
boklm pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: 580855da by Nicolas Vigier at 2025-05-15T12:58:41+02:00 Bug 40994: Add support in signing scripts to sign release for some archs only - - - - - 98308c32 by Nicolas Vigier at 2025-05-15T13:14:03+02:00 Bug 41280: Update download-android-*.json files for android-only releases - - - - - 6 changed files: - projects/release/update_responses_config.yml - rbm.conf - tools/signing/do-all-signing - tools/signing/functions - tools/signing/upload-update_responses-to-staticiforme - tools/update-responses/update_responses Changes: ===================================== projects/release/update_responses_config.yml ===================================== @@ -1,6 +1,9 @@ --- tmp_dir: '[% c("tmp_dir") %]' create_downloads_json: 1 +[% IF !c("var/browser_platforms/signing_desktop") -%] +create_downloads_json_only: 1 +[% END -%] appname_marfile: '[% c("var/project-name") %]' appname_bundle: '[% c("var/project-name") %]' releases_dir: [% path(c('output_dir')) %][% IF ! c("var/nightly") %]/[% IF c("var/unsigned_releases_dir") -%]un[% END %]signed[% END %] ===================================== rbm.conf ===================================== @@ -81,8 +81,6 @@ var: browser_release_date_timestamp: '[% USE date; date.format(c("var/browser_release_date"), "%s") %]' browser_default_channel: alpha browser_platforms: - is_android_release: '[% c("var/tor-browser") %]' - is_desktop_release: '1' android-armv7: '[% c("var/browser_platforms/is_android_release") %]' android-x86: '[% c("var/browser_platforms/is_android_release") %]' android-x86_64: '[% c("var/browser_platforms/is_android_release") %]' 
@@ -93,6 +91,39 @@ var: windows-i686: '[% c("var/browser_platforms/is_desktop_release") && c("var/tor-browser") %]' windows-x86_64: '[% c("var/browser_platforms/is_desktop_release") %]' macos: '[% c("var/browser_platforms/is_desktop_release") %]' + + # is_android_release and is_desktop_release are used to quickly + # enable/disable all android or desktop platforms. If you want to + # check whether a release includes some android or desktop platforms + # see signing_android and signing_desktop below. + is_android_release: '[% c("var/tor-browser") %]' + is_desktop_release: '1' + + # signing_android is used in signing scripts to check if at least + # one android platform is being signed/published + signing_android: | + [%- + c("var/browser_platforms/android-armv7") || + c("var/browser_platforms/android-x86") || + c("var/browser_platforms/android-x86_64") || + c("var/browser_platforms/android-aarch64") + -%] + # signing_desktop is used in signing scripts to check if at least + # one desktop platform is being signed/published + signing_desktop: | + [%- + c("var/browser_platforms/linux-x86_64") || + c("var/browser_platforms/linux-i686") || + c("var/browser_platforms/linux-aarch64") || + c("var/browser_platforms/windows-i686") || + c("var/browser_platforms/windows-x86_64") || + c("var/browser_platforms/macos") + -%] + signing_windows: | + [%- + c("var/browser_platforms/windows-i686") || + c("var/browser_platforms/windows-x86_64") + -%] updater_enabled: 1 build_mar: 1 torbrowser_incremental_from: ===================================== tools/signing/do-all-signing ===================================== 
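Review bot: `signing_windows` is the only one of the three new aggregate keys without an explanatory comment, although do-all-signing gates the Authenticode signing and timestamping steps on it; add `# signing_windows is used in signing scripts to check if at least one windows platform is being signed (authenticode signing/timestamping)` above it, matching the two comments already present. The macOS gate in do-all-signing reads `var/browser_platforms/macos` directly instead of a `signing_*` key, so a `signing_macos` alias here would keep the four platform checks uniform. This hunk starts inside the `browser_platforms:` map, whose beginning lies before the hunk.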
@@ -19,38 +19,66 @@ if [[ $1 = "-p" ]]; then shift fi +function is_legacy { + [[ "$tbb_version" = 13.* ]] +} + +if is_legacy; then + platform_android= + platform_desktop=1 + platform_macos=1 + platform_windows=1 +else + platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) + platform_desktop=$(rbm_showconf_boolean var/browser_platforms/signing_desktop) + platform_macos=$(rbm_showconf_boolean var/browser_platforms/macos) + platform_windows=$(rbm_showconf_boolean var/browser_platforms/signing_windows) +fi + is_project torbrowser && nssdb=torbrowser-nssdb7 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1 if [ -f "$passwords_gpg_file" ]; then echo "Reading passwords from $passwords_gpg_file" SEKRITS=$(gpg --decrypt "$passwords_gpg_file") - RCODESIGN_PW=$(get_sekrit 'rcodesign') - NSSPASS=$(get_sekrit "$nssdb (mar signing)") - KSPASS=$(get_sekrit "android apk ($tbb_version_type)") - YUBIPASS=$(get_sekrit "windows authenticode") + [ -n "$platform_macos" ] && \ + RCODESIGN_PW=$(get_sekrit 'rcodesign') + [ -n "$platform_desktop" ] && \ + NSSPASS=$(get_sekrit "$nssdb (mar signing)") + [ -n "$platform_android" ] && \ + KSPASS=$(get_sekrit "android apk ($tbb_version_type)") + [ -n "$platform_windows" ] && \ + YUBIPASS=$(get_sekrit "windows authenticode") GPG_PASS=$(get_sekrit "gpg") else echo "Rather than entering all the password manually, you may want to provide a gpg-encrypted file either on the command line (-p <filepath>) or in set-config.passwords." 
fi -test -f "$steps_dir/linux-signer-rcodesign-sign.done" || [ -n "$RCODESIGN_PW" ] || +[ -z "$platform_macos" ] || \ + [ -f "$steps_dir/linux-signer-rcodesign-sign.done" ] || \ + [ -n "$RCODESIGN_PW" ] || \ read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW echo -test -f "$steps_dir/linux-signer-signmars.done" || [ -n "$NSSPASS" ] || +[ -z "$platform_desktop" ] || \ + [ -f "$steps_dir/linux-signer-signmars.done" ] || \ + [ -n "$NSSPASS" ] || \ read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS echo -if is_project torbrowser; then - test -f "$steps_dir/linux-signer-sign-android-apks.done" || [ -n "$KSPASS" ] || - read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS - echo -fi -test -f "$steps_dir/linux-signer-authenticode-signing.done" || [ -n "$YUBIPASS" ] || +[ -z "$platform_android" ] || \ + [ -f "$steps_dir/linux-signer-sign-android-apks.done" ] || \ + [ -n "$KSPASS" ] || \ + read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS +echo + +[ -z "$platform_windows" ] || \ + [ -f "$steps_dir/linux-signer-authenticode-signing.done" ] || \ + [ -n "$YUBIPASS" ] || \ read -sp "Enter windows authenticode passphrase: " YUBIPASS echo -test -f "$steps_dir/linux-signer-gpg-sign.done" || [ -n "$GPG_PASS" ] || + +[ -f "$steps_dir/linux-signer-gpg-sign.done" ] || [ -n "$GPG_PASS" ] || \ read -sp "Enter gpg passphrase: " GPG_PASS echo @@ -203,10 +231,6 @@ function do_step { echo "$(date -Iseconds) - Finished step: $1" } -function is_legacy { - [[ "$tbb_version" = 13.* ]] -} - export SIGNING_PROJECTNAME do_step set-time-on-signing-machine 
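Review bot: In the non-legacy branch the four `platform_*=$(rbm_showconf_boolean …)` assignments cannot distinguish a platform that is disabled from an `rbm showconf` invocation that failed: `rbm_showconf_boolean` (tools/signing/functions hunk) stores the result with `local res=$(…)`, which discards the exit status, and an empty result is then reported as false. A wrong `$rbm` path, target name or broken config would therefore clear every gate, the rcodesign/mar/APK/Authenticode steps would be skipped without any error, and the run would proceed to hash_signed_bundles and linux-signer-gpg-sign with the platform signing steps never executed. Suggest `local res; res=$(rbm_showconf "$1") || return 1` in the helper and `platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) || exit 1` here (likewise for the other three assignments and for the one in upload-update_responses-to-staticiforme), so a lookup failure aborts instead of silently narrowing the release. The script continues past this hunk.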
@@ -215,23 +239,34 @@ do_step sync-builder-unsigned-to-local-signed do_step clean-build-artifacts do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-rcodesign-sign -do_step linux-signer-rcodesign-sign -do_step sync-linux-signer-macos-signed-tar-to-local -do_step rcodesign-notary-submit -do_step gatekeeper-bundling -do_step dmg2mar +[ -n "$platform_macos" ] && \ + do_step linux-signer-rcodesign-sign +[ -n "$platform_macos" ] && \ + do_step sync-linux-signer-macos-signed-tar-to-local +[ -n "$platform_macos" ] && \ + do_step rcodesign-notary-submit +[ -n "$platform_macos" ] && \ + do_step gatekeeper-bundling +[ -n "$platform_macos" ] && \ + do_step dmg2mar do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-signmars -do_step linux-signer-signmars -do_step sync-after-signmars -is_project torbrowser && ! is_legacy && \ +[ -n "$platform_desktop" ] && \ + do_step linux-signer-signmars +[ -n "$platform_desktop" ] && \ + do_step sync-after-signmars +[ -n "$platform_android" ] && \ do_step linux-signer-sign-android-apks -is_project torbrowser && ! is_legacy && \ +[ -n "$platform_android" ] && \ do_step sync-after-sign-android-apks -do_step linux-signer-authenticode-signing -do_step sync-after-authenticode-signing -do_step authenticode-timestamping -do_step sync-after-authenticode-timestamping +[ -n "$platform_windows" ] && \ + do_step linux-signer-authenticode-signing +[ -n "$platform_windows" ] && \ + do_step sync-after-authenticode-signing +[ -n "$platform_windows" ] && \ + do_step authenticode-timestamping +[ -n "$platform_windows" ] && \ + do_step sync-after-authenticode-timestamping do_step hash_signed_bundles do_step sync-after-hash do_step linux-signer-gpg-sign 
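Review bot: The new gating repeats `[ -n "$platform_macos" ] && \` in front of each of the five macOS steps and uses the same two-line pattern again for the desktop, android and windows steps; one `if [ -n "$platform_macos" ]; then … fi` block per platform would state the intent once and remove the risk of a future step being added without its guard. A short comment above the first guard, e.g. `# platform_* are set near the top of the script from var/browser_platforms/signing_*`, would also help, since the variables are assigned much earlier in the file and outside this hunk.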
@@ -240,6 +275,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo
 do_step sync-local-to-staticiforme
 do_step sync-scripts-to-staticiforme
 do_step staticiforme-prepare-cdn-dist-upload
-! is_legacy &&
+! is_legacy && \
 do_step upload-update_responses-to-staticiforme
 do_step finished-signing-clean-linux-signer
===================================== tools/signing/functions =====================================
@@ -69,5 +69,17 @@ function display_name {
 echo "${SIGNING_PROJECTNAMES[3]}"
 }
+function rbm_showconf {
+ "$rbm" showconf release "$1" --target "$SIGNING_PROJECTNAME" \
+ --target "$tbb_version_type"
+}
+
+function rbm_showconf_boolean {
+ local res=$(rbm_showconf "$1")
+ if [ -z "$res" ] || [ "a$res" = "a0" ]; then
+ return
+ fi
+ echo '1'
+}
 . "$script_dir/set-config"
===================================== tools/signing/upload-update_responses-to-staticiforme =====================================
@@ -56,7 +56,8 @@ do git commit -m "$tbb_version_type: new version, $tbb_version ($file)"
 done
-if is_project torbrowser; then
+platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android)
+if [ -n "$platform_android" ]; then
 git add "$tbb_version_type"/download-android-*.json
 git diff --quiet --cached --exit-code || \
 git commit -m "$tbb_version_type: new version, $tbb_version (android)"
===================================== tools/update-responses/update_responses =====================================
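Review bot: `[ "a$res" = "a0" ]` in rbm_showconf_boolean uses the old prefix idiom for unquoted test operands, but `$res` is already double-quoted, so `[ "$res" = 0 ]` is equivalent and reads more clearly. The two helpers also depend on `$rbm`, `$SIGNING_PROJECTNAME` and `$tbb_version_type`, which presumably come from set-config sourced on the following line; a one-line comment above rbm_showconf, `# needs $rbm, $SIGNING_PROJECTNAME and $tbb_version_type; set-config is sourced below, so only call after it`, would make that ordering constraint explicit.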
@@ -464,14 +464,16 @@ sub write_downloads_json {
 my $versions = as_array($config->{channels}{$channel});
 my ($version) = @$versions;
 my $tag = get_config($config, $version, 'any', 'tag');
- my $data = {
- version => "$version",
- tag => "$tag",
- downloads => get_version_downloads($config, $version),
- comment => 'This file is deprecated and should not be used. Please use the files download-$platform.json instead.',
- };
- write_htdocs($channel, '.', 'downloads.json',
- JSON->new->utf8->canonical->pretty->encode($data));
+ if (!$config->{create_downloads_json_only}) {
+ my $data = {
+ version => "$version",
+ tag => "$tag",
+ downloads => get_version_downloads($config, $version),
+ comment => 'This file is deprecated and should not be used. Please use the files download-$platform.json instead.',
+ };
+ write_htdocs($channel, '.', 'downloads.json',
+ JSON->new->utf8->canonical->pretty->encode($data));
+ }
 my $pp_downloads = get_perplatform_downloads($config, $version, $tag);
 foreach my $os (keys %{$pp_downloads}) {
 write_htdocs($channel, '.', "download-$os.json",
@@ -634,8 +636,10 @@ my %actions = (
 exit_error "Wrong arguments" unless @ARGV == 1;
 my $channel = $ARGV[0];
 exit_error "Unknown channel $channel" unless $config->{channels}{$channel};
- write_responses($config, $channel);
- write_htaccess($config, $channel);
+ if (!$config->{create_downloads_json_only}) {
+ write_responses($config, $channel);
+ write_htaccess($config, $channel);
+ }
 write_downloads_json($config, $channel);
 },
 gen_incrementals => sub {
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/a... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/a... You're receiving this email because of your account on gitlab.torproject.org.
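Review bot: With `create_downloads_json_only` set, write_downloads_json still runs the unconditional `foreach my $os (keys %{$pp_downloads})` below the new `if`, so if get_perplatform_downloads enumerates desktop platforms for an android-only release the desktop download-*.json files are rewritten with that version's data while upload-update_responses-to-staticiforme only commits download-android-*.json; worth confirming that the helper is limited to the platforms enabled in the config (its body, and the rest of write_downloads_json, lie outside the hunk). The flag is undocumented at both use sites; a comment such as `# create_downloads_json_only: android-only release (update_responses_config.yml sets it when no desktop platform is signed) — leave the update responses, .htaccess and legacy downloads.json untouched` above the first check would explain why two negated tests gate the desktop outputs.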