GitLab

at 2023-11-30T13:58:17+00:00

Bug 41031: Add make targets to unsign and compare mar files

 torbrowser-compare-windows-signed-unsigned-alpha: submodule-update

 	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target torbrowser

+torbrowser-compare-mar-signed-unsigned-release: submodule-update

+	$(rbm) build release --step compare_mar_signed_unsigned --target release --target signed --target torbrowser

+

+torbrowser-compare-mar-signed-unsigned-alpha: submodule-update

+	$(rbm) build release --step compare_mar_signed_unsigned --target alpha --target signed --target torbrowser

+

 ########################

 # Base Browser Targets #

 mullvadbrowser-compare-windows-signed-unsigned-alpha: submodule-update

 	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target mullvadbrowser

+mullvadbrowser-compare-mar-signed-unsigned-release: submodule-update

+	$(rbm) build release --step compare_mar_signed_unsigned --target release --target signed --target mullvadbrowser

+

+mullvadbrowser-compare-mar-signed-unsigned-alpha: submodule-update

+	$(rbm) build release --step compare_mar_signed_unsigned --target alpha --target signed --target mullvadbrowser

+

 ############################

 # Toolchain Update Targets #

 Unsign exe files from directory torbrowser/{release,alpha}/signed/$version

 and compare them with the checksum from sha256sums-unsigned-build.txt.

+torbrowser-compare-mar-signed-unsigned-{release,alpha}

+----------------------------------------------------------

+Unsign mar files from directory torbrowser/{release,alpha}/signed/$version

+and compare them with the checksum from sha256sums-unsigned-build.txt.

+
+#!/bin/bash

+[% c("var/set_default_env") -%]

+[% IF c("var/nightly") -%]

+  build_dir=[% shell_quote(path(dest_dir)) %]/[%  c("version") %]

+[% ELSE -%]

+  build_dir=[% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]

+[% END -%]

+

+if ! test -d "$build_dir"

+then

+  echo "Error: Directory $build_dir does not exist" 1>&2

+  echo "You can download it with this command:" 1>&2

+  echo " ./tools/download-[% c("var/projectname") %] [% c("var/torbrowser_version") %]" 1>&2

+  exit 1

+fi

+

+sha256sums_files=sha256sums-unsigned-build.txt

+cd "$build_dir"

+test -f sha256sums-unsigned-build.incrementals.txt \

+  && sha256sums_files="$sha256sums_files sha256sums-unsigned-build.incrementals.txt"

+cp -a -- $(ls -1 *.mar | grep -v -- -macos-) $sha256sums_files "$rootdir/"

+cd "$rootdir"

+

+unzip -q "$rootdir/[% c('input_files_by_name/mar-tools') %]"

+export PATH="$rootdir/mar-tools:$PATH"

+export LD_LIBRARY_PATH="$rootdir/mar-tools"

+

+for file in *.mar

+do

+  signmar -r "$file" "unsigned-$file"

+  mv -f "unsigned-$file" "$file"

+  echo "Unsigned $file"

+done

+

+grep -h -- '\.mar$' $sha256sums_files | grep -v -- -macos- | sha256sum -c

+

+cat << 'EOF'

+macOS mar files have been skipped as we don't yet have a good solution

+to remove code signing from those files.

+See https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40988

+

+Windows and Linux unsigned mar files are matching with

+sha256sums-unsigned-build.txt.

+EOF
         name: osslsigncode

         pkg_type: build

     compare_windows_signed_unsigned_exe: '[% INCLUDE compare_windows_signed_unsigned_exe %]'

+  compare_mar_signed_unsigned:

+    build_log: '-'

+    debug: 0

+    input_files:

+      - project: mar-tools

+        name: mar-tools

+        pkg_type: fetch_martools

+    compare_mar_signed_unsigned: '[% INCLUDE compare_mar_signed_unsigned %]'

richard pushed to branch maint-13.0 at The Tor Project / Applications / tor-browser-build

Commits:

4 changed files:

Changes: