Richard Pospesel pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build

Commits:

25 changed files:

Changes:

  • projects/mar-tools/config
    1
    +# vim: filetype=yaml sw=2
    
    2
    +#
    
    3
    +# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
    
    4
    +# to fetch mar-tools for signing machine setup
    
    5
    +#
    
    6
    +version: 12.0.4
    
    7
    +filename: 'mar-tools-linux64.zip'
    
    8
    +container:
    
    9
    +  use_container: 0
    
    10
    +gpg_keyring: torbrowser.gpg
    
    11
    +tag_gpg_id: 1
    
    12
    +input_files:
    
    13
    +  - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
    
    14
    +    sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
    
    15
    +
    
    16
    +steps:
    
    17
    +  fetch_martools:
    
    18
    +    fetch_martools: |
    
    19
    +      #!/bin/bash
    
    20
    +      echo ok

  • projects/osslsigncode/config
    1 1
     # vim: filetype=yaml sw=2
    
    2
    -version: '[% c("abbrev") %]'
    
    2
    +version: '[% c("git_hash").substr(0, 12) %]'
    
    3 3
     git_url: https://github.com/mtrojnar/osslsigncode
    
    4 4
     git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
    
    5 5
     filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
    
    ... ... @@ -15,3 +15,12 @@ var:
    15 15
     input_files:
    
    16 16
       - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
    
    17 17
       - filename: timestamping.patch
    
    18
    +  - filename: '[% c("var/srcfile") %]'
    
    19
    +    enable: '[% c("var/no-git") %]'
    
    20
    +
    
    21
    +targets:
    
    22
    +  no-git:
    
    23
    +    git_url: ''
    
    24
    +    var:
    
    25
    +      no-git: 1
    
    26
    +      srcfile: '[% project %]-[% c("version") %].tar.gz'

  • projects/yubihsm-shell/build
    1
    +#!/bin/bash
    
    2
    +[% c("var/set_default_env") -%]
    
    3
    +distdir=$(pwd)/dist
    
    4
    +tar xf [% project %]-[% c('version') %].tar.gz
    
    5
    +cd [% project %]-[% c('version') %]
    
    6
    +dpkg-buildpackage -us -uc
    
    7
    +mkdir -p "$distdir"
    
    8
    +mv ../*.deb "$distdir"
    
    9
    +dest=[% dest_dir _ '/' _ c('filename') %]
    
    10
    +rm -Rf "$dest"
    
    11
    +mv "$distdir" "$dest"

  • projects/yubihsm-shell/config
    1
    +# vim: filetype=yaml sw=2
    
    2
    +version: 2.4.0
    
    3
    +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
    
    4
    +container:
    
    5
    +  use_container: 0
    
    6
    +var:
    
    7
    +  src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
    
    8
    +input_files:
    
    9
    +  - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
    
    10
    +    sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
    
    11
    +
    
    12
    +steps:
    
    13
    +  fetch_src:
    
    14
    +    fetch_src: |
    
    15
    +      #!/bin/bash
    
    16
    +      echo ok

  • rbm.conf
    ... ... @@ -84,7 +84,7 @@ var:
    84 84
       build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
    
    85 85
       build_id_txt: |
    
    86 86
         [% c("version") %]
    
    87
    -    [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
    
    87
    +    [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
    
    88 88
         [% IF c("container/use_container") && ! c("container/global_disable") -%]
    
    89 89
         [% c("var/container/suite") %]
    
    90 90
         [% c("var/container/arch") %]
    

  • tools/signing/do-all-signing
    ... ... @@ -17,9 +17,9 @@ echo
    17 17
     test -f "$steps_dir/linux-signer-signmars.done" ||
    
    18 18
       read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
    
    19 19
     echo
    
    20
    -test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
    
    21
    -  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
    
    22
    -echo
    
    20
    +#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
    
    21
    +#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
    
    22
    +#echo
    
    23 23
     test -f "$steps_dir/linux-signer-gpg-sign.done" ||
    
    24 24
       read -sp "Enter gpg passphrase: " GPG_PASS
    
    25 25
     echo
    
    ... ... @@ -193,10 +193,10 @@ do_step dmg2mar
    193 193
     do_step sync-scripts-to-linux-signer
    
