GitLab

at 2025-01-20T18:16:36+01:00

Bug 41324: Improve build signing ergonomics

     ```

   - **Subject**

     ```

-    New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)

+    New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed)

     ```

   - **Body**

     ```

     - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}

     - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}

 

+    * https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-responses

+

     changelog:

     # paste changelog as quote here

     ...

     ```

   - **Subject**

     ```

-    New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)

+    New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed)

     ```

   - **Body**

     ```

     Branch+Tags have been pushed to Mullvad's GitHub repo.

 

     - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}

-    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}

+    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}*

+

+    * https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-responses

 

     changelog:

     # paste changelog as quote here

 

 ```bash

 # Point OSSLSIGNCODE to your osslsigncode binary

-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION

 OSSLSIGNCODE=/path/to/osslsigncode

-../../../tools/authenticode_check.sh

+../../../../tools/authenticode_check.sh

 popd

 ```

 

     <summary>Check whether the MAR files got properly signed</summary>

 

 ```bash

-# Point NSSDB to your nssdb containing the mar signing certificate

+# Point NSS_DB_DIR to your nssdb dir containing the mar signing certificate

+# (check tools/marsigning_check.sh source code for details)

 # Point SIGNMAR to your signmar binary

 # Point LD_LIBRARY_PATH to your mar-tools directory

-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION

 NSSDB=/path/to/nssdb

 SIGNMAR=/path/to/mar-tools/signmar

 LD_LIBRARY_PATH=/path/to/mar-tools/

-../../../tools/marsigning_check.sh

+../../../../tools/marsigning_check.sh

 popd

 ```

 

 

 ```bash

 # Point OSSLSIGNCODE to your osslsigncode binary

-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION

 OSSLSIGNCODE=/path/to/osslsigncode

-../../../tools/authenticode_check.sh

+../../../../tools/authenticode_check.sh

 popd

 ```

 

 # Point NSSDB to your nssdb containing the mar signing certificate

 # Point SIGNMAR to your signmar binary

 # Point LD_LIBRARY_PATH to your mar-tools directory

-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION

 NSSDB=/path/to/nssdb

 SIGNMAR=/path/to/mar-tools/signmar

 LD_LIBRARY_PATH=/path/to/mar-tools/

-../../../tools/marsigning_check.sh

+../../../../tools/marsigning_check.sh

 popd

 ```

 

 

 ```bash

 # Point OSSLSIGNCODE to your osslsigncode binary

-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION

 OSSLSIGNCODE=/path/to/osslsigncode

-../../../tools/authenticode_check.sh

+../../../../tools/authenticode_check.sh

 popd

 ```

 

 # Point NSSDB to your nssdb containing the mar signing certificate

 # Point SIGNMAR to your signmar binary

 # Point LD_LIBRARY_PATH to your mar-tools directory

-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION

+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION

 NSSDB=/path/to/nssdb

 SIGNMAR=/path/to/mar-tools/signmar

 LD_LIBRARY_PATH=/path/to/mar-tools/

-../../../tools/marsigning_check.sh

+../../../../tools/marsigning_check.sh

 popd

 ```

 

 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

 source "$script_dir/functions"

 source "$script_dir/set-config.update-responses"

-

 NON_INTERACTIVE=1

 steps_dir="$signed_version_dir.steps"

 test -d "$steps_dir" || mkdir -p "$steps_dir"

 

-test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||

+function get_sekrit {

+  echo "$SEKRITS" | grep -A1 "$1:" | tail -n1

+}

+

+[ -f "$script_dir/set-config.passwords" ] && . "$script_dir/set-config.passwords" 2>/dev/null

+

+if [[ $1 = "-p" ]]; then

+  shift

+  passwords_gpg_file="$1"

+  shift

+fi

+

+is_project torbrowser && nssdb=torbrowser-nssdb7

+is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1

+

+if [ -f "$passwords_gpg_file" ]; then

+  echo "Reading passwords from $passwords_gpg_file"

+  SEKRITS=$(gpg --decrypt "$passwords_gpg_file")

+  RCODESIGN_PW=$(get_sekrit 'rcodesign')

+  NSSPASS=$(get_sekrit "$nssdb (mar signing)")

+  KSPASS=$(get_sekrit "android apk ($tbb_version_type)")

+  YUBIPASS=$(get_sekrit "windows authenticode")

+  GPG_PASS=$(get_sekrit "gpg")

+else

+  echo "Rather than entering all the password manually, you may want to provide a gpg-encrypted file either on the command line (-p <filepath>) or in set-config.passwords."

+fi

+

+test -f "$steps_dir/linux-signer-rcodesign-sign.done" || [ -n "$RCODESIGN_PW" ] ||

   read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW

 echo

-is_project torbrowser && nssdb=torbrowser-nssdb7

-is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1

-test -f "$steps_dir/linux-signer-signmars.done" ||

+

+test -f "$steps_dir/linux-signer-signmars.done" || [ -n "$NSSPASS" ] ||

   read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS

 echo

 

 if is_project torbrowser; then

-  test -f "$steps_dir/linux-signer-sign-android-apks.done" ||

+  test -f "$steps_dir/linux-signer-sign-android-apks.done" || [ -n "$KSPASS" ] ||

     read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS

   echo

 fi

-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||

+test -f "$steps_dir/linux-signer-authenticode-signing.done" || [ -n "$YUBIPASS" ] ||

   read -sp "Enter windows authenticode passphrase: " YUBIPASS

 echo

-test -f "$steps_dir/linux-signer-gpg-sign.done" ||

+test -f "$steps_dir/linux-signer-gpg-sign.done" || [ -n "$GPG_PASS" ] ||

   read -sp "Enter gpg passphrase: " GPG_PASS

 echo

 

 function set-time-on-signing-machine {

-  local current_time=$(date -u)

+  local current_time=$(date -u -Iseconds)

   ssh "$ssh_host_linux_signer" sudo /usr/bin/date -s "'$current_time'"

 }

 

   echo "$(date -Iseconds) - Finished step: $1"

 }

 

+function is_legacy {

+  [[ "$tbb_version" = 13.* ]]

+}

+

 export SIGNING_PROJECTNAME

 

 do_step set-time-on-signing-machine

 do_step sync-before-linux-signer-signmars

 do_step linux-signer-signmars

 do_step sync-after-signmars

-is_project torbrowser && \

+is_project torbrowser && ! is_legacy && \

   do_step linux-signer-sign-android-apks

-is_project torbrowser && \

+is_project torbrowser && ! is_legacy && \

   do_step sync-after-sign-android-apks

 do_step linux-signer-authenticode-signing

 do_step sync-after-authenticode-signing

 do_step sync-local-to-staticiforme

 do_step sync-scripts-to-staticiforme

 do_step staticiforme-prepare-cdn-dist-upload

-do_step upload-update_responses-to-staticiforme

+! is_legacy &&

+  do_step upload-update_responses-to-staticiforme

 do_step finished-signing-clean-linux-signer
+# Path to a gpg-encrypted cache of passwords not to be asked on each run

+passwords_gpg_file=~/.tor-browser-signing/tor-browser-passwords.txt.gpg

ma1 pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

7 changed files:

Changes:

	1	+# Path to a gpg-encrypted cache of passwords not to be asked on each run
	2	+passwords_gpg_file=~/.tor-browser-signing/tor-browser-passwords.txt.gpg