richard pushed to branch main at The Tor Project / Applications / tor-browser-spec

1 changed file:

Changes:

  • processes/ReleaseProcess
    1 1
     #          Magical Tor Browser Release Process Incantations
    
    2 2
     #
    
    3
    -#  "May this part of our job one day be replaced by a small shell script"
    
    3
    +#  The Tor Browser Release Process is now documented as gitlab issue templates:
    
    4
    +#  - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/main/.gitlab/issue_templates/Release%20Prep%20-%20Tor%20Browser%20Stable.md
    
    5
    +#  - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/main/.gitlab/issue_templates/Release%20Prep%20-%20Tor%20Browser%20Alpha.md
    
    4 6
     #
    
    5
    -
    
    6
    -#####################
    
    7
    -### Prepare build ###
    
    8
    -#####################
    
    9
    -
    
    10
    -#. Tag any relevant component versions.
    
    11
    -#  In particular: before tagging the tor-browser tag, the final code from
    
    12
    -#  Torbutton needs to get included and in order to avoid unnecessary commit
    
    13
    -#  inflation the commit for bumping the git submodule should be a fixup commit
    
    14
    -#  to the one with "Bug 25013: Add torbutton as a tor-browser submodule" in
    
    15
    -#  its commit message.
    
    16
    -
    
    17
    -#. Update changelog and relevant config files in tor-browser-build.
    
    18
    -   cd tor-browser-build
    
    19
    -   vim projects/firefox/config
    
    20
    -   vim ChangeLog.txt
    
    21
    -   vim rbm.conf
    
    22
    -
    
    23
    -#. Tag a build tag in tor-browser-build.
    
    24
    -   make signtag-release # or `make signtag-alpha` for an alpha build
    
    25
    -
    
    26
    -#. Push tag and version to tor-browser-build.git. In case of doing a stable
    
    27
    -#  release with a maintenance branch use that one instead of `master`.
    
    28
    -   torsocks git push origin master:master
    
    29
    -   torsocks git push origin --tags
    
    30
    -
    
    31
    -
    
    32
    -#####################
    
    33
    -### Build         ###
    
    34
    -#####################
    
    35
    -
    
    36
    -#. Build and generate incremental MAR files.
    
    37
    -   git tag -v tbb-$TORBROWSER_VERSION-buildN
    
    38
    -   git checkout tbb-$TORBROWSER_VERSION-buildN
    
    39
    -   make && make incrementals-release # `make alpha && make incrementals-alpha`
    
    40
    -
    
    41
    -#. Compare the SHA256 sums of the bundles and MAR files with an independent
    
    42
    -#  builder.
    
    43
    -   sha256sum tor-browser-build/release/unsigned/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.txt
    
    44
    -   sha256sum tor-browser-build/release/unsigned/$TORBROWSER_BUILDDIR/sha256sums-unsigned-build.incrementals.txt
    
    45
    -
    
    46
    -#. If the sums match (download and) upload the bundles to your build dir on
    
    47
    -#  people.torproject.org. Fix permissions.
    
    48
    -   chmod 755 $TORBROWSER_BUILDDIR
    
    49
    -   chmod 644 $TORBROWSER_BUILDDIR/*
    
    50
    -   chmod 644 $TORBROWSER_BUILDDIR/.htaccess
    
    51
    -   torsocks ssh people.torproject.org "mkdir ~/public_html/builds/${TORBROWSER_BUILDDIR}"
    
    52
    -   torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR
    
    53
    -
    
    54
    -#. (Optional): Upload your binaries to people using partial rsync over old version
    
    55
    -   torsocks ssh people.torproject.org "mv ~/public_html/builds/${TORBROWSER_VERSION}-build1 ~/public_html/builds/$TORBROWSER_BUILDDIR"
    
    56
    -   torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR
    
    57
    -
    
    58
    -#. Distribute build to tor-qa@lists.torproject.org
    
    59
    -   # XXX: Currently manual email with link to candidate build, important changes,
    
    60
    -   # and changelog.
    
    61
    -   # For stable releases put tails-dev@boum.org into Cc.
    
    62
    -
    
    63
    -
    
    64
    -#######################
    
    65
    -### Android signing ###
    
    66
    -#######################
    
    67
    -
    
    68
    -#. The Android signing is done separately from the desktop signing. To
    
    69
    -#  do the Android signing you'll need to boot from a Tails usb stick,
    
    70
    -#  with persistent storage enabled.
    
    71
    -
    
    72
    -#. Install the openjdk-11-jdk-headless package
    
    73
    -   apt install openjdk-11-jdk-headless
    
    74
    -
    
    75
    -#. Make sure you have the android keys, for example in the
    
    76
    -#  ~/Persistent/android-keys directory. This directory should include
    
    77
    -#  the tba_alpha.p12 and tba_release.p12 files.
    
    78
    -
    
    79
    -#. Clone tor-browser-build, and checkout the tag for the release
    
    80
    -   git tag -v tbb-$TORBROWSER_VERSION-buildN
    
    81
    -   git checkout tbb-$TORBROWSER_VERSION-buildN
    
    82
    -
    
    83
    -#. Update set-config.tbb-version and set-config.android-signing
    
    84
    -   cd tools/signing
    
    85
    -   vim set-config.tbb-version
    
    86
    -   vim set-config.android-signing
    
    87
    -
    
    88
    -#. Run the android-signing script. This script will download the
    
    89
    -#  unsigned apks from the `pkgstage` machine (where `do-all-signing`
    
    90
    -#  is run), signed them, and upload back the signed apks to the
    
    91
    -#  `pkgstage` machine. It should be done before the hash_signed_bundles.sh
    
    92
    -#  step.
    
    93
    -   ./android-signing
    
    94
    -
    
    95
    -
    
    96
    -##########################
    
    97
    -### Signing and upload ###
    
    98
    -##########################
    
    99
    -
    
    100
    -#. You need a `pkgstage` machine to store the bundles during the signing
    
    101
    -#  process. This machine should be:
    
    102
    -#   - secure (you will ssh to the signing machines and staticiforme
    
    103
    -#     from there)
    
    104
    -#   - with good bandwidth (you will download/upload bundles from there)
    
    105
    -#
    
    106
    -#  All steps from the `Signing and upload` are run from the `pkgstage`
    
    107
    -#  machine unless mentioned otherwise.
    
    108
    -#
    
    109
    -#  The signing scripts are located in the tor-browser-build/tools/signing
    
    110
    -#  directory.
    
    111
    -#
    
    112
    -#  Alternatively, you can run the script `./do-all-signing`, which will
    
    113
    -#  do all the signing steps automatically, until the static-update-component
    
    114
    -#  commands on staticiforme. Also the script does not currently handle
    
    115
    -#  removing the old versions on staticiforme, so you have to do that
    
    116
    -#  manually. The script is also not running `./macos-signer-proxy` which
    
    117
    -#  needs to be started and stopped manually.
    
    118
    -
    
    119
    -#. Checkout the tor-browser-build.git commit corresponding to the
    
    120
    -#  tor browser version you need to sign/publish.
    
    121
    -   cd tor-browser-build
    
    122
    -   git tag -v tbb-$TORBROWSER_VERSION-buildN
    
    123
    -   git checkout tbb-$TORBROWSER_VERSION-buildN
    
    124
    -
    
    125
    -#. Change to the tor-browser-build/tools/signing directory. All following
    
    126
    -#  commands are run from this directory.
    
    127
    -   cd tor-browser-build/tools/signing
    
    128
    -
    
    129
    -#. Set hosts information.
    
    130
    -   vim set-config.hosts
    
    131
    -
    
    132
    -#. Set tor browser version information. You should set tbb_version,
    
    133
    -#  tbb_version_build, tbb_version_type. This should match the information
    
    134
    -#  in rbm.conf.
    
    135
    -   vim set-config.tbb-version
    
    136
    -
    
    137
    -#. Download the tor browser build to the `pkgstage` machine from your
    
    138
    -#  build machine (configured in set-config.hosts).
    
    139
    -   ./sync-builder-unsigned-to-local-signed
    
    140
    -
    
    141
    -#. Codesign the macOS dmg files.
    
    142
    -#
    
    143
    -#  Updload the tor browser dmg files to `macos-signer`
    
    144
    -   ./sync-macos-local-to-macos-signer
    
    145
    -
    
    146
    -#  Upload updated signing scripts to `macos-signer`. The scripts are
    
    147
    -#  located in the `signing-release` or `signing-alpha` directory on
    
    148
    -#  `macos-signer`.
    
    149
    -   ./sync-scripts-to-macos-signer
    
    150
    -
    
    151
    -#  Run proxy for `macos-signer`. You may need to kill an old proxy
    
    152
    -#  process on `macos-signer` if it was still running.
    
    153
    -   ./macos-signer-proxy
    
    154
    -
    
    155
    -#  Enable networking on the `macos-signer`.
    
    156
    -   macos-signer$ networksetup -setsecurewebproxystate Ethernet on
    
    157
    -
    
    158
    -#  Sign the bundles. On `macos-signer`.
    
    159
    -#  (replace signing-release with signing-alpha for an alpha release)
    
    160
    -   macos-signer$ ~/signing-release/macos-signer-gatekeeper-signing
    
    161
    -
    
    162
    -#  Notarize the bundles. On `macos-signer`.
    
    163
    -#  (replace signing-release with signing-alpha for an alpha release)
    
    164
    -   macos-signer$ ~/signing-release/macos-signer-notarization
    
    165
    -
    
    166
    -#  Staple the bundles. On `macos-signer`.
    
    167
    -#  (replace signing-release with signing-alpha for an alpha release)
    
    168
    -   macos-signer$ ~/signing-release/macos-signer-stapler
    
    169
    -
    
    170
    -#  Disable networking on the `macos-signer`.
    
    171
    -   macos-signer$ networksetup -setsocksfirewallproxystate Ethernet off
    
    172
    -
    
    173
    -#  Download the stapled bundles to `pkgstage`.
    
    174
    -   ./sync-macos-signer-stapled-to-macos-local-stapled
    
    175
    -
    
    176
    -#. Regenerate macOS DMG files from stapled zip files.
    
    177
    -   ./gatekeeper-bundling.sh
    
    178
    -
    
    179
    -#. Regenerate macOS MAR files from code signed dmg files.
    
    180
    -   ./dmg2mar
    
    181
    -
    
    182
    -#. Sync bundles to `linux-signer`.
    
    183
    -   ./sync-local-to-linux-signer
    
    184
    -
    
    185
    -#. Upload updated signing scripts to `linux-signer`. The scripts are
    
    186
    -#  located in the `signing-release` or `signing-alpha` directory on
    
    187
    -#  `linux-signer`.
    
    188
    -   ./sync-scripts-to-linux-signer
    
    189
    -
    
    190
    -#. Sign the MAR files. On `linux-signer`.
    
    191
    -#  (replace signing-release with signing-alpha for an alpha release)
    
    192
    -   linux-signer$ ~/signing-release/linux-signer-signmars
    
    193
    -
    
    194
    -#. Authenticode signing of exe files. On `linux-signer`.
    
    195
    -   linux-signer$ ~/signing-release/linux-signer-authenticode-signing
    
    196
    -
    
    197
    -#. Authenticode timestamping.
    
    198
    -   ./sync-linux-signer-to-local
    
    199
    -   ./authenticode-timestamping.sh
    
    200
    -
    
    201
    -#. Create sha256sums-signed-build files
    
    202
    -   ./hash_signed_bundles.sh
    
    203
    -
    
    204
    -#. Upload sha256sums-signed-build and updated exe files to `linux-signer`.
    
    205
    -   ./sync-local-to-linux-signer
    
    206
    -
    
    207
    -#. Gpg signing.
    
    208
    -   ./linux-signer-gpg-sign
    
    209
    -
    
    210
    -#. Fetch signatures on unsigned sha256sums from other builds
    
    211
    -   ./download-unsigned-sha256sums-gpg-signatures-from-people-tpo
    
    212
    -
    
    213
    -#. Remove old builds on `staticiforme`
    
    214
    -   # IMPORTANT: Remove the oldest version in a series in case there is more
    
    215
    -   # than 1 available on dist.torproject.org before proceeding
    
    216
    -   # XXX: TORBROWSER_VERSION_OLDEST needs to be set
    
    217
    -   staticiforme$ rm -rf /srv/dist-master.torproject.org/htdocs/torbrowser/$TORBROWSER_VERSION_OLDEST
    
    218
    -   staticiforme$ static-update-component dist.torproject.org
    
    219
    -
    
    220
    -#. Upload new build to `staticiforme`
    
    221
    -   ./sync-local-to-staticiforme
    
    222
    -
    
    223
    -#. Check diskspace available on cdn.tpo
    
    224
    -#  We currently have enough disk space to host two alpha and stable
    
    225
    -#  releases. However with the size of each Tor Browser release increasing,
    
    226
    -#  it may become necessary to increase disk space. The server hosting
    
    227
    -#  the files for cdn.tpo is savii.tpo and its disk usage can be monitored
    
    228
    -#  by going to https://grafana.torproject.org/d/Z7T7Cfemz/node-exporter-full
    
    229
    -#  and selecting the hosts: web-fsn-02.torproject.org, web-cymru-01.torproject.org,
    
    230
    -#  web-fsn-01.torproject.org, and cdn-backend-sunet-01.torproject.org
    
    231
    -
    
    232
    -#. Remove the oldest *.mar files from cdn.tpo to save space
    
    233
    -   staticiforme$ rm -rf /srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/$TORBROWSER_VERSION_OLDEST
    
    234
    -   staticiforme$ static-update-component cdn.torproject.org
    
    235
    -
    
    236
    -#. Sync files to dist.tpo and cdn.tpo mirrored web servers
    
    237
    -#  (replace signing-release with signing-alpha for an alpha release)
    
    238
    -#  It is a good idea to run the static-update-component inside screen
    
    239
    -#  or tmux so that the upload continues if your connection to
    
    240
    -#  staticiforme is closed.
    
    241
    -   $ ./sync-scripts-to-staticiforme
    
    242
    -   staticiforme$ ~/signing-release/staticiforme-prepare-cdn-dist-upload
    
    243
    -   staticiforme$ static-update-component cdn.torproject.org && \
    
    244
    -                 static-update-component dist.torproject.org
    
    245
    -
    
    246
    -#. Make sure we really built from the proper Mozilla build tag by consulting
    
    247
    -   # the respective ESR release branch (for a good overview for ESR78 see
    
    248
    -   # https://hg.mozilla.org/releases/mozilla-esr78/graph/). For the platforms following
    
    249
    -   # rapid release (only Android, currently), consult the beta repo
    
    250
    -   # (https://hg.mozilla.org/releases/mozilla-beta/graph/) or the release repo
    
    251
    -   # (https://hg.mozilla.org/releases/mozilla-release/graph/)
    
    252
    -
    
    253
    -#. Update website's torbrowser versions file in the website git
    
    254
    -   cd tpo
    
    255
    -   torsocks git pull origin
    
    256
    -   # Update `win32` in the `torbrowser-stable` section as well if we
    
    257
    -   # include a new stable tor version (called the Windows Expert Bundle
    
    258
    -   # on the website). See: #14152.
    
    259
    -   vim databags/versions.ini
    
    260
    -   git commit databags/versions.ini -m "Add new Tor Browser version"
    
    261
    -   torsocks git push origin master:master
    
    262
    -   cd ..
    
    263
    -   # Check build success/failure:
    
    264
    -   # https://jenkins.torproject.org/job/lektor-website-tpo-translation/
    
    265
    -   # https://jenkins.torproject.org/job/lektor-website-tpo-translation-install/
    
    266
    -
    
    267
    -#. Add new locales to the download page
    
    268
    -   # If this release is introducing new locales, add them to the
    
    269
    -   # databags/download-alternatives.ini file (for a stable release) or
    
    270
    -   # the databags/download-alternatives-alpha.ini file (for an alpha
    
    271
    -   # release).
    
    272
    -   cd tpo
    
    273
    -   torsocks git pull origin
    
    274
    -   vim databags/download-alternatives.ini # or databags/download-alternatives-alpha.ini
    
    275
    -   git commit databags/download-alternatives.ini -m "Add new Tor Browser locales"
    
    276
    -   torsocks git push origin master:master
    
    277
    -   cd ..
    
    278
    -
    
    279
    -#. Create blog post from changelog
    
    280
    -#  Edit set-config.blog to set you local blog directory.
    
    281
    -#  Don't forget to link to Mozilla's security advisories if this is a security
    
    282
    -#  update.
    
    283
    -  ./create-blog-post
    
    284
    -
    
    285
    -#. Check whether the .exe files got properly signed and timestamped
    
    286
    -   # Point OSSLSIGNCODE to your osslsigncode binary
    
    287
    -   pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
    
    288
    -   OSSLSIGNCODE=/path/to/osslsigncode
    
    289
    -   ../../../tools/authenticode_check.sh
    
    290
    -   popd
    
    291
    -
    
    292
    -#. Check whether the MAR files got properly signed
    
    293
    -   # Point NSSDB to your nssdb containing the mar signing certificate
    
    294
    -   # Point SIGNMAR to your signmar binary
    
    295
    -   # Point LD_LIBRARY_PATH to your mar-tools directory
    
    296
    -   pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
    
    297
    -   NSSDB=/path/to/nssdb
    
    298
    -   SIGNMAR=/path/to/mar-tools/signmar
    
    299
    -   LD_LIBRARY_PATH=/path/to/mar-tools/
    
    300
    -   ../../../tools/marsigning_check.sh
    
    301
    -   popd
    
    302
    -
    
    303
    -#. Generate and upload update_responses to staticiforme
    
    304
    -   ./upload-update_responses-to-staticiforme
    
    305
    -
    
    306
    -#. Enable update. On `staticiforme`.
    
    307
    -#  (for alpha release, use deploy_update_responses-alpha.sh instead)
    
    308
    -   staticiforme$ ~/deploy_update_responses-release.sh
    
    309
    -
    
    310
    -#. Clean linux-signer and macos-signer
    
    311
    -   ./finished-signing-clean-linux-signer
    
    312
    -   ./finished-signing-clean-macos-signer
    
    313
    -
    
    314
    -#  Upload APKs to Google Play
    
    315
    -   Log into https://play.google.com/apps/publish
    
    316
    -   Select correct app (Tor Browser or Tor Browser Alpha)
    
    317
    -   Under left-side navigation bar, select "Production" under "Release"
    
    318
    -   Select "Create new release" button at upper right-side
    
    319
    -   Under "App bundles and APKs" section, "Upload" each signed APK
    
    320
    -   After uploading APKs:
    
    321
    -     - The "Release Name" should be automatically filled with the Firefox version
    
    322
    -     - Next to "Release notes" click "Copy from a previous release"
    
    323
    -     - Select the previous release and adjust the blog post url for this release
    
    324
    -     - Save, review, and configure rollout percentage at the bottom
    
    325
    -       - Use 25% rollout when publishing a scheduled update (without a security driver)
    
    326
    -       - Use 100% rollout when publishing an unscheduled update or security-driven release
    
    327
    -   Roll out.
    
    328
    -
    
    329
    -   Note, you may receive three warning messages about:
    
    330
    -     1) app is larger than it is necessary (android app bundle),
    
    331
    -     2) missing deobfuscation file for better crash analysis
    
    332
    -     3) missing debug symbol file
    
    333
    -
    
    334
    -   These warnings are expected and should be accepted.
    
    335
    -
    
    336
    -   See below for updating the rollout percentage.
    
    337
    -
    
    338
    -# Release on F-Droid
    
    339
    -  Publication on F-Droid via the Guardian Project's repository should be
    
    340
    -  automatic. Hans is responsible for maintaining this automation.
    
    341
    -
    
    342
    -# Update rollout percentage
    
    343
    -   After 24 hours, check the Release Daskboard:
    
    344
    -     - "Release"->"Production" and select the "Release Dashboard" tab
    
    345
    -   If the Release Dashboard does not show any concerning trends (significant
    
    346
    -   increase in crashes or ANRs (Application Not Responding)), then continue on
    
    347
    -   to the next paragraph and increase rollout from 25% to 100%. Otherwise
    
    348
    -   consider halting rollout as described in the `RollingBackUpdate` process.
    
    349
    -
    
    350
    -   Select the "Releases" tab on the "Production" page. The current released
    
    351
    -   version should indicate 25% rollout: "Available to 25% of users on Google Play"
    
    352
    -   On the right-side of the "View release details" button of the release there
    
    353
    -   should be a button labeled "Manage rollout" with a down-arrow. Clicking on
    
    354
    -   that button should show two options:
    
    355
    -     - Update rollout
    
    356
    -     - Halt rollout
    
    357
    -
    
    358
    -   Select "Update rollout" and increase to 100% and click "Update". The change
    
    359
    -   should be immediately implemented and the "Manage rollout" button disappears.
    
    360
    -
    
    361
    -#. Write an email to tor-announce in case this release is concerned with getting
    
    362
    -#  a stable version out. Using the contents of the blog entry should do it.
    7
    +#  See also the open release prep issues:
    
    8
    +#  https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20
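Review bot: the deletion drops the independent-verification steps of the old process (the SHA256 comparison of `sha256sums-unsigned-build.txt` and the incrementals with an independent builder, the `git tag -v tbb-$TORBROWSER_VERSION-buildN` checks before every checkout, `authenticode_check.sh` and `marsigning_check.sh` after signing, and the `download-unsigned-sha256sums-gpg-signatures-from-people-tpo` step) without stating anywhere in this hunk that they were carried over into the two linked issue templates; the replacement header should say explicitly that the templates supersede this file, or the commit message should, so a reader of the spec can tell the checks were migrated rather than dropped. Two smaller points: the new links target `blob/main/...`, so the spec now points at a moving target, and pinning them to a tag or commit (or noting that `main` is intended) would keep the spec reproducible; and the removed text cross-referenced the `RollingBackUpdate` process (`consider halting rollout as described in the \`RollingBackUpdate\` process`), so that sibling file should be checked for a now-dangling reference back to `ReleaseProcess`. The final `See also the open release prep issues:` line is a live search URL filtered on `state=opened`, which is useful today but will not show the history once those issues close; consider adding the label page itself alongside it.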