    194 194
     do_step linux-signer-signmars
    
    195 195
     do_step sync-after-signmars
    
    196
    -do_step linux-signer-authenticode-signing
    
    197
    -do_step sync-after-authenticode-signing
    
    198
    -do_step authenticode-timestamping
    
    199
    -do_step sync-after-authenticode-timestamping
    
    196
    +#do_step linux-signer-authenticode-signing
    
    197
    +#do_step sync-after-authenticode-signing
    
    198
    +#do_step authenticode-timestamping
    
    199
    +#do_step sync-after-authenticode-timestamping
    
    200 200
     do_step hash_signed_bundles
    
    201 201
     do_step sync-after-hash
    
    202 202
     do_step linux-signer-gpg-sign
    

  • tools/signing/linux-signer-authenticode-signing
    ... ... @@ -9,26 +9,14 @@ cd ~/"$tbb_version"
    9 9
     test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
    
    10 10
     echo
    
    11 11
     
    
    12
    -tmpdir=$(mktemp -d)
    
    13
    -chgrp yubihsm "$tmpdir"
    
    14
    -chmod g+rwx "$tmpdir"
    
    15
    -
    
    16 12
     cwd=$(pwd)
    
    17 13
     for i in `find . -name "*.exe" -print`
    
    18 14
     do
    
    19 15
       echo "Signing $i"
    
    20
    -  echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
    
    21
    -       /home/yubihsm/osslsigncode/osslsigncode \
    
    22
    -                 -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
    
    23
    -                 -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
    
    24
    -                 -pass "'$YUBIPASS'" \
    
    25
    -                 -h sha256 \
    
    26
    -                 -certs /home/yubihsm/tpo-cert.crt \
    
    27
    -                 -key 1c40 \
    
    28
    -                 "$cwd/$i" "$tmpdir/$i" \
    
    29
    -                 | sudo su - yubihsm
    
    30
    -  mv -vf "$tmpdir/$i" "$cwd/$i"
    
    16
    +  sudo -u signing-win -- "$wrappers_dir/sign-exe" \
    
    17
    +                 "$YUBIPASS" \
    
    18
    +                 "$cwd/$i"
    
    19
    +  cp /home/signing-win/last-signed-file.exe "$cwd/$i"
    
    31 20
     done
    
    32 21
     
    
    33 22
     unset YUBIPASS
    34
    -rmdir "$tmpdir"

  • tools/signing/linux-signer-gpg-sign
    ... ... @@ -7,6 +7,7 @@ source "$script_dir/functions"
    7 7
     cd ~/"$tbb_version"
    
    8 8
     
    
    9 9
     test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
    
    10
    +currentdir=$(pwd)
    
    10 11
     for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
    
    11 12
     do
    
    12 13
       if test -f "$i.asc"
    
    ... ... @@ -15,5 +16,8 @@ do
    15 16
         rm -f "$i.asc"
    
    16 17
       fi
    
    17 18
       echo "Signing $i"
    
    18
    -  echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
    
    19
    +  i="$currentdir/$i"
    
    20
    +  tmpsig=$(mktemp)
    
    21
    +  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
    
    22
    +  mv -f "$tmpsig" "${i}.asc"
    
    19 23
     done

  • tools/signing/linux-signer-signmars
    1 1
     #!/bin/bash
    
    2
    -#
    
    3
    -#
    
    4
    -# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
    
    5
    -# (if you don't want to use the default values).
    
