richard pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits: e36799bf by Nicolas Vigier at 2023-06-12T20:19:16+00:00 Bug 40851: Integrate android apk signing in do-all-signing
- - - - - f3e593e4 by Nicolas Vigier at 2023-06-12T20:19:16+00:00 Bug 40875: Update Windows signing config
- - - - - f0ab4b7d by Nicolas Vigier at 2023-06-12T20:19:16+00:00 Bug 40875: Re-enable Windows code signing in do-all-signing
- - - - - 8a7319b1 by Nicolas Vigier at 2023-06-12T20:19:16+00:00 Bug 40877: Update osslsigncode to more recent version
- - - - - bb16c7d2 by Nicolas Vigier at 2023-06-12T20:19:16+00:00 Bug 40878: Fix default permission on gpg signature files
- - - - -
20 changed files:
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md - .gitlab/issue_templates/Release Prep - Tor Browser Stable.md - projects/android-toolchain/config - − projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch - projects/osslsigncode/build - projects/osslsigncode/config - − projects/osslsigncode/timestamping.patch - − tools/signing/android-signing.mullvadbrowser - − tools/signing/android-signing.torbrowser - tools/signing/authenticode-timestamping.sh - tools/signing/do-all-signing - tools/signing/linux-signer-gpg-sign - + tools/signing/linux-signer-sign-android-apks - + tools/signing/linux-signer-sign-android-apks.torbrowser - tools/signing/machines-setup/setup-signing-machine - + tools/signing/machines-setup/sudoers.d/sign-apk - tools/signing/machines-setup/upload-tbb-to-signing-machine - − tools/signing/set-config.android-signing - tools/signing/android-signing → tools/signing/wrappers/sign-apk - tools/signing/wrappers/sign-exe
Changes:
===================================== .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md ===================================== @@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch - `cd tor-browser-build/tools/signing/` - `./macos-signer-proxy` - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory - [ ] run do-all-signing script: - `cd tor-browser-build/tools/signing/` - `./do-all-signing.torbrowser`
===================================== .gitlab/issue_templates/Release Prep - Tor Browser Stable.md ===================================== @@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE - `cd tor-browser-build/tools/signing/` - `./macos-signer-proxy` - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050 -- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory - [ ] run do-all-signing script: - `cd tor-browser-build/tools/signing/` - `./do-all-signing.sh`
===================================== projects/android-toolchain/config ===================================== @@ -95,9 +95,8 @@ steps: #!/bin/bash set -e mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %] - var: - container: - use_container: 0 + container: + use_container: 0 input_files: - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]' name: build_tools
===================================== projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch deleted ===================================== 
@@ -1,324 +0,0 @@ -From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Reimar.Doeffinger@gmx.de -Date: Sun, 12 Mar 2017 23:00:12 +0100 -Subject: [PATCH] Make code work with OpenSSL 1.1. - -Changes in consist of: -- Use EVP_MD_CTX_new/free API instead of on-stack allocation -- Remove some M_ prefixes like for ASN1_IA5STRING_new -- Remove pagehash functionality because it is useless to me and - fixing it would be a pain. Would require declaring a few - ASN_SEQUENCES and use that to get the required i2d functions - from what I could find out. -- Remove OBJ_create calls that seem to serve no purpose, - now crash because NULL pointers are no longer handled - (who changes API that way?!) and even if that was fixed - lead to errors when these objects are later created - again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think, - did not investigate further). - -diff --git a/osslsigncode.c b/osslsigncode.c -index 2978c02..3797458 100644 ---- a/osslsigncode.c -+++ b/osslsigncode.c -@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url) - if (desc) { - info->programName = SpcString_new(); - info->programName->type = 1; -- info->programName->value.ascii = M_ASN1_IA5STRING_new(); -- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii, -+ info->programName->value.ascii = ASN1_IA5STRING_new(); -+ ASN1_STRING_set(info->programName->value.ascii, - (const unsigned char*)desc, strlen(desc)); - } - - if (url) { - info->moreInfo = SpcLink_new(); - info->moreInfo->type = 0; -- info->moreInfo->value.url = M_ASN1_IA5STRING_new(); -- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url, -+ info->moreInfo->value.url = ASN1_IA5STRING_new(); -+ ASN1_STRING_set(info->moreInfo->value.url, - (const unsigned char*)url, strlen(url)); - } - -@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const - - if (rfc3161) { - unsigned char 
mdbuf[EVP_MAX_MD_SIZE]; -- EVP_MD_CTX mdctx; -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); - -- EVP_MD_CTX_init(&mdctx); -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length); -- EVP_DigestFinal(&mdctx, mdbuf, NULL); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length); -+ EVP_DigestFinal(mdctx, mdbuf, NULL); -+ EVP_MD_CTX_free(mdctx); -+ mdctx = NULL; - - TimeStampReq *req = TimeStampReq_new(); - ASN1_INTEGER_set(req->version, 1); - req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); - req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new(); - req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL; -- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); -+ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); - req->certReq = (void*)0x1; - - len = i2d_TimeStampReq(req, NULL); -@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = { - 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6 - }; - --static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus, -- unsigned int sigpos, int phtype, unsigned int *phlen); -- --DECLARE_STACK_OF(ASN1_OCTET_STRING) --#ifndef sk_ASN1_OCTET_STRING_new_null --#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING) --#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st)) --#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val)) --#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \ -- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) --#endif -- --DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue) --#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null --#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue) 
--#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st)) --#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val)) --#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \ -- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) --#endif -- --static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos) --{ -- unsigned int phlen; -- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen); -- if (!ph) { -- fprintf(stderr, "Failed to calculate page hash\n"); -- exit(-1); -- } -- -- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new(); -- M_ASN1_OCTET_STRING_set(ostr, ph, phlen); -- free(ph); -- -- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null(); -- sk_ASN1_OCTET_STRING_push(oset, ostr); -- unsigned char *p, *tmp; -- unsigned int l; -- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- tmp = p = OPENSSL_malloc(l); -- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- ASN1_OCTET_STRING_free(ostr); -- sk_ASN1_OCTET_STRING_free(oset); -- -- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new(); -- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? 
SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1); -- aval->value = ASN1_TYPE_new(); -- aval->value->type = V_ASN1_SET; -- aval->value->value.set = ASN1_STRING_new(); -- ASN1_STRING_set(aval->value->value.set, p, l); -- OPENSSL_free(p); -- -- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null(); -- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval); -- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- tmp = p = OPENSSL_malloc(l); -- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- sk_SpcAttributeTypeAndOptionalValue_free(aset); -- SpcAttributeTypeAndOptionalValue_free(aval); -- -- SpcSerializedObject *so = SpcSerializedObject_new(); -- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash)); -- M_ASN1_OCTET_STRING_set(so->serializedData, p, l); -- OPENSSL_free(p); -- -- SpcLink *link = SpcLink_new(); -- link->type = 1; -- link->value.moniker = so; -- return link; --} -- - static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type, -- int pagehash, char *indata, unsigned int peheader, int pe32plus, -+ char *indata, unsigned int peheader, int pe32plus, - unsigned int sigpos) - { - static const unsigned char msistr[] = { -@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi - } else if (type == FILE_TYPE_PE) { - SpcPeImageData *pid = SpcPeImageData_new(); - ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0); -- if (pagehash) { -- int phtype = NID_sha1; -- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1())) -- phtype = NID_sha256; -- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos); -- } else { -- pid->file = get_obsolete_link(); -- } -+ pid->file = get_obsolete_link(); - l = i2d_SpcPeImageData(pid, 
NULL); - p = OPENSSL_malloc(l); - i2d_SpcPeImageData(pid, &p); -@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi - ASN1_INTEGER_set(si->d, 0); - ASN1_INTEGER_set(si->e, 0); - ASN1_INTEGER_set(si->f, 0); -- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); -+ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); - l = i2d_SpcSipInfo(si, NULL); - p = OPENSSL_malloc(l); - i2d_SpcSipInfo(si, &p); -@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi - hashlen = EVP_MD_size(md); - hash = OPENSSL_malloc(hashlen); - memset(hash, 0, hashlen); -- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); -+ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); - OPENSSL_free(hash); - - *len = i2d_SpcIndirectDataContent(idc, NULL); -@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, - unsigned int peheader, int pe32plus, unsigned int fileend) - { - static unsigned char bfb[16*1024*1024]; -- EVP_MD_CTX mdctx; -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); - -- EVP_MD_CTX_init(&mdctx); -- EVP_DigestInit(&mdctx, md); -+ EVP_DigestInit(mdctx, md); - - memset(mdbuf, 0, EVP_MAX_MD_SIZE); - - (void)BIO_seek(bio, 0); - BIO_read(bio, bfb, peheader + 88); -- EVP_DigestUpdate(&mdctx, bfb, peheader + 88); -+ EVP_DigestUpdate(mdctx, bfb, peheader + 88); - BIO_read(bio, bfb, 4); - BIO_read(bio, bfb, 60+pe32plus*16); -- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16); -+ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16); - BIO_read(bio, bfb, 8); - - unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8; -@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, - int l = BIO_read(bio, bfb, want); - if (l <= 0) - break; -- EVP_DigestUpdate(&mdctx, bfb, l); -+ EVP_DigestUpdate(mdctx, bfb, l); - n += l; - } - -- EVP_DigestFinal(&mdctx, mdbuf, NULL); -+ EVP_DigestFinal(mdctx, 
mdbuf, NULL); -+ EVP_MD_CTX_free(mdctx); - } - - -@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe - int phlen = pphlen * (3 + nsections + sigpos / pagesize); - unsigned char *res = malloc(phlen); - unsigned char *zeroes = calloc(pagesize, 1); -- EVP_MD_CTX mdctx; -- -- EVP_MD_CTX_init(&mdctx); -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, indata, peheader + 88); -- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16); -- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); -- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize); -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); -+ -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, indata, peheader + 88); -+ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16); -+ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); -+ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize); - memset(res, 0, 4); -- EVP_DigestFinal(&mdctx, res + 4, NULL); -+ EVP_DigestFinal(mdctx, res + 4, NULL); - - unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20); - char *sections = indata + peheader + 24 + sizeofopthdr; -@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe - unsigned int l; - for (l=0; l < rs; l+=pagesize, pi++) { - PUT_UINT32_LE(ro + l, res + pi*pphlen); -- EVP_DigestInit(&mdctx, md); -+ EVP_DigestInit(mdctx, md); - if (rs - l < pagesize) { -- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l); -- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l)); -+ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l); -+ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l)); - } else { -- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize); -+ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize); - } -- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL); -+ EVP_DigestFinal(mdctx, res + 
pi*pphlen + 4, NULL); - } - lastpos = ro + rs; - sections += 40; - } -+ EVP_MD_CTX_free(mdctx); -+ mdctx = NULL; - PUT_UINT32_LE(lastpos, res + pi*pphlen); - memset(res + pi*pphlen + 4, 0, EVP_MD_size(md)); - pi++; -@@ -2413,7 +2333,7 @@ int main(int argc, char **argv) - int nturl = 0, ntsurl = 0; - int addBlob = 0; - u_char *p = NULL; -- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0; -+ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0; - unsigned int tmp, peheader = 0, padlen = 0; - off_t filesize, fileend, sigfilesize, sigfileend, outdatasize; - file_type_t type; -@@ -2448,13 +2368,6 @@ int main(int argc, char **argv) - ERR_load_crypto_strings(); - OPENSSL_add_all_algorithms_conf(); - -- /* create some MS Authenticode OIDS we need later on */ -- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) || -- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) || -- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) || -- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL)) -- DO_EXIT_0("Failed to add objects\n"); -- - md = EVP_sha1(); - - if (argc > 1) { -@@ -2531,8 +2444,6 @@ int main(int argc, char **argv) - readpass = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) { - comm = 1; -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) { -- pagehash = 1; - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { - if (--argc < 1) usage(argv0); - desc = *(++argv); -@@ -3243,7 +3154,7 @@ int main(int argc, char **argv) - p7x = NULL; - } - -- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend); -+ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend); - len -= EVP_MD_size(md); - memcpy(buf, p, len); - OPENSSL_free(p); --- -2.34.1 -
===================================== projects/osslsigncode/build ===================================== @@ -4,11 +4,10 @@ distdir=$(pwd)/dist mkdir -p $distdir/[% project %] tar xf [% project %]-[% c('version') %].tar.gz cd [% project %]-[% c('version') %] -patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch -patch -p1 < ../timestamping.patch
-./autogen.sh -./configure --prefix=/[% project %] +mkdir build +cd build +cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S .. make make DESTDIR=$distdir install
===================================== projects/osslsigncode/config ===================================== @@ -1,20 +1,16 @@ # vim: filetype=yaml sw=2 version: '[% c("git_hash").substr(0, 12) %]' git_url: https://github.com/mtrojnar/osslsigncode -git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64 +git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' container: use_container: 0 var: deps: - - autoconf - - libtool - - pkg-config + - cmake - libssl-dev - libcurl4-openssl-dev input_files: - - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch - - filename: timestamping.patch - filename: '[% c("var/srcfile") %]' enable: '[% c("var/no-git") %]'
===================================== projects/osslsigncode/timestamping.patch deleted ===================================== 
@@ -1,56 +0,0 @@ -From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001 -From: Georg Koppen gk@torproject.org -Date: Fri, 5 Feb 2016 09:23:10 +0000 -Subject: [PATCH] Allow timestamping with the 'add' command - - -diff --git a/osslsigncode.c b/osslsigncode.c -index 32e37c8..2978c02 100644 ---- a/osslsigncode.c -+++ b/osslsigncode.c -@@ -2556,16 +2556,16 @@ int main(int argc, char **argv) - if (--argc < 1) usage(argv0); - url = *(++argv); - #ifdef ENABLE_CURL -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { - if (--argc < 1) usage(argv0); - turl[nturl++] = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { - if (--argc < 1) usage(argv0); - tsurl[ntsurl++] = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { - if (--argc < 1) usage(argv0); - proxy = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { - noverifypeer = 1; - #endif - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { --- -2.7.0 - - -From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001 -From: Georg Koppen gk@torproject.org -Date: Sat, 11 Apr 2020 05:50:36 +0000 -Subject: [PATCH] fixup! 
Allow timestamping with the 'add' command - - -diff --git a/osslsigncode.c b/osslsigncode.c -index 3797458..4f4b897 100644 ---- a/osslsigncode.c -+++ b/osslsigncode.c -@@ -2447,7 +2447,7 @@ int main(int argc, char **argv) - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { - if (--argc < 1) usage(argv0); - desc = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) { - if (--argc < 1) usage(argv0); - ++argv; - if (!strcmp(*argv, "md5")) { --- -2.26.0
===================================== tools/signing/android-signing.mullvadbrowser deleted ===================================== @@ -1 +0,0 @@ -android-signing \ No newline at end of file
===================================== tools/signing/android-signing.torbrowser deleted ===================================== @@ -1 +0,0 @@ -android-signing \ No newline at end of file
===================================== tools/signing/authenticode-timestamping.sh ===================================== @@ -35,7 +35,7 @@ set -e script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) source "$script_dir/functions"
-osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
+osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
test -f "$osslsigncode_file" || exit_error "$osslsigncode_file is missing." \
===================================== tools/signing/do-all-signing ===================================== @@ -17,9 +17,12 @@ echo test -f "$steps_dir/linux-signer-signmars.done" || read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS echo -#test -f "$steps_dir/linux-signer-authenticode-signing.done" || -# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS -#echo +test -f "$steps_dir/linux-signer-sign-android-apks.done" || + read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS +echo +test -f "$steps_dir/linux-signer-authenticode-signing.done" || + read -sp "Enter windows authenticode passphrase: " YUBIPASS +echo test -f "$steps_dir/linux-signer-gpg-sign.done" || read -sp "Enter gpg passphrase: " GPG_PASS echo @@ -106,6 +109,18 @@ function sync-after-signmars { "$script_dir/sync-linux-signer-to-local" }
+function linux-signer-sign-android-apks { + ssh "$ssh_host_linux_signer" 'bash -s' << EOF + export KSPASS=$KSPASS + ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME +EOF + unset KSPASS +} + +function sync-after-sign-android-apks { + "$script_dir/sync-linux-signer-to-local" +} + function download-unsigned-sha256sums-gpg-signatures-from-people-tpo { "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo" } @@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-signmars do_step linux-signer-signmars do_step sync-after-signmars -#do_step linux-signer-authenticode-signing -#do_step sync-after-authenticode-signing -#do_step authenticode-timestamping -#do_step sync-after-authenticode-timestamping +is_project torbrowser && \ + do_step linux-signer-sign-android-apks +is_project torbrowser && \ + do_step sync-after-sign-android-apks +do_step linux-signer-authenticode-signing +do_step sync-after-authenticode-signing +do_step authenticode-timestamping +do_step sync-after-authenticode-timestamping do_step hash_signed_bundles do_step sync-after-hash do_step linux-signer-gpg-sign
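Review bot: In `linux-signer-sign-android-apks`, the here-document line `export KSPASS=$KSPASS` is expanded locally and reaches the remote `bash -s` unquoted, so a passphrase containing a space is truncated and one containing `;`, `$`, backticks or `&` is parsed by the remote shell as code. Quote it for the remote side, e.g. `export KSPASS=$(printf '%q' "$KSPASS")`. The prompt added in the first hunk uses `read -sp` without `-r`, so backslashes in the typed passphrase are also altered; `read -rsp` keeps it verbatim. A short comment above the here-document noting that the secret travels on ssh stdin rather than in the command line would help the next maintainer.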
===================================== tools/signing/linux-signer-gpg-sign ===================================== @@ -20,4 +20,5 @@ do tmpsig=$(mktemp) echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig" mv -f "$tmpsig" "${i}.asc" + chmod 644 "${i}.asc" done
===================================== tools/signing/linux-signer-sign-android-apks ===================================== 
@@ -0,0 +1,83 @@ +#!/bin/bash + +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" +source "$script_dir/set-config.generated-config" + +topdir="$script_dir/../.." +ARCHS="armv7 aarch64 x86 x86_64" +projname=$(project-name) +# tbb_version_type is used in wrappers/sign-apk, so we export it +export tbb_version_type + +check_installed_packages() { + local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless' + for package in $packages + do + dpkg -s "$package" | grep -q '^Status: install ok installed$' || \ + exit_error "package $package is missing" + done +} + +setup_build_tools() { + build_tools_dir=/signing/android-build-tools + test -f "$build_tools_dir"/android-12/apksigner || \ + exit_error "$build_tools_dir/android-12/apksigner is missing" + export PATH="$build_tools_dir/android-12:${PATH}" +} + +sign_apk() { + sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2" +} + +verify_apk() { + verified=$(apksigner verify --print-certs --verbose "$1") + scheme_v1="Verified using v1 scheme (JAR signing): true" + scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true" + + # Verify the expected signing key was used, Alpha verses Release based on the filename. + if test "$tbb_version_type" = "alpha"; then + cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1" + pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d" + else + cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8" + pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6" + fi + for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do + if ! 
echo "${verified}" | grep -q "${digest}"; then + echo "Expected digest not found:" + echo ${digest} + echo "in:" + echo ${verified} + exit 1 + fi + done +} + +check_installed_packages + +if [ -z "$KSPASS" ]; then + echo "Enter keystore passphrase" + stty -echo; read KSPASS; stty echo + export KSPASS +fi + +setup_build_tools + +mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" +chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" +chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" +cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" +cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" + +# Sign all packages +for arch in ${ARCHS}; do + qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk + signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk + sign_apk "$qa_apk" "$signed_apk" + verify_apk "$signed_apk" + cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version" +done + +rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
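Review bot: `verify_apk` only checks that each expected line occurs somewhere in the `apksigner verify` output, so the pinned-digest check does not assert that the APK carries exactly one signer, and `grep -q "${digest}"` treats the expected text as a regular expression. Match literally with `grep -qF -- "${digest}"`, and consider adding the signer-count line that `apksigner --print-certs` prints (expected to be `Number of signers: 1`; confirm against the android-12 build-tools output) to the list in the `for` loop. The comment says the key is chosen "based on the filename", but the code selects it from `$tbb_version_type`. Separately, `set -e` means a failed `sign_apk` or `verify_apk` exits before the final `rm -Rf`, leaving the group-writable `-apks` staging directory behind; a `trap 'rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"' EXIT` set right after the `mkdir` would cover that.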
===================================== tools/signing/linux-signer-sign-android-apks.torbrowser ===================================== @@ -0,0 +1 @@ +linux-signer-sign-android-apks \ No newline at end of file
===================================== tools/signing/machines-setup/setup-signing-machine ===================================== @@ -83,11 +83,12 @@ create_group signing create_user signing-gpg create_user signing-mar create_user signing-win yubihsm - +create_user signing-apk signing
sudoers_file sign-gpg sudoers_file sign-mar sudoers_file sign-exe +sudoers_file sign-apk
authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub create_user richard signing @@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl # Install deps for building yubihsm-shell install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+# Install deps for android/apk signing +install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless + # Build and install yubihsm-pkcs11 package create_user build-pkgs if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then @@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then chmod go+rX "$tmpdir/mar-tools"/* mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools fi + +for rel in release alpha; do + keypath=/home/signing-apk/keys/tba_$rel.p12 + if ! test -f "$keypath"; then + echo "$rel key for android should be put in $keypath" + else + chown signing-apk "$keypath" + chmod 700 "$keypath" + fi +done
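Review bot: In the key-permission loop added at the end of the file, `chmod 700 "$keypath"` sets the execute bit on a PKCS#12 keystore; `chmod 600 "$keypath"` is the tighter mode for a secret that is only read. The loop also leaves `/home/signing-apk/keys` itself at whatever owner and mode it was created with, so adding `chown signing-apk /home/signing-apk/keys` and `chmod 700 /home/signing-apk/keys` would keep other accounts from listing the directory. When a key is missing the script only prints a message and continues; that appears intentional for first-time setup, but a comment saying so would help.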
===================================== tools/signing/machines-setup/sudoers.d/sign-apk =====================================
@@ -0,0 +1,2 @@
+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk
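Review bot: The `env_keep` list lets `SIGNING_PROJECTNAME` through to the `signing-apk` account, but the part of `wrappers/sign-apk` visible in this commit reads only `tbb_version_type`; if the rest of the wrapper does not use it, drop it so that only the validated variable and the passphrase cross the sudo boundary. The rule also places no restriction on arguments, so any member of `%signing` chooses both the input and the output path, which makes the wrapper the only place where those paths can be checked. A comment such as `# KSPASS: keystore passphrase; tbb_version_type: selects tba_<type>.p12, validated in the wrapper` above the `Defaults` line would document why each variable is kept.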
===================================== tools/signing/machines-setup/upload-tbb-to-signing-machine ===================================== @@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then echo "Fetched $yubihsm_filename" fi
+android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename) +if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then + ./rbm/rbm build --step get_build_tools android-toolchain + echo "Fetched $android_build_tools_filename" +fi + signing_machine='linux-signer' setup_user='setup' signing_dir='/signing' @@ -43,14 +49,26 @@ signing_dir='/signing' echo "Uploading $osslsigncodefile to $signing_machine" chmod go+r "./out/osslsigncode/$osslsigncodefile" rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile" + echo "Uploading rbm.tar to $signing_machine" rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar" + echo "Uploading $martools_filename" chmod go+r "./out/mar-tools/$martools_filename" rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename" + echo "Uploading $yubihsm_filename" chmod go+r "./out/yubihsm-shell/$yubihsm_filename" rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename" + +echo "Uploading $android_build_tools_filename" +chmod go+r "./out/android-toolchain/$android_build_tools_filename" +rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename" +echo "Extracting $android_build_tools_filename" +ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools +ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename" +ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename" + echo "Uploading tor-browser-build.tar to $signing_machine" scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/" echo "Extracting tor-browser-build.tar on $signing_machine"
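Review bot: The last added ssh command runs `chmod -R o+rX` on `"$signing_dir/$android_build_tools_filename"`, which is the uploaded zip file, not the directory it was just extracted into; presumably the target should be `"$signing_dir/android-build-tools"`, otherwise the extracted `apksigner` keeps whatever modes the archive and the remote umask give it. `unzip -qo` into an existing directory also leaves files from a previously uploaded build-tools version in place, so removing the directory before extracting would keep `/signing/android-build-tools` matching the archive that rbm fetched. The unquoted `$signing_dir/android-build-tools` arguments are harmless with the fixed `signing_dir='/signing'` but differ from the quoting used on the neighbouring lines.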
===================================== tools/signing/set-config.android-signing deleted ===================================== @@ -1,7 +0,0 @@ -# The following line should be uncommented and updated: - -#ssh_host_pkgstage=tbbuild -#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build -#android_signing_key_dir=/path/to/signing/key/dir - -var_is_defined ssh_host_pkgstage android_signing_key_dir
===================================== tools/signing/android-signing → tools/signing/wrappers/sign-apk ===================================== @@ -1,69 +1,34 @@ #!/bin/bash - -# Sign apk for each target architecture. -# This script does not require command line argument, but it needs -# some configuration options to be set in set-config.android-signing: -# - ssh_host_pkgstage is the host which you use for staging packages -# during signing. The script will download the unsigned .apk files -# from this host, and upload the signed .apk there -# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build -# on pkgstage -# - android_signing_key_dir: the local path where the android signing -# keys are located. That directory should contains files tba_alpha.p12 -# and tba_release.p12 for alpha and release signing keys. -# The Tor Browser version is taken from set-config.tbb-version - set -e -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -source "$script_dir/functions" -source "$script_dir/set-config.android-signing"
-topdir="$script_dir/../.." -ARCHS="armv7 aarch64 x86 x86_64" -projname=$(project-name) - -android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12" -test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing" - -check_installed_packages() { - local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless' - for package in $packages +function exit_error { + for msg in "$@" do - dpkg -s "$package" | grep -q '^Status: install ok installed$' || \ - exit_error "package $package is missing" + echo "$msg" >&2 done + exit 1 }
+if test "$tbb_version_type" != 'release' \ + && test "$tbb_version_type" != 'alpha'; then + exit_error "Unexpected value for tbb_version_type: $tbb_version_type" +fi + +android_signing_key_dir=/home/signing-apk/keys +android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12" +test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing" + setup_build_tools() { - local rbm="$topdir/rbm/rbm" - local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)" - if ! test -f "$build_tools_zipfile"; then - "$rbm" build --step get_build_tools android-toolchain - test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing" - fi - local build_tools_dir=$(mktemp -d) - trap "rm -Rf $build_tools_dir" EXIT - unzip -d "$build_tools_dir" "$build_tools_zipfile" + build_tools_dir=/signing/android-build-tools test -f "$build_tools_dir"/android-12/apksigner || \ exit_error "$build_tools_dir/android-12/apksigner is missing" export PATH="$build_tools_dir/android-12:${PATH}" }
-download_unsigned_apks() { - apks_dir=$(mktemp -d) - trap "rm -Rf $apks_dir" EXIT - rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/" -} - -upload_signed_apks() { - rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \ - --exclude="*-unsigned.apk" "$apks_dir/" \ - "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/" -} - # Sign individual apk sign_apk() { INPUTAPK="$1" + OUTPUTAPK="$2"
# https://developer.android.com/studio/publish/app-signing#sign-manually # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk @@ -75,10 +40,11 @@ sign_apk() { echo Aligning and signing ${INPUTAPK}
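Review bot: The new wrapper drops the header comment without replacing it, so nothing in the file states what it expects: two positional arguments (input and output APK, used at the bottom as `sign_apk "$1" "$2"`) and `tbb_version_type` taken from the caller's environment. A short header such as `# Usage: sign-apk <input.apk> <output.apk>`, plus a line naming the required environment variables, would make the contract reviewable next to the sudoers entry. The new lines 1-34 also contain no account guard, whereas sign-exe refuses to run unless `whoami` returns its dedicated user. The same check for the apk signing account would make a misconfigured invocation fail before any key path is touched. sign_apk's body continues outside this hunk.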
# Append the different stages of signing - UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/.apk/-unsigned-unaligned.apk/'` + UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/.apk/-unsigned-unaligned.apk/'` UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'` SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
+ # ${INPUTAPK} is full path. We copy to local tmp directory. cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
# Step 1: Align @@ -117,67 +83,16 @@ sign_apk() { exit 1 fi
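Review bot: The sed expression on the changed line, `s/.apk/-unsigned-unaligned.apk/`, is neither escaped nor anchored, so it rewrites the first occurrence of any character followed by `apk`. A name without that sequence is left unchanged, in which case all three derived names are identical. Since the line now calls basename anyway, its suffix argument strips the extension exactly: `UNSIGNED_UNALIGNED_APK="$(basename "${INPUTAPK}" .apk)-unsigned-unaligned.apk"`. Rejecting an input that does not end in `.apk` before the `cp` would make the expected input explicit. The rest of sign_apk is outside this hunk, so how the later align and sign steps react to such a name is not visible here.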
+ mv -f "${SIGNED_APK}" "$OUTPUTAPK" echo apksigner verify succeeded }
-# Rename and verify signing certificate -finalize() { - for arch in ${ARCHS}; do - mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk - done - - for arch in ${ARCHS}; do - verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk` - scheme_v1= - scheme_v2= - cert_digest= - pubkey_digest= - - # Verify the expected signing key was used, Alpha verses Release based on the filename. - if test "$tbb_version_type" = "alpha"; then - scheme_v1="Verified using v1 scheme (JAR signing): true" - scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true" - cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1" - pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d" - else - scheme_v1="Verified using v1 scheme (JAR signing): true" - scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true" - cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8" - pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6" - fi - for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do - if ! `echo "${verified}" | grep -q "${digest}"`; then - echo "Expected digest not found:" - echo ${digest} - echo "in:" - echo ${verified} - exit 1 - fi - done - done - - echo Done. -} - -check_installed_packages - -if [ -z "$KSPASS" ]; then - echo "Enter keystore passphrase" - stty -echo; read KSPASS; stty echo - export KSPASS -fi - setup_build_tools
-download_unsigned_apks
-
-cd $apks_dir
-
-# Sign all packages
-for arch in ${ARCHS}; do
- sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
-done
+tmpdir=$(mktemp -d)
+cd "$tmpdir"
-finalize
+sign_apk "$1" "$2"
-upload_signed_apks +cd - +rm -Rf "$tmpdir"
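Review bot: The temporary directory is removed only on the success path: `set -e` and the `exit 1` inside sign_apk both leave before `rm -Rf "$tmpdir"` runs, so a failed signing leaves APK copies behind. A trap set right after creation covers every exit, `trap 'rm -Rf "$tmpdir"' EXIT`, and the trailing `cd -` and `rm` can then go. `$1` and `$2` are used without a count check and after `cd "$tmpdir"`, so a relative path would resolve inside the temporary directory; `test $# -eq 2 || exit_error "Usage: sign-apk <input.apk> <output.apk>"` plus a check for a leading `/` would make that explicit. The certificate and public-key digest comparison from the removed finalize() is gone from this file, and it is not visible here whether the calling script repeats it.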
===================================== tools/signing/wrappers/sign-exe ===================================== @@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then exit 2 fi
-yubipass="$1" +pass="$1" to_sign_exe="$2"
-tpo_cert=/home/signing-win/tpo-cert.crt
+key_dir=/home/signing-win/keys/key-1
+tpo_cert=$key_dir/the_tor_project_inc.crt
+tpo_key=$key_dir/private.pem
if ! test -f "$tpo_cert"; then echo "File $tpo_cert is missing" >&2 @@ -26,12 +28,10 @@ rm -f "$output_signed_exe"
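Review bot: Only `$tpo_cert` is tested for existence in the lines that follow; the new `$tpo_key` is not, so a missing or misplaced private.pem surfaces later as an osslsigncode error. A matching guard, `if ! test -f "$tpo_key"; then echo "File $tpo_key is missing" >&2`, followed by the same exit the certificate check uses (its end is outside this hunk), keeps the failure messages consistent. Because the key is now a file under `$key_dir` rather than an object addressed through PKCS#11, a check that it is not group- or world-readable would be a cheap addition at the same spot.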
export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf' /home/signing-win/osslsigncode/bin/osslsigncode \ - -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \ - -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \ - -pass "$yubipass" \ + -pass "$pass" \ -h sha256 \ -certs "$tpo_cert" \ - -key 1c40 \ + -key "$tpo_key" \ "$to_sign_exe" "$output_signed_exe"
chmod 644 "$output_signed_exe"
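Review bot: The passphrase still reaches osslsigncode as `-pass "$pass"` on the command line, where other local accounts can see it in the process list for the duration of the run unless /proc is mounted with hidepid. With the PKCS#11 options removed, it now unlocks a key file on disk rather than an HSM session. osslsigncode can read the passphrase from a file with `-readpass`, which would keep it out of argv if the wrapper received a file path instead of the secret itself. The `export 'YUBIHSM_PKCS11_CONF=...'` context line looks unused after this change and could be dropped, unless something outside the hunk still needs it.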