[Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 40763: Add support for signing multiple browsers in tools/signing/nightly

20 Mar 2023


      boklm pushed to branch main at The Tor Project / Applications / tor-browser-build


Commits:
38099794 by Nicolas Vigier at 2023-03-20T17:29:45+01:00
Bug 40763: Add support for signing multiple browsers in tools/signing/nightly

- - - - -
3f0b4c83 by Nicolas Vigier at 2023-03-20T17:29:46+01:00
Bug 40807: Add config for basebrowser nightly signing

- - - - -


3 changed files:

- tools/signing/nightly/config.yml
- tools/signing/nightly/create-nightly-mar-signing-key
- tools/signing/nightly/sign-nightly


Changes:

=====================================
tools/signing/nightly/config.yml
=====================================
@@ -3,15 +3,22 @@ martools_version: 9.0.2
 martools_url: https://archive.torproject.org/tor-package-archive/torbrowser/
 martools_gpg_keyring: keyring/torbrowser.gpg
 builds_url: /srv/tbb-nightlies-master.torproject.org/htdocs/nightly-builds/tor-browser-builds
-builds_url_auth_basic_username: tor-guest
-builds_url_auth_basic_password: tor-guest
-publish_dirs:
+torbrowser:
+  publish_dirs:
     - nightly-linux-x86_64
     - nightly-linux-i686
     - nightly-windows-x86_64
     - nightly-windows-i686
     - nightly-macos
-nss_db_dir: nssdb
+  nss_db_dir: nssdb
+basebrowser:
+  publish_dirs:
+    - basebrowser-nightly-linux-x86_64
+    - basebrowser-nightly-linux-i686
+    - basebrowser-nightly-windows-x86_64
+    - basebrowser-nightly-windows-i686
+    - basebrowser-nightly-macos
+  nss_db_dir: nssdb-basebrowser-1
 nss_certname: nightly-marsigner
 gpg_keyring: keyring/torbrowser-nightly.gpg
 rsync_dest: /srv/tbb-nightlies-master.torproject.org/htdocs/nightly-updates/


=====================================
tools/signing/nightly/create-nightly-mar-signing-key
=====================================
@@ -1,6 +1,13 @@
 #!/bin/bash
 set -e
-nssdb="$(dirname "$0")/nssdb"
+if test "$#" -ne 2; then
+  echo "Usage: $0 <nssdb-dir> <Browser Name>" >&2
+  echo >&2
+  echo "Example: $0 nssdb-basebrowser 'Base Browser'" >&2
+  exit 1
+fi
+nssdb="$(dirname "$0")/$1"
+BrowserName="$2"
 if test -d $nssdb
 then
     echo "Error: $nssdb already exists" >&2
@@ -9,5 +16,5 @@ fi
 mkdir -p $nssdb
 chmod 700 $nssdb
 certutil -d $nssdb -N --empty-password
-certutil -d $nssdb -S -x -g 4096 -Z SHA384 -n nightly-marsigner -s "CN=Tor Browser Nightly MAR signing key" -t,,
+certutil -d $nssdb -S -x -g 4096 -Z SHA384 -n nightly-marsigner -s "CN=$BrowserName Nightly MAR signing key" -t,,
 certutil -d $nssdb -L -r -n nightly-marsigner -o $nssdb/nightly-marsigner.der


=====================================
tools/signing/nightly/sign-nightly
=====================================
@@ -33,13 +33,22 @@ exit_error "Missing config file: $FindBin::Bin/config.yml"
 my $config = LoadFile("$FindBin::Bin/config.yml");
 my $topdir = "$FindBin::Bin/../../..";
 
+exit_error "Usage: sign-nightly <project>" unless @ARGV == 1;
+my $project = $ARGV[0];
+
+sub get_config {
+  my ($name) = @_;
+  return $config->{$project}{$name} if defined $config->{$project}{$name};
+  return $config->{$name};
+}
+
 {
     no warnings 'redefine';
     sub LWP::UserAgent::get_basic_credentials {
-        if ($config->{builds_url_auth_basic_username}
-            && $config->{builds_url_auth_basic_password}) {
-            return ( $config->{builds_url_auth_basic_username},
-                     $config->{builds_url_auth_basic_password} );
+        if (get_config('builds_url_auth_basic_username')
+            && get_config('builds_url_auth_basic_password')) {
+            return ( get_config('builds_url_auth_basic_username'),
+                     get_config('builds_url_auth_basic_password') );
         }
         return ();
     }
@@ -51,7 +60,7 @@ sub print_time {
 }
 
