boklm pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: 7c9183b0 by Nicolas Vigier at 2024-02-28T16:17:42+01:00 Bug 41093: Unsign APKs before signing them
Use the bspatch file we create during the build to unsign the apk (which was signed by the QA key) before signing it with the release key.
- - - - -
2 changed files:
- tools/signing/linux-signer-sign-android-apks - tools/signing/machines-setup/setup-signing-machine
Changes:
===================================== tools/signing/linux-signer-sign-android-apks ===================================== @@ -68,14 +68,19 @@ setup_build_tools mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" -cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" +cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk \ + ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.bspatch \ + ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
# Sign all packages for arch in ${ARCHS}; do qa_apk=${projname}-qa-android-${arch}-${tbb_version}.apk + unsigned_apk=${projname}-qa-unsigned-android-${arch}-${tbb_version}.apk + unsigned_apk_bspatch=${projname}-qa-unsign-android-${arch}-${tbb_version}.bspatch signed_apk=${projname}-android-${arch}-${tbb_version}.apk - sign_apk "$qa_apk" "$signed_apk" + bspatch "$qa_apk" "$unsigned_apk" "$unsigned_apk_bspatch" + sign_apk "$unsigned_apk" "$signed_apk" verify_apk "$signed_apk" cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version" done
===================================== tools/signing/machines-setup/setup-signing-machine ===================================== @@ -116,7 +116,7 @@ install_packages opensc libengine-pkcs11-openssl install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
# Install deps for android/apk signing -install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless +install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless bsdiff
# Install deps for macos-rcodesign signing install_packages p7zip-full zstd
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/7c...
tor-commits@lists.torproject.org