    6 2
     
    
    7 3
     set -e
    
    8 4
     set -u
    
    ... ... @@ -10,33 +6,15 @@ set -u
    10 6
     script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    11 7
     source "$script_dir/functions"
    
    12 8
     
    
    13
    -if [ -z "${NSS_DB_DIR+x}" ]; then
    
    14
    -  NSS_DB_DIR=/home/boklm/marsigning/nssdb7
    
    15
    -fi
    
    16
    -
    
    17
    -if [ -z "${NSS_CERTNAME+x}" ]; then
    
    18
    -  NSS_CERTNAME=marsigner
    
    19
    -fi
    
    20
    -
    
    21 9
     export LC_ALL=C
    
    22 10
     
    
    23
    -# Check some prerequisites.
    
    24
    -if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
    
    25
    -  >&2 echo "Please create and populate the $NSS_DB_DIR directory"
    
    26
    -  exit 2
    
    27
    -fi
    
    28
    -
    
    29
    -# Extract the MAR tools so we can use the signmar program.
    
    30
    -MARTOOLS_TMP_DIR=$(mktemp -d)
    
    31
    -trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
    
    32
    -MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
    
    33
    -unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
    
    34
    -export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
    
    35
    -if [ -z "${LD_LIBRARY_PATH+x}" ]; then
    
    36
    -  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
    
    37
    -else
    
    38
    -  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
    
    11
    +martools_dir=/home/signing-mar/mar-tools
    
    12
    +if ! test -d "$martools_dir"; then
    
    13
    +  >&2 echo "Please create $martools_dir"
    
    14
    +  exit 3
    
    39 15
     fi
    
    16
    +export LD_LIBRARY_PATH="$martools_dir"
    
    17
    +export PATH="$martools_dir:$PATH"
    
    40 18
     
    
    41 19
     # Prompt for the NSS password.
    
    42 20
     # TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
    
    ... ... @@ -65,9 +43,8 @@ for marfile in *.mar; do
    65 43
         continue;
    
    66 44
       fi
    
    67 45
     
    
    68
    -  echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
    
    69
    -    "$marfile" tmp.mar
    
    70
    -  mv -f tmp.mar "$marfile"
    
    46
    +  echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
    
    47
    +  cp /home/signing-mar/last-signed-mar.mar "$marfile"
    
    71 48
       COUNT=$((COUNT + 1))
    
    72 49
       echo "Signed MAR file $COUNT ($marfile)"
    
    73 50
     done
    

  • tools/signing/machines-setup/build-yubihsm-shell-pkg
    1
    +#!/bin/bash
    
    2
    +set -e
    
    3
    +
    
    4
    +if test $(whoami) != 'build-pkgs'; then
    
    5
    +  echo 'This script should be run as the build-pkgs user' >&2
    
    6
    +  exit 1
    
    7
    +fi
    
    8
    +
    
    9
    +destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
    
    10
    +if test -d "$destdir"; then
    
    11
    +  echo "$destdir already exists. Doing nothing."
    
    12
    +  exit 0
    
    13
    +fi
    
    14
    +
    
    15
    +cd /home/build-pkgs
    
    16
    +tar xf /signing/tor-browser-build.tar
    
    17
    +cd tor-browser-build
    
    18
    +tar xf /signing/rbm.tar
    
    19
    +yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
    
    20
    +mkdir -p out/yubihsm-shell
    
    21
    +cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
    
    22
    +./rbm/rbm build yubihsm-shell
    
    23
    +yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
    
    24
    +rm -Rf "$destdir"
    
    25
    +mkdir -p $(dirname $destdir)
    
    26
    +mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"

  • tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
    1
    +ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
    
    2
    +ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"

  • tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
    1
    +connector = yhusb://
    
    2
    +#debug
    
    3
    +#dinout
    
    4
    +#libdebug
    
    5
    +#debug-file = /tmp/yubihsm_pkcs11_debug

  • tools/signing/machines-setup/setup-osslsigncode
    1
    +#!/bin/bash
    
    2
    +set -e
    
    3
    +
    
    4
    +if test $(whoami) != 'signing-win'; then
    
    5
    +  echo 'This script should be run as the signing-win user' >&2
    
    6
    +  exit 1
    
    7
    +fi
    
    8
    +
    
    9
    +destdir=/home/signing-win/osslsigncode
    
    10
    +if test -d "$destdir"; then
    
    11
    +  echo "$destdir already exists. Doing nothing."
    
