tor-commits
June 2023
- 2 participants
- 160 discussions

[torspec] branch main updated: update 343-rend-caa to include guidance on the non mandatory state of CAA
by gitolite role 13 Jun '23
This is an automated email from the git hooks/post-receive script.
dgoulet pushed a commit to branch main
in repository torspec.
The following commit(s) were added to refs/heads/main by this push:
new 67f8481 update 343-rend-caa to include guidance on the non mandatory state of CAA
new 4a14d01 Merge branch 'tor-gitlab/mr/139'
67f8481 is described below
commit 67f8481596b010c58c406ee5c5631202a59bfc6f
Author: Q <q(a)misell.cymru>
AuthorDate: Tue Jun 6 23:27:36 2023 +0200
update 343-rend-caa to include guidance on the non mandatory state of CAA
---
proposals/343-rend-caa.txt | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/proposals/343-rend-caa.txt b/proposals/343-rend-caa.txt
index f5d449f..0859690 100644
--- a/proposals/343-rend-caa.txt
+++ b/proposals/343-rend-caa.txt
@@ -3,6 +3,7 @@ Title: CAA Extensions for the Tor Rendezvous Specification
Author: Q Misell <q(a)as207960.net>
Created: 2023-04-25
Status: Open
+Ticket: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/716
Overview:
The document defines extensions to the Tor Rendezvous Specification Hidden
@@ -22,8 +23,11 @@ Motivation:
As Tor hidden service domains are not in the DNS another way to provide the
same security benefits as CAA does in the DNS needed to be devised.
+ It is important to note that a hidden service is not required to publish a CAA
+ record to obtain a certificate, as is the case in the DNS.
+
More information about this project in general can be found at
- https://e.as207960.net/w4bdyj/Gm2AylEF
+ https://acmeforonions.org.
Specification:
To enable maximal code re-use in CA codebases the same CAA record format is
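Review bot: In the sentence added to Motivation, the trailing clause "as is the case in the DNS" is ambiguous: it can be read as saying that the DNS does require a CAA record. Suggest leading with the comparison, e.g. "As in the DNS, a hidden service is not required to publish a CAA record to obtain a certificate."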
@@ -62,10 +66,10 @@ Specification:
[At most once]
Security Considerations:
- The second layer descriptor is signed and MACed in a way that only a party
- with access to the secret key of the hidden service could manipulate what is
- published there. Therefore, Tor CAA records have at least the same security as
- those in the DNS secured by DNSSEC.
+ The second layer descriptor is signed, encrypted and MACed in a way that only
+ a party with access to the secret key of the hidden service could manipulate
+ what is published there. Therefore, Tor CAA records have at least the same
+ security as those in the DNS secured by DNSSEC.
The "caa-critical" flag is visible to anyone with knowledge of the hidden
service's public key, however it reveals no information that could be used to
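Review bot: In the Security Considerations paragraph, inserting "encrypted" into "signed, encrypted and MACed" puts a confidentiality mechanism into a sentence whose claim is about who can manipulate the record. Encryption does not by itself prevent modification; consider attributing the integrity claim to the signature and MAC and mentioning the encryption separately, so the DNSSEC comparison that follows rests on the right properties.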
@@ -104,4 +108,4 @@ References:
[tor-rend-spec-v3]
The Tor Project, "Tor Rendezvous Specification - Version 3",
- <https://spec.torproject.org/rend-spec-v3>.
+ <https://spec.torproject.org/rend-spec-v3>.
\ No newline at end of file
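Review bot: In the References hunk the new last line is followed by "\ No newline at end of file", so the proposal now ends without a trailing newline. Add the final newline so that later appends to the file produce clean diffs.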
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.

[torspec] branch main updated: Describe the behavior of our HSv3 crypto layers.
by gitolite role 13 Jun '23
This is an automated email from the git hooks/post-receive script.
dgoulet pushed a commit to branch main
in repository torspec.
The following commit(s) were added to refs/heads/main by this push:
new b345ca0 Describe the behavior of our HSv3 crypto layers.
b345ca0 is described below
commit b345ca044131b2eb18e6ae0d5f23643a92aeff34
Author: Nick Mathewson <nickm(a)torproject.org>
AuthorDate: Tue Jun 13 11:15:47 2023 -0400
Describe the behavior of our HSv3 crypto layers.
These layers use SHA3 instead of SHA1 and AES256 instead of AES128.
Their SENDME tags are made with SHA3 too, but they are truncated to
20 bytes.
Closes #204.
---
rend-spec-v3.txt | 3 ++-
tor-spec.txt | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index 53880db..062b3d7 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -2080,7 +2080,8 @@ Table of contents:
The hidden service host now also knows the keys generated by the
handshake, which it will use to encrypt and authenticate data
end-to-end between the client and the server. These keys are as
- computed in tor-spec.txt section 5.1.4.
+ computed in tor-spec.txt section 5.1.4, except that instead of using
+ AES-128 and SHA1 for this hop, we use AES-256 and SHA3-256.
3.4. Authentication during the introduction phase. [INTRO-AUTH]
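Review bot: The sentence added to rend-spec-v3.txt names the substituted algorithms but not the sizes that follow from them. Section 5.1.4 is written for AES-128 and SHA1, so a reader has to infer how much key material is derived for this hop (an AES-256 key is 32 bytes, not 16); suggest stating the key and digest lengths here, or pointing to where they are defined.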
diff --git a/tor-spec.txt b/tor-spec.txt
index 72a3f19..8ab16d8 100644
--- a/tor-spec.txt
+++ b/tor-spec.txt
@@ -2175,6 +2175,11 @@ see tor-design.pdf.
matched on the other side from the previous cell sent that the OR/OP
must remember.
+ (Note that if the digest in use has an output length greater than 20
+ bytes—as is the case for the hop of an onion service rendezvous
+ circuit created by the hs_ntor handshake—we truncate the digest
+ to 20 bytes here.)
+
If the VERSION is unrecognized or below the minimum accepted version (taken
from the consensus), the circuit should be torn down.
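Review bot: The parenthetical added to tor-spec.txt says the digest is truncated to 20 bytes but not which 20 bytes are kept. State that explicitly, since two implementations that truncate differently will never match each other's SENDME digests.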

[Git][tpo/applications/tor-browser][tor-browser-102.12.0esr-13.0-1] fixup! Bug 21952: Implement Onion-Location
by Pier Angelo Vendrame (@pierov) 13 Jun '23
Pier Angelo Vendrame pushed to branch tor-browser-102.12.0esr-13.0-1 at The Tor Project / Applications / Tor Browser
Commits:
9b41c038 by Pier Angelo Vendrame at 2023-06-13T10:10:05+02:00
fixup! Bug 21952: Implement Onion-Location
Bug 41841: Use the new onion-site.svg icon in the onion-location pill
- - - - -
3 changed files:
- browser/components/onionservices/content/onionlocation.css
- − browser/components/onionservices/content/onionlocation.svg
- browser/components/onionservices/jar.mn
Changes:
=====================================
browser/components/onionservices/content/onionlocation.css
=====================================
@@ -1,7 +1,7 @@
/* Copyright (c) 2020, The Tor Project, Inc. */
#onion-location-button {
- list-style-image: url(chrome://browser/content/onionservices/onionlocation.svg);
+ list-style-image: url(chrome://browser/skin/onion-site.svg);
-moz-context-properties: fill;
fill: currentColor;
}
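Review bot: In the #onion-location-button rule, -moz-context-properties: fill and fill: currentColor are kept while the image now points at chrome://browser/skin/onion-site.svg, a file this diff does not show. Worth confirming that the new icon uses context-fill as the deleted onionlocation.svg did, otherwise the pill icon will stop following the button's text colour.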
=====================================
browser/components/onionservices/content/onionlocation.svg deleted
=====================================
@@ -1,3 +0,0 @@
-<svg width="16" height="16" viewBox="0 0 16 16" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
- <path fill="context-fill" fill-opacity="context-fill-opacity" d="m8.016411 14.54499v-0.969784c3.071908-0.0089 5.559239-2.501304 5.559239-5.575429 0-3.073903-2.487331-5.566336-5.559239-5.575206v-0.9697843c3.607473 0.00909 6.528802 2.935521 6.528802 6.544991 0 3.609691-2.921329 6.536342-6.528802 6.545213zm0-3.394356c1.732661-0.0091 3.135111-1.415756 3.135111-3.150857 0-1.734878-1.402451-3.141542-3.135111-3.150634v-0.9695626c2.268448 0.00887 4.104895 1.849753 4.104895 4.120197 0 2.270666-1.836447 4.111549-4.104895 4.120419zm0-4.846926c0.9294227 0.00887 1.680545 0.7644289 1.680545 1.696069 0 0.9318627-0.7511226 1.687421-1.680545 1.696291zm-8.016411 1.696069c0 4.418473 3.581527 8.000222 8 8.000222 4.418251 0 8-3.581749 8-8.000222 0-4.418251-3.581749-7.999778-8-7.999778-4.418473 0-8 3.581527-8 7.999778z" />
-</svg>
\ No newline at end of file
=====================================
browser/components/onionservices/jar.mn
=====================================
@@ -8,5 +8,4 @@ browser.jar:
content/browser/onionservices/savedKeysDialog.js (content/savedKeysDialog.js)
content/browser/onionservices/savedKeysDialog.xhtml (content/savedKeysDialog.xhtml)
content/browser/onionservices/onionlocationPreferences.js (content/onionlocationPreferences.js)
- content/browser/onionservices/onionlocation.svg (content/onionlocation.svg)
skin/classic/browser/onionlocation.css (content/onionlocation.css)
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/9b41c03…
--
You're receiving this email because of your account on gitlab.torproject.org.

[Git][tpo/applications/tor-browser][tor-browser-102.12.0esr-12.5-1] fixup! Bug 21952: Implement Onion-Location
by ma1 (@ma1) 13 Jun '23
ma1 pushed to branch tor-browser-102.12.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
5a49e443 by Pier Angelo Vendrame at 2023-06-13T09:08:07+02:00
fixup! Bug 21952: Implement Onion-Location
Bug 41841: Use the new onion-site.svg icon in the onion-location pill
- - - - -
3 changed files:
- browser/components/onionservices/content/onionlocation.css
- − browser/components/onionservices/content/onionlocation.svg
- browser/components/onionservices/jar.mn
Changes:
=====================================
browser/components/onionservices/content/onionlocation.css
=====================================
@@ -1,7 +1,7 @@
/* Copyright (c) 2020, The Tor Project, Inc. */
#onion-location-button {
- list-style-image: url(chrome://browser/content/onionservices/onionlocation.svg);
+ list-style-image: url(chrome://browser/skin/onion-site.svg);
-moz-context-properties: fill;
fill: currentColor;
}
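Review bot: On this branch the stylesheet now depends on chrome://browser/skin/onion-site.svg, but the three changed files only remove the old icon and its jar.mn entry. Please confirm that the commit adding and registering onion-site.svg is already on tor-browser-102.12.0esr-12.5-1, since a missing asset would leave the pill without an icon.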
=====================================
browser/components/onionservices/content/onionlocation.svg deleted
=====================================
@@ -1,3 +0,0 @@
-<svg width="16" height="16" viewBox="0 0 16 16" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
- <path fill="context-fill" fill-opacity="context-fill-opacity" d="m8.016411 14.54499v-0.969784c3.071908-0.0089 5.559239-2.501304 5.559239-5.575429 0-3.073903-2.487331-5.566336-5.559239-5.575206v-0.9697843c3.607473 0.00909 6.528802 2.935521 6.528802 6.544991 0 3.609691-2.921329 6.536342-6.528802 6.545213zm0-3.394356c1.732661-0.0091 3.135111-1.415756 3.135111-3.150857 0-1.734878-1.402451-3.141542-3.135111-3.150634v-0.9695626c2.268448 0.00887 4.104895 1.849753 4.104895 4.120197 0 2.270666-1.836447 4.111549-4.104895 4.120419zm0-4.846926c0.9294227 0.00887 1.680545 0.7644289 1.680545 1.696069 0 0.9318627-0.7511226 1.687421-1.680545 1.696291zm-8.016411 1.696069c0 4.418473 3.581527 8.000222 8 8.000222 4.418251 0 8-3.581749 8-8.000222 0-4.418251-3.581749-7.999778-8-7.999778-4.418473 0-8 3.581527-8 7.999778z" />
-</svg>
\ No newline at end of file
=====================================
browser/components/onionservices/jar.mn
=====================================
@@ -8,5 +8,4 @@ browser.jar:
content/browser/onionservices/savedKeysDialog.js (content/savedKeysDialog.js)
content/browser/onionservices/savedKeysDialog.xhtml (content/savedKeysDialog.xhtml)
content/browser/onionservices/onionlocationPreferences.js (content/onionlocationPreferences.js)
- content/browser/onionservices/onionlocation.svg (content/onionlocation.svg)
skin/classic/browser/onionlocation.css (content/onionlocation.css)
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/5a49e44…

[Git][tpo/applications/tor-browser][tor-browser-102.12.0esr-13.0-1] 2 commits: fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
by Pier Angelo Vendrame (@pierov) 13 Jun '23
Pier Angelo Vendrame pushed to branch tor-browser-102.12.0esr-13.0-1 at The Tor Project / Applications / Tor Browser
Commits:
7fc2a294 by Henry Wilkes at 2023-06-13T08:25:26+02:00
fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
Bug 41826 - Tweak tor connect status styling in titlebar and connection
preferences.
- - - - -
45cbbcf8 by Henry Wilkes at 2023-06-13T08:25:41+02:00
fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection
Bug 41826 - Tweak tor connect status styling in titlebar and connection
preferences.
- - - - -
7 changed files:
- browser/base/content/navigator-toolbox.inc.xhtml
- browser/components/torconnect/content/aboutTorConnect.css
- browser/components/torconnect/content/tor-connect-broken.svg
- browser/components/torconnect/content/tor-not-connected-to-connected-animated.svg
- browser/components/torconnect/content/torConnectTitlebarStatus.css
- browser/components/torconnect/content/torConnectTitlebarStatus.js
- browser/components/torpreferences/content/torPreferences.css
Changes:
=====================================
browser/base/content/navigator-toolbox.inc.xhtml
=====================================
@@ -94,8 +94,7 @@
<hbox class="private-browsing-indicator"/>
<html:div id="tor-connect-titlebar-status" role="status">
- <html:img id="tor-connect-titlebar-status-icon"
- alt=""
+ <html:img alt=""
src="chrome://browser/content/torconnect/tor-not-connected-to-connected-animated.svg" />
<html:span id="tor-connect-titlebar-status-label"></html:span>
</html:div>
=====================================
browser/components/torconnect/content/aboutTorConnect.css
=====================================
@@ -70,8 +70,9 @@ input[type="checkbox"]:focus, select:focus {
display: inline list-item;
height: 16px;
list-style-position: inside;
+ -moz-context-properties: fill, stroke;
fill: currentColor;
- -moz-context-properties: fill;
+ stroke: currentColor;
}
.breadcrumb-item.active {
@@ -315,6 +316,7 @@ body {
-moz-context-properties: stroke, fill, fill-opacity;
fill-opacity: var(--onion-opacity);
fill: var(--onion-color);
+ stroke: var(--onion-color);
}
.title.offline {
=====================================
browser/components/torconnect/content/tor-connect-broken.svg
=====================================
@@ -7,5 +7,5 @@
<path d="M10.5086 11.2146L11.3423 12.0483C10.8375 12.4651 10.2534 12.7892 9.616 12.9947V11.744C9.93702 11.6057 10.2367 11.4271 10.5086 11.2146Z" fill="context-fill" fill-opacity="context-fill-opacity" />
<path d="M4.78492 5.49092L3.95137 4.65737C3.20058 5.56555 2.74933 6.73033 2.74933 8C2.74933 10.336 4.27467 12.3147 6.384 12.9947V11.744C4.936 11.12 3.92267 9.67733 3.92267 8C3.92267 7.05341 4.24455 6.18259 4.78492 5.49092Z" fill="context-fill" fill-opacity="context-fill-opacity" />
<path d="M7.16918 7.8752L8.12478 8.83079C8.08406 8.83686 8.04238 8.84 7.99997 8.84C7.53605 8.84 7.15997 8.46392 7.15997 8C7.15997 7.95759 7.16312 7.91592 7.16918 7.8752Z" fill="context-fill" fill-opacity="context-fill-opacity" />
- <path d="M1.15533 1.85684L14.0906 14.7921C14.3511 15.0527 14.3511 15.4751 14.0906 15.7357L14.0906 15.7357C13.83 15.9963 13.4075 15.9963 13.1469 15.7357L0.211679 2.8005C-0.048903 2.53992 -0.0489032 2.11743 0.211682 1.85684C0.472265 1.59626 0.894753 1.59626 1.15533 1.85684Z" fill="context-fill" fill-opacity="context-fill-opacity" />
+ <path d="M1.15533 1.85684L14.0906 14.7921C14.3511 15.0527 14.3511 15.4751 14.0906 15.7357L14.0906 15.7357C13.83 15.9963 13.4075 15.9963 13.1469 15.7357L0.211679 2.8005C-0.048903 2.53992 -0.0489032 2.11743 0.211682 1.85684C0.472265 1.59626 0.894753 1.59626 1.15533 1.85684Z" fill="context-stroke" fill-opacity="context-fill-opacity" />
</svg>
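Review bot: The slash path in tor-connect-broken.svg now takes its colour from context-stroke while still taking its opacity from context-fill-opacity, and nothing in the SVG says why. Add a short comment in the file noting that the slash is coloured through the stroke context property, so that any stylesheet using this icon knows it has to list stroke in -moz-context-properties and set a stroke value.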
=====================================
browser/components/torconnect/content/tor-not-connected-to-connected-animated.svg
=====================================
@@ -1,8 +1,15 @@
<svg width="176" height="16" viewBox="0 0 176 16" xmlns="http://www.w3.org/2000/svg">
- <path d="M 3.32745,2.13475 C 4.60904,1.11241 6.23317,0.50133 8,0.50133 c 4.1414,0 7.4987,3.35732 7.4987,7.49867 0,1.7671 -0.6111,3.3911 -1.6335,4.6725 L 13.0315,11.8388 C 13.8448,10.7747 14.328,9.4444 14.328,8 14.328,4.504 11.496,1.67199 8,1.67199 c -1.4438,0 -2.77436,0.48303 -3.83895,1.29636 z" fill="context-fill" />
- <path d="M 6.56042,5.36771 7.44805,6.25534 C 7.6222,6.20033 7.80763,6.17067 8,6.17067 c 1.0107,0 1.8294,0.81867 1.8294,1.82933 0,0.1924 -0.0297,0.3779 -0.0847,0.552 l 0.8877,0.8877 C 10.8667,9.0122 11,8.5216 11,8 11,6.34399 9.656,5 8,5 7.47846,5 6.98784,5.13332 6.56042,5.36771 Z" fill="context-fill" />
- <path d="M 12.2609,11.0682 C 12.8837,10.2055 13.2507,9.1457 13.2507,8 c 0,-2.89867 -2.352,-5.25067 -5.25073,-5.25067 -1.14511,0 -2.20491,0.36706 -3.06809,0.98988 l 0.84285,0.84286 c 0.6397,-0.41709 1.40395,-0.6594 2.22524,-0.6594 2.25333,0 4.07733,1.82399 4.07733,4.07733 0,0.8206 -0.2425,1.585 -0.6598,2.2248 z" fill="context-fill" />
- <path fill-rule="evenodd" d="M 14.0906,14.7921 1.15536,1.85684 c -0.26058,-0.26058 -0.68307,-0.26058 -0.94365,0 -0.26059,0.26059 -0.26059,0.68308 -1e-5,0.94366 L 1.56286,4.15166 C 0.88882,5.2767 0.50135,6.59311 0.50135,8 c 0,3.5867 2.51734,6.584 5.88267,7.3227 0.352,0.0773 0.70932,0.1306 1.07733,0.1546 v -5.4272 l 1.07735,1.0774 v 4.3498 C 8.9067,15.4533 9.264,15.4 9.616,15.3227 c 0.7992,-0.1755 1.5506,-0.4783 2.2318,-0.8861 l 1.2991,1.2991 c 0.2606,0.2606 0.6831,0.2606 0.9437,0 0.2606,-0.2606 0.2606,-0.683 0,-0.9436 z m -3.1017,-1.2144 -0.804,-0.804 c -0.1841,0.0843 -0.374,0.1582 -0.5689,0.221 v -0.7899 1.9125 c 0.4826,-0.1267 0.9427,-0.309 1.3729,-0.5396 z M 5.02472,7.6135 4.12828,6.71707 C 3.99487,7.1204 3.92268,7.5517 3.92268,8 c 0,1.6773 1.01333,3.12 2.46133,3.744 v 1.2507 C 4.27468,12.3147 2.74934,10.336 2.74934,8 c 0,-0.78002 0.17031,-1.52045 0.47575,-2.18611 L 2.42112,5.00992 C 1.94312,5.90024 1.67202,6.91834 1.67202,8 c 0,2.9387 2,5.4053 4.712,6.1173 V 10.528 C 5.55202,9.9947 5.00002,9.0613 5.00002,8 c 0,-0.1309 0.0084,-0.2599 0.0247,-0.3865 z" fill="context-fill" />
+ <!-- First frame, same as tor-connect-broken.svg -->
+ <path d="M3.32745 2.13476C4.60904 1.11242 6.23317 0.501331 8 0.501331C12.1414 0.501331 15.4987 3.85866 15.4987 8C15.4987 9.76709 14.8876 11.3911 13.8652 12.6725L13.0315 11.8388C13.8448 10.7747 14.328 9.44438 14.328 8C14.328 4.50401 11.496 1.672 8 1.672C6.5562 1.672 5.22564 2.15503 4.16105 2.96836L3.32745 2.13476Z" fill="context-fill" />
+ <path d="M2.35636 3.06235C1.20135 4.38144 0.501343 6.10899 0.501343 8C0.501343 11.5867 3.01868 14.584 6.38401 15.3227C6.73601 15.4 7.09333 15.4533 7.46134 15.4773V9.74933C6.71467 9.52 6.17068 8.82401 6.17068 8C6.17068 7.67615 6.25474 7.37202 6.40223 7.10822L5.55539 6.26138C5.20574 6.75196 5.00001 7.3521 5.00001 8C5.00001 9.06133 5.55201 9.99466 6.38401 10.528V14.1173C3.67201 13.4053 1.67201 10.9387 1.67201 8C1.67201 6.43179 2.24187 4.99718 3.18588 3.89187L2.35636 3.06235Z" fill="context-fill" />
+ <path d="M6.56041 5.36771L7.44804 6.25534C7.62219 6.20033 7.80762 6.17067 8.00001 6.17067C9.01067 6.17067 9.82934 6.98934 9.82934 8C9.82934 8.19242 9.79968 8.37785 9.7447 8.552L10.6324 9.43967C10.8667 9.01221 11 8.52156 11 8C11 6.34399 9.65601 5 8.00001 5C7.47845 5 6.98783 5.13332 6.56041 5.36771Z" fill="context-fill" />
+ <path d="M9.73889 10.4449L8.89214 9.59813C8.78095 9.66036 8.6626 9.71127 8.53868 9.74933V15.4773C8.90668 15.4533 9.26401 15.4 9.61601 15.3227C10.8695 15.0475 12.0054 14.459 12.9374 13.6434L12.1076 12.8136C11.396 13.4207 10.5481 13.8726 9.61601 14.1173V10.528C9.65768 10.5013 9.69865 10.4736 9.73889 10.4449Z" fill="context-fill" />
+ <path d="M12.2609 11.0682C12.8837 10.2055 13.2507 9.14573 13.2507 8C13.2507 5.10133 10.8987 2.74933 7.99999 2.74933C6.85488 2.74933 5.79508 3.11639 4.9319 3.73921L5.77475 4.58207C6.41445 4.16498 7.1787 3.92267 7.99999 3.92267C10.2533 3.92267 12.0773 5.74666 12.0773 8C12.0773 8.82056 11.8348 9.58497 11.4175 10.2248L12.2609 11.0682Z" fill="context-fill" />
+ <path d="M10.5086 11.2146L11.3423 12.0483C10.8375 12.4651 10.2534 12.7892 9.616 12.9947V11.744C9.93702 11.6057 10.2367 11.4271 10.5086 11.2146Z" fill="context-fill" />
+ <path d="M4.78492 5.49092L3.95137 4.65737C3.20058 5.56555 2.74933 6.73033 2.74933 8C2.74933 10.336 4.27467 12.3147 6.384 12.9947V11.744C4.936 11.12 3.92267 9.67733 3.92267 8C3.92267 7.05341 4.24455 6.18259 4.78492 5.49092Z" fill="context-fill" />
+ <path d="M7.16918 7.8752L8.12478 8.83079C8.08406 8.83686 8.04238 8.84 7.99997 8.84C7.53605 8.84 7.15997 8.46392 7.15997 8C7.15997 7.95759 7.16312 7.91592 7.16918 7.8752Z" fill="context-fill" />
+ <path d="M1.15533 1.85684L14.0906 14.7921C14.3511 15.0527 14.3511 15.4751 14.0906 15.7357L14.0906 15.7357C13.83 15.9963 13.4075 15.9963 13.1469 15.7357L0.211679 2.8005C-0.048903 2.53992 -0.0489032 2.11743 0.211682 1.85684C0.472265 1.59626 0.894753 1.59626 1.15533 1.85684Z" fill="context-stroke" />
+ <!-- End of first frame. -->
<path d="m 26.5604,5.36771 0.8877,0.88763 C 27.6222,6.20033 27.8076,6.17067 28,6.17067 c 1.0107,0 1.8294,0.81867 1.8294,1.82933 0,0.1924 -0.0297,0.3779 -0.0847,0.552 l 0.8877,0.8877 C 30.8667,9.0122 31,8.5216 31,8 31,6.34399 29.656,5 28,5 27.4785,5 26.9878,5.13332 26.5604,5.36771 Z" fill="context-fill" />
<path d="M 32.2609,11.0682 C 32.8837,10.2055 33.2507,9.1457 33.2507,8 33.2507,5.10133 30.8987,2.74933 28,2.74933 c -1.1451,0 -2.2049,0.36706 -3.0681,0.98988 l 0.8428,0.84286 c 0.6397,-0.41709 1.404,-0.6594 2.2253,-0.6594 2.2533,0 4.0773,1.82399 4.0773,4.07733 0,0.8206 -0.2425,1.585 -0.6598,2.2248 z" fill="context-fill" />
<path fill-rule="evenodd" d="M 25.1667,1.05506 C 26.0409,0.69808 26.9975,0.50133 28,0.50133 c 4.1414,0 7.4987,3.35732 7.4987,7.49867 0,1.7671 -0.6111,3.3911 -1.6335,4.6725 L 33.0315,11.8388 C 33.8448,10.7747 34.328,9.4444 34.328,8 34.328,4.504 31.496,1.67199 28,1.67199 c -1.4438,0 -2.7744,0.48303 -3.8389,1.29636 L 24.1597,2.96703 c -0.3568,0.27263 -0.6838,0.58239 -0.9752,0.9235 l 0.0014,0.00134 C 22.2419,4.99718 21.672,6.43179 21.672,8 c 0,1.7592 0.7167,3.3492 1.8739,4.4949 0.473,0.4681 1.0196,0.862 1.6208,1.1628 0.385,0.1928 0.7924,0.3481 1.2173,0.4596 V 10.528 C 25.552,9.9947 25,9.0613 25,8 25,7.8685 25.0085,7.7389 25.0249,7.6118 L 24.1287,6.71563 C 23.995,7.11937 23.9227,7.5512 23.9227,8 c 0,1.6773 1.0133,3.12 2.4613,3.744 v 1.2507 C 24.2747,12.3147 22.7493,10.336 22.7493,8 c 0,-0.78053 0.1706,-1.52142 0.4764,-2.18742 L 22.8632,5.45009 c -0.2597,-0.2597 -0.2597,-0.68075 0,-0.94045 0.2597,-0.2597 0.6808,-0.2597 0.9405,0 L 34.0943,14.8002 c 0.2597,0.2597 0.2597,0.6808 0,0.9405 -0.2597,0.2597 -0.6808,0.2597 -0.9405,0 L 31.849,14.4359 c -0.6815,0.4082 -1.4333,0.7112 -2.233,0.8868 -0.352,0.0773 -0.7093,0.1306 -1.0773,0.1546 v -4.3518 l -1.0774,-1.0773 v 5.4291 C 27.0933,15.4533 26.736,15.4 26.384,15.3227 24.9758,15.0136 23.7161,14.309 22.7272,13.3313 21.3519,11.9723 20.5,10.0852 20.5,7.9987 20.5,4.85935 22.4292,2.17055 25.1667,1.05319 Z M 29.616,14.1173 v -1.9144 0.7918 c 0.1953,-0.063 0.3857,-0.1371 0.5702,-0.2216 l 0.804,0.804 c -0.4306,0.2309 -0.8911,0.4134 -1.3742,0.5402 z" fill="context-fill" />
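Review bot: The comment "First frame, same as tor-connect-broken.svg" is not quite accurate: the paths shown for tor-connect-broken.svg carry fill-opacity="context-fill-opacity" and the copies added here do not. Either note the difference in the comment or align the attributes, and consider stating in both files that the first frame is a manual copy so the two stay in sync when one is edited.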
=====================================
browser/components/torconnect/content/torConnectTitlebarStatus.css
=====================================
@@ -10,9 +10,10 @@
white-space: nowrap;
}
-#tor-connect-titlebar-status-icon {
- -moz-context-properties: fill;
+#tor-connect-titlebar-status img {
+ -moz-context-properties: fill, stroke;
fill: currentColor;
+ stroke: currentColor;
width: 16px;
height: 16px;
object-fit: none;
@@ -24,28 +25,31 @@
object-position: var(--tor-not-connected-offset);
}
-#tor-connect-titlebar-status-icon.tor-connect-status-potentially-blocked:not(
- .tor-connect-status-connected
-) {
- fill: #c50042;
+#tor-connect-titlebar-status.tor-connect-status-potentially-blocked img {
+ /* NOTE: context-stroke is only used for the first "frame" for the slash. When
+ * we assign the potentially-blocked class, we do *not* expect to be connected
+ * at the same time, so we only expect this first frame to be visible in this
+ * state. */
+ stroke: #c50042;
}
@media (prefers-color-scheme: dark) {
- #tor-connect-titlebar-status-icon.tor-connect-status-potentially-blocked:not(
- .tor-connect-status-connected
- ){
- fill: #ff9aa2;
+ #tor-connect-titlebar-status.tor-connect-status-potentially-blocked img {
+ stroke: #ff9aa2;
}
}
-#tor-connect-titlebar-status-icon.tor-connect-status-connected {
- fill: var(--purple-60);
+#tor-connect-titlebar-status.tor-connect-status-connected img {
object-position: var(--tor-connected-offset);
}
+#tor-connect-titlebar-status.tor-connect-status-connected {
+ color: var(--purple-60);
+}
+
@media (prefers-color-scheme: dark) {
- #tor-connect-titlebar-status-icon.tor-connect-status-connected {
- fill: var(--purple-30);
+ #tor-connect-titlebar-status.tor-connect-status-connected {
+ color: var(--purple-30);
}
}
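Review bot: The potentially-blocked rules drop the :not(.tor-connect-status-connected) guard and rely on the NOTE's expectation that the two states never coincide, yet torConnectTitlebarStatus.js toggles the two classes independently from connected and potentiallyBlocked. If that invariant matters, enforce it where the classes are set (or keep the :not() in the selector) rather than only documenting it in the CSS comment.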
@@ -60,8 +64,11 @@
}
@media (prefers-reduced-motion: no-preference) {
- #tor-connect-titlebar-status-icon.tor-connect-status-connected {
- transition: fill 1000ms;
+ #tor-connect-titlebar-status.tor-connect-status-connected {
+ transition: color 1000ms;
+ }
+
+ #tor-connect-titlebar-status.tor-connect-status-connected img {
animation-name: onion-not-connected-to-connected;
animation-delay: 200ms;
animation-fill-mode: both;
=====================================
browser/components/torconnect/content/torConnectTitlebarStatus.js
=====================================
@@ -16,12 +16,6 @@ var gTorConnectTitlebarStatus = {
* @type {Element}
*/
label: null,
- /**
- * The status icon.
- *
- * @type {Element}
- */
- icon: null,
/**
* Initialize the component.
@@ -34,7 +28,6 @@ var gTorConnectTitlebarStatus = {
this._strings = TorStrings.torConnect;
this.node = document.getElementById("tor-connect-titlebar-status");
- this.icon = document.getElementById("tor-connect-titlebar-status-icon");
this.label = document.getElementById("tor-connect-titlebar-status-label");
// The title also acts as an accessible name for the role="status".
this.node.setAttribute("title", this._strings.titlebarStatusName);
@@ -91,8 +84,8 @@ var gTorConnectTitlebarStatus = {
break;
}
this.label.textContent = this._strings[textId];
- this.icon.classList.toggle("tor-connect-status-connected", connected);
- this.icon.classList.toggle(
+ this.node.classList.toggle("tor-connect-status-connected", connected);
+ this.node.classList.toggle(
"tor-connect-status-potentially-blocked",
potentiallyBlocked
);
=====================================
browser/components/torpreferences/content/torPreferences.css
=====================================
@@ -32,8 +32,9 @@ html:dir(rtl) input[type="checkbox"].toggle-button::before {
width: 18px;
height: 18px;
margin-inline-end: 8px;
- -moz-context-properties: fill;
- fill: var(--in-content-text-color);
+ -moz-context-properties: fill, stroke;
+ fill: currentColor;
+ stroke: currentColor;
}
#torPreferences-status-internet .torPreferences-status-icon {
@@ -59,23 +60,16 @@ html:dir(rtl) input[type="checkbox"].toggle-button::before {
#torPreferences-status-tor-connect.connected .torPreferences-status-icon {
list-style-image: url("chrome://browser/content/torconnect/tor-connect.svg");
- fill: var(--purple-60);
-}
-
-@media (prefers-color-scheme: dark) {
- #torPreferences-status-tor-connect.connected .torPreferences-status-icon {
- fill: var(--purple-30);
- }
}
#torPreferences-status-tor-connect.blocked .torPreferences-status-icon {
/* Same as .tor-connect-status-potentially-blocked. */
- fill: #c50042;
+ stroke: #c50042;
}
@media (prefers-color-scheme: dark) {
#torPreferences-status-tor-connect.blocked .torPreferences-status-icon {
- fill: #ff9aa2;
+ stroke: #ff9aa2;
}
}
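Review bot: The .connected rule in torPreferences.css loses fill: var(--purple-60) and its dark-mode counterpart, and the icon now uses fill: currentColor, but no color rule for the connected state is added in this file. In torConnectTitlebarStatus.css the purple was moved to color on the connected element; if the preferences icon should stay purple the same move is needed here, and if dropping it is intentional that is worth stating in the commit message.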
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/bdf8a6…

[Git][tpo/applications/tor-browser-build][maint-12.0-mullvad] 5 commits: Bug 40851: Integrate android apk signing in do-all-signing
by richard (@richard) 12 Jun '23
richard pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits:
e36799bf by Nicolas Vigier at 2023-06-12T20:19:16+00:00
Bug 40851: Integrate android apk signing in do-all-signing
- - - - -
f3e593e4 by Nicolas Vigier at 2023-06-12T20:19:16+00:00
Bug 40875: Update Windows signing config
- - - - -
f0ab4b7d by Nicolas Vigier at 2023-06-12T20:19:16+00:00
Bug 40875: Re-enable Windows code signing in do-all-signing
- - - - -
8a7319b1 by Nicolas Vigier at 2023-06-12T20:19:16+00:00
Bug 40877: Update osslsigncode to more recent version
- - - - -
bb16c7d2 by Nicolas Vigier at 2023-06-12T20:19:16+00:00
Bug 40878: Fix default permission on gpg signature files
- - - - -
20 changed files:
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
- projects/android-toolchain/config
- − projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
- projects/osslsigncode/build
- projects/osslsigncode/config
- − projects/osslsigncode/timestamping.patch
- − tools/signing/android-signing.mullvadbrowser
- − tools/signing/android-signing.torbrowser
- tools/signing/authenticode-timestamping.sh
- tools/signing/do-all-signing
- tools/signing/linux-signer-gpg-sign
- + tools/signing/linux-signer-sign-android-apks
- + tools/signing/linux-signer-sign-android-apks.torbrowser
- tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/sudoers.d/sign-apk
- tools/signing/machines-setup/upload-tbb-to-signing-machine
- − tools/signing/set-config.android-signing
- tools/signing/android-signing → tools/signing/wrappers/sign-apk
- tools/signing/wrappers/sign-exe
Changes:
=====================================
.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
=====================================
@@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
- [ ] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.torbrowser`
=====================================
.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
=====================================
@@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
- [ ] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.sh`
=====================================
projects/android-toolchain/config
=====================================
@@ -95,9 +95,8 @@ steps:
#!/bin/bash
set -e
mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
- var:
- container:
- use_container: 0
+ container:
+ use_container: 0
input_files:
- URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
name: build_tools
=====================================
projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch deleted
=====================================
@@ -1,324 +0,0 @@
-From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger(a)gmx.de>
-Date: Sun, 12 Mar 2017 23:00:12 +0100
-Subject: [PATCH] Make code work with OpenSSL 1.1.
-
-Changes in consist of:
-- Use EVP_MD_CTX_new/free API instead of on-stack allocation
-- Remove some M_ prefixes like for ASN1_IA5STRING_new
-- Remove pagehash functionality because it is useless to me and
- fixing it would be a pain. Would require declaring a few
- ASN_SEQUENCES and use that to get the required i2d functions
- from what I could find out.
-- Remove OBJ_create calls that seem to serve no purpose,
- now crash because NULL pointers are no longer handled
- (who changes API that way?!) and even if that was fixed
- lead to errors when these objects are later created
- again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think,
- did not investigate further).
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 2978c02..3797458 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
- if (desc) {
- info->programName = SpcString_new();
- info->programName->type = 1;
-- info->programName->value.ascii = M_ASN1_IA5STRING_new();
-- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
-+ info->programName->value.ascii = ASN1_IA5STRING_new();
-+ ASN1_STRING_set(info->programName->value.ascii,
- (const unsigned char*)desc, strlen(desc));
- }
-
- if (url) {
- info->moreInfo = SpcLink_new();
- info->moreInfo->type = 0;
-- info->moreInfo->value.url = M_ASN1_IA5STRING_new();
-- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
-+ info->moreInfo->value.url = ASN1_IA5STRING_new();
-+ ASN1_STRING_set(info->moreInfo->value.url,
- (const unsigned char*)url, strlen(url));
- }
-
-@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
-
- if (rfc3161) {
- unsigned char mdbuf[EVP_MAX_MD_SIZE];
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
-+ EVP_MD_CTX_free(mdctx);
-+ mdctx = NULL;
-
- TimeStampReq *req = TimeStampReq_new();
- ASN1_INTEGER_set(req->version, 1);
- req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
- req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new();
- req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL;
-- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
-+ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
- req->certReq = (void*)0x1;
-
- len = i2d_TimeStampReq(req, NULL);
-@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = {
- 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
- };
-
--static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus,
-- unsigned int sigpos, int phtype, unsigned int *phlen);
--
--DECLARE_STACK_OF(ASN1_OCTET_STRING)
--#ifndef sk_ASN1_OCTET_STRING_new_null
--#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING)
--#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st))
--#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val))
--#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
--#endif
--
--DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue)
--#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null
--#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue)
--#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st))
--#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val))
--#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
--#endif
--
--static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos)
--{
-- unsigned int phlen;
-- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
-- if (!ph) {
-- fprintf(stderr, "Failed to calculate page hash\n");
-- exit(-1);
-- }
--
-- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new();
-- M_ASN1_OCTET_STRING_set(ostr, ph, phlen);
-- free(ph);
--
-- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null();
-- sk_ASN1_OCTET_STRING_push(oset, ostr);
-- unsigned char *p, *tmp;
-- unsigned int l;
-- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- tmp = p = OPENSSL_malloc(l);
-- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- ASN1_OCTET_STRING_free(ostr);
-- sk_ASN1_OCTET_STRING_free(oset);
--
-- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new();
-- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1);
-- aval->value = ASN1_TYPE_new();
-- aval->value->type = V_ASN1_SET;
-- aval->value->value.set = ASN1_STRING_new();
-- ASN1_STRING_set(aval->value->value.set, p, l);
-- OPENSSL_free(p);
--
-- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null();
-- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval);
-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- tmp = p = OPENSSL_malloc(l);
-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- sk_SpcAttributeTypeAndOptionalValue_free(aset);
-- SpcAttributeTypeAndOptionalValue_free(aval);
--
-- SpcSerializedObject *so = SpcSerializedObject_new();
-- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash));
-- M_ASN1_OCTET_STRING_set(so->serializedData, p, l);
-- OPENSSL_free(p);
--
-- SpcLink *link = SpcLink_new();
-- link->type = 1;
-- link->value.moniker = so;
-- return link;
--}
--
- static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type,
-- int pagehash, char *indata, unsigned int peheader, int pe32plus,
-+ char *indata, unsigned int peheader, int pe32plus,
- unsigned int sigpos)
- {
- static const unsigned char msistr[] = {
-@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- } else if (type == FILE_TYPE_PE) {
- SpcPeImageData *pid = SpcPeImageData_new();
- ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0);
-- if (pagehash) {
-- int phtype = NID_sha1;
-- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1()))
-- phtype = NID_sha256;
-- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos);
-- } else {
-- pid->file = get_obsolete_link();
-- }
-+ pid->file = get_obsolete_link();
- l = i2d_SpcPeImageData(pid, NULL);
- p = OPENSSL_malloc(l);
- i2d_SpcPeImageData(pid, &p);
-@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- ASN1_INTEGER_set(si->d, 0);
- ASN1_INTEGER_set(si->e, 0);
- ASN1_INTEGER_set(si->f, 0);
-- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
-+ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
- l = i2d_SpcSipInfo(si, NULL);
- p = OPENSSL_malloc(l);
- i2d_SpcSipInfo(si, &p);
-@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- hashlen = EVP_MD_size(md);
- hash = OPENSSL_malloc(hashlen);
- memset(hash, 0, hashlen);
-- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
-+ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
- OPENSSL_free(hash);
-
- *len = i2d_SpcIndirectDataContent(idc, NULL);
-@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- unsigned int peheader, int pe32plus, unsigned int fileend)
- {
- static unsigned char bfb[16*1024*1024];
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-+ EVP_DigestInit(mdctx, md);
-
- memset(mdbuf, 0, EVP_MAX_MD_SIZE);
-
- (void)BIO_seek(bio, 0);
- BIO_read(bio, bfb, peheader + 88);
-- EVP_DigestUpdate(&mdctx, bfb, peheader + 88);
-+ EVP_DigestUpdate(mdctx, bfb, peheader + 88);
- BIO_read(bio, bfb, 4);
- BIO_read(bio, bfb, 60+pe32plus*16);
-- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16);
-+ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16);
- BIO_read(bio, bfb, 8);
-
- unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8;
-@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- int l = BIO_read(bio, bfb, want);
- if (l <= 0)
- break;
-- EVP_DigestUpdate(&mdctx, bfb, l);
-+ EVP_DigestUpdate(mdctx, bfb, l);
- n += l;
- }
-
-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
-+ EVP_MD_CTX_free(mdctx);
- }
-
-
-@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- int phlen = pphlen * (3 + nsections + sigpos / pagesize);
- unsigned char *res = malloc(phlen);
- unsigned char *zeroes = calloc(pagesize, 1);
-- EVP_MD_CTX mdctx;
--
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, indata, peheader + 88);
-- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16);
-- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize);
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-+
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, indata, peheader + 88);
-+ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16);
-+ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize);
- memset(res, 0, 4);
-- EVP_DigestFinal(&mdctx, res + 4, NULL);
-+ EVP_DigestFinal(mdctx, res + 4, NULL);
-
- unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20);
- char *sections = indata + peheader + 24 + sizeofopthdr;
-@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- unsigned int l;
- for (l=0; l < rs; l+=pagesize, pi++) {
- PUT_UINT32_LE(ro + l, res + pi*pphlen);
-- EVP_DigestInit(&mdctx, md);
-+ EVP_DigestInit(mdctx, md);
- if (rs - l < pagesize) {
-- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l);
-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l));
-+ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l);
-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l));
- } else {
-- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize);
-+ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize);
- }
-- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL);
-+ EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL);
- }
- lastpos = ro + rs;
- sections += 40;
- }
-+ EVP_MD_CTX_free(mdctx);
-+ mdctx = NULL;
- PUT_UINT32_LE(lastpos, res + pi*pphlen);
- memset(res + pi*pphlen + 4, 0, EVP_MD_size(md));
- pi++;
-@@ -2413,7 +2333,7 @@ int main(int argc, char **argv)
- int nturl = 0, ntsurl = 0;
- int addBlob = 0;
- u_char *p = NULL;
-- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
-+ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0;
- unsigned int tmp, peheader = 0, padlen = 0;
- off_t filesize, fileend, sigfilesize, sigfileend, outdatasize;
- file_type_t type;
-@@ -2448,13 +2368,6 @@ int main(int argc, char **argv)
- ERR_load_crypto_strings();
- OPENSSL_add_all_algorithms_conf();
-
-- /* create some MS Authenticode OIDS we need later on */
-- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
-- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
-- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) ||
-- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL))
-- DO_EXIT_0("Failed to add objects\n");
--
- md = EVP_sha1();
-
- if (argc > 1) {
-@@ -2531,8 +2444,6 @@ int main(int argc, char **argv)
- readpass = *(++argv);
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) {
- comm = 1;
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) {
-- pagehash = 1;
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- if (--argc < 1) usage(argv0);
- desc = *(++argv);
-@@ -3243,7 +3154,7 @@ int main(int argc, char **argv)
- p7x = NULL;
- }
-
-- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend);
-+ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend);
- len -= EVP_MD_size(md);
- memcpy(buf, p, len);
- OPENSSL_free(p);
---
-2.34.1
-
=====================================
projects/osslsigncode/build
=====================================
@@ -4,11 +4,10 @@ distdir=$(pwd)/dist
mkdir -p $distdir/[% project %]
tar xf [% project %]-[% c('version') %].tar.gz
cd [% project %]-[% c('version') %]
-patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch
-patch -p1 < ../timestamping.patch
-./autogen.sh
-./configure --prefix=/[% project %]
+mkdir build
+cd build
+cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S ..
make
make DESTDIR=$distdir install
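Review bot: removing `patch -p1 < ../timestamping.patch` drops the local change that let `-t`, `-ts`, `-p`, `-noverifypeer` and `-h` be used with the `add` command, and nothing in the commit message says that upstream at the new `git_hash` accepts those options. If the timestamping step depends on `add` with a timestamp URL, please state in the commit message or in a comment here that the new version supports it natively, so the next person updating the hash knows the patch is not needed again.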
=====================================
projects/osslsigncode/config
=====================================
@@ -1,20 +1,16 @@
# vim: filetype=yaml sw=2
version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
-git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
+git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
container:
use_container: 0
var:
deps:
- - autoconf
- - libtool
- - pkg-config
+ - cmake
- libssl-dev
- libcurl4-openssl-dev
input_files:
- - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- - filename: timestamping.patch
- filename: '[% c("var/srcfile") %]'
enable: '[% c("var/no-git") %]'
=====================================
projects/osslsigncode/timestamping.patch deleted
=====================================
@@ -1,56 +0,0 @@
-From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk(a)torproject.org>
-Date: Fri, 5 Feb 2016 09:23:10 +0000
-Subject: [PATCH] Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 32e37c8..2978c02 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2556,16 +2556,16 @@ int main(int argc, char **argv)
- if (--argc < 1) usage(argv0);
- url = *(++argv);
- #ifdef ENABLE_CURL
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) {
- if (--argc < 1) usage(argv0);
- turl[nturl++] = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) {
- if (--argc < 1) usage(argv0);
- tsurl[ntsurl++] = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
- if (--argc < 1) usage(argv0);
- proxy = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) {
- noverifypeer = 1;
- #endif
- } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
---
-2.7.0
-
-
-From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk(a)torproject.org>
-Date: Sat, 11 Apr 2020 05:50:36 +0000
-Subject: [PATCH] fixup! Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 3797458..4f4b897 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2447,7 +2447,7 @@ int main(int argc, char **argv)
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- if (--argc < 1) usage(argv0);
- desc = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) {
- if (--argc < 1) usage(argv0);
- ++argv;
- if (!strcmp(*argv, "md5")) {
---
-2.26.0
=====================================
tools/signing/android-signing.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-android-signing
\ No newline at end of file
=====================================
tools/signing/android-signing.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-android-signing
\ No newline at end of file
=====================================
tools/signing/authenticode-timestamping.sh
=====================================
@@ -35,7 +35,7 @@ set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
-osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
+osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
test -f "$osslsigncode_file" ||
exit_error "$osslsigncode_file is missing." \
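Review bot: `osslsigncode_file` hardcodes both the hash prefix and the build id (`osslsigncode-d6f94d71f731-3a61fb.tar.gz`), so this line has to be edited by hand every time `projects/osslsigncode/config` changes, and a missed update only shows up as "is missing" at signing time. Consider deriving the filename with `rbm showconf`, the way `upload-tbb-to-signing-machine` obtains `android_build_tools_filename` in this same patch.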
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,12 @@ echo
test -f "$steps_dir/linux-signer-signmars.done" ||
read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
echo
-#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-#echo
+test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
+ read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
+echo
+test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+ read -sp "Enter windows authenticode passphrase: " YUBIPASS
+echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
read -sp "Enter gpg passphrase: " GPG_PASS
echo
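Review bot: the new `read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS` prompt runs for every project, while the step that consumes it is gated later in this patch with `is_project torbrowser && do_step linux-signer-sign-android-apks`. Gate the prompt with the same `is_project torbrowser` test so that other projects are not asked for a password that is never used. The Authenticode prompt no longer mentions yubihsm but still stores into `YUBIPASS`; a short comment or a rename would avoid confusion.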
@@ -106,6 +109,18 @@ function sync-after-signmars {
"$script_dir/sync-linux-signer-to-local"
}
+function linux-signer-sign-android-apks {
+ ssh "$ssh_host_linux_signer" 'bash -s' << EOF
+ export KSPASS=$KSPASS
+ ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
+EOF
+ unset KSPASS
+}
+
+function sync-after-sign-android-apks {
+ "$script_dir/sync-linux-signer-to-local"
+}
+
function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
"$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
}
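Review bot: in `linux-signer-sign-android-apks`, the unquoted `<< EOF` here-document expands `$KSPASS` locally and pastes it unquoted into `export KSPASS=$KSPASS`, so a password containing spaces, `$`, backticks, quotes or `;` is parsed again by the remote `bash -s` and can be truncated or executed as commands. Emit the value shell-quoted (for example with `printf %q`) or send it to the remote script on stdin instead of as script text. `unset KSPASS` is also skipped if the `ssh` call fails under `set -e`; a `trap` would cover that path.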
@@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
-#do_step linux-signer-authenticode-signing
-#do_step sync-after-authenticode-signing
-#do_step authenticode-timestamping
-#do_step sync-after-authenticode-timestamping
+is_project torbrowser && \
+ do_step linux-signer-sign-android-apks
+is_project torbrowser && \
+ do_step sync-after-sign-android-apks
+do_step linux-signer-authenticode-signing
+do_step sync-after-authenticode-signing
+do_step authenticode-timestamping
+do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -20,4 +20,5 @@ do
tmpsig=$(mktemp)
echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
mv -f "$tmpsig" "${i}.asc"
+ chmod 644 "${i}.asc"
done
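Review bot: `chmod 644 "${i}.asc"` runs after `mv -f "$tmpsig" "${i}.asc"`, so the signature first appears at its final path with the owner-only mode that `mktemp` gives the file. Running `chmod 644 "$tmpsig"` before the `mv` means the file is never visible under its final name with the wrong mode, and a failed `chmod` no longer leaves a half-finished `.asc` behind.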
=====================================
tools/signing/linux-signer-sign-android-apks
=====================================
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.generated-config"
+
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
+projname=$(project-name)
+# tbb_version_type is used in wrappers/sign-apk, so we export it
+export tbb_version_type
+
+check_installed_packages() {
+ local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+ for package in $packages
+ do
+ dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+ exit_error "package $package is missing"
+ done
+}
+
+setup_build_tools() {
+ build_tools_dir=/signing/android-build-tools
+ test -f "$build_tools_dir"/android-12/apksigner || \
+ exit_error "$build_tools_dir/android-12/apksigner is missing"
+ export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+sign_apk() {
+ sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
+}
+
+verify_apk() {
+ verified=$(apksigner verify --print-certs --verbose "$1")
+ scheme_v1="Verified using v1 scheme (JAR signing): true"
+ scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
+
+ # Verify the expected signing key was used, Alpha verses Release based on the filename.
+ if test "$tbb_version_type" = "alpha"; then
+ cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
+ else
+ cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
+ fi
+ for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
+ if ! echo "${verified}" | grep -q "${digest}"; then
+ echo "Expected digest not found:"
+ echo ${digest}
+ echo "in:"
+ echo ${verified}
+ exit 1
+ fi
+ done
+}
+
+check_installed_packages
+
+if [ -z "$KSPASS" ]; then
+ echo "Enter keystore passphrase"
+ stty -echo; read KSPASS; stty echo
+ export KSPASS
+fi
+
+setup_build_tools
+
+mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+
+# Sign all packages
+for arch in ${ARCHS}; do
+ qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
+ signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
+ sign_apk "$qa_apk" "$signed_apk"
+ verify_apk "$signed_apk"
+ cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
+done
+
+rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
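Review bot: in `verify_apk`, `grep -q "${digest}"` treats the expected lines as regular expressions, so the `.` and other metacharacters in those strings are not matched literally; use `grep -qF -- "${digest}"` for a fixed-string comparison, and quote `${digest}` and `${verified}` in the `echo` calls so the multi-line `apksigner` output is printed intact on failure. Separately, any failure in the loop exits under `set -e` before the final `rm -Rf`, leaving the group-writable `~/"$SIGNING_PROJECTNAME-$tbb_version-apks"` copy behind; a `trap ... EXIT` set right after the `mkdir -p` would clean it up. `stty -echo; read KSPASS; stty echo` can be replaced with `read -rs KSPASS`, which does not leave the terminal without echo if the script is interrupted.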
=====================================
tools/signing/linux-signer-sign-android-apks.torbrowser
=====================================
@@ -0,0 +1 @@
+linux-signer-sign-android-apks
\ No newline at end of file
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -83,11 +83,12 @@ create_group signing
create_user signing-gpg
create_user signing-mar
create_user signing-win yubihsm
-
+create_user signing-apk signing
sudoers_file sign-gpg
sudoers_file sign-mar
sudoers_file sign-exe
+sudoers_file sign-apk
authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
create_user richard signing
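Review bot: `create_user signing-apk signing` appears to put the account that owns the APK keys into the `signing` group (the same form as `create_user richard signing`), and the new sudoers rule grants `%signing` the right to run the wrapper as `signing-apk`. If the membership exists only so the wrapper can write into the group-writable `-apks` directory, please say so in a comment, or use a dedicated group, so that the key-holding account does not also pick up whatever else `%signing` is allowed to do. The blank line that separated the `create_user` block from the `sudoers_file` block was also dropped and should be restored.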
@@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl
# Install deps for building yubihsm-shell
install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+# Install deps for android/apk signing
+install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
+
# Build and install yubihsm-pkcs11 package
create_user build-pkgs
if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
@@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then
chmod go+rX "$tmpdir/mar-tools"/*
mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
fi
+
+for rel in release alpha; do
+ keypath=/home/signing-apk/keys/tba_$rel.p12
+ if ! test -f "$keypath"; then
+ echo "$rel key for android should be put in $keypath"
+ else
+ chown signing-apk "$keypath"
+ chmod 700 "$keypath"
+ fi
+done
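Review bot: `chmod 700 "$keypath"` sets the execute bit on a PKCS#12 key file; `chmod 600` (or `400`, since the wrapper only reads it) is sufficient. The loop also leaves the owner and mode of `/home/signing-apk/keys` itself untouched, so the directory should get an explicit `chown signing-apk` and `chmod 700` as well. When a key is absent the script only prints a message and continues; printing it to stderr would make the incomplete setup easier to notice.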
=====================================
tools/signing/machines-setup/sudoers.d/sign-apk
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk
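Review bot: adding `KSPASS` to `env_keep` carries the keystore password across the sudo boundary in the environment, whereas `linux-signer-gpg-sign` in this same patch pipes its passphrase to the wrapper on stdin (`echo "$GPG_PASS" | sudo -u signing-gpg -- ...`). Passing the APK password the same way would keep it out of the environment inherited by every process the wrapper starts and would let `KSPASS` be removed from `env_keep`.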
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
echo "Fetched $yubihsm_filename"
fi
+android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
+if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
+ ./rbm/rbm build --step get_build_tools android-toolchain
+ echo "Fetched $android_build_tools_filename"
+fi
+
signing_machine='linux-signer'
setup_user='setup'
signing_dir='/signing'
@@ -43,14 +49,26 @@ signing_dir='/signing'
echo "Uploading $osslsigncodefile to $signing_machine"
chmod go+r "./out/osslsigncode/$osslsigncodefile"
rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+
echo "Uploading rbm.tar to $signing_machine"
rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+
echo "Uploading $martools_filename"
chmod go+r "./out/mar-tools/$martools_filename"
rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+
echo "Uploading $yubihsm_filename"
chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+
+echo "Uploading $android_build_tools_filename"
+chmod go+r "./out/android-toolchain/$android_build_tools_filename"
+rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
+echo "Extracting $android_build_tools_filename"
+ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
+ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
+ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
+
echo "Uploading tor-browser-build.tar to $signing_machine"
scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
echo "Extracting tor-browser-build.tar on $signing_machine"
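Review bot: the last added `ssh` line runs `chmod -R o+rX "$signing_dir/$android_build_tools_filename"`, which targets the uploaded zip file rather than the tree just extracted into `$signing_dir/android-build-tools`, so `-R` and `X` have nothing to act on and the extracted `apksigner` keeps whatever modes `unzip` gave it. The target should presumably be `$signing_dir/android-build-tools`. The two preceding `ssh` lines also leave `$signing_dir/android-build-tools` unquoted while the other arguments are quoted.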
=====================================
tools/signing/set-config.android-signing deleted
=====================================
@@ -1,7 +0,0 @@
-# The following line should be uncommented and updated:
-
-#ssh_host_pkgstage=tbbuild
-#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
-#android_signing_key_dir=/path/to/signing/key/dir
-
-var_is_defined ssh_host_pkgstage android_signing_key_dir
=====================================
tools/signing/android-signing → tools/signing/wrappers/sign-apk
=====================================
@@ -1,69 +1,34 @@
#!/bin/bash
-
-# Sign apk for each target architecture.
-# This script does not require command line argument, but it needs
-# some configuration options to be set in set-config.android-signing:
-# - ssh_host_pkgstage is the host which you use for staging packages
-# during signing. The script will download the unsigned .apk files
-# from this host, and upload the signed .apk there
-# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
-# on pkgstage
-# - android_signing_key_dir: the local path where the android signing
-# keys are located. That directory should contains files tba_alpha.p12
-# and tba_release.p12 for alpha and release signing keys.
-# The Tor Browser version is taken from set-config.tbb-version
-
set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.android-signing"
-topdir="$script_dir/../.."
-ARCHS="armv7 aarch64 x86 x86_64"
-projname=$(project-name)
-
-android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
-test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
-
-check_installed_packages() {
- local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
- for package in $packages
+function exit_error {
+ for msg in "$@"
do
- dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
- exit_error "package $package is missing"
+ echo "$msg" >&2
done
+ exit 1
}
+if test "$tbb_version_type" != 'release' \
+ && test "$tbb_version_type" != 'alpha'; then
+ exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
+fi
+
+android_signing_key_dir=/home/signing-apk/keys
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
+
setup_build_tools() {
- local rbm="$topdir/rbm/rbm"
- local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
- if ! test -f "$build_tools_zipfile"; then
- "$rbm" build --step get_build_tools android-toolchain
- test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
- fi
- local build_tools_dir=$(mktemp -d)
- trap "rm -Rf $build_tools_dir" EXIT
- unzip -d "$build_tools_dir" "$build_tools_zipfile"
+ build_tools_dir=/signing/android-build-tools
test -f "$build_tools_dir"/android-12/apksigner || \
exit_error "$build_tools_dir/android-12/apksigner is missing"
export PATH="$build_tools_dir/android-12:${PATH}"
}
-download_unsigned_apks() {
- apks_dir=$(mktemp -d)
- trap "rm -Rf $apks_dir" EXIT
- rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
-}
-
-upload_signed_apks() {
- rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
- --exclude="*-unsigned.apk" "$apks_dir/" \
- "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
-}
-
# Sign individual apk
sign_apk() {
INPUTAPK="$1"
+ OUTPUTAPK="$2"
# https://developer.android.com/studio/publish/app-signing#sign-manually
# After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
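Review bot: `sign_apk` now takes `INPUTAPK="$1"` and `OUTPUTAPK="$2"`, and under the new sudoers rule this wrapper can be started as `signing-apk` by any member of `%signing` with arbitrary arguments, yet nothing in the visible lines checks that two arguments were given or that the input is an existing regular `.apk` file. Add an argument check next to the `tbb_version_type` validation, which is a good pattern to follow. The removed header comment was the only description of what the script expects; a short usage comment (arguments, required `tbb_version_type` and `KSPASS`, key location) should replace it.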
@@ -75,10 +40,11 @@ sign_apk() {
echo Aligning and signing ${INPUTAPK}
# Append the different stages of signing
- UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
+ UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
+ # ${INPUTAPK} is full path. We copy to local tmp directory.
cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
# Step 1: Align
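Review bot: the `sed 's/\.apk/-unsigned-unaligned.apk/'` kept on the new `basename` line is unanchored, so it rewrites the first `.apk` found anywhere in the file name rather than the extension. Anchoring it as `s/\.apk$/-unsigned-unaligned.apk/` makes the derived names predictable. If the input has no `.apk` suffix at all, the three derived names collapse to the same file, so an explicit suffix check on `${INPUTAPK}` before the `cp` would be worth adding.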
@@ -117,67 +83,16 @@ sign_apk() {
exit 1
fi
+ mv -f "${SIGNED_APK}" "$OUTPUTAPK"
echo apksigner verify succeeded
}
-# Rename and verify signing certificate
-finalize() {
- for arch in ${ARCHS}; do
- mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
- done
-
- for arch in ${ARCHS}; do
- verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
- scheme_v1=
- scheme_v2=
- cert_digest=
- pubkey_digest=
-
- # Verify the expected signing key was used, Alpha verses Release based on the filename.
- if test "$tbb_version_type" = "alpha"; then
- scheme_v1="Verified using v1 scheme (JAR signing): true"
- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
- cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
- pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
- else
- scheme_v1="Verified using v1 scheme (JAR signing): true"
- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
- cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
- pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
- fi
- for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
- if ! `echo "${verified}" | grep -q "${digest}"`; then
- echo "Expected digest not found:"
- echo ${digest}
- echo "in:"
- echo ${verified}
- exit 1
- fi
- done
- done
-
- echo Done.
-}
-
-check_installed_packages
-
-if [ -z "$KSPASS" ]; then
- echo "Enter keystore passphrase"
- stty -echo; read KSPASS; stty echo
- export KSPASS
-fi
-
setup_build_tools
-download_unsigned_apks
-
-cd $apks_dir
-
-# Sign all packages
-for arch in ${ARCHS}; do
- sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
-done
+tmpdir=$(mktemp -d)
+cd "$tmpdir"
-finalize
+sign_apk "$1" "$2"
-upload_signed_apks
+cd -
+rm -Rf "$tmpdir"
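Review bot: `sign_apk "$1" "$2"` uses both arguments unchecked, and this wrapper is the command that sudoers.d/sign-apk lets group `signing` run as `signing-apk`, so `mv -f "${SIGNED_APK}" "$OUTPUTAPK"` overwrites whatever path the caller names. Check that exactly two arguments are given, that `$1` is an existing regular file, and that `$2` ends in `.apk` inside the expected work directory before doing anything with the key. Separately, `rm -Rf "$tmpdir"` is reached only on success; a `trap` on EXIT would also clean up the APK copies when a step ends in `exit 1`.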
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then
exit 2
fi
-yubipass="$1"
+pass="$1"
to_sign_exe="$2"
-tpo_cert=/home/signing-win/tpo-cert.crt
+key_dir=/home/signing-win/keys/key-1
+tpo_cert=$key_dir/the_tor_project_inc.crt
+tpo_key=$key_dir/private.pem
if ! test -f "$tpo_cert"; then
echo "File $tpo_cert is missing" >&2
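Review bot: the new `tpo_key=$key_dir/private.pem` gets no existence check, while the context directly below still tests only `$tpo_cert`. Add a matching `test -f "$tpo_key"` so a missing key fails here with a clear message rather than inside osslsigncode. Since the signing key is now a file under `/home/signing-win/keys/key-1`, the expected owner and mode of that directory should be documented or enforced in setup-signing-machine as well.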
@@ -26,12 +28,10 @@ rm -f "$output_signed_exe"
export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
/home/signing-win/osslsigncode/bin/osslsigncode \
- -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
- -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
- -pass "$yubipass" \
+ -pass "$pass" \
-h sha256 \
-certs "$tpo_cert" \
- -key 1c40 \
+ -key "$tpo_key" \
"$to_sign_exe" "$output_signed_exe"
chmod 644 "$output_signed_exe"
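Review bot: with `-pkcs11engine` and `-pkcs11module` removed, the `export 'YUBIHSM_PKCS11_CONF=...'` line left as context at the top of this hunk looks unused; drop it if nothing else reads it. `-pass "$pass"` also keeps the key passphrase on the osslsigncode command line, which matters more now that `-key` points at `private.pem` on disk; osslsigncode's `-readpass` option reads it from a file instead.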
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…

[Git][tpo/applications/tor-browser-build][main] 5 commits: Bug 40851: Integrate android apk signing in do-all-signing
by richard (@richard) 12 Jun '23
richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
143097f5 by Nicolas Vigier at 2023-06-12T16:49:23+02:00
Bug 40851: Integrate android apk signing in do-all-signing
- - - - -
9281ddbf by Nicolas Vigier at 2023-06-12T16:49:25+02:00
Bug 40875: Update Windows signing config
- - - - -
d511d4ac by Nicolas Vigier at 2023-06-12T16:49:27+02:00
Bug 40875: Re-enable Windows code signing in do-all-signing
- - - - -
867cd64c by Nicolas Vigier at 2023-06-12T16:49:29+02:00
Bug 40877: Update osslsigncode to more recent version
- - - - -
8213c52c by Nicolas Vigier at 2023-06-12T16:49:30+02:00
Bug 40878: Fix default permission on gpg signature files
- - - - -
20 changed files:
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
- projects/android-toolchain/config
- − projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
- projects/osslsigncode/build
- projects/osslsigncode/config
- − projects/osslsigncode/timestamping.patch
- − tools/signing/android-signing.mullvadbrowser
- − tools/signing/android-signing.torbrowser
- tools/signing/authenticode-timestamping.sh
- tools/signing/do-all-signing
- tools/signing/linux-signer-gpg-sign
- + tools/signing/linux-signer-sign-android-apks
- + tools/signing/linux-signer-sign-android-apks.torbrowser
- tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/sudoers.d/sign-apk
- tools/signing/machines-setup/upload-tbb-to-signing-machine
- − tools/signing/set-config.android-signing
- tools/signing/android-signing → tools/signing/wrappers/sign-apk
- tools/signing/wrappers/sign-exe
Changes:
=====================================
.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
=====================================
@@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
- [ ] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.torbrowser`
=====================================
.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
=====================================
@@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
- [ ] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.sh`
=====================================
projects/android-toolchain/config
=====================================
@@ -95,9 +95,8 @@ steps:
#!/bin/bash
set -e
mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
- var:
- container:
- use_container: 0
+ container:
+ use_container: 0
input_files:
- URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
name: build_tools
=====================================
projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch deleted
=====================================
@@ -1,324 +0,0 @@
-From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger(a)gmx.de>
-Date: Sun, 12 Mar 2017 23:00:12 +0100
-Subject: [PATCH] Make code work with OpenSSL 1.1.
-
-Changes in consist of:
-- Use EVP_MD_CTX_new/free API instead of on-stack allocation
-- Remove some M_ prefixes like for ASN1_IA5STRING_new
-- Remove pagehash functionality because it is useless to me and
- fixing it would be a pain. Would require declaring a few
- ASN_SEQUENCES and use that to get the required i2d functions
- from what I could find out.
-- Remove OBJ_create calls that seem to serve no purpose,
- now crash because NULL pointers are no longer handled
- (who changes API that way?!) and even if that was fixed
- lead to errors when these objects are later created
- again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think,
- did not investigate further).
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 2978c02..3797458 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
- if (desc) {
- info->programName = SpcString_new();
- info->programName->type = 1;
-- info->programName->value.ascii = M_ASN1_IA5STRING_new();
-- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
-+ info->programName->value.ascii = ASN1_IA5STRING_new();
-+ ASN1_STRING_set(info->programName->value.ascii,
- (const unsigned char*)desc, strlen(desc));
- }
-
- if (url) {
- info->moreInfo = SpcLink_new();
- info->moreInfo->type = 0;
-- info->moreInfo->value.url = M_ASN1_IA5STRING_new();
-- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
-+ info->moreInfo->value.url = ASN1_IA5STRING_new();
-+ ASN1_STRING_set(info->moreInfo->value.url,
- (const unsigned char*)url, strlen(url));
- }
-
-@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
-
- if (rfc3161) {
- unsigned char mdbuf[EVP_MAX_MD_SIZE];
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
-+ EVP_MD_CTX_free(mdctx);
-+ mdctx = NULL;
-
- TimeStampReq *req = TimeStampReq_new();
- ASN1_INTEGER_set(req->version, 1);
- req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
- req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new();
- req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL;
-- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
-+ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
- req->certReq = (void*)0x1;
-
- len = i2d_TimeStampReq(req, NULL);
-@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = {
- 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
- };
-
--static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus,
-- unsigned int sigpos, int phtype, unsigned int *phlen);
--
--DECLARE_STACK_OF(ASN1_OCTET_STRING)
--#ifndef sk_ASN1_OCTET_STRING_new_null
--#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING)
--#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st))
--#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val))
--#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
--#endif
--
--DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue)
--#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null
--#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue)
--#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st))
--#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val))
--#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
--#endif
--
--static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos)
--{
-- unsigned int phlen;
-- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
-- if (!ph) {
-- fprintf(stderr, "Failed to calculate page hash\n");
-- exit(-1);
-- }
--
-- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new();
-- M_ASN1_OCTET_STRING_set(ostr, ph, phlen);
-- free(ph);
--
-- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null();
-- sk_ASN1_OCTET_STRING_push(oset, ostr);
-- unsigned char *p, *tmp;
-- unsigned int l;
-- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- tmp = p = OPENSSL_malloc(l);
-- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- ASN1_OCTET_STRING_free(ostr);
-- sk_ASN1_OCTET_STRING_free(oset);
--
-- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new();
-- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1);
-- aval->value = ASN1_TYPE_new();
-- aval->value->type = V_ASN1_SET;
-- aval->value->value.set = ASN1_STRING_new();
-- ASN1_STRING_set(aval->value->value.set, p, l);
-- OPENSSL_free(p);
--
-- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null();
-- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval);
-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- tmp = p = OPENSSL_malloc(l);
-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- sk_SpcAttributeTypeAndOptionalValue_free(aset);
-- SpcAttributeTypeAndOptionalValue_free(aval);
--
-- SpcSerializedObject *so = SpcSerializedObject_new();
-- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash));
-- M_ASN1_OCTET_STRING_set(so->serializedData, p, l);
-- OPENSSL_free(p);
--
-- SpcLink *link = SpcLink_new();
-- link->type = 1;
-- link->value.moniker = so;
-- return link;
--}
--
- static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type,
-- int pagehash, char *indata, unsigned int peheader, int pe32plus,
-+ char *indata, unsigned int peheader, int pe32plus,
- unsigned int sigpos)
- {
- static const unsigned char msistr[] = {
-@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- } else if (type == FILE_TYPE_PE) {
- SpcPeImageData *pid = SpcPeImageData_new();
- ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0);
-- if (pagehash) {
-- int phtype = NID_sha1;
-- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1()))
-- phtype = NID_sha256;
-- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos);
-- } else {
-- pid->file = get_obsolete_link();
-- }
-+ pid->file = get_obsolete_link();
- l = i2d_SpcPeImageData(pid, NULL);
- p = OPENSSL_malloc(l);
- i2d_SpcPeImageData(pid, &p);
-@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- ASN1_INTEGER_set(si->d, 0);
- ASN1_INTEGER_set(si->e, 0);
- ASN1_INTEGER_set(si->f, 0);
-- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
-+ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
- l = i2d_SpcSipInfo(si, NULL);
- p = OPENSSL_malloc(l);
- i2d_SpcSipInfo(si, &p);
-@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- hashlen = EVP_MD_size(md);
- hash = OPENSSL_malloc(hashlen);
- memset(hash, 0, hashlen);
-- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
-+ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
- OPENSSL_free(hash);
-
- *len = i2d_SpcIndirectDataContent(idc, NULL);
-@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- unsigned int peheader, int pe32plus, unsigned int fileend)
- {
- static unsigned char bfb[16*1024*1024];
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-+ EVP_DigestInit(mdctx, md);
-
- memset(mdbuf, 0, EVP_MAX_MD_SIZE);
-
- (void)BIO_seek(bio, 0);
- BIO_read(bio, bfb, peheader + 88);
-- EVP_DigestUpdate(&mdctx, bfb, peheader + 88);
-+ EVP_DigestUpdate(mdctx, bfb, peheader + 88);
- BIO_read(bio, bfb, 4);
- BIO_read(bio, bfb, 60+pe32plus*16);
-- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16);
-+ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16);
- BIO_read(bio, bfb, 8);
-
- unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8;
-@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- int l = BIO_read(bio, bfb, want);
- if (l <= 0)
- break;
-- EVP_DigestUpdate(&mdctx, bfb, l);
-+ EVP_DigestUpdate(mdctx, bfb, l);
- n += l;
- }
-
-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
-+ EVP_MD_CTX_free(mdctx);
- }
-
-
-@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- int phlen = pphlen * (3 + nsections + sigpos / pagesize);
- unsigned char *res = malloc(phlen);
- unsigned char *zeroes = calloc(pagesize, 1);
-- EVP_MD_CTX mdctx;
--
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, indata, peheader + 88);
-- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16);
-- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize);
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-+
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, indata, peheader + 88);
-+ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16);
-+ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize);
- memset(res, 0, 4);
-- EVP_DigestFinal(&mdctx, res + 4, NULL);
-+ EVP_DigestFinal(mdctx, res + 4, NULL);
-
- unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20);
- char *sections = indata + peheader + 24 + sizeofopthdr;
-@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- unsigned int l;
- for (l=0; l < rs; l+=pagesize, pi++) {
- PUT_UINT32_LE(ro + l, res + pi*pphlen);
-- EVP_DigestInit(&mdctx, md);
-+ EVP_DigestInit(mdctx, md);
- if (rs - l < pagesize) {
-- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l);
-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l));
-+ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l);
-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l));
- } else {
-- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize);
-+ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize);
- }
-- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL);
-+ EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL);
- }
- lastpos = ro + rs;
- sections += 40;
- }
-+ EVP_MD_CTX_free(mdctx);
-+ mdctx = NULL;
- PUT_UINT32_LE(lastpos, res + pi*pphlen);
- memset(res + pi*pphlen + 4, 0, EVP_MD_size(md));
- pi++;
-@@ -2413,7 +2333,7 @@ int main(int argc, char **argv)
- int nturl = 0, ntsurl = 0;
- int addBlob = 0;
- u_char *p = NULL;
-- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
-+ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0;
- unsigned int tmp, peheader = 0, padlen = 0;
- off_t filesize, fileend, sigfilesize, sigfileend, outdatasize;
- file_type_t type;
-@@ -2448,13 +2368,6 @@ int main(int argc, char **argv)
- ERR_load_crypto_strings();
- OPENSSL_add_all_algorithms_conf();
-
-- /* create some MS Authenticode OIDS we need later on */
-- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
-- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
-- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) ||
-- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL))
-- DO_EXIT_0("Failed to add objects\n");
--
- md = EVP_sha1();
-
- if (argc > 1) {
-@@ -2531,8 +2444,6 @@ int main(int argc, char **argv)
- readpass = *(++argv);
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) {
- comm = 1;
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) {
-- pagehash = 1;
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- if (--argc < 1) usage(argv0);
- desc = *(++argv);
-@@ -3243,7 +3154,7 @@ int main(int argc, char **argv)
- p7x = NULL;
- }
-
-- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend);
-+ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend);
- len -= EVP_MD_size(md);
- memcpy(buf, p, len);
- OPENSSL_free(p);
---
-2.34.1
-
=====================================
projects/osslsigncode/build
=====================================
@@ -4,11 +4,10 @@ distdir=$(pwd)/dist
mkdir -p $distdir/[% project %]
tar xf [% project %]-[% c('version') %].tar.gz
cd [% project %]-[% c('version') %]
-patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch
-patch -p1 < ../timestamping.patch
-./autogen.sh
-./configure --prefix=/[% project %]
+mkdir build
+cd build
+cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S ..
make
make DESTDIR=$distdir install
=====================================
projects/osslsigncode/config
=====================================
@@ -1,20 +1,16 @@
# vim: filetype=yaml sw=2
version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
-git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
+git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
container:
use_container: 0
var:
deps:
- - autoconf
- - libtool
- - pkg-config
+ - cmake
- libssl-dev
- libcurl4-openssl-dev
input_files:
- - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- - filename: timestamping.patch
- filename: '[% c("var/srcfile") %]'
enable: '[% c("var/no-git") %]'
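Review bot: `input_files` drops `timestamping.patch`, which is what allowed `-t`, `-ts`, `-p`, `-noverifypeer` and `-h` with the `add` command, and nothing in the commit says that upstream at `d6f94d71f731` accepts them there. Please confirm that and state it in the commit message for Bug 40877, since authenticode-timestamping.sh is switched to this build in the same push.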
=====================================
projects/osslsigncode/timestamping.patch deleted
=====================================
@@ -1,56 +0,0 @@
-From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk(a)torproject.org>
-Date: Fri, 5 Feb 2016 09:23:10 +0000
-Subject: [PATCH] Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 32e37c8..2978c02 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2556,16 +2556,16 @@ int main(int argc, char **argv)
- if (--argc < 1) usage(argv0);
- url = *(++argv);
- #ifdef ENABLE_CURL
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) {
- if (--argc < 1) usage(argv0);
- turl[nturl++] = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) {
- if (--argc < 1) usage(argv0);
- tsurl[ntsurl++] = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
- if (--argc < 1) usage(argv0);
- proxy = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) {
- noverifypeer = 1;
- #endif
- } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
---
-2.7.0
-
-
-From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk(a)torproject.org>
-Date: Sat, 11 Apr 2020 05:50:36 +0000
-Subject: [PATCH] fixup! Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 3797458..4f4b897 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2447,7 +2447,7 @@ int main(int argc, char **argv)
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- if (--argc < 1) usage(argv0);
- desc = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) {
- if (--argc < 1) usage(argv0);
- ++argv;
- if (!strcmp(*argv, "md5")) {
---
-2.26.0
=====================================
tools/signing/android-signing.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-android-signing
\ No newline at end of file
=====================================
tools/signing/android-signing.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-android-signing
\ No newline at end of file
=====================================
tools/signing/authenticode-timestamping.sh
=====================================
@@ -35,7 +35,7 @@ set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
-osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
+osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
test -f "$osslsigncode_file" ||
exit_error "$osslsigncode_file is missing." \
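Review bot: `osslsigncode_file` hard-codes both the short hash and the build id (`osslsigncode-d6f94d71f731-3a61fb.tar.gz`), so it has to be edited by hand on every change to projects/osslsigncode/config and fails only at run time if someone forgets. upload-tbb-to-signing-machine already derives a file name with `./rbm/rbm showconf ... filename`; doing the same here would keep the two in sync.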
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,12 @@ echo
test -f "$steps_dir/linux-signer-signmars.done" ||
read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
echo
-#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-#echo
+test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
+ read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
+echo
+test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+ read -sp "Enter windows authenticode passphrase: " YUBIPASS
+echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
read -sp "Enter gpg passphrase: " GPG_PASS
echo
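Review bot: the re-enabled prompt still reads into `YUBIPASS` although its text no longer mentions the yubihsm and sign-exe now calls the value `pass`. Rename the variable (for example `WINPASS`) here and wherever it is passed on, so the name does not suggest the key is still held in the HSM.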
@@ -106,6 +109,18 @@ function sync-after-signmars {
"$script_dir/sync-linux-signer-to-local"
}
+function linux-signer-sign-android-apks {
+ ssh "$ssh_host_linux_signer" 'bash -s' << EOF
+ export KSPASS=$KSPASS
+ ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
+EOF
+ unset KSPASS
+}
+
+function sync-after-sign-android-apks {
+ "$script_dir/sync-linux-signer-to-local"
+}
+
function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
"$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
}
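Review bot: in `linux-signer-sign-android-apks`, `export KSPASS=$KSPASS` sits in an unquoted `<< EOF` heredoc, so the passphrase is expanded locally and pasted unquoted into the script that the remote `bash -s` executes. A passphrase containing spaces, quotes, `$` or `;` is truncated or interpreted as shell syntax on the signer. Quote it for the remote shell (for example with `printf '%q'`), or send it on stdin and `read` it remotely. The unquoted heredoc also places the secret in the generated script text, so keep `set -x` off around this function.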
@@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
-#do_step linux-signer-authenticode-signing
-#do_step sync-after-authenticode-signing
-#do_step authenticode-timestamping
-#do_step sync-after-authenticode-timestamping
+is_project torbrowser && \
+ do_step linux-signer-sign-android-apks
+is_project torbrowser && \
+ do_step sync-after-sign-android-apks
+do_step linux-signer-authenticode-signing
+do_step sync-after-authenticode-signing
+do_step authenticode-timestamping
+do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -20,4 +20,5 @@ do
tmpsig=$(mktemp)
echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
mv -f "$tmpsig" "${i}.asc"
+ chmod 644 "${i}.asc"
done
=====================================
tools/signing/linux-signer-sign-android-apks
=====================================
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.generated-config"
+
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
+projname=$(project-name)
+# tbb_version_type is used in wrappers/sign-apk, so we export it
+export tbb_version_type
+
+check_installed_packages() {
+ local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+ for package in $packages
+ do
+ dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+ exit_error "package $package is missing"
+ done
+}
+
+setup_build_tools() {
+ build_tools_dir=/signing/android-build-tools
+ test -f "$build_tools_dir"/android-12/apksigner || \
+ exit_error "$build_tools_dir/android-12/apksigner is missing"
+ export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+sign_apk() {
+ sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
+}
+
+verify_apk() {
+ verified=$(apksigner verify --print-certs --verbose "$1")
+ scheme_v1="Verified using v1 scheme (JAR signing): true"
+ scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
+
+ # Verify the expected signing key was used, Alpha verses Release based on the filename.
+ if test "$tbb_version_type" = "alpha"; then
+ cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
+ else
+ cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
+ fi
+ for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
+ if ! echo "${verified}" | grep -q "${digest}"; then
+ echo "Expected digest not found:"
+ echo ${digest}
+ echo "in:"
+ echo ${verified}
+ exit 1
+ fi
+ done
+}
+
+check_installed_packages
+
+if [ -z "$KSPASS" ]; then
+ echo "Enter keystore passphrase"
+ stty -echo; read KSPASS; stty echo
+ export KSPASS
+fi
+
+setup_build_tools
+
+mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+
+# Sign all packages
+for arch in ${ARCHS}; do
+ qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
+ signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
+ sign_apk "$qa_apk" "$signed_apk"
+ verify_apk "$signed_apk"
+ cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
+done
+
+rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
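Review bot: in `verify_apk`, `grep -q "${digest}"` treats each expected line as a regular expression, so the `.` characters in the strings match any character; use `grep -qF` so the scheme and digest lines are compared literally. The failure branch should quote `"${digest}"` and `"${verified}"` so the apksigner output is printed with its line breaks. The group-writable `~/"$SIGNING_PROJECTNAME-$tbb_version-apks"` directory is removed only on the success path; a `trap` on EXIT would also remove it when signing or verification exits early.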
=====================================
tools/signing/linux-signer-sign-android-apks.torbrowser
=====================================
@@ -0,0 +1 @@
+linux-signer-sign-android-apks
\ No newline at end of file
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -83,11 +83,12 @@ create_group signing
create_user signing-gpg
create_user signing-mar
create_user signing-win yubihsm
-
+create_user signing-apk signing
sudoers_file sign-gpg
sudoers_file sign-mar
sudoers_file sign-exe
+sudoers_file sign-apk
authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
create_user richard signing
@@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl
# Install deps for building yubihsm-shell
install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+# Install deps for android/apk signing
+install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
+
# Build and install yubihsm-pkcs11 package
create_user build-pkgs
if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
@@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then
chmod go+rX "$tmpdir/mar-tools"/*
mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
fi
+
+for rel in release alpha; do
+ keypath=/home/signing-apk/keys/tba_$rel.p12
+ if ! test -f "$keypath"; then
+ echo "$rel key for android should be put in $keypath"
+ else
+ chown signing-apk "$keypath"
+ chmod 700 "$keypath"
+ fi
+done
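Review bot: `chmod 700 "$keypath"` sets the execute bit on a PKCS#12 file; `600` (or `400`, since the wrapper only reads it) is the mode a key file should have. In the missing-key branch the loop only echoes a message and continues, so the setup script can finish with a zero status and no signing key in place; printing to stderr and recording a failure would make that visible. The hunk also sets the owner and mode of the files only, not of `/home/signing-apk/keys` itself.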
=====================================
tools/signing/machines-setup/sudoers.d/sign-apk
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk
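Review bot: the `%signing` rule names the wrapper with no argument list, so sudo accepts any arguments, and the wrapper hands `$1` and `$2` to `sign_apk`, which copies from the first and ends with `mv -f "${SIGNED_APK}" "$OUTPUTAPK"` on the second. Any member of `signing` can therefore make `signing-apk` read or overwrite any path that account can reach. Have the wrapper check that both paths sit under the expected per-version directory before using them. Separately, `env_keep` passes `KSPASS` through the environment; note in the commit message or a comment that the keystore passphrase travels this way, so the exposure is a documented decision.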
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
echo "Fetched $yubihsm_filename"
fi
+android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
+if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
+ ./rbm/rbm build --step get_build_tools android-toolchain
+ echo "Fetched $android_build_tools_filename"
+fi
+
signing_machine='linux-signer'
setup_user='setup'
signing_dir='/signing'
@@ -43,14 +49,26 @@ signing_dir='/signing'
echo "Uploading $osslsigncodefile to $signing_machine"
chmod go+r "./out/osslsigncode/$osslsigncodefile"
rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+
echo "Uploading rbm.tar to $signing_machine"
rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+
echo "Uploading $martools_filename"
chmod go+r "./out/mar-tools/$martools_filename"
rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+
echo "Uploading $yubihsm_filename"
chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+
+echo "Uploading $android_build_tools_filename"
+chmod go+r "./out/android-toolchain/$android_build_tools_filename"
+rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
+echo "Extracting $android_build_tools_filename"
+ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
+ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
+ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
+
echo "Uploading tor-browser-build.tar to $signing_machine"
scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
echo "Extracting tor-browser-build.tar on $signing_machine"
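Review bot: the last added ssh line runs `chmod -R o+rX` on `$signing_dir/$android_build_tools_filename`, which is the uploaded zip, not the `$signing_dir/android-build-tools` directory that `unzip -d` has just filled, so the extracted `apksigner` keeps whatever modes unzip gave it. Point the chmod at the directory. `$signing_dir/android-build-tools` is also unquoted in the `mkdir -p` and `unzip` lines, unlike the other remote paths here, and `unzip -qo` into an existing directory leaves files from an older toolchain in place; removing the directory before extracting avoids mixing versions.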
=====================================
tools/signing/set-config.android-signing deleted
=====================================
@@ -1,7 +0,0 @@
-# The following line should be uncommented and updated:
-
-#ssh_host_pkgstage=tbbuild
-#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
-#android_signing_key_dir=/path/to/signing/key/dir
-
-var_is_defined ssh_host_pkgstage android_signing_key_dir
=====================================
tools/signing/android-signing → tools/signing/wrappers/sign-apk
=====================================
@@ -1,69 +1,34 @@
#!/bin/bash
-
-# Sign apk for each target architecture.
-# This script does not require command line argument, but it needs
-# some configuration options to be set in set-config.android-signing:
-# - ssh_host_pkgstage is the host which you use for staging packages
-# during signing. The script will download the unsigned .apk files
-# from this host, and upload the signed .apk there
-# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
-# on pkgstage
-# - android_signing_key_dir: the local path where the android signing
-# keys are located. That directory should contains files tba_alpha.p12
-# and tba_release.p12 for alpha and release signing keys.
-# The Tor Browser version is taken from set-config.tbb-version
-
set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.android-signing"
-topdir="$script_dir/../.."
-ARCHS="armv7 aarch64 x86 x86_64"
-projname=$(project-name)
-
-android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
-test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
-
-check_installed_packages() {
- local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
- for package in $packages
+function exit_error {
+ for msg in "$@"
do
- dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
- exit_error "package $package is missing"
+ echo "$msg" >&2
done
+ exit 1
}
+if test "$tbb_version_type" != 'release' \
+ && test "$tbb_version_type" != 'alpha'; then
+ exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
+fi
+
+android_signing_key_dir=/home/signing-apk/keys
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
+
setup_build_tools() {
- local rbm="$topdir/rbm/rbm"
- local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
- if ! test -f "$build_tools_zipfile"; then
- "$rbm" build --step get_build_tools android-toolchain
- test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
- fi
- local build_tools_dir=$(mktemp -d)
- trap "rm -Rf $build_tools_dir" EXIT
- unzip -d "$build_tools_dir" "$build_tools_zipfile"
+ build_tools_dir=/signing/android-build-tools
test -f "$build_tools_dir"/android-12/apksigner || \
exit_error "$build_tools_dir/android-12/apksigner is missing"
export PATH="$build_tools_dir/android-12:${PATH}"
}
-download_unsigned_apks() {
- apks_dir=$(mktemp -d)
- trap "rm -Rf $apks_dir" EXIT
- rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
-}
-
-upload_signed_apks() {
- rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
- --exclude="*-unsigned.apk" "$apks_dir/" \
- "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
-}
-
# Sign individual apk
sign_apk() {
INPUTAPK="$1"
+ OUTPUTAPK="$2"
# https://developer.android.com/studio/publish/app-signing#sign-manually
# After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
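Review bot: the new head of the wrapper validates `tbb_version_type` before building the key path, which is good, but the visible lines do not check who is running it or that `KSPASS` is set. `wrappers/sign-exe` begins with `if test $(whoami) != 'signing-win'`; an equivalent test for `signing-apk` here would keep the two wrappers consistent. The removed `if [ -z "$KSPASS" ]` prompt has no replacement, so an empty passphrase is only discovered when the signing step fails; an early `exit_error` for an empty `KSPASS` would give a clearer message.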
@@ -75,10 +40,11 @@ sign_apk() {
echo Aligning and signing ${INPUTAPK}
# Append the different stages of signing
- UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
+ UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
+ # ${INPUTAPK} is full path. We copy to local tmp directory.
cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
# Step 1: Align
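Review bot: on the changed `UNSIGNED_UNALIGNED_APK` line the pattern `s/\.apk/-unsigned-unaligned.apk/` is unanchored, so it rewrites the first `.apk` in the basename rather than the suffix; `\.apk$` states the intent. Since the line is being touched anyway, `$(...)` instead of backticks would match the `$(mktemp -d)` style used further down. The added comment says `${INPUTAPK}` is a full path, but nothing enforces it.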
@@ -117,67 +83,16 @@ sign_apk() {
exit 1
fi
+ mv -f "${SIGNED_APK}" "$OUTPUTAPK"
echo apksigner verify succeeded
}
-# Rename and verify signing certificate
-finalize() {
- for arch in ${ARCHS}; do
- mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
- done
-
- for arch in ${ARCHS}; do
- verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
- scheme_v1=
- scheme_v2=
- cert_digest=
- pubkey_digest=
-
- # Verify the expected signing key was used, Alpha verses Release based on the filename.
- if test "$tbb_version_type" = "alpha"; then
- scheme_v1="Verified using v1 scheme (JAR signing): true"
- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
- cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
- pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
- else
- scheme_v1="Verified using v1 scheme (JAR signing): true"
- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
- cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
- pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
- fi
- for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
- if ! `echo "${verified}" | grep -q "${digest}"`; then
- echo "Expected digest not found:"
- echo ${digest}
- echo "in:"
- echo ${verified}
- exit 1
- fi
- done
- done
-
- echo Done.
-}
-
-check_installed_packages
-
-if [ -z "$KSPASS" ]; then
- echo "Enter keystore passphrase"
- stty -echo; read KSPASS; stty echo
- export KSPASS
-fi
-
setup_build_tools
-download_unsigned_apks
-
-cd $apks_dir
-
-# Sign all packages
-for arch in ${ARCHS}; do
- sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
-done
+tmpdir=$(mktemp -d)
+cd "$tmpdir"
-finalize
+sign_apk "$1" "$2"
-upload_signed_apks
+cd -
+rm -Rf "$tmpdir"
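Review bot: `sign_apk "$1" "$2"` runs after `cd "$tmpdir"`, so a relative `$2` makes `mv -f "${SIGNED_APK}" "$OUTPUTAPK"` place the signed APK inside the directory that `rm -Rf "$tmpdir"` then deletes, and a relative `$1` is not found at all. Reject arguments that are missing or do not start with `/` before the `cd`. The old code removed its temporary directories with `trap ... EXIT`; with `set -e` still in effect, the plain `rm -Rf` at the end is skipped whenever `sign_apk` fails, leaving APK copies in the temporary directory. The certificate and public key digest check from the removed `finalize` now depends entirely on the caller's `verify_apk`; a comment here saying so would help the next reader.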
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then
exit 2
fi
-yubipass="$1"
+pass="$1"
to_sign_exe="$2"
-tpo_cert=/home/signing-win/tpo-cert.crt
+key_dir=/home/signing-win/keys/key-1
+tpo_cert=$key_dir/the_tor_project_inc.crt
+tpo_key=$key_dir/private.pem
if ! test -f "$tpo_cert"; then
echo "File $tpo_cert is missing" >&2
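Review bot: the existence test that follows the new variables still covers `$tpo_cert` only; `$tpo_key` is introduced here without a matching `test -f`, so a missing `private.pem` surfaces later as an osslsigncode error. Add the same check for the key. Also, `pass` is less descriptive than `yubipass` was; a name such as `key_pass` would say what the passphrase unlocks now that it is no longer the YubiHSM one.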
@@ -26,12 +28,10 @@ rm -f "$output_signed_exe"
export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
/home/signing-win/osslsigncode/bin/osslsigncode \
- -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
- -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
- -pass "$yubipass" \
+ -pass "$pass" \
-h sha256 \
-certs "$tpo_cert" \
- -key 1c40 \
+ -key "$tpo_key" \
"$to_sign_exe" "$output_signed_exe"
chmod 644 "$output_signed_exe"
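Review bot: with `-pkcs11engine` and `-pkcs11module` removed and `-key "$tpo_key"` pointing at a PEM file, the `export 'YUBIHSM_PKCS11_CONF=...'` context line above the command no longer has a consumer in this invocation and should go with them. The change also moves the Windows signing key from an HSM key id (`-key 1c40`) to a file under `/home/signing-win/keys/key-1`; that is a change in how the key is protected, not only in how it is addressed, and deserves a sentence in the commit message plus explicit owner and mode handling for `private.pem` in the setup script.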
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/…

[Git][tpo/applications/tor-browser][tor-browser-102.12.0esr-12.5-1] 2 commits: fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
by richard (@richard) 12 Jun '23
richard pushed to branch tor-browser-102.12.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
ed4de432 by Henry Wilkes at 2023-06-12T18:34:45+01:00
fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
Bug 41826 - Tweak tor connect status styling in titlebar and connection
preferences.
- - - - -
5e9deb63 by Henry Wilkes at 2023-06-12T18:34:46+01:00
fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection
Bug 41826 - Tweak tor connect status styling in titlebar and connection
preferences.
- - - - -
7 changed files:
- browser/base/content/navigator-toolbox.inc.xhtml
- browser/components/torconnect/content/aboutTorConnect.css
- browser/components/torconnect/content/tor-connect-broken.svg
- browser/components/torconnect/content/tor-not-connected-to-connected-animated.svg
- browser/components/torconnect/content/torConnectTitlebarStatus.css
- browser/components/torconnect/content/torConnectTitlebarStatus.js
- browser/components/torpreferences/content/torPreferences.css
Changes:
=====================================
browser/base/content/navigator-toolbox.inc.xhtml
=====================================
@@ -94,8 +94,7 @@
<hbox class="private-browsing-indicator"/>
<html:div id="tor-connect-titlebar-status" role="status">
- <html:img id="tor-connect-titlebar-status-icon"
- alt=""
+ <html:img alt=""
src="chrome://browser/content/torconnect/tor-not-connected-to-connected-animated.svg" />
<html:span id="tor-connect-titlebar-status-label"></html:span>
</html:div>
=====================================
browser/components/torconnect/content/aboutTorConnect.css
=====================================
@@ -70,8 +70,9 @@ input[type="checkbox"]:focus, select:focus {
display: inline list-item;
height: 16px;
list-style-position: inside;
+ -moz-context-properties: fill, stroke;
fill: currentColor;
- -moz-context-properties: fill;
+ stroke: currentColor;
}
.breadcrumb-item.active {
@@ -315,6 +316,7 @@ body {
-moz-context-properties: stroke, fill, fill-opacity;
fill-opacity: var(--onion-opacity);
fill: var(--onion-color);
+ stroke: var(--onion-color);
}
.title.offline {
=====================================
browser/components/torconnect/content/tor-connect-broken.svg
=====================================
@@ -7,5 +7,5 @@
<path d="M10.5086 11.2146L11.3423 12.0483C10.8375 12.4651 10.2534 12.7892 9.616 12.9947V11.744C9.93702 11.6057 10.2367 11.4271 10.5086 11.2146Z" fill="context-fill" fill-opacity="context-fill-opacity" />
<path d="M4.78492 5.49092L3.95137 4.65737C3.20058 5.56555 2.74933 6.73033 2.74933 8C2.74933 10.336 4.27467 12.3147 6.384 12.9947V11.744C4.936 11.12 3.92267 9.67733 3.92267 8C3.92267 7.05341 4.24455 6.18259 4.78492 5.49092Z" fill="context-fill" fill-opacity="context-fill-opacity" />
<path d="M7.16918 7.8752L8.12478 8.83079C8.08406 8.83686 8.04238 8.84 7.99997 8.84C7.53605 8.84 7.15997 8.46392 7.15997 8C7.15997 7.95759 7.16312 7.91592 7.16918 7.8752Z" fill="context-fill" fill-opacity="context-fill-opacity" />
- <path d="M1.15533 1.85684L14.0906 14.7921C14.3511 15.0527 14.3511 15.4751 14.0906 15.7357L14.0906 15.7357C13.83 15.9963 13.4075 15.9963 13.1469 15.7357L0.211679 2.8005C-0.048903 2.53992 -0.0489032 2.11743 0.211682 1.85684C0.472265 1.59626 0.894753 1.59626 1.15533 1.85684Z" fill="context-fill" fill-opacity="context-fill-opacity" />
+ <path d="M1.15533 1.85684L14.0906 14.7921C14.3511 15.0527 14.3511 15.4751 14.0906 15.7357L14.0906 15.7357C13.83 15.9963 13.4075 15.9963 13.1469 15.7357L0.211679 2.8005C-0.048903 2.53992 -0.0489032 2.11743 0.211682 1.85684C0.472265 1.59626 0.894753 1.59626 1.15533 1.85684Z" fill="context-stroke" fill-opacity="context-fill-opacity" />
</svg>
=====================================
browser/components/torconnect/content/tor-not-connected-to-connected-animated.svg
=====================================
@@ -1,8 +1,15 @@
<svg width="176" height="16" viewBox="0 0 176 16" xmlns="http://www.w3.org/2000/svg">
- <path d="M 3.32745,2.13475 C 4.60904,1.11241 6.23317,0.50133 8,0.50133 c 4.1414,0 7.4987,3.35732 7.4987,7.49867 0,1.7671 -0.6111,3.3911 -1.6335,4.6725 L 13.0315,11.8388 C 13.8448,10.7747 14.328,9.4444 14.328,8 14.328,4.504 11.496,1.67199 8,1.67199 c -1.4438,0 -2.77436,0.48303 -3.83895,1.29636 z" fill="context-fill" />
- <path d="M 6.56042,5.36771 7.44805,6.25534 C 7.6222,6.20033 7.80763,6.17067 8,6.17067 c 1.0107,0 1.8294,0.81867 1.8294,1.82933 0,0.1924 -0.0297,0.3779 -0.0847,0.552 l 0.8877,0.8877 C 10.8667,9.0122 11,8.5216 11,8 11,6.34399 9.656,5 8,5 7.47846,5 6.98784,5.13332 6.56042,5.36771 Z" fill="context-fill" />
- <path d="M 12.2609,11.0682 C 12.8837,10.2055 13.2507,9.1457 13.2507,8 c 0,-2.89867 -2.352,-5.25067 -5.25073,-5.25067 -1.14511,0 -2.20491,0.36706 -3.06809,0.98988 l 0.84285,0.84286 c 0.6397,-0.41709 1.40395,-0.6594 2.22524,-0.6594 2.25333,0 4.07733,1.82399 4.07733,4.07733 0,0.8206 -0.2425,1.585 -0.6598,2.2248 z" fill="context-fill" />
- <path fill-rule="evenodd" d="M 14.0906,14.7921 1.15536,1.85684 c -0.26058,-0.26058 -0.68307,-0.26058 -0.94365,0 -0.26059,0.26059 -0.26059,0.68308 -1e-5,0.94366 L 1.56286,4.15166 C 0.88882,5.2767 0.50135,6.59311 0.50135,8 c 0,3.5867 2.51734,6.584 5.88267,7.3227 0.352,0.0773 0.70932,0.1306 1.07733,0.1546 v -5.4272 l 1.07735,1.0774 v 4.3498 C 8.9067,15.4533 9.264,15.4 9.616,15.3227 c 0.7992,-0.1755 1.5506,-0.4783 2.2318,-0.8861 l 1.2991,1.2991 c 0.2606,0.2606 0.6831,0.2606 0.9437,0 0.2606,-0.2606 0.2606,-0.683 0,-0.9436 z m -3.1017,-1.2144 -0.804,-0.804 c -0.1841,0.0843 -0.374,0.1582 -0.5689,0.221 v -0.7899 1.9125 c 0.4826,-0.1267 0.9427,-0.309 1.3729,-0.5396 z M 5.02472,7.6135 4.12828,6.71707 C 3.99487,7.1204 3.92268,7.5517 3.92268,8 c 0,1.6773 1.01333,3.12 2.46133,3.744 v 1.2507 C 4.27468,12.3147 2.74934,10.336 2.74934,8 c 0,-0.78002 0.17031,-1.52045 0.47575,-2.18611 L 2.42112,5.00992 C 1.94312,5.90024 1.67202,6.91834 1.67202,8 c 0,2.9387 2,5.4053 4.712,6.1173 V 10.528 C 5.55202,9.9947 5.00002,9.0613 5.00002,8 c 0,-0.1309 0.0084,-0.2599 0.0247,-0.3865 z" fill="context-fill" />
+ <!-- First frame, same as tor-connect-broken.svg -->
+ <path d="M3.32745 2.13476C4.60904 1.11242 6.23317 0.501331 8 0.501331C12.1414 0.501331 15.4987 3.85866 15.4987 8C15.4987 9.76709 14.8876 11.3911 13.8652 12.6725L13.0315 11.8388C13.8448 10.7747 14.328 9.44438 14.328 8C14.328 4.50401 11.496 1.672 8 1.672C6.5562 1.672 5.22564 2.15503 4.16105 2.96836L3.32745 2.13476Z" fill="context-fill" />
+ <path d="M2.35636 3.06235C1.20135 4.38144 0.501343 6.10899 0.501343 8C0.501343 11.5867 3.01868 14.584 6.38401 15.3227C6.73601 15.4 7.09333 15.4533 7.46134 15.4773V9.74933C6.71467 9.52 6.17068 8.82401 6.17068 8C6.17068 7.67615 6.25474 7.37202 6.40223 7.10822L5.55539 6.26138C5.20574 6.75196 5.00001 7.3521 5.00001 8C5.00001 9.06133 5.55201 9.99466 6.38401 10.528V14.1173C3.67201 13.4053 1.67201 10.9387 1.67201 8C1.67201 6.43179 2.24187 4.99718 3.18588 3.89187L2.35636 3.06235Z" fill="context-fill" />
+ <path d="M6.56041 5.36771L7.44804 6.25534C7.62219 6.20033 7.80762 6.17067 8.00001 6.17067C9.01067 6.17067 9.82934 6.98934 9.82934 8C9.82934 8.19242 9.79968 8.37785 9.7447 8.552L10.6324 9.43967C10.8667 9.01221 11 8.52156 11 8C11 6.34399 9.65601 5 8.00001 5C7.47845 5 6.98783 5.13332 6.56041 5.36771Z" fill="context-fill" />
+ <path d="M9.73889 10.4449L8.89214 9.59813C8.78095 9.66036 8.6626 9.71127 8.53868 9.74933V15.4773C8.90668 15.4533 9.26401 15.4 9.61601 15.3227C10.8695 15.0475 12.0054 14.459 12.9374 13.6434L12.1076 12.8136C11.396 13.4207 10.5481 13.8726 9.61601 14.1173V10.528C9.65768 10.5013 9.69865 10.4736 9.73889 10.4449Z" fill="context-fill" />
+ <path d="M12.2609 11.0682C12.8837 10.2055 13.2507 9.14573 13.2507 8C13.2507 5.10133 10.8987 2.74933 7.99999 2.74933C6.85488 2.74933 5.79508 3.11639 4.9319 3.73921L5.77475 4.58207C6.41445 4.16498 7.1787 3.92267 7.99999 3.92267C10.2533 3.92267 12.0773 5.74666 12.0773 8C12.0773 8.82056 11.8348 9.58497 11.4175 10.2248L12.2609 11.0682Z" fill="context-fill" />
+ <path d="M10.5086 11.2146L11.3423 12.0483C10.8375 12.4651 10.2534 12.7892 9.616 12.9947V11.744C9.93702 11.6057 10.2367 11.4271 10.5086 11.2146Z" fill="context-fill" />
+ <path d="M4.78492 5.49092L3.95137 4.65737C3.20058 5.56555 2.74933 6.73033 2.74933 8C2.74933 10.336 4.27467 12.3147 6.384 12.9947V11.744C4.936 11.12 3.92267 9.67733 3.92267 8C3.92267 7.05341 4.24455 6.18259 4.78492 5.49092Z" fill="context-fill" />
+ <path d="M7.16918 7.8752L8.12478 8.83079C8.08406 8.83686 8.04238 8.84 7.99997 8.84C7.53605 8.84 7.15997 8.46392 7.15997 8C7.15997 7.95759 7.16312 7.91592 7.16918 7.8752Z" fill="context-fill" />
+ <path d="M1.15533 1.85684L14.0906 14.7921C14.3511 15.0527 14.3511 15.4751 14.0906 15.7357L14.0906 15.7357C13.83 15.9963 13.4075 15.9963 13.1469 15.7357L0.211679 2.8005C-0.048903 2.53992 -0.0489032 2.11743 0.211682 1.85684C0.472265 1.59626 0.894753 1.59626 1.15533 1.85684Z" fill="context-stroke" />
+ <!-- End of first frame. -->
<path d="m 26.5604,5.36771 0.8877,0.88763 C 27.6222,6.20033 27.8076,6.17067 28,6.17067 c 1.0107,0 1.8294,0.81867 1.8294,1.82933 0,0.1924 -0.0297,0.3779 -0.0847,0.552 l 0.8877,0.8877 C 30.8667,9.0122 31,8.5216 31,8 31,6.34399 29.656,5 28,5 27.4785,5 26.9878,5.13332 26.5604,5.36771 Z" fill="context-fill" />
<path d="M 32.2609,11.0682 C 32.8837,10.2055 33.2507,9.1457 33.2507,8 33.2507,5.10133 30.8987,2.74933 28,2.74933 c -1.1451,0 -2.2049,0.36706 -3.0681,0.98988 l 0.8428,0.84286 c 0.6397,-0.41709 1.404,-0.6594 2.2253,-0.6594 2.2533,0 4.0773,1.82399 4.0773,4.07733 0,0.8206 -0.2425,1.585 -0.6598,2.2248 z" fill="context-fill" />
<path fill-rule="evenodd" d="M 25.1667,1.05506 C 26.0409,0.69808 26.9975,0.50133 28,0.50133 c 4.1414,0 7.4987,3.35732 7.4987,7.49867 0,1.7671 -0.6111,3.3911 -1.6335,4.6725 L 33.0315,11.8388 C 33.8448,10.7747 34.328,9.4444 34.328,8 34.328,4.504 31.496,1.67199 28,1.67199 c -1.4438,0 -2.7744,0.48303 -3.8389,1.29636 L 24.1597,2.96703 c -0.3568,0.27263 -0.6838,0.58239 -0.9752,0.9235 l 0.0014,0.00134 C 22.2419,4.99718 21.672,6.43179 21.672,8 c 0,1.7592 0.7167,3.3492 1.8739,4.4949 0.473,0.4681 1.0196,0.862 1.6208,1.1628 0.385,0.1928 0.7924,0.3481 1.2173,0.4596 V 10.528 C 25.552,9.9947 25,9.0613 25,8 25,7.8685 25.0085,7.7389 25.0249,7.6118 L 24.1287,6.71563 C 23.995,7.11937 23.9227,7.5512 23.9227,8 c 0,1.6773 1.0133,3.12 2.4613,3.744 v 1.2507 C 24.2747,12.3147 22.7493,10.336 22.7493,8 c 0,-0.78053 0.1706,-1.52142 0.4764,-2.18742 L 22.8632,5.45009 c -0.2597,-0.2597 -0.2597,-0.68075 0,-0.94045 0.2597,-0.2597 0.6808,-0.2597 0.9405,0 L 34.0943,14.8002 c 0.2597,0.2597 0.2597,0.6808 0,0.9405 -0.2597,0.2597 -0.6808,0.2597 -0.9405,0 L 31.849,14.4359 c -0.6815,0.4082 -1.4333,0.7112 -2.233,0.8868 -0.352,0.0773 -0.7093,0.1306 -1.0773,0.1546 v -4.3518 l -1.0774,-1.0773 v 5.4291 C 27.0933,15.4533 26.736,15.4 26.384,15.3227 24.9758,15.0136 23.7161,14.309 22.7272,13.3313 21.3519,11.9723 20.5,10.0852 20.5,7.9987 20.5,4.85935 22.4292,2.17055 25.1667,1.05319 Z M 29.616,14.1173 v -1.9144 0.7918 c 0.1953,-0.063 0.3857,-0.1371 0.5702,-0.2216 l 0.804,0.804 c -0.4306,0.2309 -0.8911,0.4134 -1.3742,0.5402 z" fill="context-fill" />
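Review bot: the added comment says the first frame is the same as `tor-connect-broken.svg`, but the paths in that file carry `fill-opacity="context-fill-opacity"` and the copies added here do not, so the two are not identical. Either say "same paths as" in the comment or note the difference. Because the frame is now duplicated path data, a reminder in `tor-connect-broken.svg` that this file must be updated with it would keep the two from drifting.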
=====================================
browser/components/torconnect/content/torConnectTitlebarStatus.css
=====================================
@@ -10,9 +10,10 @@
white-space: nowrap;
}
-#tor-connect-titlebar-status-icon {
- -moz-context-properties: fill;
+#tor-connect-titlebar-status img {
+ -moz-context-properties: fill, stroke;
fill: currentColor;
+ stroke: currentColor;
width: 16px;
height: 16px;
object-fit: none;
@@ -24,28 +25,31 @@
object-position: var(--tor-not-connected-offset);
}
-#tor-connect-titlebar-status-icon.tor-connect-status-potentially-blocked:not(
- .tor-connect-status-connected
-) {
- fill: #c50042;
+#tor-connect-titlebar-status.tor-connect-status-potentially-blocked img {
+ /* NOTE: context-stroke is only used for the first "frame" for the slash. When
+ * we assign the potentially-blocked class, we do *not* expect to be connected
+ * at the same time, so we only expect this first frame to be visible in this
+ * state. */
+ stroke: #c50042;
}
@media (prefers-color-scheme: dark) {
- #tor-connect-titlebar-status-icon.tor-connect-status-potentially-blocked:not(
- .tor-connect-status-connected
- ){
- fill: #ff9aa2;
+ #tor-connect-titlebar-status.tor-connect-status-potentially-blocked img {
+ stroke: #ff9aa2;
}
}
-#tor-connect-titlebar-status-icon.tor-connect-status-connected {
- fill: var(--purple-60);
+#tor-connect-titlebar-status.tor-connect-status-connected img {
object-position: var(--tor-connected-offset);
}
+#tor-connect-titlebar-status.tor-connect-status-connected {
+ color: var(--purple-60);
+}
+
@media (prefers-color-scheme: dark) {
- #tor-connect-titlebar-status-icon.tor-connect-status-connected {
- fill: var(--purple-30);
+ #tor-connect-titlebar-status.tor-connect-status-connected {
+ color: var(--purple-30);
}
}
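Review bot: the old potentially-blocked selector carried `:not(.tor-connect-status-connected)`; the new one drops it and relies on the NOTE's expectation that the two classes are never set together, but `torConnectTitlebarStatus.js` toggles them independently from `connected` and `potentiallyBlocked`, so nothing enforces that. Either keep the `:not()` guard on the parent selector or state in the JS where the invariant comes from. The `#c50042` and `#ff9aa2` values are also repeated in `torPreferences.css` with a "Same as" comment; a shared custom property would remove the need for it.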
@@ -60,8 +64,11 @@
}
@media (prefers-reduced-motion: no-preference) {
- #tor-connect-titlebar-status-icon.tor-connect-status-connected {
- transition: fill 1000ms;
+ #tor-connect-titlebar-status.tor-connect-status-connected {
+ transition: color 1000ms;
+ }
+
+ #tor-connect-titlebar-status.tor-connect-status-connected img {
animation-name: onion-not-connected-to-connected;
animation-delay: 200ms;
animation-fill-mode: both;
=====================================
browser/components/torconnect/content/torConnectTitlebarStatus.js
=====================================
@@ -16,12 +16,6 @@ var gTorConnectTitlebarStatus = {
* @type {Element}
*/
label: null,
- /**
- * The status icon.
- *
- * @type {Element}
- */
- icon: null,
/**
* Initialize the component.
@@ -34,7 +28,6 @@ var gTorConnectTitlebarStatus = {
this._strings = TorStrings.torConnect;
this.node = document.getElementById("tor-connect-titlebar-status");
- this.icon = document.getElementById("tor-connect-titlebar-status-icon");
this.label = document.getElementById("tor-connect-titlebar-status-label");
// The title also acts as an accessible name for the role="status".
this.node.setAttribute("title", this._strings.titlebarStatusName);
@@ -91,8 +84,8 @@ var gTorConnectTitlebarStatus = {
break;
}
this.label.textContent = this._strings[textId];
- this.icon.classList.toggle("tor-connect-status-connected", connected);
- this.icon.classList.toggle(
+ this.node.classList.toggle("tor-connect-status-connected", connected);
+ this.node.classList.toggle(
"tor-connect-status-potentially-blocked",
potentiallyBlocked
);
=====================================
browser/components/torpreferences/content/torPreferences.css
=====================================
@@ -32,8 +32,9 @@ html:dir(rtl) input[type="checkbox"].toggle-button::before {
width: 18px;
height: 18px;
margin-inline-end: 8px;
- -moz-context-properties: fill;
- fill: var(--in-content-text-color);
+ -moz-context-properties: fill, stroke;
+ fill: currentColor;
+ stroke: currentColor;
}
#torPreferences-status-internet .torPreferences-status-icon {
@@ -59,23 +60,16 @@ html:dir(rtl) input[type="checkbox"].toggle-button::before {
#torPreferences-status-tor-connect.connected .torPreferences-status-icon {
list-style-image: url("chrome://browser/content/torconnect/tor-connect.svg");
- fill: var(--purple-60);
-}
-
-@media (prefers-color-scheme: dark) {
- #torPreferences-status-tor-connect.connected .torPreferences-status-icon {
- fill: var(--purple-30);
- }
}
#torPreferences-status-tor-connect.blocked .torPreferences-status-icon {
/* Same as .tor-connect-status-potentially-blocked. */
- fill: #c50042;
+ stroke: #c50042;
}
@media (prefers-color-scheme: dark) {
#torPreferences-status-tor-connect.blocked .torPreferences-status-icon {
- fill: #ff9aa2;
+ stroke: #ff9aa2;
}
}
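Review bot: this hunk removes `fill: var(--purple-60)` and its dark-mode `--purple-30` variant from the `.connected` icon without adding a `color` rule in their place, while the titlebar stylesheet in the same commit keeps the purple by setting `color` on the parent. With `fill: currentColor` from the earlier hunk, the connected icon in preferences now takes the text colour. If that is the intended tweak, say so in the commit message; if not, add `color: var(--purple-60)` and the dark variant on `#torPreferences-status-tor-connect.connected`.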
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/5e35ef…

[Git][tpo/applications/tor-browser][tor-browser-102.12.0esr-13.0-1] fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
by Pier Angelo Vendrame (@pierov) 12 Jun '23
Pier Angelo Vendrame pushed to branch tor-browser-102.12.0esr-13.0-1 at The Tor Project / Applications / Tor Browser
Commits:
bdf8a647 by Henry Wilkes at 2023-06-12T18:06:58+02:00
fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
Bug 41836: Rename deinit to uninit.
- - - - -
2 changed files:
- browser/components/torconnect/content/torConnectTitlebarStatus.js
- browser/components/torconnect/content/torConnectUrlbarButton.js
Changes:
=====================================
browser/components/torconnect/content/torConnectTitlebarStatus.js
=====================================
@@ -56,7 +56,7 @@ var gTorConnectTitlebarStatus = {
/**
* De-initialize the component.
*/
- deinit() {
+ uninit() {
Services.obs.removeObserver(this._stateListener, this._observeTopic);
},
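Review bot: `deinit()` is renamed at its definition here, but the only call site updated in this two-file commit is `this.deinit()` inside `gTorConnectUrlbarButton`; no caller of `gTorConnectTitlebarStatus.deinit()` appears in the diff. A leftover call elsewhere would throw at window teardown and leave the observer registered, so confirm with a tree-wide search for `.deinit(` on both objects that the callers were renamed in the same series.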
=====================================
browser/components/torconnect/content/torConnectUrlbarButton.js
=====================================
@@ -89,7 +89,7 @@ var gTorConnectUrlbarButton = {
/**
* Deactivate and de-initialize the button.
*/
- deinit() {
+ uninit() {
if (!this._isActive) {
return;
}
@@ -115,7 +115,7 @@ var gTorConnectUrlbarButton = {
TorConnect.state === TorConnectState.Bootstrapped ||
TorConnect.state === TorConnectState.Disabled
) {
- this.deinit();
+ this.uninit();
return;
}
this._updateButtonVisibility();
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/bdf8a64…

[Git][tpo/applications/tor-browser][tor-browser-102.12.0esr-12.5-1] fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
by Pier Angelo Vendrame (@pierov) 12 Jun '23
Pier Angelo Vendrame pushed to branch tor-browser-102.12.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
5e35ef8d by Henry Wilkes at 2023-06-12T16:04:27+01:00
fixup! Bug 27476: Implement about:torconnect captive portal within Tor Browser
Bug 41836: Rename deinit to uninit.
- - - - -
2 changed files:
- browser/components/torconnect/content/torConnectTitlebarStatus.js
- browser/components/torconnect/content/torConnectUrlbarButton.js
Changes:
=====================================
browser/components/torconnect/content/torConnectTitlebarStatus.js
=====================================
@@ -56,7 +56,7 @@ var gTorConnectTitlebarStatus = {
/**
* De-initialize the component.
*/
- deinit() {
+ uninit() {
Services.obs.removeObserver(this._stateListener, this._observeTopic);
},
=====================================
browser/components/torconnect/content/torConnectUrlbarButton.js
=====================================
@@ -89,7 +89,7 @@ var gTorConnectUrlbarButton = {
/**
* Deactivate and de-initialize the button.
*/
- deinit() {
+ uninit() {
if (!this._isActive) {
return;
}
@@ -115,7 +115,7 @@ var gTorConnectUrlbarButton = {
TorConnect.state === TorConnectState.Bootstrapped ||
TorConnect.state === TorConnectState.Disabled
) {
- this.deinit();
+ this.uninit();
return;
}
this._updateButtonVisibility();
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/5e35ef8…