ma1 pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: 3af0e5b3 by hackademix at 2025-01-20T18:16:36+01:00 Bug 41324: Improve build signing ergonomics
- - - - -
7 changed files:
- .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Legacy.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
- tools/signing/do-all-signing
- + tools/signing/set-config.passwords
Changes:
===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md ===================================== @@ -208,7 +208,7 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch ``` - **Subject** ``` - New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed) + New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed) ``` - **Body** ``` @@ -219,6 +219,8 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch - signed builds: https://dist.torproject.org/mullvadbrowser/$%7BMULLVAD_BROWSER_VERSION%7D - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}
+ * https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-respon... + changelog: # paste changelog as quote here ...
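Review bot: the footnote added in the @@ -219 hunk of the Mullvad Alpha template has no marker on the line it annotates: `- update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}` stays as unchanged context, while the Stable template in this same commit rewrites that line to `${MULLVAD_UPDATE_RESPONSES_HASH}*`. Suggest adding the same `*` here so the two templates render the footnote the same way.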
===================================== .gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md ===================================== @@ -208,7 +208,7 @@ Mullvad Browser Stable is on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWS ``` - **Subject** ``` - New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed) + New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed) ``` - **Body** ``` @@ -217,7 +217,9 @@ Mullvad Browser Stable is on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWS Branch+Tags have been pushed to Mullvad's GitHub repo.
- signed builds: https://dist.torproject.org/mullvadbrowser/$%7BMULLVAD_BROWSER_VERSION%7D - - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH} + - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}* + + * https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-respon...
changelog: # paste changelog as quote here
===================================== .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md ===================================== @@ -223,9 +223,9 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
```bash # Point OSSLSIGNCODE to your osslsigncode binary -pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION OSSLSIGNCODE=/path/to/osslsigncode -../../../tools/authenticode_check.sh +../../../../tools/authenticode_check.sh popd ```
@@ -234,14 +234,15 @@ popd <summary>Check whether the MAR files got properly signed</summary>
```bash -# Point NSSDB to your nssdb containing the mar signing certificate +# Point NSS_DB_DIR to your nssdb dir containing the mar signing certificate +# (check tools/marsigning_check.sh source code for details) # Point SIGNMAR to your signmar binary # Point LD_LIBRARY_PATH to your mar-tools directory -pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION NSSDB=/path/to/nssdb SIGNMAR=/path/to/mar-tools/signmar LD_LIBRARY_PATH=/path/to/mar-tools/ -../../../tools/marsigning_check.sh +../../../../tools/marsigning_check.sh popd ```
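Review bot: the new comment in the @@ -234 hunk says `# Point NSS_DB_DIR to your nssdb dir containing the mar signing certificate`, but the snippet below it still sets `NSSDB=/path/to/nssdb`, so the instruction and the command now name two different variables. Either the assignment should become `NSS_DB_DIR=/path/to/nssdb` or the comment should keep `NSSDB`, whichever `tools/marsigning_check.sh` actually reads; the Legacy and Stable templates in this commit leave their `# Point NSSDB` comment untouched, so the correct name should be applied to all three templates at once.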
===================================== .gitlab/issue_templates/Release Prep - Tor Browser Legacy.md ===================================== @@ -203,9 +203,9 @@ Tor Browser Legacy is on the `maint-13.5` branch
```bash # Point OSSLSIGNCODE to your osslsigncode binary -pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION OSSLSIGNCODE=/path/to/osslsigncode -../../../tools/authenticode_check.sh +../../../../tools/authenticode_check.sh popd ```
@@ -217,11 +217,11 @@ popd # Point NSSDB to your nssdb containing the mar signing certificate # Point SIGNMAR to your signmar binary # Point LD_LIBRARY_PATH to your mar-tools directory -pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION NSSDB=/path/to/nssdb SIGNMAR=/path/to/mar-tools/signmar LD_LIBRARY_PATH=/path/to/mar-tools/ -../../../tools/marsigning_check.sh +../../../../tools/marsigning_check.sh popd ```
===================================== .gitlab/issue_templates/Release Prep - Tor Browser Stable.md ===================================== @@ -228,9 +228,9 @@ Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` b
```bash # Point OSSLSIGNCODE to your osslsigncode binary -pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION OSSLSIGNCODE=/path/to/osslsigncode -../../../tools/authenticode_check.sh +../../../../tools/authenticode_check.sh popd ```
@@ -242,11 +242,11 @@ popd # Point NSSDB to your nssdb containing the mar signing certificate # Point SIGNMAR to your signmar binary # Point LD_LIBRARY_PATH to your mar-tools directory -pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION +pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION NSSDB=/path/to/nssdb SIGNMAR=/path/to/mar-tools/signmar LD_LIBRARY_PATH=/path/to/mar-tools/ -../../../tools/marsigning_check.sh +../../../../tools/marsigning_check.sh popd ```
===================================== tools/signing/do-all-signing ===================================== @@ -3,34 +3,59 @@ set -e script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) source "$script_dir/functions" source "$script_dir/set-config.update-responses" - NON_INTERACTIVE=1 steps_dir="$signed_version_dir.steps" test -d "$steps_dir" || mkdir -p "$steps_dir"
-test -f "$steps_dir/linux-signer-rcodesign-sign.done" || +function get_sekrit { + echo "$SEKRITS" | grep -A1 "$1:" | tail -n1 +} + +[ -f "$script_dir/set-config.passwords" ] && . "$script_dir/set-config.passwords" 2>/dev/null + +if [[ $1 = "-p" ]]; then + shift + passwords_gpg_file="$1" + shift +fi + +is_project torbrowser && nssdb=torbrowser-nssdb7 +is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1 + +if [ -f "$passwords_gpg_file" ]; then + echo "Reading passwords from $passwords_gpg_file" + SEKRITS=$(gpg --decrypt "$passwords_gpg_file") + RCODESIGN_PW=$(get_sekrit 'rcodesign') + NSSPASS=$(get_sekrit "$nssdb (mar signing)") + KSPASS=$(get_sekrit "android apk ($tbb_version_type)") + YUBIPASS=$(get_sekrit "windows authenticode") + GPG_PASS=$(get_sekrit "gpg") +else + echo "Rather than entering all the password manually, you may want to provide a gpg-encrypted file either on the command line (-p <filepath>) or in set-config.passwords." +fi + +test -f "$steps_dir/linux-signer-rcodesign-sign.done" || [ -n "$RCODESIGN_PW" ] || read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW echo -is_project torbrowser && nssdb=torbrowser-nssdb7 -is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1 -test -f "$steps_dir/linux-signer-signmars.done" || + +test -f "$steps_dir/linux-signer-signmars.done" || [ -n "$NSSPASS" ] || read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS echo
if is_project torbrowser; then - test -f "$steps_dir/linux-signer-sign-android-apks.done" || + test -f "$steps_dir/linux-signer-sign-android-apks.done" || [ -n "$KSPASS" ] || read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS echo fi -test -f "$steps_dir/linux-signer-authenticode-signing.done" || +test -f "$steps_dir/linux-signer-authenticode-signing.done" || [ -n "$YUBIPASS" ] || read -sp "Enter windows authenticode passphrase: " YUBIPASS echo -test -f "$steps_dir/linux-signer-gpg-sign.done" || +test -f "$steps_dir/linux-signer-gpg-sign.done" || [ -n "$GPG_PASS" ] || read -sp "Enter gpg passphrase: " GPG_PASS echo
function set-time-on-signing-machine { - local current_time=$(date -u) + local current_time=$(date -u -Iseconds) ssh "$ssh_host_linux_signer" sudo /usr/bin/date -s "'$current_time'" }
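Review bot: `get_sekrit` in the @@ -3,34 hunk looks keys up with `grep -A1 "$1:"`, which treats the key as an unanchored regular expression, so a short key such as `gpg` also matches any longer line that merely contains `gpg:`, and a key containing `(` is only safe because grep defaults to basic regex. Suggest `grep -F -x -A1 "$1:"` so the key must match a whole line literally, and a comment (or the `else` branch message) stating the expected layout of the decrypted file: a line holding the name followed by `:` and the password on the next line, with the names `rcodesign`, `<nssdb> (mar signing)`, `android apk (<version type>)`, `windows authenticode` and `gpg`. Two more points in the same hunk: the Mullvad database name silently changes from `mullvadbrowser-nssdb-1` to `mullvadbrowser-nssdb1`, which should be called out in the commit message if intended since it is also the lookup key in the password file; and `SEKRITS` still holds every decrypted passphrase after the individual variables are filled, so an `unset SEKRITS` after the last `get_sekrit` call would limit how long the full plaintext stays in the environment. Minor wording nit: "entering all the password manually" should read "passwords".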
@@ -178,6 +203,10 @@ function do_step { echo "$(date -Iseconds) - Finished step: $1" }
+function is_legacy { + [[ "$tbb_version" = 13.* ]] +} + export SIGNING_PROJECTNAME
do_step set-time-on-signing-machine @@ -195,9 +224,9 @@ do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-signmars do_step linux-signer-signmars do_step sync-after-signmars -is_project torbrowser && \ +is_project torbrowser && ! is_legacy && \ do_step linux-signer-sign-android-apks -is_project torbrowser && \ +is_project torbrowser && ! is_legacy && \ do_step sync-after-sign-android-apks do_step linux-signer-authenticode-signing do_step sync-after-authenticode-signing @@ -211,5 +240,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo do_step sync-local-to-staticiforme do_step sync-scripts-to-staticiforme do_step staticiforme-prepare-cdn-dist-upload -do_step upload-update_responses-to-staticiforme +! is_legacy && + do_step upload-update_responses-to-staticiforme do_step finished-signing-clean-linux-signer
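Review bot: `is_legacy` in the @@ -178 hunk hard-codes `[[ "$tbb_version" = 13.* ]]`, so the check turns into a no-op once 13.x is retired and will need a manual edit when 14.x becomes the legacy series. Suggest reading the legacy major from a config variable next to the other `set-config.*` values, or at least a comment above the function noting that the constant must be bumped with each new legacy branch.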
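Review bot: in the @@ -211 hunk the skip is written as `! is_legacy &&` with `do_step upload-update_responses-to-staticiforme` on the following line and no trailing `\`, while the @@ -195 hunk in the same file writes `is_project torbrowser && ! is_legacy && \`. Bash does continue a line that ends in `&&`, so this works, but matching the existing `&& \` style keeps the file consistent and avoids a reader assuming the `do_step` runs unconditionally. Note also that this `&&` list returns non-zero on legacy builds; it is harmless here only because `do_step finished-signing-clean-linux-signer` follows it, so it should not be moved to the end of the script.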
===================================== tools/signing/set-config.passwords ===================================== @@ -0,0 +1,2 @@ +# Path to a gpg-encrypted cache of passwords not to be asked on each run +passwords_gpg_file=~/.tor-browser-signing/tor-browser-passwords.txt.gpg
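Review bot: the only documentation of the new password file is `# Path to a gpg-encrypted cache of passwords not to be asked on each run`, which does not tell the operator how to lay out the plaintext that `get_sekrit` in `do-all-signing` parses (one line per entry name ending in `:`, password on the line after it) or which entry names are looked up. Suggest adding those names and a two-line sample entry to this comment, since a mismatch silently falls back to interactive prompting. The default path `~/.tor-browser-signing/tor-browser-passwords.txt.gpg` is also used when signing Mullvad Browser; a project-neutral name or a note that one file serves both projects would avoid confusion.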
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/3a...
tor-commits@lists.torproject.org