boklm pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build
Commits: 5966b10a by Nicolas Vigier at 2023-06-08T12:45:18+02:00 Bug 40875: Re-enable Windows code signing in do-all-signing
- - - - - 2cdecd5b by Nicolas Vigier at 2023-06-08T12:45:33+02:00 Bug 40877: Update osslsigncode to more recent version
- - - - -
6 changed files:
- − projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch - projects/osslsigncode/build - projects/osslsigncode/config - − projects/osslsigncode/timestamping.patch - tools/signing/authenticode-timestamping.sh - tools/signing/do-all-signing
Changes:
===================================== projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch deleted ===================================== 
@@ -1,324 +0,0 @@ -From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Reimar.Doeffinger@gmx.de -Date: Sun, 12 Mar 2017 23:00:12 +0100 -Subject: [PATCH] Make code work with OpenSSL 1.1. - -Changes in consist of: -- Use EVP_MD_CTX_new/free API instead of on-stack allocation -- Remove some M_ prefixes like for ASN1_IA5STRING_new -- Remove pagehash functionality because it is useless to me and - fixing it would be a pain. Would require declaring a few - ASN_SEQUENCES and use that to get the required i2d functions - from what I could find out. -- Remove OBJ_create calls that seem to serve no purpose, - now crash because NULL pointers are no longer handled - (who changes API that way?!) and even if that was fixed - lead to errors when these objects are later created - again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think, - did not investigate further). - -diff --git a/osslsigncode.c b/osslsigncode.c -index 2978c02..3797458 100644 ---- a/osslsigncode.c -+++ b/osslsigncode.c -@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url) - if (desc) { - info->programName = SpcString_new(); - info->programName->type = 1; -- info->programName->value.ascii = M_ASN1_IA5STRING_new(); -- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii, -+ info->programName->value.ascii = ASN1_IA5STRING_new(); -+ ASN1_STRING_set(info->programName->value.ascii, - (const unsigned char*)desc, strlen(desc)); - } - - if (url) { - info->moreInfo = SpcLink_new(); - info->moreInfo->type = 0; -- info->moreInfo->value.url = M_ASN1_IA5STRING_new(); -- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url, -+ info->moreInfo->value.url = ASN1_IA5STRING_new(); -+ ASN1_STRING_set(info->moreInfo->value.url, - (const unsigned char*)url, strlen(url)); - } - -@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const - - if (rfc3161) { - unsigned char 
mdbuf[EVP_MAX_MD_SIZE]; -- EVP_MD_CTX mdctx; -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); - -- EVP_MD_CTX_init(&mdctx); -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length); -- EVP_DigestFinal(&mdctx, mdbuf, NULL); -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length); -+ EVP_DigestFinal(mdctx, mdbuf, NULL); -+ EVP_MD_CTX_free(mdctx); -+ mdctx = NULL; - - TimeStampReq *req = TimeStampReq_new(); - ASN1_INTEGER_set(req->version, 1); - req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); - req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new(); - req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL; -- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); -+ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); - req->certReq = (void*)0x1; - - len = i2d_TimeStampReq(req, NULL); -@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = { - 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6 - }; - --static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus, -- unsigned int sigpos, int phtype, unsigned int *phlen); -- --DECLARE_STACK_OF(ASN1_OCTET_STRING) --#ifndef sk_ASN1_OCTET_STRING_new_null --#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING) --#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st)) --#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val)) --#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \ -- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) --#endif -- --DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue) --#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null --#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue) 
--#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st)) --#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val)) --#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \ -- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) --#endif -- --static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos) --{ -- unsigned int phlen; -- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen); -- if (!ph) { -- fprintf(stderr, "Failed to calculate page hash\n"); -- exit(-1); -- } -- -- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new(); -- M_ASN1_OCTET_STRING_set(ostr, ph, phlen); -- free(ph); -- -- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null(); -- sk_ASN1_OCTET_STRING_push(oset, ostr); -- unsigned char *p, *tmp; -- unsigned int l; -- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- tmp = p = OPENSSL_malloc(l); -- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- ASN1_OCTET_STRING_free(ostr); -- sk_ASN1_OCTET_STRING_free(oset); -- -- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new(); -- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? 
SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1); -- aval->value = ASN1_TYPE_new(); -- aval->value->type = V_ASN1_SET; -- aval->value->value.set = ASN1_STRING_new(); -- ASN1_STRING_set(aval->value->value.set, p, l); -- OPENSSL_free(p); -- -- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null(); -- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval); -- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- tmp = p = OPENSSL_malloc(l); -- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue, -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); -- sk_SpcAttributeTypeAndOptionalValue_free(aset); -- SpcAttributeTypeAndOptionalValue_free(aval); -- -- SpcSerializedObject *so = SpcSerializedObject_new(); -- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash)); -- M_ASN1_OCTET_STRING_set(so->serializedData, p, l); -- OPENSSL_free(p); -- -- SpcLink *link = SpcLink_new(); -- link->type = 1; -- link->value.moniker = so; -- return link; --} -- - static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type, -- int pagehash, char *indata, unsigned int peheader, int pe32plus, -+ char *indata, unsigned int peheader, int pe32plus, - unsigned int sigpos) - { - static const unsigned char msistr[] = { -@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi - } else if (type == FILE_TYPE_PE) { - SpcPeImageData *pid = SpcPeImageData_new(); - ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0); -- if (pagehash) { -- int phtype = NID_sha1; -- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1())) -- phtype = NID_sha256; -- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos); -- } else { -- pid->file = get_obsolete_link(); -- } -+ pid->file = get_obsolete_link(); - l = i2d_SpcPeImageData(pid, 
NULL); - p = OPENSSL_malloc(l); - i2d_SpcPeImageData(pid, &p); -@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi - ASN1_INTEGER_set(si->d, 0); - ASN1_INTEGER_set(si->e, 0); - ASN1_INTEGER_set(si->f, 0); -- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); -+ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); - l = i2d_SpcSipInfo(si, NULL); - p = OPENSSL_malloc(l); - i2d_SpcSipInfo(si, &p); -@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi - hashlen = EVP_MD_size(md); - hash = OPENSSL_malloc(hashlen); - memset(hash, 0, hashlen); -- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); -+ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); - OPENSSL_free(hash); - - *len = i2d_SpcIndirectDataContent(idc, NULL); -@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, - unsigned int peheader, int pe32plus, unsigned int fileend) - { - static unsigned char bfb[16*1024*1024]; -- EVP_MD_CTX mdctx; -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); - -- EVP_MD_CTX_init(&mdctx); -- EVP_DigestInit(&mdctx, md); -+ EVP_DigestInit(mdctx, md); - - memset(mdbuf, 0, EVP_MAX_MD_SIZE); - - (void)BIO_seek(bio, 0); - BIO_read(bio, bfb, peheader + 88); -- EVP_DigestUpdate(&mdctx, bfb, peheader + 88); -+ EVP_DigestUpdate(mdctx, bfb, peheader + 88); - BIO_read(bio, bfb, 4); - BIO_read(bio, bfb, 60+pe32plus*16); -- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16); -+ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16); - BIO_read(bio, bfb, 8); - - unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8; -@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, - int l = BIO_read(bio, bfb, want); - if (l <= 0) - break; -- EVP_DigestUpdate(&mdctx, bfb, l); -+ EVP_DigestUpdate(mdctx, bfb, l); - n += l; - } - -- EVP_DigestFinal(&mdctx, mdbuf, NULL); -+ EVP_DigestFinal(mdctx, 
mdbuf, NULL); -+ EVP_MD_CTX_free(mdctx); - } - - -@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe - int phlen = pphlen * (3 + nsections + sigpos / pagesize); - unsigned char *res = malloc(phlen); - unsigned char *zeroes = calloc(pagesize, 1); -- EVP_MD_CTX mdctx; -- -- EVP_MD_CTX_init(&mdctx); -- EVP_DigestInit(&mdctx, md); -- EVP_DigestUpdate(&mdctx, indata, peheader + 88); -- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16); -- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); -- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize); -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); -+ -+ EVP_DigestInit(mdctx, md); -+ EVP_DigestUpdate(mdctx, indata, peheader + 88); -+ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16); -+ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); -+ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize); - memset(res, 0, 4); -- EVP_DigestFinal(&mdctx, res + 4, NULL); -+ EVP_DigestFinal(mdctx, res + 4, NULL); - - unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20); - char *sections = indata + peheader + 24 + sizeofopthdr; -@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe - unsigned int l; - for (l=0; l < rs; l+=pagesize, pi++) { - PUT_UINT32_LE(ro + l, res + pi*pphlen); -- EVP_DigestInit(&mdctx, md); -+ EVP_DigestInit(mdctx, md); - if (rs - l < pagesize) { -- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l); -- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l)); -+ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l); -+ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l)); - } else { -- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize); -+ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize); - } -- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL); -+ EVP_DigestFinal(mdctx, res + 
pi*pphlen + 4, NULL); - } - lastpos = ro + rs; - sections += 40; - } -+ EVP_MD_CTX_free(mdctx); -+ mdctx = NULL; - PUT_UINT32_LE(lastpos, res + pi*pphlen); - memset(res + pi*pphlen + 4, 0, EVP_MD_size(md)); - pi++; -@@ -2413,7 +2333,7 @@ int main(int argc, char **argv) - int nturl = 0, ntsurl = 0; - int addBlob = 0; - u_char *p = NULL; -- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0; -+ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0; - unsigned int tmp, peheader = 0, padlen = 0; - off_t filesize, fileend, sigfilesize, sigfileend, outdatasize; - file_type_t type; -@@ -2448,13 +2368,6 @@ int main(int argc, char **argv) - ERR_load_crypto_strings(); - OPENSSL_add_all_algorithms_conf(); - -- /* create some MS Authenticode OIDS we need later on */ -- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) || -- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) || -- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) || -- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL)) -- DO_EXIT_0("Failed to add objects\n"); -- - md = EVP_sha1(); - - if (argc > 1) { -@@ -2531,8 +2444,6 @@ int main(int argc, char **argv) - readpass = *(++argv); - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) { - comm = 1; -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) { -- pagehash = 1; - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { - if (--argc < 1) usage(argv0); - desc = *(++argv); -@@ -3243,7 +3154,7 @@ int main(int argc, char **argv) - p7x = NULL; - } - -- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend); -+ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend); - len -= EVP_MD_size(md); - memcpy(buf, p, len); - OPENSSL_free(p); --- -2.34.1 -
===================================== projects/osslsigncode/build ===================================== @@ -4,11 +4,10 @@ distdir=$(pwd)/dist mkdir -p $distdir/[% project %] tar xf [% project %]-[% c('version') %].tar.gz cd [% project %]-[% c('version') %] -patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch -patch -p1 < ../timestamping.patch
-./autogen.sh -./configure --prefix=/[% project %] +mkdir build +cd build +cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S .. make make DESTDIR=$distdir install
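Review bot: Nothing in the new build steps records or checks that the unpatched upstream source still provides what timestamping.patch used to add, namely `-t`, `-ts`, `-p`, `-noverifypeer` and `-h` being accepted by the `add` command. The pinned revision presumably supports this natively, but that is not visible in this change, and the timestamping step re-enabled in do-all-signing likely depends on it. A comment above the `cmake` line would make the assumption explicit, for example `# no local patches: upstream at the pinned git_hash is expected to support timestamping with 'add'`. The `cmake` call also sets no build type; adding `-DCMAKE_BUILD_TYPE=Release` would make the compiler flags explicit rather than leaving them to the CMake default.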
===================================== projects/osslsigncode/config ===================================== @@ -1,20 +1,16 @@ # vim: filetype=yaml sw=2 version: '[% c("git_hash").substr(0, 12) %]' git_url: https://github.com/mtrojnar/osslsigncode -git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64 +git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' container: use_container: 0 var: deps: - - autoconf - - libtool - - pkg-config + - cmake - libssl-dev - libcurl4-openssl-dev input_files: - - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch - - filename: timestamping.patch - filename: '[% c("var/srcfile") %]' enable: '[% c("var/no-git") %]'
===================================== projects/osslsigncode/timestamping.patch deleted ===================================== 
@@ -1,56 +0,0 @@ -From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001 -From: Georg Koppen gk@torproject.org -Date: Fri, 5 Feb 2016 09:23:10 +0000 -Subject: [PATCH] Allow timestamping with the 'add' command - - -diff --git a/osslsigncode.c b/osslsigncode.c -index 32e37c8..2978c02 100644 ---- a/osslsigncode.c -+++ b/osslsigncode.c -@@ -2556,16 +2556,16 @@ int main(int argc, char **argv) - if (--argc < 1) usage(argv0); - url = *(++argv); - #ifdef ENABLE_CURL -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { - if (--argc < 1) usage(argv0); - turl[nturl++] = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { - if (--argc < 1) usage(argv0); - tsurl[ntsurl++] = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { - if (--argc < 1) usage(argv0); - proxy = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { - noverifypeer = 1; - #endif - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { --- -2.7.0 - - -From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001 -From: Georg Koppen gk@torproject.org -Date: Sat, 11 Apr 2020 05:50:36 +0000 -Subject: [PATCH] fixup! 
Allow timestamping with the 'add' command - - -diff --git a/osslsigncode.c b/osslsigncode.c -index 3797458..4f4b897 100644 ---- a/osslsigncode.c -+++ b/osslsigncode.c -@@ -2447,7 +2447,7 @@ int main(int argc, char **argv) - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { - if (--argc < 1) usage(argv0); - desc = *(++argv); -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) { -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) { - if (--argc < 1) usage(argv0); - ++argv; - if (!strcmp(*argv, "md5")) { --- -2.26.0
===================================== tools/signing/authenticode-timestamping.sh ===================================== @@ -35,7 +35,7 @@ set -e script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) source "$script_dir/functions"
-osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz" +osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
test -f "$osslsigncode_file" || exit_error "$osslsigncode_file is missing." \
===================================== tools/signing/do-all-signing =====================================
@@ -17,9 +17,9 @@ echo
 test -f "$steps_dir/linux-signer-signmars.done" ||
 read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
 echo
-#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-#echo
+test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+ read -sp "Enter windows authenticode passphrase: " YUBIPASS
+echo
 test -f "$steps_dir/linux-signer-gpg-sign.done" ||
 read -sp "Enter gpg passphrase: " GPG_PASS
 echo
@@ -193,10 +193,10 @@ do_step dmg2mar
 do_step sync-scripts-to-linux-signer
 do_step linux-signer-signmars
 do_step sync-after-signmars
-#do_step linux-signer-authenticode-signing
-#do_step sync-after-authenticode-signing
-#do_step authenticode-timestamping
-#do_step sync-after-authenticode-timestamping
+do_step linux-signer-authenticode-signing
+do_step sync-after-authenticode-signing
+do_step authenticode-timestamping
+do_step sync-after-authenticode-timestamping
 do_step hash_signed_bundles
 do_step sync-after-hash
 do_step linux-signer-gpg-sign
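Review bot: The re-enabled prompt in the first hunk calls `read -sp` without `-r`, so a backslash in the passphrase is treated as an escape character and the stored value differs from what was typed; `read -rsp "Enter windows authenticode passphrase: " YUBIPASS` avoids that. The neighbouring NSSPASS and GPG_PASS prompts shown as context have the same form. The prompt text no longer mentions yubihsm while the variable is still named YUBIPASS, which will be misleading if the key no longer lives on a YubiHSM. How the variable is consumed is outside this hunk, so a rename would need to be checked against its users.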