    12
    +  exit 0
    
    13
    +fi
    
    14
    +
    
    15
    +cd /home/signing-win
    
    16
    +tar xf /signing/tor-browser-build.tar
    
    17
    +cd tor-browser-build
    
    18
    +tar xf /signing/rbm.tar
    
    19
    +osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
    
    20
    +mkdir -p out/osslsigncode
    
    21
    +cp "/signing/$osslsigncodefile" out/osslsigncode
    
    22
    +./rbm/rbm build osslsigncode --target no-git
    
    23
    +osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
    
    24
    +cd /home/signing-win
    
    25
    +tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
    
    26
    +chmod -R 755 /home/signing-win/osslsigncode
    
    27
    +echo "Extracted osslsigncode to /home/signing-win/osslsigncode"

  • tools/signing/machines-setup/setup-signing-machine
    1
    +#!/bin/bash
    
    2
    +set -e
    
    3
    +
    
    4
    +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    5
    +
    
    6
    +function create_user {
    
    7
    +  user="$1"
    
    8
    +  groups="$2"
    
    9
    +  id "$user" > /dev/null 2>&1 && return 0
    
    10
    +  test -n "$groups" && groups="--groups $groups"
    
    11
    +  useradd -s /bin/bash -m "$user" $groups
    
    12
    +}
    
    13
    +
    
    14
    +function create_group {
    
    15
    +  group="$1"
    
    16
    +  getent group "$group" > /dev/null 2>&1 && return 0
    
    17
    +  groupadd "$group"
    
    18
    +}
    
    19
    +
    
    20
    +function authorized_keys {
    
    21
    +  user="$1"
    
    22
    +  shift
    
    23
    +  tmpfile=$(mktemp)
    
    24
    +  for file in "$@"; do
    
    25
    +    cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
    
    26
    +  done
    
    27
    +  sshdir="/home/$user/.ssh"
    
    28
    +  authkeysfile="$sshdir/authorized_keys"
    
    29
    +  if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
    
    30
    +    rm "$tmpfile"
    
    31
    +    return 0
    
    32
    +  fi
    
    33
    +  echo "Update authorized_keys for user $user"
    
    34
    +  if ! test -d "$sshdir"; then
    
    35
    +    mkdir "$sshdir"
    
    36
    +    chmod 700 "$sshdir"
    
    37
    +    chown $user:$user "$sshdir"
    
    38
    +  fi
    
    39
    +  mv "$tmpfile" "$authkeysfile"
    
    40
    +  chown $user:$user "$authkeysfile"
    
    41
    +  chmod 600 "$authkeysfile"
    
    42
    +}
    
    43
    +
    
    44
    +function sudoers_file {
    
    45
    +  sfile="$1"
    
    46
    +  cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
    
    47
    +  chown root:root "/etc/sudoers.d/$sfile"
    
    48
    +  chmod 0440 "/etc/sudoers.d/$sfile"
    
    49
    +}
    
    50
    +
    
    51
    +function udev_rule {
    
    52
    +  udevrule="$1"
    
    53
    +  rulepath="/etc/udev/rules.d/$udevrule"
    
    54
    +  if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
    
    55
    +    cp "$script_dir$rulepath" "$rulepath"
    
    56
    +    udevadm control --reload-rules
    
    57
    +  fi
    
    58
    +}
    
    59
    +
    
    60
    +function install_packages {
    
    61
    +  for pkg in "$@"
    
    62
    +  do
    
    63
    +    dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
    
    64
    +    apt-get install -y "$pkg"
    
