richard pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

30 changed files:

Changes:

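--- a/tools/signing/do-all-signing
+++ b/tools/signing/do-all-signing
@@ -8,19 +8,9 @@ NON_INTERACTIVE=1
 steps_dir="$signed_version_dir.steps"
 test -d "$steps_dir" || mkdir -p "$steps_dir"
 
-if test -n "$use_rcodesign"
-then
-  test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
-    read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
-  echo
-else
-  test -f "$steps_dir/macos-signer-gatekeeper-signing.done" ||
-    read -sp "Enter macos keychain passphrase: " KEYCHAIN_PW
-  echo
-  test -f "$steps_dir/macos-signer-notarization.done" ||
-    read -sp "Enter macos notarization passphrase: " NOTARIZATION_PW
-  echo
-fi
+test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
+  read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
+echo
 is_project torbrowser && nssdb=torbrowser-nssdb7
 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
 test -f "$steps_dir/linux-signer-signmars.done" ||
@@ -67,52 +57,6 @@ function rcodesign-notary-submit {
   "$script_dir/rcodesign-notary-submit"
 }
 
-function macos-signer-directory-not-present {
-  # To avoid doing two signings at the same time, or to avoid unknowingly
-  # using parts from a previous signing attempt, we check that the
-  # directory does not exist yet (see tor-browser-build#40497)
-  if ssh "$ssh_host_macos_signer" "test -d $tbb_version"
-  then
-    echo "The directory $tbb_version already exists on $ssh_host_macos_signer"
-    return 1
-  fi
-  return 0
-}
-
-function sync-scripts-to-macos-signer {
-  "$script_dir/sync-scripts-to-macos-signer"
-}
-
-function macos-signer-enable-network-proxy-settings {
-  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet on'
-}
-
-function macos-signer-gatekeeper-signing {
-  "$script_dir/sync-macos-local-to-macos-signer"
-  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
-  export KEYCHAIN_PW=$KEYCHAIN_PW
-  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-gatekeeper-signing.$SIGNING_PROJECTNAME
-EOF
-  unset KEYCHAIN_PW
-}
-
-function macos-signer-notarization {
-  ssh "$ssh_host_macos_signer" 'bash -s' << EOF
-  export PW=$NOTARIZATION_PW
-  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-notarization.$SIGNING_PROJECTNAME
-EOF
-  unset NOTARIZATION_PW
-}
-
-function macos-signer-stapler {
-  ssh "$ssh_host_macos_signer" "~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-stapler.$SIGNING_PROJECTNAME"
-  "$script_dir/sync-macos-signer-stapled-to-macos-local-stapled"
-}
-
-function macos-signer-disable-network-proxy-settings {
-  ssh "$ssh_host_macos_signer" 'networksetup -setsecurewebproxystate Ethernet off'
-}
-
 function gatekeeper-bundling {
   "$script_dir/gatekeeper-bundling.sh"
 }
@@ -212,10 +156,6 @@ function upload-update_responses-to-staticiforme {
   "$script_dir/upload-update_responses-to-staticiforme"
 }
 
-function finished-signing-clean-macos-signer {
-  "$script_dir/finished-signing-clean-macos-signer"
-}
-
 function finished-signing-clean-linux-signer {
   "$script_dir/finished-signing-clean-linux-signer"
 }
@@ -233,22 +173,11 @@ export SIGNING_PROJECTNAME
 
 do_step wait-for-finished-build
 do_step sync-builder-unsigned-to-local-signed
-if test -n "$use_rcodesign";
-then
-  do_step sync-scripts-to-linux-signer
-  do_step sync-before-linux-signer-rcodesign-sign
-  do_step linux-signer-rcodesign-sign
-  do_step sync-linux-signer-macos-signed-tar-to-local
-  do_step rcodesign-notary-submit
-else
-  do_step macos-signer-directory-not-present
-  do_step sync-scripts-to-macos-signer
-  do_step macos-signer-enable-network-proxy-settings
-  do_step macos-signer-gatekeeper-signing
-  do_step macos-signer-notarization
-  do_step macos-signer-stapler
-  do_step macos-signer-disable-network-proxy-settings
-fi
+do_step sync-scripts-to-linux-signer
+do_step sync-before-linux-signer-rcodesign-sign
+do_step linux-signer-rcodesign-sign
+do_step sync-linux-signer-macos-signed-tar-to-local
+do_step rcodesign-notary-submit
 do_step gatekeeper-bundling
 do_step dmg2mar
 do_step sync-scripts-to-linux-signer
@@ -272,5 +201,4 @@ do_step sync-local-to-staticiforme
 do_step sync-scripts-to-staticiforme
 do_step staticiforme-prepare-cdn-dist-upload
 do_step upload-update_responses-to-staticiforme
-do_step finished-signing-clean-macos-signer
 do_step finished-signing-clean-linux-signer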
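Review bot: The passphrase prompt at new lines 11–12 now runs unconditionally, but the `read -sp` it keeps still lacks `-r`, so a backslash in the rcodesign passphrase is consumed as an escape and the later key unlock would fail with a misleading error; `read -rsp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW` avoids that. This commit also drops `use_rcodesign=1` from set-config, so any signing script outside this diff that still tests `$use_rcodesign` would now silently take its non-rcodesign branch; that is worth a tree-wide search before merge. The deleted macOS functions did `unset KEYCHAIN_PW` / `unset NOTARIZATION_PW` once the secret had been handed to the remote step, whereas RCODESIGN_PW is read at top level and, in the visible hunks, never cleared; if the linux-signer step exports it, an `unset RCODESIGN_PW` after `do_step linux-signer-rcodesign-sign` would keep that practice. The `linux-signer-rcodesign-sign` function itself is outside these hunks, so whether it exports or unsets the variable cannot be confirmed here.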

  • tools/signing/finished-signing-clean-macos-signer deleted
    1
    -#!/bin/bash
    
    2
    -
    
    3
    -# Remove current tbb version from macos-signer. You should run this
    
    4
    -# when all signing has been done.
    
    5
    -
    
    6
    -set -e
    
    7
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    8
    -source "$script_dir/functions"
    
    9
    -
    
    10
    -var_is_defined ssh_host_macos_signer tbb_version
    
    11
    -
    
    12
    -ssh "$ssh_host_macos_signer" 'bash -s' << EOF
    
    13
    -  test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version"
    
    14
    -EOF

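--- a/tools/signing/gatekeeper-bundling.sh
+++ b/tools/signing/gatekeeper-bundling.sh
@@ -68,11 +68,7 @@ export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools"
 
 cd $tmpdir/dmg
 
-if test -n "$use_rcodesign"; then
-  tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
-else
-  unzip -q $macos_stapled_dir/tb-${tbb_version}_ALL-stapled.zip
-fi
+tar -xf $macos_stapled_dir/"${proj_name}-${tbb_version}-notarized+stapled.tar.zst"
 
 cd ..
 $script_dir/ddmg.sh $macos_signed_dir/${proj_name}-macos-${tbb_version}.dmg $tmpdir/dmg/ "$Proj_Name"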
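Review bot: New line 71 leaves `$macos_stapled_dir` unquoted while only the filename half of the path is quoted, so a stapled-archive directory containing whitespace or a glob character splits into several tar arguments; `tar -xf "$macos_stapled_dir/${proj_name}-${tbb_version}-notarized+stapled.tar.zst"` quotes the whole path in one go. The surrounding context lines (`cd $tmpdir/dmg`, the ddmg.sh call) use the same unquoted style and are not touched by the commit, so this is a pre-existing habit the new line inherits rather than a regression. Extracting a `.tar.zst` with a bare `-xf` relies on tar's compression auto-detection and a zstd binary being present on the bundling host; if that is not guaranteed by the environment, `tar --zstd -xf …` makes the dependency explicit and fails early with a clear message.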
    

  • tools/signing/macos-signer-gatekeeper-signing deleted
    1
    -#!/bin/bash
    
    2
    -set -e
    
    3
    -
    
    4
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    5
    -source "$script_dir/functions"
    
    6
    -source "$script_dir/set-config.generated-config"
    
    7
    -
    
    8
    -ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
    
    9
    -app_name=$(Project_Name)
    
    10
    -
    
    11
    -function check_signature() {
    
    12
    -  LANG=$1
    
    13
    -  UNZIP=$2
    
    14
    -  local failed_open=0
    
    15
    -  local failed_exec=0
    
    16
    -  if [ ${UNZIP} -eq 1 ]
    
    17
    -  then
    
    18
    -    test -d test_${LANG} && rm -r test_${LANG}
    
    19
    -    unzip -d test_${LANG} -q tb-${tbb_version}_$LANG.zip
    
    20
    -    pushd test_${LANG}
    
    21
    -  fi
    
    22
    -  echo "Checking $LANG..."
    
    23
    -  spctl -vvvv --assess --type open --context context:primary-signature "$app_name.app/"
    
    24
    -  if [ $? -ne 3 ]; then
    
    25
    -    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open.
    
    26
    -    failed_open=1
    
    27
    -  fi
    
    28
    -  spctl -vvvv --assess --type exec --context context:primary-signature "$app_name.app/"
    
    29
    -  if [ $? -ne 0 ]; then
    
    30
    -    echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec.
    
    31
    -    failed_exec=1
    
    32
    -  fi
    
    33
    -  if [ ${UNZIP} -eq 1 ]
    
    34
    -  then
    
    35
    -    popd
    
    36
    -    rm -r test_${LANG}
    
    37
    -  fi
    
    38
    -  if [ ${failed_open} -ne 0 -o ${failed_exec} -ne 0 ]
    
    39
    -  then
    
    40
    -    return 1
    
    41
    -  fi
    
    42
    -}
    
    43
    -
    
    44
    -cd ~/$SIGNING_PROJECTNAME-${tbb_version}
    
    45
    -
    
    46
    -if test -n "$KEYCHAIN_PW"
    
    47
    -then
    
    48
    -  KPW="-p $KEYCHAIN_PW"
    
    49
    -fi
    
    50
    -
    
    51
    -security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain
    
    52
    -security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-2021.keychain
    
    53
    -
    
    54
    -unset KPW KEYCHAIN_PW
    
    55
    -
    
    56
    -for LANG in ALL
    
    57
    -do
    
    58
    -  if [ -f tb-${tbb_version}_${LANG}.zip ]
    
    59
    -  then
    
    60
    -    echo "Deleting tb-${tbb_version}_${LANG}.zip"
    
    61
    -    rm tb-${tbb_version}_${LANG}.zip
    
    62
    -  fi
    
    63
    -  if [ -d "$app_name.app" ]
    
    64
    -  then
    
    65
    -    echo "Deleting $app_name.app"
    
    66
    -    rm -r "$app_name.app"
    
    67
    -  fi
    
    68
    -  if [ -d "/Volumes/$app_name" ]; then
    
    69
    -    echo "DMG already mounted. Please correct."
    
    70
    -    exit 1
    
    71
    -  fi
    
    72
    -  hdiutil attach $(project-name)-macos-${tbb_version}.dmg
    
    73
    -  cp -rf "/Volumes/$app_name/$app_name.app" "$app_name.app"
    
    74
    -  echo "Signing ${app_name}_${LANG}.app"
    
    75
    -  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "$app_name.app/"
    
    76
    -  echo "codesign exit code: $?"
    
    77
    -  set +e
    
    78
    -  check_signature $LANG 0
    
    79
    -  if [ $? -eq 1 ]
    
    80
    -  then
    
    81
    -    echo Signature verification failed.
    
    82
    -    rm -r "$app_name.app"
    
    83
    -    hdiutil detach "/Volumes/$app_name"
    
    84
    -    exit 1
    
    85
    -  fi
    
    86
    -  set -e
    
    87
    -  echo "Zipping up tb-${tbb_version}_${LANG}.zip"
    
    88
    -  zip -qr tb-${tbb_version}_${LANG}.zip "$app_name.app"
    
    89
    -  rm -rf "$app_name.app"
    
    90
    -  hdiutil detach "/Volumes/$app_name"
    
    91
    -  set +e
    
    92
    -  check_signature $LANG 1
    
    93
    -  if [ $? -eq 1 ]
    
    94
    -  then
    
    95
    -    echo "Signature verification failed (${LANG})".
    
    96
    -    rm -r "$app_name.app"
    
    97
    -    exit 1
    
    98
    -  fi
    
    99
    -  set -e
    
    100
    -done

  • tools/signing/macos-signer-gatekeeper-signing.mullvadbrowser deleted
    1
    -macos-signer-gatekeeper-signing
    \ No newline at end of file

  • tools/signing/macos-signer-gatekeeper-signing.torbrowser deleted
    1
    -macos-signer-gatekeeper-signing
    \ No newline at end of file

  • tools/signing/macos-signer-notarization deleted
    1
    -#!/bin/bash
    
    2
    -set -e
    
    3
    -
    
    4
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    5
    -source "$script_dir/functions"
    
    6
    -source "$script_dir/set-config.macos-notarization"
    
    7
    -
    
    8
    -ALTOOL=~/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework/Versions/A/Support/altool
    
    9
    -
    
    10
    -cd ~/$SIGNING_PROJECTNAME-${tbb_version}
    
    11
    -
    
    12
    -if [ -z "${PW}" ]; then
    
    13
    -  echo "Please enter notarization password:"
    
    14
    -  stty -echo; read PW; stty echo; export PW
    
    15
    -fi
    
    16
    -
    
    17
    -for LANG in ALL
    
    18
    -do
    
    19
    -  if test -f ${LANG}/tb-${tbb_version}_$LANG.zip.uuid
    
    20
    -  then
    
    21
    -    echo "Skipping ${LANG}/tb-${tbb_version}_$LANG.zip"
    
    22
    -    continue;
    
    23
    -  fi
    
    24
    -  if test -d ${LANG}; then
    
    25
    -    mv ${LANG}/tb-${tbb_version}_$LANG.zip ./
    
    26
    -    rm -r ${LANG}/
    
    27
    -  fi
    
    28
    -  mkdir $LANG
    
    29
    -  cd $LANG
    
    30
    -  mv ../tb-${tbb_version}_$LANG.zip .
    
    31
    -  unzip -q tb-${tbb_version}_$LANG.zip
    
    32
    -  echo "Notarizing $LANG..."
    
    33
    -  $ALTOOL --notarize-app --verbose -t osx -f tb-${tbb_version}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u "$macos_notarization_user" -p @env:PW --output-format xml | tee tb-${tbb_version}_$LANG.zip.log 2>&1
    
    34
    -
    
    35
    -  request_uuid=`grep -A1 RequestUUID tb-${tbb_version}_$LANG.zip.log | grep -o '[0-9a-f]\+[0-9a-f-]\+'`
    
    36
    -  if [ -z "${request_uuid}" ]; then
    
    37
    -    echo "Request UUID not present. Notarization failed"
    
    38
    -    exit 1
    
    39
    -  fi
    
    40
    -  echo ${request_uuid} > tb-${tbb_version}_$LANG.zip.uuid
    
    41
    -  echo "Notarization done for $LANG."
    
    42
    -
    
    43
    -  cd ..
    
    44
    -done

  • tools/signing/macos-signer-notarization.mullvadbrowser deleted
    1
    -macos-signer-notarization
    \ No newline at end of file

  • tools/signing/macos-signer-notarization.torbrowser deleted
    1
    -macos-signer-notarization
    \ No newline at end of file

  • tools/signing/macos-signer-proxy deleted
    1
    -#!/bin/bash
    
    2
    -set -e
    
    3
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    4
    -source "$script_dir/functions"
    
    5
    -
    
    6
    -ssh -R :1080 "$ssh_host_macos_signer" 'python ~/proxy.py --port 8443'

  • tools/signing/macos-signer-proxy.mullvadbrowser deleted
    1
    -macos-signer-proxy
    \ No newline at end of file

  • tools/signing/macos-signer-proxy.torbrowser deleted
    1
    -macos-signer-proxy
    \ No newline at end of file

  • tools/signing/macos-signer-stapler deleted
    1
    -#!/bin/bash
    
    2
    -set -e
    
    3
    -
    
    4
    -read -n 1 -p "Press enter once notarization is complete..."
    
    5
    -
    
    6
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    7
    -source "$script_dir/functions"
    
    8
    -source "$script_dir/set-config.generated-config"
    
    9
    -
    
    10
    -STAPLER=/Users/torbrowser/Xcode.app/Contents//Developer/usr/bin/stapler
    
    11
    -app_name=$(Project_Name)
    
    12
    -
    
    13
    -cd ~/$SIGNING_PROJECTNAME-${tbb_version}
    
    14
    -
    
    15
    -for LANG in ALL
    
    16
    -do
    
    17
    -  echo "Stapling $LANG..."
    
    18
    -  cd $LANG
    
    19
    -  $STAPLER staple "$app_name.app"
    
    20
    -  zip -qr ../tb-${tbb_version}_$LANG-stapled.zip "$app_name.app"
    
    21
    -  cd ..
    
    22
    -done

  • tools/signing/macos-signer-stapler.mullvadbrowser deleted
    1
    -macos-signer-stapler
    \ No newline at end of file

  • tools/signing/macos-signer-stapler.torbrowser deleted
    1
    -macos-signer-stapler
    \ No newline at end of file

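--- a/tools/signing/set-config
+++ b/tools/signing/set-config
@@ -38,5 +38,3 @@ rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 
 tb_builders='boklm dan henry ma1 pierov richard'
 wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
-
-use_rcodesign=1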

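--- a/tools/signing/set-config.hosts
+++ b/tools/signing/set-config.hosts
@@ -1,6 +1,5 @@
 ssh_host_builder=tbbuild
 ssh_host_linux_signer=linux-signer-notor
-ssh_host_macos_signer=mac-signer-notor
 ssh_host_staticiforme=staticiforme.torproject.org
 
 builder_tor_browser_build_dir=/home/user/tor-browser-build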

  • tools/signing/set-config.macos-notarization deleted
    1
    -# The following line should be uncommented and updated:
    
    2
    -
    
    3
    -#macos_notarization_user='user@email'
    
    4
    -
    
    5
    -var_is_defined macos_notarization_user

  • tools/signing/sync-macos-local-to-macos-signer deleted
    1
    -#!/bin/bash
    
    2
    -set -e
    
    3
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    4
    -source "$script_dir/functions"
    
    5
    -
    
    6
    -var_is_defined ssh_host_macos_signer
    
    7
    -
    
    8
    -rsync $rsync_options "$signed_version_dir"/*.dmg "$ssh_host_macos_signer:$SIGNING_PROJECTNAME-$tbb_version/"

  • tools/signing/sync-macos-local-to-macos-signer.mullvadbrowser deleted
    1
    -sync-macos-local-to-macos-signer
    \ No newline at end of file

  • tools/signing/sync-macos-local-to-macos-signer.torbrowser deleted
    1
    -sync-macos-local-to-macos-signer
    \ No newline at end of file

  • tools/signing/sync-macos-local-to-macos-signer.torbrowser.dry-run deleted
    1
    -sync-macos-local-to-macos-signer
    \ No newline at end of file

  • tools/signing/sync-macos-signer-stapled-to-macos-local-stapled deleted
    1
    -#!/bin/bash
    
    2
    -set -e
    
    3
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    4
    -source "$script_dir/functions"
    
    5
    -
    
    6
    -var_is_defined ssh_host_macos_signer
    
    7
    -
    
    8
    -rsync $rsync_options "$ssh_host_macos_signer:$SIGNING_PROJECTNAME-$tbb_version/*-stapled.zip" "$macos_stapled_dir/"

  • tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.mullvadbrowser deleted
    1
    -sync-macos-signer-stapled-to-macos-local-stapled
    \ No newline at end of file

  • tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser deleted
    1
    -sync-macos-signer-stapled-to-macos-local-stapled
    \ No newline at end of file

  • tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.torbrowser.dry-run deleted
    1
    -sync-macos-signer-stapled-to-macos-local-stapled
    \ No newline at end of file

  • tools/signing/sync-scripts-to-macos-signer deleted
    1
    -#!/bin/bash
    
    2
    -set -e
    
    3
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    4
    -source "$script_dir/functions"
    
    5
    -
    
    6
    -var_is_defined ssh_host_macos_signer
    
    7
    -
    
    8
    -generate_config
    
    9
    -
    
    10
    -rsync $rsync_options "$script_dir/" "$ssh_host_macos_signer:signing-$SIGNING_PROJECTNAME-$tbb_version_type/"

  • tools/signing/sync-scripts-to-macos-signer.mullvadbrowser deleted
    1
    -sync-scripts-to-macos-signer
    \ No newline at end of file

  • tools/signing/sync-scripts-to-macos-signer.torbrowser deleted
    1
    -sync-scripts-to-macos-signer
    \ No newline at end of file

  • tools/signing/sync-scripts-to-macos-signer.torbrowser.dry-run deleted
    1
    -sync-scripts-to-macos-signer
    \ No newline at end of file