+basebrowser

+torbrowser

+mullvadbrowser

+# Tools

+

+### sign-tag

+

+This script gpg signs a git tag associated with a particular browser commit in the user's tor-browser.git or mullvad-browser.git repo.

+

+#### Prerequisites

+

+- The user must create the following soft-links:

+    - `/tools/browser/basebrowser` -> `/path/to/local/tor-browser.git`

+    - `/tools/browser/mullvadbrowser` -> `/path/to/local/mullvad-browser.git`

+    - `/tools/browser/torbrowser` -> `/path/to/local/tor-browser.git`

+- The user must first checkout the relevant branch of the commit we are tagging

+    - This is needed to extract the ESR version, branch-number, and browser name

+

+#### Usage

+

+```

+usage: ./tools/browser/sign-tag.<browser> <channel> <build-number> [commit]

+

+browser         one of basebrowser, torbrowser, or mullvadbrowser

+channel         the release channel of the commit to sign (e.g. alpha, stable,

+                or legacy)

+build-number    the build number portion of a browser build tag (e.g. build2)

+commit          optional git commit, HEAD is used if argument not present

+```

+

+#### Examples

+Invoke the relevant soft-link'd version of this script to sign a particular browser. The trailing commit argument is optional and if not present, the browser branch's `HEAD` will be tagged+signed.

+

+  - ##### `base-browser-128.4.0esr-14.5-1-build1`

+    After checking out `base-browser-128.4.0esr-14.5-1` branch in linked tor-browser.git

+    ```bash

+    ./sign-tag.basebrowser alpha build1 24e628c1fd3f0593e23334acf55dc81909c30099

+    ```

+    **output**:

+    ```

+    Tag commit 24e628c1fd3f in base-browser-128.4.0esr-14.5-1

+     tag:     base-browser-128.4.0esr-14.5-1-build1

+     message: Tagging build1 for 128.4.0esr-based alpha

+    ```

+

+  - ##### `tor-browser-115.17.0esr-13.5-1-build2`

+    After checking out `tor-browser-115.17.0esr-13.5-1` branch in linked tor-browser.git

+    ```bash

+    ./sign-tag.torbrowser legacy build2 8e9e58fe400291f20be5712d057ad0b5fc4d70c1

+    ```

+    **output**:

+    ```

+    Tag commit 8e9e58fe4002 in tor-browser-115.17.0esr-13.5-1

+     tag:     tor-browser-115.17.0esr-13.5-1-build2

+     message: Tagging build2 for 115.17.0esr-based legacy

+    ```

+

+  - ##### `mullvad-browser-128.4.0esr-14.0-1-build2`

+    After checking out `mullvad-browser-128.4.0esr-14.0-1` branch in linked mullvad-browser.git

+    ```bash

+    ./sign-tag.mullvadbrowser stable build2 385aa0559a90a258ed6613527ff3e117dfa5ae5b

+    ```

+    **output**:

+    ```

+    Tag commit 385aa0559a90 in mullvad-browser-128.4.0esr-14.0-1

+     tag:     mullvad-browser-128.4.0esr-14.0-1-build2

+     message: Tagging build2 for 128.4.0esr-based stable

+    ```

+#!/usr/bin/env bash

+

+# See README.md for usage instructions.

+

+# terminate on error

+set -e

+

+# Check if at least two arguments are provided

+if [ "$#" -lt 2 ]; then

+    echo "Usage: $0 channel build-number [commit]"

+    exit 1

+fi

+

+script_name=$(basename "${BASH_ARGV0:-$0}")

+script_dir=$(dirname "${BASH_ARGV0:-$0}")

+browser=$(echo "$script_name" | perl -pe 's/^[^\.]+\.//')

+

+case "${browser}" in

+    basebrowser | torbrowser | mullvadbrowser)

+        # go down to browser directory

+        pushd ${script_dir}/${browser} > /dev/null

+        # and exit on script termination

+        trap "popd > /dev/null" EXIT

+        ;;

+    *)

+        echo -n "unrecognized browser: '${browser}'"

+        exit 1

+        ;;

+esac

+

+#

+# Branch name validation and extract components from branch name needed for tag

+# and message

+#

+

+branch_name=$(git rev-parse --abbrev-ref HEAD)

+if [[ $branch_name =~ ^([a-z]+-browser)-([1-9][0-9]+\.[0-9]+\.[0-9]+esr)-([1-9][0-9]*\.[05])-([1-9]).*$ ]]; then

+    project="${BASH_REMATCH[1]}"

+    esr="${BASH_REMATCH[2]}"

+    version="${BASH_REMATCH[3]}"

+    branch_number="${BASH_REMATCH[4]}"

+else

+    echo "This script must be run from an official browser branch. For example 'base-browser-128.4.0esr-14.0-1'"

+    exit 1

+fi

+

+#

+# Verify the detected browser matches the name of the current branch

+#

+case "${browser}" in

+    basebrowser)

+        valid_project="base-browser"

+        ;;

+    torbrowser)

+        valid_project="tor-browser"

+        ;;

+    mullvadbrowser)

+        valid_project="mullvad-browser"

+        ;;

+esac

+

+if ! [[ "${project}" == "${valid_project}" ]]; then

+    echo "Invalid branch \"${branch_name}\". Must be a \"${valid_project}\" branch"

+    exit 1

+fi

+

+#

+# Assign arguments to variables

+#

+channel=$1

+build_number=$2

+commit=$(git rev-parse --short ${3:-HEAD})

+

+#

+# Validate arguments

+#

+

+# channel validation

+if [[ "${project}" == "mullvad-browser" ]]; then

+    valid_channels=("alpha" "stable")

+else

+    valid_channels=("alpha" "stable" "legacy")

+fi

+channel_valid=false

+for value in "${valid_channels[@]}"; do

+    if [[ "${channel}" == "${value}" ]]; then

+        channel_valid=true

+        break

+    fi

+done

+

+if ! $channel_valid; then

+    echo "Invalid channel name \"${channel}\". Must be one of: ${valid_channels[*]}"

+    exit 1

+fi

+

+# build number validation

+if ! [[ "${build_number}" =~ ^build[1-9][0-9]*$ ]]; then

+    echo "Invalid build number \"${build_number}\". Must be in the format \"build[1-9][0-9]*\""

+    exit 1

+fi

+

+#

+# Sign and tag the specified git commit

+#

+

+tag="${project}-${esr}-${version}-${branch_number}-${build_number}"

+message="Tagging ${build_number} for ${esr}-based ${channel}"

+

+

+echo "Tag commit ${commit} in ${branch_name}"

+echo " tag:     ${tag}"

+echo " message: ${message}"

+

+git tag -s "${tag}" "${commit}" -m "${message}"

+sign-tag

+sign-tag

+sign-tag