    65
    +  done
    
    66
    +}
    
    67
    +
    
    68
    +install_packages build-essential rsync unzip
    
    69
    +install_packages sudo vim tmux gnupg
    
    70
    +
    
    71
    +create_user setup
    
    72
    +authorized_keys setup boklm-yk1.pub
    
    73
    +mkdir -p /signing
    
    74
    +chmod 0755 /signing
    
    75
    +chown setup /signing
    
    76
    +
    
    77
    +create_user yubihsm
    
    78
    +create_group yubihsm
    
    79
    +udev_rule 70-yubikey.rules
    
    80
    +
    
    81
    +create_user signing
    
    82
    +create_group signing
    
    83
    +create_user signing-gpg
    
    84
    +create_user signing-mar
    
    85
    +create_user signing-win yubihsm
    
    86
    +
    
    87
    +
    
    88
    +sudoers_file sign-gpg
    
    89
    +sudoers_file sign-mar
    
    90
    +sudoers_file sign-exe
    
    91
    +
    
    92
    +authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
    
    93
    +create_user richard signing
    
    94
    +authorized_keys richard richard.pub
    
    95
    +
    
    96
    +# Install rbm deps
    
    97
    +install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
    
    98
    +                 libio-handle-util-perl libio-all-perl \
    
    99
    +                 libio-captureoutput-perl libjson-perl libpath-tiny-perl \
    
    100
    +                 libstring-shellquote-perl libsort-versions-perl \
    
    101
    +                 libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
    
    102
    +                 libfile-copy-recursive-perl libfile-slurp-perl
    
    103
    +
    
    104
    +# Install deps for building osslsigncode
    
    105
    +install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
    
    106
    +sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
    
    107
    +
    
    108
    +# Packages needed for windows signing
    
    109
    +install_packages opensc libengine-pkcs11-openssl
    
    110
    +
    
    111
    +# Install deps for building yubihsm-shell
    
    112
    +install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
    
    113
    +
    
    114
    +# Build and install yubihsm-pkcs11 package
    
    115
    +create_user build-pkgs
    
    116
    +if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
    
    117
    +  yubishm_version=2.4.0
    
    118
    +  sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
    
    119
    +  pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
    
    120
    +  apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
    
    121
    +    ./libyubihsm1_${yubishm_version}_amd64.deb \
    
    122
    +    ./libyubihsm-http1_${yubishm_version}_amd64.deb \
    
    123
    +    ./libyubihsm-usb1_${yubishm_version}_amd64.deb
    
    124
    +  popd
    
    125
    +fi
    
    126
    +
    
    127
    +# install mar-tools
    
    128
    +if ! test -d /home/signing-mar/mar-tools; then
    
    129
    +  tmpdir=$(mktemp -d)
    
    130
    +  unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
    
    131
    +  chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
    
    132
    +  chmod go+rX "$tmpdir/mar-tools"/*
    
    133
    +  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
    
    134
    +fi

  • tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
    1
    +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user@tb-release

  • tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
    1
    +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7nEOKbxQX46guAanVHEfMZL/Udvd3g/HFQnJDDK0Nr+OPe2doGcUs2DD8xxADNihh59fsvVSeerHfe0Fuer039Y2PZNjg1zfm8Gk099zLIJWgZ23Lj59sLmrHQOSgE+VKaLq6OPre9wuhoe0XbiJOmoJRH78TF5GSOidPngLgthrm3rsCAofsJ26DzObVdbKKvR5XmvloBAIiNbvPnyq+0cn6LFSSueRG/v+A9ESl423b6n01msEm8yi5wqUE3ciskRF/IpP8HJV2C2naOgXVLmYw5Ft2NQzRSSgLy+l2mQxU4FTY2SaO7TVlo8aBjxLSHWakZMsnYyWOHrSnpx+l2g2wC2Bw5CwvS4z+n1/u568/UvRvAyZ/i6f7MO56MC9ipaQH165U+Lh4Ra6V82XvOvAtQwr/ts55/ypTzEerNXO5aoRQdnfU+funQEhT80Upqo3Cda+Eexn/thF3B+uCys7gszbWHa0L0WsLmH0vlHOIY/zS34pI2BChaKk237fOMILrY3AdWaK/ZNnkvTks262dMNJiv3WjxoMBvj3M/uOawT+ir2fWoASrcWbWOJcHNcigzWruZ0J4H0tzy7GMizYs2uV7fvTvCvgVyuPtTVb7S61k2PFDozzQaWUkJIs3/OTnfXdvB1d1p/7mK+BuSb8dnNhaklxZWAeMgbSjQw== boklm-yk1

  • tools/signing/machines-setup/ssh-keys/richard.pub
    1
    +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a

  • tools/signing/machines-setup/sudoers.d/sign-exe
    1
    +Defaults>signing-win env_keep += SIGNING_PROJECTNAME
    
    2
    +%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe

  • tools/signing/machines-setup/sudoers.d/sign-gpg
    1
    +Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
    
    2
    +%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg

  • tools/signing/machines-setup/sudoers.d/sign-mar
    1
    +Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
    
    2
    +%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar

  • tools/signing/machines-setup/upload-tbb-to-signing-machine
    1
    +#!/bin/bash
    
    2
    +# Upload tor-browser-build directory from current HEAD commit and other
    
    3
    +# dependencies to signing machine
    
    4
    +set -e
    
    5
    +
    
    6
    +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    7
    +
    
    8
    +cd "$script_dir/../../.."
    
    9
    +tmpdir=$(mktemp -d)
    
    10
    +tbbtar=$tmpdir/tor-browser-build.tar
    
    11
    +git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
    
    12
    +
    
    13
    +echo "Created $tbbtar"
    
    14
    +
    
    15
    +make submodule-update
    
    16
    +osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
    
    17
    +if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
    
    18
    +  ./rbm/rbm tar osslsigncode
    
    19
    +  echo "Created $osslsigncodefile"
    
    20
    +fi
    
    21
    +
    
    22
    +cd rbm
    
    23
    +git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
    
    24
    +echo "Created rbm.tar"
    
    25
    +cd ..
    
    26
    +
    
    27
    +martools_filename=mar-tools-linux64.zip
    
    28
    +if ! test -f "./out/mar-tools/$martools_filename"; then
    
    29
    +  ./rbm/rbm build --step fetch_martools mar-tools
    
    30
    +  echo "Downloaded $martools_filename"
    
    31
    +fi
    
    32
    +
    
    33
    +yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
    
    34
    +if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
    
    35
    +  ./rbm/rbm build yubihsm-shell --step fetch_src
    
    36
    +  echo "Fetched $yubihsm_filename"
    
    37
    +fi
    
    38
    +
    
    39
    +signing_machine='linux-signer'
    
    40
    +setup_user='setup'
    
    41
    +signing_dir='/signing'
    
    42
    +
    
    43
    +echo "Uploading $osslsigncodefile to $signing_machine"
    
    44
    +chmod go+r "./out/osslsigncode/$osslsigncodefile"
    
    45
    +rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
    
    46
    +echo "Uploading rbm.tar to $signing_machine"
    
    47
    +rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
    
    48
    +echo "Uploading $martools_filename"
    
    49
    +chmod go+r "./out/mar-tools/$martools_filename"
    
    50
    +rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
    
    51
    +echo "Uploading $yubihsm_filename"
    
    52
    +chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
    
    53
    +rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
    
    54
    +echo "Uploading tor-browser-build.tar to $signing_machine"
    
    55
    +scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
    
    56
    +echo "Extracting tor-browser-build.tar on $signing_machine"
    
    57
    +ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
    
    58
    +echo "You can now run this command on $signing_machine to update signing machine setup:"
    
    59
    +echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"

  • tools/signing/set-config
    ... ... @@ -2,6 +2,7 @@
    2 2
     . "$script_dir/set-config.hosts"
    
    3 3
     
    
    4 4
     bundle_locales="ALL"
    
    5
    +export SIGNING_PROJECTNAME=torbrowser
    
    5 6
     
    
    6 7
     signed_dir="$script_dir/../../$tbb_version_type/signed"
    
    7 8
     signed_version_dir="$signed_dir/$tbb_version"
    
    ... ... @@ -15,3 +16,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
    15 16
     rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
    