 END {
-    print_time "Exiting sign-nightly (pid: $$)\n";
+    print_time "Exiting sign-nightly (pid: $$, project: $project)\n" if $project;
 }
 
 sub run_alone {
@@ -71,10 +80,8 @@ END {
 }
 
 sub get_tmpdir {
-    my ($config) = @_;
-    return File::Temp->newdir($config->{tmp_dir} ?
-                                (DIR => $config->{tmp_dir})
-                                : ());
+    my $tmp_dir = get_config('tmp_dir');
+    return File::Temp->newdir($tmp_dir ? (DIR => $tmp_dir) : ());
 }
 
 sub basedir_path {
@@ -83,15 +90,16 @@ sub basedir_path {
 }
 
 sub get_last_build_version {
-    my ($config, $publish_dir) = @_;
+    my ($publish_dir) = @_;
     my $today = 'tbb-nightly.' . DateTime->now->ymd('.');
     my @last_days;
     for my $i (1..5) {
       my $dt = DateTime->now - DateTime::Duration->new(days => $i);
       push @last_days, 'tbb-nightly.' . $dt->ymd('.');
     }
+    my $builds_url = get_config('builds_url');
     for my $version ($today, @last_days) {
-        my $url = "$config->{builds_url}/$version/$publish_dir/sha256sums-unsigned-build.incrementals.txt";
+        my $url = "$builds_url/$version/$publish_dir/sha256sums-unsigned-build.incrementals.txt";
         if ($url =~ m|^/|) {
             return $version if -f $url;
         } else {
@@ -115,10 +123,10 @@ sub set_current_version {
 }
 
 sub get_new_version {
-    my ($config, $publish_dir) = @_;
+    my ($publish_dir) = @_;
     my $today = 'tbb-nightly.' . DateTime->now->ymd('.');
     my $current_ver = get_current_version($publish_dir);
-    my $last_ver = get_last_build_version($config, $publish_dir);
+    my $last_ver = get_last_build_version($publish_dir);
     return $last_ver unless defined($current_ver);
     return undef if $current_ver eq $today;
     return undef unless defined($last_ver);
@@ -147,13 +155,13 @@ sub get_file_sha256sum {
 }
 
 sub fetch_version {
-    my ($config, $publish_dir, $version) = @_;
-    my $tmpdir = get_tmpdir($config);
-    my $urldir = "$config->{builds_url}/$version/$publish_dir";
+    my ($publish_dir, $version) = @_;
+    my $tmpdir = get_tmpdir();
+    my $urldir = get_config('builds_url') . "/$version/$publish_dir";
     my $destdir = "$topdir/nightly/$publish_dir/$version";
 
     return if -d $destdir;
-    my $gpg_keyring = basedir_path($config->{gpg_keyring}, $topdir);
+    my $gpg_keyring = basedir_path(get_config('gpg_keyring'), $topdir);
     for my $file (qw/sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt/) {
         my $url = "$urldir/$file";
         exit_error "Error getting $url"
@@ -184,17 +192,17 @@ sub fetch_version {
 }
 
 sub setup_martools {
-    my ($config) = @_;
-    my $martools_dir = "$FindBin::Bin/mar-tools-$config->{martools_version}";
+    my $martools_dir = "$FindBin::Bin/mar-tools-" . get_config('martools_version');
     if (! -d $martools_dir) {
         my $file = "mar-tools-linux64.zip";
-        my $url = "$config->{martools_url}/$config->{martools_version}/$file";
-        my $tmpdir = get_tmpdir($config);
+        my $url = join('/', get_config('martools_url'),
+                            get_config('martools_version'), $file);
+        my $tmpdir = get_tmpdir();
         exit_error "Error downloading $url"
                 unless getstore($url, "$tmpdir/$file") == 200;
         exit_error "Error downloading $url.asc"
                 unless getstore("$url.asc", "$tmpdir/$file.asc") == 200;
-        my $gpg_keyring = basedir_path($config->{martools_gpg_keyring}, $topdir);
+        my $gpg_keyring = basedir_path(get_config('martools_gpg_keyring'), $topdir);
         exit_error "Error checking gpg signature for $url"
                 if system('gpg', '--no-default-keyring', '--keyring', $gpg_keyring,
                           '--verify', "$tmpdir/$file.asc",
@@ -212,14 +220,14 @@ sub setup_martools {
 }
 
