This is an automated email from the git hooks/post-receive script.
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit da9a132a75356b76954debbda095369e8490f027 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Feb 14 20:01:38 2022 +0100
Bug 40414: Improve linux-signer-signmars
- automatically change to bundle directory - allow setting password with an environment variable (useful for tor-browser-build#40476) - some cleaning --- tools/signing/linux-signer-signmars | 90 +++++++------------------------------ 1 file changed, 16 insertions(+), 74 deletions(-)
diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars index 269610f..23b400d 100755 --- a/tools/signing/linux-signer-signmars +++ b/tools/signing/linux-signer-signmars @@ -1,37 +1,23 @@ #!/bin/bash # # -# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script. +# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script +# (if you don't want to use the default values).
set -e set -u
-WRAPPER_DIR=$(dirname "$0") -WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR") +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions"
if [ -z "${NSS_DB_DIR+x}" ]; then - NSS_DB_DIR=$WRAPPER_DIR/nssdb + NSS_DB_DIR=/home/gk/marsigning/nssdb7 fi
if [ -z "${NSS_CERTNAME+x}" ]; then NSS_CERTNAME=marsigner fi
-# Incorporate definitions from the versions file. -if [ -z "$1" ]; then - VERSIONS_FILE=$WRAPPER_DIR/versions -else - VERSIONS_FILE=$1 -fi - -if ! [ -e $VERSIONS_FILE ]; then - echo >&2 "Error: $VERSIONS_FILE file does not exist" - exit 1 -fi - -. $VERSIONS_FILE -#eval $(./get-tb-version $TORBROWSER_VERSION_TYPE) - export LC_ALL=C
# Check some prerequisites. @@ -40,27 +26,11 @@ if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then exit 2 fi
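Review bot: The new default `NSS_DB_DIR=/home/gk/marsigning/nssdb7` ties the signing-key database to one operator's home directory, where the old default sat next to the script. A run from any other account that leaves NSS_DB_DIR unset only fails at the `cert9.db` readability check that follows. The header comment should name the default, for example `# Default NSS_DB_DIR is the signing host's key database; override it when running elsewhere.` The added `source "$script_dir/functions"` executes that file in the same shell that later holds the NSS password. It deserves a one-line comment saying what it must define, presumably `tbb_version`, which is used later under `set -u`.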
-OSNAME="" -ARCH="$(uname -s)-$(uname -m)" -case $ARCH in - Linux-x86_64) - OSNAME="linux64" - ;; - Linux-i*86) - OSNAME="linux32" - ;; - *) - >&2 echo "Unsupported architecture $ARCH" - exit 2 -esac - # Extract the MAR tools so we can use the signmar program. MARTOOLS_TMP_DIR=$(mktemp -d) trap "rm -rf $MARTOOLS_TMP_DIR" EXIT -MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-new-${OSNAME}.zip" -cd $MARTOOLS_TMP_DIR -unzip -q "$MARTOOLS_ZIP" -cd $WRAPPER_DIR +MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip +unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP" export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH" if [ -z "${LD_LIBRARY_PATH+x}" ]; then export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools" @@ -72,25 +42,11 @@ fi # TODO: Test that the entered NSS password is correct. But how? Unfortunately, # both certutil and signmar keep trying to read a new password when they are # given an incorrect one. -read -s -p "NSS password:" NSSPASS +test -n "${NSSPASS:-}" || read -s -p "NSS password:" NSSPASS echo ""
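Review bot: In the hunk at `-40,27 +26,11`, the archive `~/gitian-builder/inputs/mar-tools-new-linux32.zip` is unpacked and its `mar-tools` directory is put first on `PATH` without any integrity check. The `signmar` it supplies is the program that later receives the NSS password and produces the signatures. A pinned digest check just before the `unzip` line would cover this, e.g. `echo "<expected-sha256>  $MARTOOLS_ZIP" | sha256sum -c -`, with the real digest in place of the placeholder. The archive name is now fixed to linux32 instead of being chosen from `uname`, which looks intentional but is worth a short comment. The `LD_LIBRARY_PATH` block continues outside this hunk.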
-# Sign each MAR file. -# -# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION -# directory into a TORBROWSER_VERSION-unsigned/ directory. Details: -# If a file has not been signed, we move it to the -unsigned/ directory. -# If a file has already been signed and a file with the same name exists in -# the -unsigned/ directory, we just delete the signed file. -# If a file has already been signed but no corresponding file exists in -# the -unsigned/ directory, we report an error and exit. -# -# Once the above is done, the -unsigned/ directory contains a set of .mar -# files that need to be signed, so we go ahead and sign them one-by-one. -SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION" -UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned" -mkdir -p "$UNSIGNED_DIR" -cd "$SIGNED_DIR" +COUNT=0 +cd ~/"$tbb_version" for marfile in *.mar; do if [ ! -f "$marfile" ]; then continue; @@ -104,30 +60,16 @@ for marfile in *.mar; do if [ ! -z "$SIGINFO" ]; then SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/([0-9]*).*$/\1/') fi - if [ $SIGCOUNT -eq 0 ]; then - # No signature; move this .mar file to the -unsigned/ directory. - mv "$marfile" "$UNSIGNED_DIR/" - else + if [ $SIGCOUNT -ne 0 ]; then echo "Skipping $marfile (already signed)" - fi -done - -# Use signmar to sign each .mar file that is now in the -unsigned directory. -TMPMAR="$SIGNED_DIR/tmp.mar" -trap "rm -f $TMPMAR" EXIT -cd "$UNSIGNED_DIR" -echo "Starting the signing..." -COUNT=0 -for marfile in *.mar; do - if [ ! -f "$marfile" ]; then continue; fi + echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \ - "$marfile" "$TMPMAR" - mv "$TMPMAR" "$SIGNED_DIR/$marfile" + "$marfile" tmp.mar + mv -f tmp.mar "$marfile" COUNT=$((COUNT + 1)) - echo "Signed MAR file $COUNT" - rm "$marfile" + echo "Signed MAR file $COUNT ($marfile)" done
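Review bot: In the hunk at `-72,25 +42,11`, an NSSPASS taken from the environment is most likely exported, so every child started afterwards (`signmar`, `sed`, `mv`) inherits it in its process environment. Adding `export -n NSSPASS` right after the `test -n ... || read ...` line keeps the value as a plain shell variable, which is all the later `echo "$NSSPASS" | signmar` needs. The prompt path also calls `read` without `-r`, so a typed password containing a backslash is altered while the same password passed through the environment is not. Using `read -r -s -p "NSS password:" NSSPASS` makes the two paths agree. The new `cd ~/"$tbb_version"` relies on a variable not set anywhere in this diff, presumably by the sourced `functions` file.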
-echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed." +echo "$COUNT MAR files have been signed."
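Review bot: The signed output now goes to a fixed `tmp.mar` inside the bundle directory, and the old `trap "rm -f $TMPMAR" EXIT` has been removed. If `signmar` fails, `set -e` stops the script and leaves a partial `tmp.mar` behind, which the next run's `for marfile in *.mar` will pick up as a bundle file. A name the glob does not match avoids this and keeps the rename on the same filesystem: `"$marfile" "$marfile.tmp"` followed by `mv -f "$marfile.tmp" "$marfile"`. Because the unsigned copies are no longer kept, it would also be worth checking that the result carries a signature before it replaces the original. The loop header and the SIGINFO extraction are outside this hunk.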