    16 17
     
    
    17 18
     tb_builders='boklm dan henry ma1 pierov richard'
    
    19
    +wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers

  • tools/signing/wrappers/sign-exe
    1
    +#!/bin/bash
    
    2
    +set -e
    
    3
    +
    
    4
    +if test "$#" -ne 2; then
    
    5
    +  echo "Wrong number of arguments" >&2
    
    6
    +  exit 1
    
    7
    +fi
    
    8
    +
    
    9
    +if test $(whoami) != 'signing-win'; then
    
    10
    +  echo 'This script should be run as the signing-win user' >&2
    
    11
    +  exit 2
    
    12
    +fi
    
    13
    +
    
    14
    +yubipass="$1"
    
    15
    +to_sign_exe="$2"
    
    16
    +
    
    17
    +tpo_cert=/home/signing-win/tpo-cert.crt
    
    18
    +
    
    19
    +if ! test -f "$tpo_cert"; then
    
    20
    +  echo "File $tpo_cert is missing" >&2
    
    21
    +  exit 2
    
    22
    +fi
    
    23
    +
    
    24
    +output_signed_exe=/home/signing-win/last-signed-file.exe
    
    25
    +rm -f "$output_signed_exe"
    
    26
    +
    
    27
    +export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
    
    28
    +/home/signing-win/osslsigncode/bin/osslsigncode \
    
    29
    +  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
    
    30
    +  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
    
    31
    +  -pass "$yubipass" \
    
    32
    +  -h sha256 \
    
    33
    +  -certs "$tpo_cert" \
    
    34
    +  -key 1c40 \
    
    35
    +  "$to_sign_exe" "$output_signed_exe"
    
    36
    +
    
    37
    +chmod 644 "$output_signed_exe"

  • tools/signing/wrappers/sign-gpg
    1
    +#!/bin/bash
    
    2
    +set -e
    
    3
    +
    
    4
    +if test "$#" -ne 1; then
    
    5
    +  echo "Wrong number of arguments" >&2
    
    6
    +  exit 2
    
    7
    +fi
    
    8
    +
    
    9
    +if test $(whoami) != 'signing-gpg'; then
    
    10
    +  echo 'This script should be run as the signing-gpg user' >&2
    
    11
    +  exit 1
    
    12
    +fi
    
    13
    +
    
    14
    +exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"

  • tools/signing/wrappers/sign-mar
    1
    +#!/bin/bash
    
    2
    +set -e
    
    3
    +
    
    4
    +if test "$#" -ne 1; then
    
    5
    +  echo "Wrong number of arguments" >&2
    
    6
    +  exit 1
    
    7
    +fi
    
    8
    +
    
    9
    +if test $(whoami) != 'signing-mar'; then
    
    10
    +  echo 'This script should be run as the signing-mar user' >&2
    
    11
    +  exit 2
    
    12
    +fi
    
    13
    +
    
    14
    +output_signed_mar=/home/signing-mar/last-signed-mar.mar
    
    15
    +rm -f "$output_signed_mar"
    
    16
    +
    
    17
    +if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
    
    18
    +  NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
    
    19
    +elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
    
    20
    +  NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
    
    21
    +else
    
    22
    +  echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
    
    23
    +  exit 3
    
    24
    +fi
    
    25
    +NSS_CERTNAME=marsigner
    
    26
    +
    
    27
    +if ! test -d "$NSS_DB_DIR"; then
    
    28
    +  echo "$NSS_DB_DIR is missing" >&2
    
    29
    +  exit 3
    
    30
    +fi
    
    31
    +
    
    32
    +martools_dir=/home/signing-mar/mar-tools
    
    33
    +if ! test -d "$martools_dir"; then
    
    34
    +  >&2 echo "Please create $martools_dir"
    
    35
    +  exit 4
    
    36
    +fi
    
    37
    +export LD_LIBRARY_PATH="$martools_dir"
    
    38
    +export PATH="$martools_dir:$PATH"
    
    39
    +
    
    40
    +"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
    
    41
    +chmod 644 "$output_signed_mar"