Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: ede46581 by Pier Angelo Vendrame at 2024-02-27T12:27:17+01:00 Bug 41093: Add a patch to unsign APKs.
Currently, we sign the APKs that were already signed with the QA key. However, this makes it impossible to copy our signature on top of APKs built independently, which would be the last step to reproduce our builds.
With this commit, we provide a patch to go back to the unsigned (but already aligned) APK, so that we can keep shipping QA-signed APKs for testers, but we can go back to the unsigned APK for the final signing.
The changes to apply this patch in the signing scripts will be part of another commit.
- - - - -
4 changed files:
- README - projects/browser/build.android - projects/browser/config - projects/release/build
Changes:
===================================== README ===================================== @@ -54,7 +54,7 @@ If you are running Fedora, CentOS or RHEL, you can install them with: "perl(Template)" "perl(IO::Handle)" "perl(Capture::Tiny)" \ "perl(JSON)" "perl(File::Temp)" "perl(Path::Tiny)" \ "perl(File::Path)" "perl(File::Slurp)" \ - "perl(File::Copy::Recursive)" "perl(String::ShellQuote)" + "perl(File::Copy::Recursive)" "perl(String::ShellQuote)" \ "perl(Sort::Versions)" "perl(Digest::SHA)" "perl(Data::UUID)" \ "perl(Data::Dump)" "perl(DateTime)" "perl(XML::Writer)" \ "perl(Parallel::ForkManager)" perl-ph mercurial git zstd @@ -237,11 +237,12 @@ builds, and will require that you run Debian Bullseye or Bookworm and install build dependencies for all the components that are built. This can be done with the following command:
- # apt-get install build-essential python3 automake libtool zip unzip \ - autoconf2.13 openjdk-11-jdk gettext-base autotools-dev \ - automake autoconf libtool autopoint libssl-dev pkg-config \ - zlib1g-dev libparallel-forkmanager-perl libfile-slurp-perl bzip2 \ - xz-utils apksigner yasm wget bison gyp tcl python3-venv 7zip jq + # apt-get install 7zip apksigner autoconf autoconf2.13 automake autopoint \ + autotools-dev bison bsdiff build-essential bzip2 \ + gettext-base gyp jq libfile-slurp-perl \ + libparallel-forkmanager-perl libssl-dev libtool libtool \ + openjdk-11-jdk pkg-config python3 python3-venv tcl unzip \ + wget xz-utils yasm zip zlib1g-dev
Note that Debian Bullseye requires the bullseye-backports repository to get the 7zip package.
===================================== projects/browser/build.android ===================================== @@ -66,6 +66,9 @@ zipalign -vp 4 repacked.apk $aligned_apk # flag in the manifest. apksigner sign --verbose --min-sdk-version [% c("var/android_min_api") %] --ks $rootdir/android-qa.keystore --out $qa_apk --in $aligned_apk --ks-key-alias androidqakey --key-pass pass:android --ks-pass pass:android
+unsign_patch="[% dest_dir %]/[% c('filename') %]/[% c('var/project-name') %]-qa-unsign-[% c('var/osname') %]-[% c('version') %].bspatch" +bsdiff $qa_apk $aligned_apk $unsign_patch + [%IF c("var/tor-browser") -%] tor_expert_bundle_src="[% c("input_files_by_name/tor-expert-bundle") %]" # strip off trailing "$buildid.tar.gz"
===================================== projects/browser/config ===================================== @@ -48,6 +48,7 @@ targets: arch_deps: - 7zip - openjdk-17-jdk-headless + - bsdiff container: # 7zip is in backports in bullseye, and we can already use Java 17 for # apksigner.
===================================== projects/release/build ===================================== @@ -59,7 +59,7 @@ EOF # empty any existing sh256sums file echo -n > sha256sums-unsigned-build.txt # concat sha256sum entry for each file in set -for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.json | grep -v '.incremental.mar$' | sort) +for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.bspatch *.json | grep -v '.incremental.mar$' | sort) do sha256sum $i >> sha256sums-unsigned-build.txt done
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/ed...
tor-commits@lists.torproject.org