 sub sign_version {
-    my ($config, $publish_dir, $version) = @_;
-    setup_martools($config);
-    my $nss_db_dir = basedir_path($config->{nss_db_dir}, $FindBin::Bin);
+    my ($publish_dir, $version) = @_;
+    setup_martools();
+    my $nss_db_dir = basedir_path(get_config('nss_db_dir'), $FindBin::Bin);
     for my $marfile (path("$topdir/nightly/$publish_dir/$version")->children(qr/\.mar$/)) {
         print "Signing $marfile\n";
         exit_error "Error signing $marfile"
           unless system('signmar', '-d', $nss_db_dir, '-n',
-                        $config->{nss_certname}, '-s', $marfile,
+                        get_config('nss_certname'), '-s', $marfile,
                         "$marfile-signed") == 0;
         move("$marfile-signed", $marfile);
     }
@@ -232,7 +240,7 @@ sub get_buildinfos {
 }
 
 sub update_responses {
-    my ($config, $publish_dir, $version) = @_;
+    my ($publish_dir, $version) = @_;
     my $ur_config = LoadFile("$FindBin::Bin/update-responses-base-config.yml");
     $ur_config->{download}{mars_url} .= "/$publish_dir";
     $ur_config->{releases_dir} = "$topdir/nightly/$publish_dir";
@@ -253,7 +261,7 @@ sub update_responses {
 }
 
 sub remove_oldversions {
-    my ($config, $publish_dir, $version) = @_;
+    my ($publish_dir, $version) = @_;
     for my $dir (path("$topdir/nightly/$publish_dir")->children) {
         my ($filename) = fileparse($dir);
         next if $filename eq $version;
@@ -262,27 +270,27 @@ sub remove_oldversions {
 }
 
 sub sync_dest {
-    my ($config) = @_;
     exit_error "Error running rsync"
         if system('rsync', '-aH', '--delete-after',
-                  "$topdir/nightly/", "$config->{rsync_dest}/");
-    if ($config->{post_rsync_cmd}) {
-        exit_error "Error running $config->{post_rsync_cmd}"
-                if system($config->{post_rsync_cmd});
+                  "$topdir/nightly/", get_config('rsync_dest') . '/');
+    my $post_rsync_cmd = get_config('post_rsync_cmd');
+    if ($post_rsync_cmd) {
+        exit_error "Error running $post_rsync_cmd"
+                if system($post_rsync_cmd);
     }
 }
 
-print_time "Starting sign-nightly (pid: $$)\n";
+print_time "Starting sign-nightly (pid: $$, project: $project)\n";
 run_alone;
 my $some_updates = 0;
-foreach my $publish_dir (@{$config->{publish_dirs}}) {
-    my $new_version = get_new_version($config, $publish_dir);
+foreach my $publish_dir (@{get_config('publish_dirs')}) {
+    my $new_version = get_new_version($publish_dir);
     next unless $new_version;
-    fetch_version($config, $publish_dir, $new_version);
-    sign_version($config, $publish_dir, $new_version);
-    update_responses($config, $publish_dir, $new_version);
+    fetch_version($publish_dir, $new_version);
+    sign_version($publish_dir, $new_version);
+    update_responses($publish_dir, $new_version);
     set_current_version($publish_dir, $new_version);
-    remove_oldversions($config, $publish_dir, $new_version);
+    remove_oldversions($publish_dir, $new_version);
     $some_updates = 1;
 }
-sync_dest($config) if $some_updates;
+sync_dest() if $some_updates;



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/e...

-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/e...
You're receiving this email because of your account on gitlab.torproject.org.

    

boklm (＠boklm)

tags

participants (1)