feaaf10e00c1d2c7d9e0
targets:
nightly:
git_hash: 'base-browser'
base-browser-fluent:
base-browser-fluent: '[% INCLUDE build %]'
- git_hash: 32c09e1c5282cf3c7369d45fc199eb35c10a4fcc
+ git_hash: d473c4dd005325d1be40bae0f816974e195a972d
targets:
nightly:
git_hash: 'basebrowser-newidentityftl'
tor-browser:
tor-browser: '[% INCLUDE build %]'
- git_hash: a7be13f5b46a2bd3684146556390d62b1caa2f52
+ git_hash: 267f3c208a323df636ed11e7143164956d3d9d9b
targets:
nightly:
git_hash: 'tor-browser'
@@ -26,7 +26,7 @@ steps:
fenix: '[% INCLUDE build %]'
# We need to bump the commit before releasing but just pointing to a branch
# might cause too much rebuidling of the Firefox part.
- git_hash: b2691020553c5e81bacfe3ed33cc66226754c98d
+ git_hash: 0deec2a78dea0013e8c4eaec1d40ef5aac4e43b0
targets:
nightly:
git_hash: 'fenix-torbrowserstringsxml'
=====================================
rbm.conf
=====================================
@@ -71,10 +71,13 @@ buildconf:
git_signtag_opt: '-s'
var:
- torbrowser_version: '12.0.5'
- torbrowser_build: 'build2'
+ torbrowser_version: '12.0.6'
+ torbrowser_build: 'build1'
torbrowser_incremental_from:
+ # Build incrementals also from 12.0.4 until we have a new certificate for
+ # Windows installers.
- 12.0.4
+ - 12.0.5
build_mar: 1
# By default, we sort the list of installed packages. This allows sharing
# containers with identical list of packages, even if they are not listed
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/6…

[Git][tpo/applications/tor-browser-build] Pushed new tag mb-12.0.6-build1
by Pier Angelo Vendrame (@pierov) 10 May '23
Pier Angelo Vendrame pushed new tag mb-12.0.6-build1 at The Tor Project / Applications / tor-browser-build
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/tree/mb-…
[Git][tpo/applications/tor-browser-build][maint-12.0-mullvad] Bug 40853: Prepare Mullvad Browser Release 12.0.6
by Pier Angelo Vendrame (@pierov) 10 May '23
Pier Angelo Vendrame pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits:
05a3e330 by Pier Angelo Vendrame at 2023-05-10T07:42:24+02:00
Bug 40853: Prepare Mullvad Browser Release 12.0.6
- - - - -
3 changed files:
- projects/browser/config
- projects/firefox/config
- rbm.conf
Changes:
=====================================
projects/browser/config
=====================================
@@ -106,9 +106,9 @@ input_files:
- URL: https://addons.mozilla.org/firefox/downloads/file/4090970/noscript-11.4.21.…
name: noscript
sha256sum: 0fd3b66a2780d03a5b3cd460216105f3df2b27c6d3a552c1769c5de48c9e2338
- - URL: https://addons.mozilla.org/firefox/downloads/file/4092158/ublock_origin-1.4…
+ - URL: https://addons.mozilla.org/firefox/downloads/file/4103048/ublock_origin-1.4…
name: ublock-origin
- sha256sum: d7666b963c2969b0014937aae55472eea5098ff21ed3bea8a2e1f595f62856c1
+ sha256sum: 39266486f720cd31d291d2fdad78625b079782a05517e1936eec7e780bc2a84d
enable: '[% c("var/mullvad-browser") %]'
- URL: https://github.com/mullvad/browser-extension/releases/download/v0.7.9-firef…
name: mullvad-extension
=====================================
projects/firefox/config
=====================================
@@ -11,11 +11,11 @@ container:
use_container: 1
var:
- firefox_platform_version: 102.10.0
+ firefox_platform_version: 102.11.0
firefox_version: '[% c("var/firefox_platform_version") %]esr'
browser_series: '12.0'
- browser_branch: '[% c("var/browser_series") %]-2'
- browser_build: 2
+ browser_branch: '[% c("var/browser_series") %]-1'
+ browser_build: 1
branding_directory_prefix: 'tb'
copyright_year: '[% exec("git show -s --format=%ci").remove("-.*") %]'
nightly_updates_publish_dir: '[% c("var/nightly_updates_publish_dir_prefix") %][% c("var/osname") %]'
=====================================
rbm.conf
=====================================
@@ -71,10 +71,13 @@ buildconf:
git_signtag_opt: '-s'
var:
- torbrowser_version: '12.0.5'
+ torbrowser_version: '12.0.6'
torbrowser_build: 'build1'
torbrowser_incremental_from:
+ # Build incrementals also from 12.0.4 until we have a new certificate for
+ # Windows installers.
- 12.0.4
+ - 12.0.5
updater_enabled: 1
build_mar: 1
mar_channel_id: '[% c("var/projectname") %]-torproject-[% c("var/channel") %]'
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/0…
[Git][tpo/applications/tor-browser-build][maint-12.0-mullvad] 2 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts
by Richard Pospesel (@richard) 09 May '23
Richard Pospesel pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits:
42213fb6 by Nicolas Vigier at 2023-05-09T20:55:38+00:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - -
4875b3ec by Nicolas Vigier at 2023-05-09T20:55:38+00:00
Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar
Changes:
=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+ use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+ - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+ sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+ fetch_martools:
+ fetch_martools: |
+ #!/bin/bash
+ echo ok
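Review bot: `gpg_keyring` and `tag_gpg_id` only govern git tag signature checks, and this project has no `git_url`, so both keys are inert here and the integrity of mar-tools-linux64.zip rests entirely on the pinned `sha256sum`; either drop the two keys or add a comment saying the zip is verified by hash only, so nobody later assumes a signature is checked. The `fetch_martools` step body is a no-op (`echo ok`) that exists to trigger the `input_files` download, which deserves a one-line comment as well.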
=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
# vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
input_files:
- filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- filename: timestamping.patch
+ - filename: '[% c("var/srcfile") %]'
+ enable: '[% c("var/no-git") %]'
+
+targets:
+ no-git:
+ git_url: ''
+ var:
+ no-git: 1
+ srcfile: '[% project %]-[% c("version") %].tar.gz'
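Review bot: the new `no-git` target feeds `srcfile` (`osslsigncode-<version>.tar.gz`) through `input_files` without a `sha256sum`, unlike the upstream tarball pinned in projects/yubihsm-shell/config, so on the signing machine the integrity of the osslsigncode source depends solely on the rsync-over-ssh upload. Deriving `version` from `git_hash.substr(0, 12)` is the right move since it gives both targets the same version string; consider also recording the tarball's hash at upload time so setup-osslsigncode can verify it before building.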
=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
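Review bot: `mv ../*.deb "$distdir"` collects every .deb in the parent directory, not only the ones this `dpkg-buildpackage` run produced; with `use_container: 0` in projects/yubihsm-shell/config the build runs directly on the signing machine, so leftover packages in that directory would end up in the output tree. Building inside a fresh `mktemp -d` directory, or moving the four expected package names explicitly, would close that gap.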
=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+ use_container: 0
+var:
+ src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+ - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+ sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+ fetch_src:
+ fetch_src: |
+ #!/bin/bash
+ echo ok
=====================================
rbm.conf
=====================================
@@ -87,7 +87,7 @@ var:
build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
build_id_txt: |
[% c("version") %]
- [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+ [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
[% IF c("container/use_container") && ! c("container/global_disable") -%]
[% c("var/container/suite") %]
[% c("var/container/arch") %]
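Review bot: switching the condition from `git_hash || hg_hash` to `git_url || hg_url` is global, so any project that keeps `git_hash` but clears `git_url` (the new osslsigncode `no-git` target) now drops the `abbrev` from `build_id_txt`; that is the intent here, and osslsigncode compensates by putting `git_hash.substr(0, 12)` into `version`, but a comment next to this line explaining the `no-git` case would keep the next reader from reverting it.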
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
test -f "$steps_dir/linux-signer-signmars.done" ||
read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
- read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
read -sp "Enter gpg passphrase: " GPG_PASS
echo
@@ -199,10 +199,10 @@ do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
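Review bot: commenting out the four authenticode steps means the later `hash_signed_bundles` and `linux-signer-gpg-sign` steps now run over unsigned Windows executables (the gpg loop in linux-signer-gpg-sign includes `*.exe`), so sha256sums and detached signatures will be produced for unsigned installers. Since the first hunk also drops the `YUBIPASS` prompt, a gating variable (for example in tools/signing/set-config, which is already in this change) with an explicit warning printed by do-all-signing would be safer than commented lines, and would make re-enabling a config flip rather than a code edit.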
=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
echo
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
cwd=$(pwd)
for i in `find . -name "*.exe" -print`
do
echo "Signing $i"
- echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
- /home/yubihsm/osslsigncode/osslsigncode \
- -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
- -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
- -pass "'$YUBIPASS'" \
- -h sha256 \
- -certs /home/yubihsm/tpo-cert.crt \
- -key 1c40 \
- "$cwd/$i" "$tmpdir/$i" \
- | sudo su - yubihsm
- mv -vf "$tmpdir/$i" "$cwd/$i"
+ sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+ "$YUBIPASS" \
+ "$cwd/$i"
+ cp /home/signing-win/last-signed-file.exe "$cwd/$i"
done
unset YUBIPASS
-rmdir "$tmpdir"
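Review bot: `"$YUBIPASS"` is now passed to the wrapper as a command-line argument, which exposes the YubiHSM password in the process list to every local user for the duration of each signing and, because sudo logs the full command line, also writes it to the auth log; the sibling scripts pass their secrets on stdin (`echo "$GPG_PASS" | sudo -u signing-gpg ...`, `echo "$NSSPASS" | sudo -u signing-mar ...`) and sign-exe should take the same route. Second, `cp /home/signing-win/last-signed-file.exe "$cwd/$i"` copies a fixed path with no check that the wrapper succeeded, so a failed run could copy the previous installer's output over the wrong file; have the wrapper write to stdout like sign-gpg does, or check its exit status before the copy.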
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
do
if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
rm -f "$i.asc"
fi
echo "Signing $i"
- echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+ i="$currentdir/$i"
+ tmpsig=$(mktemp)
+ echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+ mv -f "$tmpsig" "${i}.asc"
done
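Review bot: the explicit subkey selector `0xe53d989a9e2d47bf!` is removed from this script and must now live in the sign-gpg wrapper, so confirm the wrapper pins the same subkey with the trailing `!` rather than letting gpg choose one. Also, unless this script runs with `set -e`, a wrapper failure leaves an empty `$tmpsig` that `mv -f` then installs as `${i}.asc`; checking the pipeline status (or enabling `set -o pipefail`) before the `mv` avoids shipping an empty signature file.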
=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
#!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
set -e
set -u
@@ -10,38 +6,15 @@ set -u
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
-if [ -z "${NSS_DB_DIR+x}" ]; then
- if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
- NSS_DB_DIR=/home/boklm/marsigning/nssdb7
- fi
- if test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
- NSS_DB_DIR=/home/boklm/marsigning/mullvad-browser-nssdb-1
- fi
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
- NSS_CERTNAME=marsigner
-fi
-
export LC_ALL=C
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
- >&2 echo "Please create and populate the $NSS_DB_DIR directory"
- exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 3
fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
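Review bot: `export LD_LIBRARY_PATH="$martools_dir"` replaces the old prepend logic and now overwrites any LD_LIBRARY_PATH already set in the environment; if that is deliberate (a fixed library path for signmar is a reasonable choice on a signing host), say so in a comment, otherwise keep the prepend. The removed `cert9.db` prerequisite check is not replaced by anything here, so a missing or unreadable NSS database is now only detected when sign-mar fails on the first file.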
# Prompt for the NSS password.
# TODO: Test that the entered NSS password is correct. But how? Unfortunately,
@@ -70,9 +43,8 @@ for marfile in *.mar; do
continue;
fi
- echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
- "$marfile" tmp.mar
- mv -f tmp.mar "$marfile"
+ echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+ cp /home/signing-mar/last-signed-mar.mar "$marfile"
COUNT=$((COUNT + 1))
echo "Signed MAR file $COUNT ($marfile)"
done
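Review bot: `cp /home/signing-mar/last-signed-mar.mar "$marfile"` has the same fixed-output-path issue as the authenticode script: nothing verifies that sign-mar succeeded before the copy, so a wrapper failure that leaves the previous run's file in place would overwrite `$marfile` with a different MAR. Checking the exit status, or having the wrapper stream the signed MAR to stdout as sign-gpg does, avoids that.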
=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+ echo 'This script should be run as the build-pkgs user' >&2
+ exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
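Review bot: `mkdir -p $(dirname $destdir)` is the only unquoted expansion in the script; harmless with this fixed path, but worth quoting for consistency with the `"$destdir"` uses above. The `whoami` guard and the "already exists, doing nothing" early exit make the script idempotent, which matches how setup-signing-machine invokes it.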
=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug
=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+ user="$1"
+ groups="$2"
+ id "$user" > /dev/null 2>&1 && return 0
+ test -n "$groups" && groups="--groups $groups"
+ useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+ group="$1"
+ getent group "$group" > /dev/null 2>&1 && return 0
+ groupadd "$group"
+}
+
+function authorized_keys {
+ user="$1"
+ shift
+ tmpfile=$(mktemp)
+ for file in "$@"; do
+ cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+ done
+ sshdir="/home/$user/.ssh"
+ authkeysfile="$sshdir/authorized_keys"
+ if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+ rm "$tmpfile"
+ return 0
+ fi
+ echo "Update authorized_keys for user $user"
+ if ! test -d "$sshdir"; then
+ mkdir "$sshdir"
+ chmod 700 "$sshdir"
+ chown $user:$user "$sshdir"
+ fi
+ mv "$tmpfile" "$authkeysfile"
+ chown $user:$user "$authkeysfile"
+ chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+ sfile="$1"
+ cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+ chown root:root "/etc/sudoers.d/$sfile"
+ chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+ udevrule="$1"
+ rulepath="/etc/udev/rules.d/$udevrule"
+ if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+ cp "$script_dir$rulepath" "$rulepath"
+ udevadm control --reload-rules
+ fi
+}
+
+function install_packages {
+ for pkg in "$@"
+ do
+ dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+ apt-get install -y "$pkg"
+ done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+ libio-handle-util-perl libio-all-perl \
+ libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+ libstring-shellquote-perl libsort-versions-perl \
+ libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+ libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+ yubishm_version=2.4.0
+ sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+ pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+ apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+ ./libyubihsm1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+ popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+ tmpdir=$(mktemp -d)
+ unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+ chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+ chmod go+rX "$tmpdir/mar-tools"/*
+ mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
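Review bot: `authorized_keys boklm ...` is called without a preceding `create_user boklm`, unlike `create_user richard signing` right below it, so on a fresh machine `mkdir /home/boklm/.ssh` fails under `set -e`, and boklm is never added to the `signing` group that the sudoers rules grant. Two smaller points: `yubishm_version=2.4.0` (typo for yubihsm) duplicates `version: 2.4.0` from projects/yubihsm-shell/config and will silently drift; read it with `./rbm/rbm showconf yubihsm-shell version` as build-yubihsm-shell-pkg does for its other values. And `chmod 0755 /signing` plus `chown setup /signing` makes the unprivileged `setup` account the owner of the tree that the signing users later extract and execute, which matters for the sudoers rules below.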
=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 user@tb-release
=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 boklm-yk1
=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
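Review bot: the NOPASSWD target `/signing/tor-browser-build/tools/signing/wrappers/sign-exe` lives under `/signing`, which setup-signing-machine chowns to the `setup` user and which upload-tbb-to-signing-machine refreshes from a tarball over rsync; a sudoers rule pointing at a path under a directory writable by another account means whoever controls `setup` (or the upload channel) controls what runs as signing-win, the only member of the `yubihsm` group. Install the three wrappers to a root-owned location (the `sudoers_file` helper already does this for /etc/sudoers.d) and point sign-exe, sign-gpg and sign-mar at that copy.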
=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+ ./rbm/rbm tar osslsigncode
+ echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+ ./rbm/rbm build --step fetch_martools mar-tools
+ echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+ ./rbm/rbm build yubihsm-shell --step fetch_src
+ echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
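Review bot: `tmpdir` from `mktemp -d` on line 9 is never removed, so every run leaves a full tor-browser-build.tar and rbm.tar in /tmp; a `trap 'rm -rf "$tmpdir"' EXIT` right after the mktemp fixes that. Separately, the remote `tar -C $signing_dir -xf` on line 57 only adds and overwrites files: anything deleted from the repository (an old wrapper, a dropped sudoers file) stays in /signing/tor-browser-build, so removing the old tree before extraction, or syncing the extracted tree with `--delete`, would keep the signing machine's copy equal to HEAD.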
=====================================
tools/signing/set-config
=====================================
@@ -18,6 +18,8 @@ test "$SIGNING_PROJECTNAME" = 'torbrowser' \
|| test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \
|| exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME"
+export SIGNING_PROJECTNAME
+
test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
. "$script_dir/set-config.tbb-version"
@@ -36,3 +38,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
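Review bot: the added `wrappers_dir` is an absolute path on the signing machine that must match the three files in machines-setup/sudoers.d byte for byte; if they diverge, sudo refuses the command and the failure only shows up at signing time. A comment next to the assignment pointing at sudoers.d, or generating both from one variable, would make that coupling visible.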
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+ echo "File $tpo_cert is missing" >&2
+ exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+ -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+ -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+ -pass "$yubipass" \
+ -h sha256 \
+ -certs "$tpo_cert" \
+ -key 1c40 \
+ "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
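Review bot: the HSM passphrase is taken from argv (`yubipass="$1"`, line 14) and then handed to osslsigncode as `-pass "$yubipass"` (line 31), so for the lifetime of both processes it is readable in /proc/*/cmdline by every local account, including the other signing-* users this change is meant to isolate from each other. The sign-gpg and sign-mar wrappers already read their secret from stdin; reading the passphrase the same way here (and handing it to osslsigncode through `-readpass` on a private file, if the built version supports that option) would close the gap. Two smaller points: the engine path on line 29 is OpenSSL 1.1 specific (`engines-1.1`), so it breaks on an OpenSSL 3 host, and the exit codes are the reverse of sign-gpg (1 for bad arguments here, 2 there).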
=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+ echo 'This script should be run as the signing-gpg user' >&2
+ exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
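Review bot: `--passphrase-fd 0` on line 14 is only honoured by gpg 2.1+ when the call also specifies `--pinentry-mode loopback` (and, on older 2.1.x agents, `allow-loopback-pinentry` in /home/signing-gpg/.gnupg/gpg-agent.conf); without it a `--batch` signing run fails with a pinentry error even though the passphrase was piped in, so either add the flag or note in a comment which gpg version the signing host runs. The argument-count check exits 2 and the wrong-user check exits 1, the reverse of sign-exe and sign-mar; pick one convention for the three wrappers.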
=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+ echo 'This script should be run as the signing-mar user' >&2
+ exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+ echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+ exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+ echo "$NSS_DB_DIR is missing" >&2
+ exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
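Review bot: the old linux-signer-signmars checked that `$NSS_DB_DIR/cert9.db` is readable; the check on line 27 only tests that the directory exists, so an empty or wrongly-owned nssdb now fails later inside signmar with a less helpful message. Line 22 prints the unknown-project error to stdout while every other error in this file goes to stderr. The input path `$1` is also used as-is: signmar runs as signing-mar, so the file under the caller's home must be readable by that account, which deserves a comment since nothing in setup-signing-machine enforces it.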
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…
You're receiving this email because of your account on gitlab.torproject.org.
[Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts
by Richard Pospesel (@richard) 09 May '23
Richard Pospesel pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
deb60089 by Nicolas Vigier at 2023-05-09T20:40:31+00:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - -
5adcbf38 by Nicolas Vigier at 2023-05-09T20:40:31+00:00
Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar
Changes:
=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+ use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+ - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+ sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+ fetch_martools:
+ fetch_martools: |
+ #!/bin/bash
+ echo ok
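Review bot: the sha256sum on line 14 is the only thing that authenticates this download, so `version` and the hash must be bumped together; a short comment saying where the hash came from (the signed sha256sums file published alongside that release, for instance) would let the next person verify it rather than copy it. `gpg_keyring` and `tag_gpg_id` on lines 10-11 appear to have no effect for a project with no git_url and can be dropped.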
=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
# vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
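Review bot: switching `version` to a 12-character prefix of git_hash on line 2 is what lets the `no-git` target name its tarball without a checkout, but `version` also feeds `filename` and `var/build_id`, so if c("abbrev") did not already resolve to those same 12 characters every existing osslsigncode build id changes; either say so in the commit message or check the observed build id once before and after.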
@@ -15,3 +15,12 @@ var:
input_files:
- filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- filename: timestamping.patch
+ - filename: '[% c("var/srcfile") %]'
+ enable: '[% c("var/no-git") %]'
+
+targets:
+ no-git:
+ git_url: ''
+ var:
+ no-git: 1
+ srcfile: '[% project %]-[% c("version") %].tar.gz'
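Review bot: the `no-git` input file added on lines 18-19 carries no sha256sum, unlike the yubihsm-shell and mar-tools inputs, so the osslsigncode source the signing machine builds is trusted purely because it arrived over the rsync/ssh session from the builder. That is defensible when the tarball is produced by `rbm tar` from the pinned git_hash, but a comment saying so (and why a hash cannot be pinned for a locally generated tarball) would save the next reviewer the question.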
=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+ use_container: 0
+var:
+ src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+ - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+ sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+ fetch_src:
+ fetch_src: |
+ #!/bin/bash
+ echo ok
=====================================
rbm.conf
=====================================
@@ -87,7 +87,7 @@ var:
build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
build_id_txt: |
[% c("version") %]
- [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+ [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
[% IF c("container/use_container") && ! c("container/global_disable") -%]
[% c("var/container/suite") %]
[% c("var/container/arch") %]
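Review bot: gating `abbrev` on `git_url`/`hg_url` instead of `git_hash`/`hg_hash` is only needed because the osslsigncode `no-git` target keeps git_hash (for `version`) while clearing git_url, and that reason is invisible from rbm.conf; add a one-line comment here, since build_id_txt feeds every build id and anyone touching this line later needs to know what depends on it.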
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
test -f "$steps_dir/linux-signer-signmars.done" ||
read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
- read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
read -sp "Enter gpg passphrase: " GPG_PASS
echo
@@ -199,10 +199,10 @@ do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
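Review bot: commenting out the four authenticode steps (lines 202-205) leaves no trace of why: add a comment naming Bug 40846 next to the disabled block (and next to the disabled YUBIPASS prompt above) so it can be found and reverted, and state in the commit message that `hash_signed_bundles` and `linux-signer-gpg-sign` now hash and GPG-sign Windows binaries that carry no Authenticode signature, since that is what users download while this is in place.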
=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
echo
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
cwd=$(pwd)
for i in `find . -name "*.exe" -print`
do
echo "Signing $i"
- echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
- /home/yubihsm/osslsigncode/osslsigncode \
- -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
- -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
- -pass "'$YUBIPASS'" \
- -h sha256 \
- -certs /home/yubihsm/tpo-cert.crt \
- -key 1c40 \
- "$cwd/$i" "$tmpdir/$i" \
- | sudo su - yubihsm
- mv -vf "$tmpdir/$i" "$cwd/$i"
+ sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+ "$YUBIPASS" \
+ "$cwd/$i"
+ cp /home/signing-win/last-signed-file.exe "$cwd/$i"
done
unset YUBIPASS
-rmdir "$tmpdir"
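Review bot: `"$YUBIPASS"` is now a command-line argument to sudo, so the HSM passphrase is visible in the process list to every local user for the lifetime of the wrapper and of osslsigncode; the gpg and mar callers in this same change pipe their secret on stdin, and this one should too. The `cp /home/signing-win/last-signed-file.exe "$cwd/$i"` step also relies on `$cwd/$i` being readable by signing-win through the builder's home directory; nothing in setup-signing-machine sets that mode, so an explicit check before the loop, or a comment, is warranted.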
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
do
if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
rm -f "$i.asc"
fi
echo "Signing $i"
- echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+ i="$currentdir/$i"
+ tmpsig=$(mktemp)
+ echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+ mv -f "$tmpsig" "${i}.asc"
done
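Review bot: `tmpsig=$(mktemp)` creates the file with mode 0600 and `mv -f "$tmpsig" "${i}.asc"` keeps that mode, whereas the old in-place `gpg -absu` wrote the .asc under the umask default; unless a later step chmods the signatures, the published .asc files are now owner-only readable and the sync step may fail or ship unreadable files. A `chmod 644 "$tmpsig"` before the mv fixes it. When the wrapper fails, `set -e` stops the loop but `$tmpsig` is left behind in /tmp; a trap or an explicit rm on failure would tidy that.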
=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
#!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
set -e
set -u
@@ -10,38 +6,15 @@ set -u
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
-if [ -z "${NSS_DB_DIR+x}" ]; then
- if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
- NSS_DB_DIR=/home/boklm/marsigning/nssdb7
- fi
- if test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
- NSS_DB_DIR=/home/boklm/marsigning/mullvad-browser-nssdb-1
- fi
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
- NSS_CERTNAME=marsigner
-fi
-
export LC_ALL=C
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
- >&2 echo "Please create and populate the $NSS_DB_DIR directory"
- exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 3
fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
# Prompt for the NSS password.
# TODO: Test that the entered NSS password is correct. But how? Unfortunately,
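Review bot: after this change the script no longer runs signmar itself (sign-mar does, as signing-mar, and sets LD_LIBRARY_PATH and PATH on its own), yet it still requires /home/signing-mar/mar-tools and exports the same two variables. If another tool from mar-tools is still used further down (for verification, say), a comment naming it would justify the block; otherwise the check and exports are dead code that also hardcodes a path inside another account's home.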
@@ -70,9 +43,8 @@ for marfile in *.mar; do
continue;
fi
- echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
- "$marfile" tmp.mar
- mv -f tmp.mar "$marfile"
+ echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+ cp /home/signing-mar/last-signed-mar.mar "$marfile"
COUNT=$((COUNT + 1))
echo "Signed MAR file $COUNT ($marfile)"
done
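Review bot: the round trip through the fixed path /home/signing-mar/last-signed-mar.mar means two concurrent signing runs (the `signing` group has several members, and torbrowser and mullvadbrowser releases can overlap) would silently swap outputs: run A copies back whatever run B wrote last. Either serialize with a lock taken inside the wrapper (flock on a file in signing-mar's home) or have the wrapper write to a per-caller name it reports back. The same applies to last-signed-file.exe in the authenticode path.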
=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+ echo 'This script should be run as the build-pkgs user' >&2
+ exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
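Review bot: the early `exit 0` when `$destdir` already exists means a version bump in projects/yubihsm-shell/config never rebuilds the packages: setup-signing-machine keeps installing the old .deb set, or fails to find the new filenames. Keying the check on the rbm output filename, which embeds version and build_id, instead of on the directory would make the script both idempotent and version-aware; `mkdir -p $(dirname $destdir)` near the end also wants quotes for consistency with the rest of the file.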
=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
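Review bot: the idProduct list on both lines is Yubico's YubiKey set (0010, 0110, ..., 0410); the YubiHSM 2 that `connector = yhusb://` talks to is a separate device with its own product id (Yubico's own 70-yubihsm2.rules matches idProduct 0030 for it), which is not in this list. Worth confirming with lsusb on the signing machine that the HSM's device node actually ends up with GROUP="yubihsm"; otherwise signing-win, whose only route to the HSM is that group, cannot open it and the PKCS#11 module fails with a permission error rather than a clear message.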
=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug
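Review bot: `connector = yhusb://` decides which HSM the PKCS#11 module opens, and sign-exe points YUBIHSM_PKCS11_CONF at this file under /signing, which setup-signing-machine chowns to the unprivileged `setup` account; anyone who can write there can change which connector the signing process talks to without touching anything root-owned. Installing the file to a root-owned path under /etc, as the directory name already suggests, keeps that setting out of reach of the upload path.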
=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
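Review bot: the `exit 0` when `$destdir` exists means a change to osslsigncode's pinned git_hash or patches on the builder is never picked up on the signing machine; since `osslscbuild` already embeds version and build_id, comparing that filename against a marker written at the end of a successful build, instead of testing the directory, would rebuild exactly when needed. The `tar xf /signing/tor-browser-build.tar` into signing-win's home also overwrites but never cleans a stale tree from a previous run.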
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+ user="$1"
+ groups="$2"
+ id "$user" > /dev/null 2>&1 && return 0
+ test -n "$groups" && groups="--groups $groups"
+ useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+ group="$1"
+ getent group "$group" > /dev/null 2>&1 && return 0
+ groupadd "$group"
+}
+
+function authorized_keys {
+ user="$1"
+ shift
+ tmpfile=$(mktemp)
+ for file in "$@"; do
+ cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+ done
+ sshdir="/home/$user/.ssh"
+ authkeysfile="$sshdir/authorized_keys"
+ if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+ rm "$tmpfile"
+ return 0
+ fi
+ echo "Update authorized_keys for user $user"
+ if ! test -d "$sshdir"; then
+ mkdir "$sshdir"
+ chmod 700 "$sshdir"
+ chown $user:$user "$sshdir"
+ fi
+ mv "$tmpfile" "$authkeysfile"
+ chown $user:$user "$authkeysfile"
+ chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+ sfile="$1"
+ cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+ chown root:root "/etc/sudoers.d/$sfile"
+ chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+ udevrule="$1"
+ rulepath="/etc/udev/rules.d/$udevrule"
+ if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+ cp "$script_dir$rulepath" "$rulepath"
+ udevadm control --reload-rules
+ fi
+}
+
+function install_packages {
+ for pkg in "$@"
+ do
+ dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+ apt-get install -y "$pkg"
+ done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+ libio-handle-util-perl libio-all-perl \
+ libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+ libstring-shellquote-perl libsort-versions-perl \
+ libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+ libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+ yubishm_version=2.4.0
+ sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+ pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+ apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+ ./libyubihsm1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+ popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+ tmpdir=$(mktemp -d)
+ unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+ chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+ chmod go+rX "$tmpdir/mar-tools"/*
+ mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
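Review bot: `sudoers_file` copies into /etc/sudoers.d without validating; a syntax error in one of the three files breaks sudo for every account on the host, so run `visudo -cf "$script_dir/sudoers.d/$sfile"` before the cp. `yubishm_version=2.4.0` (note the typo in the variable name) duplicates `version: 2.4.0` from projects/yubihsm-shell/config and will drift; reading it from the same config, or having build-yubihsm-shell-pkg record the filenames it produced, removes the second copy. Two smaller points: `create_user` returns early when the user exists, so group membership (signing for richard, yubihsm for signing-win) is never reconciled on an already provisioned machine, and `authorized_keys boklm ...` assumes boklm exists since there is no matching create_user.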
=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 user@tb-release
=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 boklm-yk1
=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+ ./rbm/rbm tar osslsigncode
+ echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+ ./rbm/rbm build --step fetch_martools mar-tools
+ echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+ ./rbm/rbm build yubihsm-shell --step fetch_src
+ echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
=====================================
tools/signing/set-config
=====================================
@@ -18,6 +18,8 @@ test "$SIGNING_PROJECTNAME" = 'torbrowser' \
|| test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \
|| exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME"
+export SIGNING_PROJECTNAME
+
test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
. "$script_dir/set-config.tbb-version"
@@ -36,3 +38,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+ echo "File $tpo_cert is missing" >&2
+ exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+ -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+ -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+ -pass "$yubipass" \
+ -h sha256 \
+ -certs "$tpo_cert" \
+ -key 1c40 \
+ "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+ echo 'This script should be run as the signing-gpg user' >&2
+ exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+ echo 'This script should be run as the signing-mar user' >&2
+ exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+ echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+ exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+ echo "$NSS_DB_DIR is missing" >&2
+ exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…
[Git][tpo/applications/tor-browser-build][maint-12.0] 3 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts
by Richard Pospesel (@richard) 09 May '23
Richard Pospesel pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build
Commits:
24c07ab6 by Nicolas Vigier at 2023-04-20T16:58:30+02:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - -
985f768a by Nicolas Vigier at 2023-04-20T16:58:32+02:00
Bug 40841: Set SIGNING_PROJECTNAME=torbrowser in signing scripts
For compatibility with signing scripts on the main branch.
- - - - -
43f474b4 by Nicolas Vigier at 2023-04-20T16:58:33+02:00
Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar
Changes:
=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+ use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+ - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+ sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+ fetch_martools:
+ fetch_martools: |
+ #!/bin/bash
+ echo ok
=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
# vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
input_files:
- filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- filename: timestamping.patch
+ - filename: '[% c("var/srcfile") %]'
+ enable: '[% c("var/no-git") %]'
+
+targets:
+ no-git:
+ git_url: ''
+ var:
+ no-git: 1
+ srcfile: '[% project %]-[% c("version") %].tar.gz'
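Review bot: the `no-git` target's input `'[% c("var/srcfile") %]'` carries no `sha256sum`, unlike the mar-tools and yubihsm-shell inputs elsewhere in this patch, so the osslsigncode source tarball is the one upload whose integrity on the signing machine rests entirely on the rsync/ssh transfer and on `/signing` being writable only by `setup`. Either print the checksum of the tarball that `rbm tar` produced and check it on the machine, or state in a comment next to the entry that this file is trusted by construction.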
=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
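Review bot: `mv ../*.deb "$distdir"` collects every .deb in the parent directory, not only the ones this `dpkg-buildpackage` run produced, so a reused build directory would ship stale packages; restrict the move to the expected package names (the four that setup-signing-machine installs) or assert the parent directory holds no .deb before building. Nothing in the hunk checks the `dpkg-buildpackage` exit status unless `var/set_default_env` enables `set -e`, which is worth confirming.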
=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+ use_container: 0
+var:
+ src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+ - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+ sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+ fetch_src:
+ fetch_src: |
+ #!/bin/bash
+ echo ok
=====================================
rbm.conf
=====================================
@@ -84,7 +84,7 @@ var:
build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
build_id_txt: |
[% c("version") %]
- [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+ [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
[% IF c("container/use_container") && ! c("container/global_disable") -%]
[% c("var/container/suite") %]
[% c("var/container/arch") %]
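Review bot: the condition change drops `abbrev` from `build_id_txt` whenever `git_url`/`hg_url` is empty, which is what makes the osslsigncode `no-git` target buildable from a tarball, but build_id then depends only on `version` and the container fields; that stays unique only because the osslsigncode config in this same patch derives `version` from `git_hash`. A one-line comment next to the condition recording that coupling would keep the next project that adds a `no-git` target from getting colliding build ids.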
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
test -f "$steps_dir/linux-signer-signmars.done" ||
read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
- read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
read -sp "Enter gpg passphrase: " GPG_PASS
echo
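Review bot: the remaining prompt `Enter nssdb7 (mar signing) passphrase:` names a specific database, while the database is now chosen by the sign-mar wrapper from `SIGNING_PROJECTNAME` (torbrowser-nssdb7 or mullvadbrowser-nssdb-1); reword it to something like `Enter MAR signing NSS passphrase:` so the prompt does not go stale.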
@@ -193,10 +193,10 @@ do_step dmg2mar
do_step sync-scripts-to-linux-signer
do_step linux-signer-signmars
do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
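Review bot: the four commented-out `do_step` lines (and the commented-out YUBIPASS prompt above) carry no marker saying why they are disabled; prefix them with a comment referencing Bug 40846 so the temporary disable is findable when Windows signing is re-enabled, and so it is understood that `hash_signed_bundles` and `linux-signer-gpg-sign` meanwhile run over unsigned .exe files.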
=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$tbb_version"
test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
echo
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
cwd=$(pwd)
for i in `find . -name "*.exe" -print`
do
echo "Signing $i"
- echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
- /home/yubihsm/osslsigncode/osslsigncode \
- -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
- -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
- -pass "'$YUBIPASS'" \
- -h sha256 \
- -certs /home/yubihsm/tpo-cert.crt \
- -key 1c40 \
- "$cwd/$i" "$tmpdir/$i" \
- | sudo su - yubihsm
- mv -vf "$tmpdir/$i" "$cwd/$i"
+ sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+ "$YUBIPASS" \
+ "$cwd/$i"
+ cp /home/signing-win/last-signed-file.exe "$cwd/$i"
done
unset YUBIPASS
-rmdir "$tmpdir"
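Review bot: `cp /home/signing-win/last-signed-file.exe "$cwd/$i"` runs regardless of how the `sudo -u signing-win` call ended unless this script runs under `set -e` (not visible in the hunk), and the wrapper only clears its fixed output path after its argument and user checks, so a wrapper that bails out early leaves the previous exe there to be copied over the current `$i`. Check the sudo exit status explicitly before the cp, and consider restoring the old `mv` semantics so no signed copy lingers in signing-win's home between runs.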
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
cd ~/"$tbb_version"
test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
do
if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
rm -f "$i.asc"
fi
echo "Signing $i"
- echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+ i="$currentdir/$i"
+ tmpsig=$(mktemp)
+ echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+ mv -f "$tmpsig" "${i}.asc"
done
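Review bot: `tmpsig=$(mktemp)` creates the file with mode 0600 and `mv -f` preserves that, so the `.asc` files now land 0600 instead of the umask-derived mode the old direct `gpg -absu ...` invocation produced; anything that later syncs or serves the signed tree must be able to read them, so add a `chmod 644` after the mv (or create the temp file inside the target directory). Also, if the wrapper fails, `$tmpsig` is left empty and the mv still installs an empty `.asc` unless the script runs under `set -e`; check the pipeline status before the mv.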
=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
#!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
set -e
set -u
@@ -10,33 +6,15 @@ set -u
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
-if [ -z "${NSS_DB_DIR+x}" ]; then
- NSS_DB_DIR=/home/boklm/marsigning/nssdb7
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
- NSS_CERTNAME=marsigner
-fi
-
export LC_ALL=C
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
- >&2 echo "Please create and populate the $NSS_DB_DIR directory"
- exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 3
fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
# Prompt for the NSS password.
# TODO: Test that the entered NSS password is correct. But how? Unfortunately,
@@ -65,9 +43,8 @@ for marfile in *.mar; do
continue;
fi
- echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
- "$marfile" tmp.mar
- mv -f tmp.mar "$marfile"
+ echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+ cp /home/signing-mar/last-signed-mar.mar "$marfile"
COUNT=$((COUNT + 1))
echo "Signed MAR file $COUNT ($marfile)"
done
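Review bot: `$marfile` is handed to the wrapper as a relative name, which only works because `sudo` keeps the caller's working directory and `signing-mar` can traverse into the signing user's `~/$tbb_version`; the gpg script in this same patch converts to an absolute path via `$currentdir`, so do the same here, and record the directory-permission requirement in the machine setup. This script does run under `set -e`, so the `cp /home/signing-mar/last-signed-mar.mar "$marfile"` is skipped on failure, but the signed copy left behind in signing-mar's home could be removed after the cp.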
=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+ echo 'This script should be run as the build-pkgs user' >&2
+ exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
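Review bot: the early `exit 0` when `$destdir` already exists means a version bump in projects/yubihsm-shell/config is silently ignored on a machine that already built 2.4.0; compare against the built filename (from `rbm showconf yubihsm-shell filename`) rather than the directory alone, or at least print that `$destdir` must be removed to rebuild. Minor: `mkdir -p $(dirname $destdir)` should be quoted as `mkdir -p "$(dirname "$destdir")"`.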
=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug
=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
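Review bot: `chmod -R 755 /home/signing-win/osslsigncode` marks every extracted file executable, not only `bin/osslsigncode`; `chmod -R a+rX` keeps the tarball's execute bits while still making the tree readable. The same version-bump caveat as in build-yubihsm-shell-pkg applies: the `exit 0` on an existing `$destdir` means a changed osslsigncode `git_hash` is never rebuilt until someone removes the directory by hand.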
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+ user="$1"
+ groups="$2"
+ id "$user" > /dev/null 2>&1 && return 0
+ test -n "$groups" && groups="--groups $groups"
+ useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+ group="$1"
+ getent group "$group" > /dev/null 2>&1 && return 0
+ groupadd "$group"
+}
+
+function authorized_keys {
+ user="$1"
+ shift
+ tmpfile=$(mktemp)
+ for file in "$@"; do
+ cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+ done
+ sshdir="/home/$user/.ssh"
+ authkeysfile="$sshdir/authorized_keys"
+ if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+ rm "$tmpfile"
+ return 0
+ fi
+ echo "Update authorized_keys for user $user"
+ if ! test -d "$sshdir"; then
+ mkdir "$sshdir"
+ chmod 700 "$sshdir"
+ chown $user:$user "$sshdir"
+ fi
+ mv "$tmpfile" "$authkeysfile"
+ chown $user:$user "$authkeysfile"
+ chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+ sfile="$1"
+ cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+ chown root:root "/etc/sudoers.d/$sfile"
+ chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+ udevrule="$1"
+ rulepath="/etc/udev/rules.d/$udevrule"
+ if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+ cp "$script_dir$rulepath" "$rulepath"
+ udevadm control --reload-rules
+ fi
+}
+
+function install_packages {
+ for pkg in "$@"
+ do
+ dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+ apt-get install -y "$pkg"
+ done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+ libio-handle-util-perl libio-all-perl \
+ libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+ libstring-shellquote-perl libsort-versions-perl \
+ libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+ libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+ yubishm_version=2.4.0
+ sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+ pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+ apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+ ./libyubihsm1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+ popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+ tmpdir=$(mktemp -d)
+ unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+ chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+ chmod go+rX "$tmpdir/mar-tools"/*
+ mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
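Review bot: `authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub` is the only account in the script with no preceding `create_user boklm`; on a fresh machine `mkdir "$sshdir"` and `chown boklm:boklm` fail (and abort the setup under `set -e`) unless that account is created out of band, so add `create_user boklm signing` or document the precondition. Two smaller points: `sudoers_file` copies into /etc/sudoers.d without validation, and a parse error there makes every `sudo` on the box fail, so run `visudo -cf "$script_dir/sudoers.d/$sfile"` before the cp; and `yubishm_version=2.4.0` (typo aside) duplicates the version pinned in projects/yubihsm-shell/config, from which it could be derived instead.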
=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user@tb-release
=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 boklm-yk1
=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
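Review bot: the NOPASSWD rule points at `/signing/tor-browser-build/tools/signing/wrappers/sign-exe`, and `/signing` is created `chown setup` by setup-signing-machine and refreshed by an unprivileged `tar -xf` over ssh, so whoever holds the `setup` key can replace the script that runs as signing-win (and, through `sudo -- /signing/.../setup-signing-machine`, what runs as root). That is a deliberate single trust boundary, but it should be written down, and setup could copy the wrappers to a root-owned location so the sudoers targets are not writable by `setup`. The same applies to the sign-gpg and sign-mar files below.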
=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+ ./rbm/rbm tar osslsigncode
+ echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+ ./rbm/rbm build --step fetch_martools mar-tools
+ echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+ ./rbm/rbm build yubihsm-shell --step fetch_src
+ echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
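Review bot: `tmpdir=$(mktemp -d)` is never removed, so every upload leaves a full `tor-browser-build.tar` and `rbm.tar` in /tmp; add `trap 'rm -rf "$tmpdir"' EXIT` right after creating it. Also quote `$signing_dir` in the final `ssh ... tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar` for consistency with the rsync lines, and since `git archive HEAD` means local uncommitted edits to the signing scripts never reach the machine, echo the archived commit id so the operator can see what was uploaded.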
=====================================
tools/signing/set-config
=====================================
@@ -2,6 +2,7 @@
. "$script_dir/set-config.hosts"
bundle_locales="ALL"
+export SIGNING_PROJECTNAME=torbrowser
signed_dir="$script_dir/../../$tbb_version_type/signed"
signed_version_dir="$signed_dir/$tbb_version"
@@ -15,3 +16,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+ echo "File $tpo_cert is missing" >&2
+ exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+ -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+ -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+ -pass "$yubipass" \
+ -h sha256 \
+ -certs "$tpo_cert" \
+ -key 1c40 \
+ "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
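Review bot: `yubipass="$1"` takes the YubiHSM password as a command-line argument, so it is visible in `/proc/*/cmdline` to every local user while the wrapper and osslsigncode run, and sudo's default command logging writes it to the auth log; sign-gpg and sign-mar in this same patch read their secret from stdin, so do the same here and hand it to osslsigncode through a file with `-readpass <file>` rather than `-pass`. Also `exit 2` is reused for both the wrong-user and the missing-certificate case.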
=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+ echo 'This script should be run as the signing-gpg user' >&2
+ exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
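Review bot: the `gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0` invocation is carried over verbatim from the old host; with GnuPG 2.1 and later `--passphrase-fd` is only honoured together with `--pinentry-mode loopback`, so confirm which version the setup script's `gnupg` package installs and add the option if needed. Also the sudoers file keeps `SIGNING_PROJECTNAME` for this wrapper but nothing here consults it: the key is hard-coded, so a `mullvadbrowser` run would sign with the Tor Browser key, unlike sign-mar which selects its database by project.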
=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+ echo 'This script should be run as the signing-mar user' >&2
+ exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+ echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+ exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+ echo "$NSS_DB_DIR is missing" >&2
+ exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
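Review bot: the `else` branch's `echo "Unknown SIGNING_PROJECTNAME: ..."` goes to stdout while every other error in the wrapper goes to stderr, and its `exit 3` is shared with the missing-database case; send it to `>&2` and give it its own code. Since the script has `set -e` but not `set -u`, an unset `SIGNING_PROJECTNAME` (for instance if the sudoers `env_keep` line is missing) lands in that branch with an empty value, which is the right outcome but deserves a comment. Finally, `signmar` consumes the NSS passphrase that the caller pipes into the wrapper's stdin; nothing in the hunk says so, and a comment would help the next reader.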
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…
You're receiving this email because of your account on gitlab.torproject.org.
[Git][tpo/applications/tor-browser][tor-browser-102.11.0esr-12.5-1] fixup! Bug 41600: Add a tor circuit display panel.
by Richard Pospesel (@richard) 09 May '23
Richard Pospesel pushed to branch tor-browser-102.11.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
9f9de549 by Henry Wilkes at 2023-05-09T14:54:55+01:00
fixup! Bug 41600: Add a tor circuit display panel.
Bug 41770 - Stop blocking event propagation of keydown events that we do
not handle. This lets the arrow key events pass on to
ToolbarKeyboardNavigator.
- - - - -
1 changed file:
- browser/components/torcircuit/content/torCircuitPanel.js
Changes:
=====================================
browser/components/torcircuit/content/torCircuitPanel.js
=====================================
@@ -221,10 +221,10 @@ var gTorCircuitPanel = {
// rather than a <html:button>, or <xul:toolbarbutton>, so we need to set up
// listeners for both "click" and "keydown", and not for "command".
this.toolbarButton.addEventListener("keydown", event => {
- event.stopPropagation();
if (event.key !== "Enter" && event.key !== " ") {
return;
}
+ event.stopPropagation();
this.show();
});
this.toolbarButton.addEventListener("click", event => {
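Review bot: moving `event.stopPropagation()` below the Enter/Space check is the right fix for letting arrow keys reach ToolbarKeyboardNavigator, but the comment block above the listener still only explains why both "click" and "keydown" are handled; extend it with one line saying propagation is stopped only for the keys this panel consumes (Bug 41770), so the ordering is not "tidied" back to the old form later.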
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/9f9de54…
You're receiving this email because of your account on gitlab.torproject.org.
[Git][tpo/applications/tor-browser] Pushed new tag base-browser-102.11.0esr-12.5-1-build1
by Pier Angelo Vendrame (@pierov) 09 May '23
Pier Angelo Vendrame pushed new tag base-browser-102.11.0esr-12.5-1-build1 at The Tor Project / Applications / Tor Browser
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/base-brow…
You're receiving this email because of your account on gitlab.torproject.org.