This is an automated email from the git hooks/post-receive script.
boklm pushed a change to branch master in repository builders/tor-browser-build.
      from  e485133   Bug 40473: Update projects/tor-browser/allowed_addons.json
       new  b5e5e4b   Bug 40137: Add publication script
       new  318bafd   Bug 40157: Add sanity check scripts
       new  1e2b74d   Bug 40414: Remove tools/update/format_changelog.pl
       new  4c07cbe   Bug 40414: Add common config and functions files
       new  74584a9   Bug 40414: Improve the gatekeeper-bundling.sh script
       new  ef9b7e7   Bug 40414: Add osslsigncode project
       new  3401ffc   Bug 40414: Improve the authenticode-timestamping.sh script
       new  517f4e6   Bug 40414: Add sync-* signing scripts
       new  dcd8ff5   Bug 40414: add macos-signer-proxy
       new  8a74ee7   Bug 40414: Move hash_signed_bundles.sh to the signing directory
       new  b7549fe   Bug 40414: Improve hash_signed_bundles.sh
       new  a6783cf   Bug 40414: Add download-unsigned-sha256sums-gpg-signatures-from-people-tpo script
       new  0447c30   Bug 40414: Add linux-signer-signmars
       new  da9a132   Bug 40414: Improve linux-signer-signmars
       new  d7e5a16   Bug 40414: Add tools/signing/create-blog-post
       new  b3f7612   Bug 40414: Add tools/signing/upload-update_responses-to-staticiforme
       new  9adebc4   Bug 40414: Add tools/signing/dmg2mar
       new  a8805ed   Bug 40414: Rename gatekeeper-signing.sh to macos-signer-gatekeeper-signing
       new  1d17b75   Bug 40414: Update stable.entitlements.xml
       new  fff6a80   Bug 40414: Update macos-signer-gatekeeper-signing
       new  a20376c   Bug 40414: Improve macos-signer-gatekeeper-signing
       new  2b8d923   Bug 40414: Rename notarization.sh to macos-signer-notarization
       new  8d120f9   Bug 40414: Update macos-signer-notarization
       new  80cb859   Bug 40414: Improve macos-signer-notarization
       new  cbc1000   Bug 40414: Rename stapler.sh to macos-signer-stapler
       new  bfdcad1   Bug 40414: Update macos-signer-stapler
       new  0f9db0e   Bug 40414: Improve macos-signer-stapler
       new  3daf04d   Bug 40414: Rename tbb-signing.sh to linux-signer-gpg-sign
       new  d59c22b   Bug 40414: Update linux-signer-gpg-sign
       new  220006d   Bug 40414: Improve linux-signer-gpg-sign
       new  c955e9f   Bug 40414: Update nssdb7 path in linux-signer-signmars
       new  da516e6   Bug 40414: Add finished-signing-clean-*
The 32 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
 .../0001-Make-code-work-with-OpenSSL-1.1.patch     | 324 +++++++++++++++++++++
 projects/{libdmg-hfsplus => osslsigncode}/build    |  13 +-
 projects/osslsigncode/config                       |  17 ++
 projects/osslsigncode/timestamping.patch           |  56 ++++
 ...e_check.sh => authenticode_verify_timestamp.sh} |  76 +++--
 tools/marsigning_check.sh                          |  12 +
 tools/signing/authenticode-timestamping.sh         |  24 +-
 tools/signing/check_file_counts                    | 168 +++++++++++
 tools/signing/create-blog-post                     |  61 ++++
 tools/signing/ddmg.sh                              |  41 +++
 tools/signing/dmg2mar                              |  29 ++
 ...igned-sha256sums-gpg-signatures-from-people-tpo |  16 +
 tools/signing/finished-signing-clean-linux-signer  |  14 +
 tools/signing/finished-signing-clean-macos-signer  |  14 +
 tools/signing/functions                            |  22 ++
 tools/signing/gatekeeper-bundling.sh               |  46 ++-
 tools/signing/gatekeeper-signing.sh                |  51 ----
 tools/{ => signing}/hash_signed_bundles.sh         |  14 +-
 tools/signing/linux-signer-gpg-sign                |  19 ++
 tools/signing/linux-signer-signmars                |  75 +++++
 tools/signing/macos-signer-gatekeeper-signing      |  98 +++++++
 tools/signing/macos-signer-notarization            |  44 +++
 tools/signing/macos-signer-proxy                   |   6 +
 tools/signing/macos-signer-stapler                 |  18 ++
 tools/signing/notarization.sh                      |  50 ----
 ...a.entitlements.xml => release.entitlements.xml} |   0
 tools/signing/set-config                           |  17 ++
 tools/signing/set-config.blog                      |   4 +
 tools/signing/set-config.hosts                     |   6 +
 tools/signing/set-config.macos-notarization        |   5 +
 tools/signing/set-config.tbb-version               |   7 +
 tools/signing/stable.entitlements.xml              |  53 ----
 tools/signing/stapler.sh                           |  47 ---
 tools/signing/sync-builder-to-local                |   8 +
 tools/signing/sync-builder-to-local.dry-run        |   1 +
 .../signing/sync-builder-unsigned-to-local-signed  |   8 +
 .../sync-builder-unsigned-to-local-signed.dry-run  |   1 +
 tools/signing/sync-linux-signer-to-local           |   8 +
 tools/signing/sync-linux-signer-to-local.dry-run   |   1 +
 tools/signing/sync-local-to-builder                |   8 +
 tools/signing/sync-local-to-builder.dry-run        |   1 +
 tools/signing/sync-local-to-linux-signer           |   8 +
 tools/signing/sync-local-to-linux-signer.dry-run   |   1 +
 tools/signing/sync-local-to-staticiforme           |   6 +
 tools/signing/sync-local-to-staticiforme.dry-run   |   1 +
 tools/signing/sync-macos-local-to-macos-signer     |   8 +
 .../sync-macos-local-to-macos-signer.dry-run       |   1 +
 ...ync-macos-signer-stapled-to-macos-local-stapled |   8 +
 ...s-signer-stapled-to-macos-local-stapled.dry-run |   1 +
 tools/signing/sync-scripts-to-linux-signer         |   8 +
 tools/signing/sync-scripts-to-linux-signer.dry-run |   1 +
 tools/signing/sync-scripts-to-macos-signer         |   8 +
 tools/signing/sync-scripts-to-macos-signer.dry-run |   1 +
 tools/signing/tbb-signing.sh                       |  38 ---
 .../upload-update_responses-to-staticiforme        |  49 ++++
 tools/update/publish_version.sh                    |  39 +++
 56 files changed, 1360 insertions(+), 301 deletions(-)
 create mode 100644 projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
 copy projects/{libdmg-hfsplus => osslsigncode}/build (63%)
 create mode 100644 projects/osslsigncode/config
 create mode 100644 projects/osslsigncode/timestamping.patch
 copy tools/{authenticode_check.sh => authenticode_verify_timestamp.sh} (54%)
 create mode 100755 tools/signing/check_file_counts
 create mode 100755 tools/signing/create-blog-post
 create mode 100755 tools/signing/ddmg.sh
 create mode 100755 tools/signing/dmg2mar
 create mode 100755 tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
 create mode 100755 tools/signing/finished-signing-clean-linux-signer
 create mode 100755 tools/signing/finished-signing-clean-macos-signer
 create mode 100644 tools/signing/functions
 delete mode 100755 tools/signing/gatekeeper-signing.sh
 rename tools/{ => signing}/hash_signed_bundles.sh (87%)
 create mode 100755 tools/signing/linux-signer-gpg-sign
 create mode 100755 tools/signing/linux-signer-signmars
 create mode 100755 tools/signing/macos-signer-gatekeeper-signing
 create mode 100755 tools/signing/macos-signer-notarization
 create mode 100755 tools/signing/macos-signer-proxy
 create mode 100755 tools/signing/macos-signer-stapler
 delete mode 100755 tools/signing/notarization.sh
 copy tools/signing/{alpha.entitlements.xml => release.entitlements.xml} (100%)
 create mode 100644 tools/signing/set-config
 create mode 100644 tools/signing/set-config.blog
 create mode 100644 tools/signing/set-config.hosts
 create mode 100644 tools/signing/set-config.macos-notarization
 create mode 100644 tools/signing/set-config.tbb-version
 delete mode 100644 tools/signing/stable.entitlements.xml
 delete mode 100755 tools/signing/stapler.sh
 create mode 100755 tools/signing/sync-builder-to-local
 create mode 120000 tools/signing/sync-builder-to-local.dry-run
 create mode 100755 tools/signing/sync-builder-unsigned-to-local-signed
 create mode 120000 tools/signing/sync-builder-unsigned-to-local-signed.dry-run
 create mode 100755 tools/signing/sync-linux-signer-to-local
 create mode 120000 tools/signing/sync-linux-signer-to-local.dry-run
 create mode 100755 tools/signing/sync-local-to-builder
 create mode 120000 tools/signing/sync-local-to-builder.dry-run
 create mode 100755 tools/signing/sync-local-to-linux-signer
 create mode 120000 tools/signing/sync-local-to-linux-signer.dry-run
 create mode 100755 tools/signing/sync-local-to-staticiforme
 create mode 120000 tools/signing/sync-local-to-staticiforme.dry-run
 create mode 100755 tools/signing/sync-macos-local-to-macos-signer
 create mode 120000 tools/signing/sync-macos-local-to-macos-signer.dry-run
 create mode 100755 tools/signing/sync-macos-signer-stapled-to-macos-local-stapled
 create mode 120000 tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run
 create mode 100755 tools/signing/sync-scripts-to-linux-signer
 create mode 120000 tools/signing/sync-scripts-to-linux-signer.dry-run
 create mode 100755 tools/signing/sync-scripts-to-macos-signer
 create mode 120000 tools/signing/sync-scripts-to-macos-signer.dry-run
 delete mode 100755 tools/signing/tbb-signing.sh
 create mode 100755 tools/signing/upload-update_responses-to-staticiforme
 create mode 100755 tools/update/publish_version.sh
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit b5e5e4b3c14d7116b505a2ce494479fe2b081a84
Author:     Matthew Finkel <sysrqb@torproject.org>
AuthorDate: Tue Nov 17 01:44:21 2020 +0000
Bug 40137: Add publication script
---
 tools/update/format_changelog.pl | 64 ++++++++++++++++++++++++++++++++++++++++
 tools/update/publish_version.sh  | 51 ++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+)
diff --git a/tools/update/format_changelog.pl b/tools/update/format_changelog.pl new file mode 100755 index 0000000..c469b37 --- /dev/null +++ b/tools/update/format_changelog.pl @@ -0,0 +1,64 @@ +#!/usr/bin/perl -w + +# Read ChangeLog.txt from stdin +# $ ./format_changelog.pl < ChangeLog.txt + +my $once = 0; +my $last_indent=0; + +sub finish { + while ($last_indent > 2) { + print "</ul>\n"; + # Every entry in the ChangeLog is indented by 2 characters + # except for the first Platform line + $last_indent -= 2 + } + exit; +} + +while (<>) { + #print "$_"; + my $line = ""; + if ($_ =~ /^Tor Browser /) { + finish() unless $once == 0; + $once = 1; + next; + } + # Skip empty lines + if ($_ =~ /^\s*$/) { + next; + } + #print ">>> $_"; + if ($_ =~ /(\s+)* Bug (\d+):(.*)$/) { + my $indentation = $1; + my $bug = $2; + my $description = $3; + my $current_indent = length($indentation); + if ($current_indent > $last_indent) { + $line = "<ul>"; + } elsif ($current_indent < $last_indent) { + $line = "</ul>"; + } + $last_indent = $current_indent; + if ($bug < 40000) { + $line.="<li><a href="https://bugs.torproject.org/$bug%5C%22%3EBug $bug</a>:$3</li>"; + } else { + $description =~ /(.*)[([a-z-]*)]$/; + my $project = "tpo/applications/$2/$bug" // "$bug"; + $line.="<li><a href="https://bugs.torproject.org/$project%5C%22%3EBug $bug</a>:$1</li>"; + } + } elsif ($_ =~ /(\s+)* (.*)$/) { + my $indentation = $1; + my $current_indent = length($indentation); + if ($current_indent > $last_indent) { + $line = "<ul>"; + } elsif ($current_indent < $last_indent) { + $line = "</ul>"; + } + $last_indent = $current_indent; + $line .= "<li>$2"; + } else { + $line = $_; + } + print "$line\n"; +} diff --git a/tools/update/publish_version.sh b/tools/update/publish_version.sh new file mode 100755 index 0000000..25083e3 --- /dev/null +++ b/tools/update/publish_version.sh 
@@ -0,0 +1,51 @@ +#!/bin/bash + +set -e + +TORBROWSER_VERSION=$1 +if [ -z "${TORBROWSER_VERSION}" ]; then + echo "please specify version number (excluding -buildN)" + exit 1 +fi + +PREV_TORBROWSER_VERSION=$2 +if [ -z "${PREV_TORBROWSER_VERSION}" ]; then + echo "please specify a previous version number (needed for copying .htaccess file)" + exit 1 +fi + +TORBROWSER_UPDATE_CHANNEL=$3 +if [ -z "${TORBROWSER_UPDATE_CHANNEL}" ]; then + echo "please specify the release channel (release|alpha)" + exit 1 +fi + +wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~sysrqb/builds/$%7BTORBROWSER_VERSION%7D" +#wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~gk/builds/$%7BTORBROWSER_VERSION%7D" +rm "${TORBROWSER_VERSION}/index.html*" + +# Rename the update responses directory to .old to make it easier to +# revert in case of problem (see the file RollingBackUpdate for more +# details about this) +rm -rf "/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}.old" +mv /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/"${TORBROWSER_UPDATE_CHANNEL}"{,.old} + +date +mv "${TORBROWSER_VERSION}" /srv/dist-master.torproject.org/htdocs/torbrowser/ +cp "/srv/dist-master.torproject.org/htdocs/torbrowser/${PREV_TORBROWSER_VERSION}/.htaccess" "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}/" +chmod 775 "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}" +chmod 664 "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}"/* +chown -R :torwww "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}" +cd "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}" +for i in *.asc; do echo "$i"; gpg -q "$i" || exit; done +date +static-update-component dist.torproject.org + +mkdir "/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/${TORBROWSER_VERSION}" +chmod 775 
"/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/${TORBROWSER_VERSION}" +cd "/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/${TORBROWSER_VERSION}" +for marfile in /srv/dist-master.torproject.org/htdocs/torbrowser/"${TORBROWSER_VERSION}"/*.mar; do ln -f "${marfile}" .; done +date +static-update-component cdn.torproject.org + +echo "Now sync and publish update responses"
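Review bot: in the format_changelog.pl hunk, `my $project = "tpo/applications/$2/$bug" // "$bug";` never takes the fallback: the left operand is an interpolated string and is therefore always defined, so `//` is dead code. Worse, if the preceding `$description =~ /...([a-z-]*)...$/` match fails, Perl leaves `$1` and `$2` holding the captures of the earlier `Bug (\d+)` match, and the `<li>` built from `$1` on the next line gets the indentation string instead of the description. Test the match explicitly and build the link only on success, e.g. `if ($description =~ ...) { $project = "tpo/applications/$2/$bug"; $text = $1 } else { $project = $bug; $text = $description }`. Also, `finish()` calls `exit` as soon as the second `Tor Browser ` heading is seen, which means only the newest release block is ever formatted; that is presumably intended but deserves a comment next to the `# Read ChangeLog.txt from stdin` usage note.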
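Review bot: in the publish_version.sh hunk, `rm "${TORBROWSER_VERSION}/index.html*"` quotes the wildcard, so the `*` is never expanded, rm looks for a file literally named `index.html*`, fails, and `set -e` aborts the script right after the wget; write it as `rm "${TORBROWSER_VERSION}"/index.html*`. On the verification step, `for i in *.asc; do echo "$i"; gpg -q "$i" || exit; done` only establishes that some key in the local keyring made a good signature over each file; since this loop is the last gate before the bundles land in the dist document root, pin it to the expected release signing key (a dedicated `--keyring`, or checking the reported fingerprint against a configured value) so an unrelated key imported on the host cannot satisfy the check. The download source `~sysrqb/builds` is hardcoded with a commented-out `~gk` alternative; a fourth argument or a config variable would avoid editing the script for each releaser.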
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 318bafd5bdd608871f6006808ee4dee5d7ada080
Author:     Matthew Finkel <sysrqb@torproject.org>
AuthorDate: Tue Nov 17 03:01:22 2020 +0000
Bug 40157: Add sanity check scripts
---
 tools/authenticode_verify_timestamp.sh |  95 +++++++++++++++++++
 tools/marsigning_check.sh              |  12 +++
 tools/signing/check_file_counts        | 168 +++++++++++++++++++++++++++++++++
 3 files changed, 275 insertions(+)
diff --git a/tools/authenticode_verify_timestamp.sh b/tools/authenticode_verify_timestamp.sh new file mode 100755 index 0000000..efa8986 --- /dev/null +++ b/tools/authenticode_verify_timestamp.sh 
@@ -0,0 +1,95 @@ +#!/bin/sh + +# Copyright (c) 2021, The Tor Project, Inc. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following disclaimer +# in the documentation and/or other materials provided with the +# distribution. +# +# * Neither the names of the copyright owners nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Usage: +# 1) Let OSSLSIGNCODE point to your osslsigncode binary +# 2) Change into the directory containing the .exe files and the sha256sums-unsigned-build.txt +# 3) Run /path/to/authenticode_verify_timestamp.sh + +if [ -z "$OSSLSIGNCODE" ] +then + echo "The path to your osslsigncode binary is missing!" 
+ exit 1 +fi + +#set -x + +VERIFIED_PACKAGES=0 +MISSING_TIMESTAMP=0 + +for f in `ls *.exe`; do + echo -n "$f timestamped: " + + ${OSSLSIGNCODE} extract-signature -pem -in $f -out $f.sigs 1>/dev/null + ts=`openssl pkcs7 -print -in $f.sigs | grep -A 227 unauth_attr` + ts_len=`openssl pkcs7 -print -in $f.sigs | grep -A 227 unauth_attr | wc -l` + rm $f.sigs + + if [ $ts_len -ne 228 ]; then + echo "timestamp format changed. Expected 228 lines, but received $ts_len" + fi + + missing_attrs=0 + # Random selection. We can choose better ones later. + for exp in "d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData" \ + "d=4 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo" \ + "d=9 hl=2 l= 40 prim: PRINTABLESTRING :DigiCert SHA2 Assured ID Timestamping CA" \ + "d=9 hl=2 l= 23 prim: PRINTABLESTRING :DigiCert Timestamp 2021" \ + "d=7 hl=2 l= 9 prim: OBJECT :signingTime"; do + #echo "Checking '$exp'" + if ! `echo $ts | grep -q "$exp"`; then + missing_attrs=`expr $missing_attrs + 1` + echo "no: missing attribute: $exp" + fi + done + if [ $missing_attrs -ne 0 ]; then + MISSING_TIMESTAMP=`expr $MISSING_TIMESTAMP + 1` + else + echo yes + fi + + CHECKED_PACKAGES=`expr ${CHECKED_PACKAGES} + 1` +done + +if [ "${MISSING_TIMESTAMP}" -ne 0 ]; then + echo "${MISSING_TIMESTAMP} packages not timestamped." + exit 1 +fi + +if [ "${CHECKED_PACKAGES}" -ne `ls *.exe | wc -l` ]; then + echo "Some packages were not verified!." + exit 1 +fi + +echo "Successfully verified are ${CHECKED_PACKAGES} timestamped" + +exit 0 diff --git a/tools/marsigning_check.sh b/tools/marsigning_check.sh index fb5e4f6..28f149a 100755 --- a/tools/marsigning_check.sh +++ b/tools/marsigning_check.sh 
@@ -35,6 +35,7 @@ # 2) Let LD_LIBRARY_PATH point to the mar-tools directory # 3) Let NSS_DB_DIR point to the directory containing the database with the # signing certificate to check against. +# 4) Let CHANNEL be the expected update channel # # To create the database to use for signature checking import the # release*.der certificate of your choice found in @@ -66,6 +67,12 @@ then exit 1 fi
+if [ -z "$CHANNEL" ] +then + echo "The update channel is missing! ([nightly|alpha|release])" + exit 1 +fi + unsigned_mars=0 badsigned_mars=0 not_reproduced_mars=0 @@ -98,6 +105,11 @@ for f in *.mar; do fi fi
+ # Test 1.5: Is the MAR file correctly signed by the correct channel key? + if [ ! "$($SIGNMAR -T "$f" | grep "MAR channel name")" = " - MAR channel name: torbrowser-torproject-${CHANNEL}" ]; then + echo "$f contains wrong update channel!" + fi + # Test 2: Do we get the old SHA-256 sum after stripping the MAR signature? We # want to have a test for that to be sure we've the signed MAR files in front # of us which we actually want to ship to our users. diff --git a/tools/signing/check_file_counts b/tools/signing/check_file_counts new file mode 100755 index 0000000..beaa8e7 --- /dev/null +++ b/tools/signing/check_file_counts 
@@ -0,0 +1,168 @@ +#!/bin/bash + +#set -x +#set -e + +VERSION=$1 +LANG_COUNT=$2 +INCREMENTAL_VERSIONS="$3" +SIGNERS="$4" + +if [ "$#" -ne 4 ]; then + echo "<version> <lang_count> <incrementals> <signers>" + exit +fi + +INSTALL_PLATFORMS="tor-browser-linux32-${VERSION}_*.tar.xz tor-browser-linux64-${VERSION}_*.tar.xz torbrowser-install-${VERSION}_*.exe torbrowser-install-win64-${VERSION}_*.exe TorBrowser-${VERSION}-osx64_*.dmg" + +MAR_PLATFORMS="linux32 linux64 win32 win64 osx64" +MAR_TOOLS_PLATFORMS="linux32 linux64 win32 win64 mac64" + +total_count=0 +remaining_files=$(ls) + +for p in ${INSTALL_PLATFORMS}; do + expand_p=$(echo "${p}" | sed 's/\*/*/g') + test "$(ls ${expand_p} 2>/dev/null | wc -l)" = "${LANG_COUNT}" || echo "${p} not ${LANG_COUNT}" + total_count=$(( total_count + LANG_COUNT )) + for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') + done +done + +for p in ${INSTALL_PLATFORMS}; do + expand_p="$(echo "${p}" | sed 's/\*/*/g')" + test "$(ls ${expand_p}.asc 2>/dev/null | wc -l)" = "${LANG_COUNT}" || echo "${p}.asc not ${LANG_COUNT}" + total_count=$(( total_count + LANG_COUNT )) + for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}.asc"' / /') + done +done + +p=tor-browser-"${VERSION}"-android-*-multi*.apk +expand_p="$(echo "${p}" | sed 's/\\*/*/g')" +test "$(ls ${expand_p} 2>/dev/null | wc -l)" = 8 || echo "${p} not 8" +total_count=$(( total_count + 8 )) +for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') +done +test "$(ls ${expand_p}.asc 2>/dev/null | wc -l)" = 8 || echo "${p}.asc not 8" +total_count=$(( total_count + 8 )) +for f in ${expand_p}; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}.asc"' / /') +done + +for p in ${MAR_PLATFORMS}; do + count=$(ls tor-browser-"${p}"-"${VERSION}"_*.mar 2>/dev/null | wc -l) + test "${count}" -eq "${LANG_COUNT}" || echo "${p} not ${LANG_COUNT} (found $count)" + 
total_count=$(( total_count + count )) + for f in tor-browser-"${p}"-"${VERSION}"_*.mar; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') + done +done + +for p in ${MAR_TOOLS_PLATFORMS}; do + test -f mar-tools-"${p}".zip || echo mar-tools-"${p}".zip does not exit + total_count=$(( total_count + 1 )) + remaining_files=$(echo "${remaining_files}" | sed 's/ 'mar-tools-"${p}".zip' / /') +done + +for p in ${MAR_TOOLS_PLATFORMS}; do + test -f mar-tools-"${p}".zip.asc || echo mar-tools-"${p}".zip.asc does not exit + total_count=$(( total_count + 1 )) + remaining_files=$(echo "${remaining_files}" | sed 's/ 'mar-tools-"${p}".zip.asc' / /') +done + +for p in ${MAR_PLATFORMS}; do + for i in ${INCREMENTAL_VERSIONS}; do + count="$(ls tor-browser-"${p}"-"${i}"-"${VERSION}"_*.mar 2>/dev/null | wc -l)" + test "${count}" -eq "${LANG_COUNT}" || echo "${p} ${i} incrementals not ${LANG_COUNT} (found $count)" + total_count=$(( total_count + count )) + for f in tor-browser-"${p}"-"${i}"-"${VERSION}"_*.mar; do + remaining_files=$(echo "${remaining_files}" | sed 's/ '"${f}"' / /') + done + done +done + +for f in tor-win32-*.zip tor-win64-*.zip; do + test -f "${f}" || echo "${f} does not exist" + test -f "${f}.asc" || echo "${f}.asc does not exist" + total_count=$(( total_count + 2 )) + remaining_files=$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /') + remaining_files=$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /') +done + +for f in sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt; do + test -f ${f} || echo ${f} does not exist + test -f ${f}.asc || echo ${f}.asc does not exist + total_count=$(( total_count + 2 )) + #remaining_files=$(echo ${remaining_files} | sed 's/ '${f}' / /') + remaining_files=$(echo "${remaining_files}" | sed 's/ '${f}' / /') + remaining_files=$(echo "${remaining_files}" | sed 's/ '${f}.asc' / /') +done + +for s in ${SIGNERS}; 
do + for f in sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt; do + test -f "${f}.asc-${s}" || echo "${f}.asc-${s} does not exist" + total_count=$(( total_count + 1 )) + remaining_files="$(echo "${remaining_files}" | sed 's/ '"${f}.asc-${s}"' / /')" + done +done + +for f in sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt; do + for s in "${f}".asc-*; do + gpg2 --quiet --verify "${s}" ${f} + done +done + +for f in sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt; do + gpg2 --quiet --verify ${f}.asc ${f} +done + +for f in sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt; do + sha256sum --quiet -c $f +done + +f=geckodriver-linux64.tar.xz +test -f ${f} || echo ${f} does not exist +test -f ${f}.asc || echo ${f}.asc does not exist +total_count=$(( total_count + 2 )) +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +for f in tor-browser-linux64-debug.tar.xz tor-linux32-debug.tar.xz tor-linux64-debug.tar.xz; do + test -f ${f} || echo ${f} does not exist + test -f ${f}.asc || echo ${f}.asc does not exist + total_count=$(( total_count + 2 )) + remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" + remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" +done + +test "$(ls src-firefox-tor-browser-*.tar.xz 2>/dev/null | wc -l)" = 1 || echo src-firefox-tor-browser-*.tar.xz is wrong +test "$(ls src-firefox-tor-browser-*.tar.xz.asc 2>/dev/null | wc -l)" = 1 || echo src-firefox-tor-browser-*.tar.xz.asc is wrong +total_count=$(( total_count + 2 )) +f="$(ls src-firefox-tor-browser-*.tar.xz)" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +test "$(ls src-tor-launcher-*.tar.xz 2>/dev/null | wc -l)" = 1 || echo 
src-tor-launcher-*.tar.xz is wrong +test "$(ls src-tor-launcher-*.tar.xz.asc 2>/dev/null | wc -l)" = 1 || echo src-tor-launcher-*.tar.xz.asc is wrong +total_count=$(( total_count + 2 )) +f="$(ls src-tor-launcher-*.tar.xz)" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +test "$(ls langpacks-tor-browser-linux64-*.tar.xz 2>/dev/null | wc -l)" = 1 || echo langpacks-tor-browser-linux64-*.tar.xz is wrong +test "$(ls langpacks-tor-browser-linux64-*.tar.xz.asc 2>/dev/null | wc -l)" = 1 || echo langpacks-tor-browser-linux64-*.tar.xz.asc is wrong +total_count=$(( total_count + 2 )) +f="$(ls langpacks-tor-browser-linux64-*.tar.xz)" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}"'[ ]*/ /')" +remaining_files="$(echo "${remaining_files}" | sed 's/[ ]*'"${f}.asc"'[ ]*/ /')" + +# Expected file endings +file_count_by_ending="$(ls ./*.tar.xz{,.asc} ./*.zip{,.asc} ./*.exe{,.asc} ./*.mar ./*.dmg{,.asc} ./*.apk{,.asc} ./*.txt{,.asc} ./*.txt.asc-* | wc -l)" +test "${file_count_by_ending}" -eq ${total_count} || echo "Unexpected file endings: counted ${file_count_by_ending} vs ${total_count}" + +test "$(ls | wc -l)" -eq ${total_count} || echo "wrong total count: $(ls | wc -l) vs ${total_count}" +echo "${remaining_files}" +echo done.
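Review bot: in the authenticode_verify_timestamp.sh hunk, `CHECKED_PACKAGES` is never initialised (the script sets `VERIFIED_PACKAGES=0` and then never uses it), so the first `CHECKED_PACKAGES=\`expr ${CHECKED_PACKAGES} + 1\`` runs as `expr + 1`, fails, and leaves the variable empty; the final `[ "${CHECKED_PACKAGES}" -ne \`ls *.exe | wc -l\` ]` then errors out with "integer expression expected" instead of comparing counts. Initialise `CHECKED_PACKAGES=0` and drop `VERIFIED_PACKAGES`. In the same loop, `if ! \`echo $ts | grep -q "$exp"\`` relies on the shell executing an empty command and inheriting the substitution's exit status; `if ! echo $ts | grep -q -- "$exp"` is the intended form. Note that the unquoted `$ts` is load-bearing: it collapses the `l=   9` padding in `openssl pkcs7 -print` output to the single-spaced strings in the `for exp in ...` list, so if you quote it, also pipe through `tr -s ' '`. Finally, the `ts_len -ne 228` branch and the hardcoded `DigiCert Timestamp 2021` subject only print a message and do not add to `MISSING_TIMESTAMP`, so a TSA certificate rotation will produce noisy but passing runs; decide whether either should fail the check.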
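Review bot: in the marsigning_check.sh `# Test 1.5` hunk, a wrong channel name only triggers `echo "$f contains wrong update channel!"` and is not recorded, unlike the neighbouring tests that bump `unsigned_mars` and `badsigned_mars` and feed the script's final verdict; a MAR signed with the correct key but carrying another channel's `torbrowser-torproject-*` name would therefore still pass. Add a counter (for example `wrongchannel_mars`) next to the three existing ones, increment it here, and include it in the exit status. The comparison itself hinges on `signmar -T` emitting exactly `" - MAR channel name: torbrowser-torproject-${CHANNEL}"`, leading space included; matching with `grep -q -- "MAR channel name: torbrowser-torproject-${CHANNEL}\$"` would not break on whitespace changes in the tool's output. The earlier hunk that adds the `CHANNEL` precondition is consistent with the existing `NSS_DB_DIR` check and needs no change.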
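Review bot: in the check_file_counts hunk, every check is of the form `test ... || echo ...`, `#set -e` is commented out, and the script ends with `echo done.` regardless, so it always exits 0; in particular a failing `gpg2 --quiet --verify` on the sha256sums files or a mismatch reported by `sha256sum --quiet -c $f` is printed and then ignored. Since signatures and counts are the whole point of this sanity check, accumulate failures into a counter and `exit 1` when it is non-zero so the script can gate the following publish steps. The `remaining_files` bookkeeping is also ineffective as written: `$(ls)` is newline-separated, so the `sed 's/ FILE / /'` substitutions that expect a space on both sides of each name never match and the closing `echo "${remaining_files}"` prints the entire listing (only the later `[ ]*FILE[ ]*` variants can match). Removing entries with `grep -vxF -- "${f}"`, or comparing sorted expected and actual lists with `comm`, would do what the variable name promises. Minor: the `expand_p=$(echo "${p}" | sed ...)` rewrites do not change any of the `INSTALL_PLATFORMS` patterns, which already contain plain `*`, and the two `does not exit` messages should read `does not exist`.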
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 1e2b74dc8220d9f0074a0c167286b1918c361906
Author:     Nicolas Vigier <boklm@torproject.org>
AuthorDate: Thu Mar 24 13:11:05 2022 +0100
Bug 40414: Remove tools/update/format_changelog.pl
This is replaced by tools/changelog-format-blog-post
---
 tools/update/format_changelog.pl | 64 ----------------------------------------
 1 file changed, 64 deletions(-)
diff --git a/tools/update/format_changelog.pl b/tools/update/format_changelog.pl deleted file mode 100755 index c469b37..0000000 --- a/tools/update/format_changelog.pl +++ /dev/null @@ -1,64 +0,0 @@ -#!/usr/bin/perl -w - -# Read ChangeLog.txt from stdin -# $ ./format_changelog.pl < ChangeLog.txt - -my $once = 0; -my $last_indent=0; - -sub finish { - while ($last_indent > 2) { - print "</ul>\n"; - # Every entry in the ChangeLog is indented by 2 characters - # except for the first Platform line - $last_indent -= 2 - } - exit; -} - -while (<>) { - #print "$_"; - my $line = ""; - if ($_ =~ /^Tor Browser /) { - finish() unless $once == 0; - $once = 1; - next; - } - # Skip empty lines - if ($_ =~ /^\s*$/) { - next; - } - #print ">>> $_"; - if ($_ =~ /(\s+)* Bug (\d+):(.*)$/) { - my $indentation = $1; - my $bug = $2; - my $description = $3; - my $current_indent = length($indentation); - if ($current_indent > $last_indent) { - $line = "<ul>"; - } elsif ($current_indent < $last_indent) { - $line = "</ul>"; - } - $last_indent = $current_indent; - if ($bug < 40000) { - $line.="<li><a href="https://bugs.torproject.org/$bug%5C%22%3EBug $bug</a>:$3</li>"; - } else { - $description =~ /(.*)[([a-z-]*)]$/; - my $project = "tpo/applications/$2/$bug" // "$bug"; - $line.="<li><a href="https://bugs.torproject.org/$project%5C%22%3EBug $bug</a>:$1</li>"; - } - } elsif ($_ =~ /(\s+)* (.*)$/) { - my $indentation = $1; - my $current_indent = length($indentation); - if ($current_indent > $last_indent) { - $line = "<ul>"; - } elsif ($current_indent < $last_indent) { - $line = "</ul>"; - } - $last_indent = $current_indent; - $line .= "<li>$2"; - } else { - $line = $_; - } - print "$line\n"; -}
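Review bot: the commit message names `tools/changelog-format-blog-post` as the replacement for the deleted script, but no file of that name appears in this push's summary of changes (the closest new file is `tools/signing/create-blog-post`); please confirm the replacement already exists in the tree, or point the message at the script that now produces the formatted changelog, so that `git log` for this deletion leads a reader to the right place.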
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 4c07cbeb6159b36dfc0e019b48e77ede79dd6f49
Author:     Nicolas Vigier <boklm@torproject.org>
AuthorDate: Fri Jan 14 12:25:06 2022 +0100
Bug 40414: Add common config and functions files
Add common config file used to set Tor Browser version (and later other things). We also add a `functions` file where we can put functions used in multiple scripts.
The following lines can be used at the top of a script to use the config and functions files:
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
---
 tools/signing/functions              | 16 ++++++++++++++++
 tools/signing/set-config             |  1 +
 tools/signing/set-config.tbb-version |  7 +++++++
 3 files changed, 24 insertions(+)
diff --git a/tools/signing/functions b/tools/signing/functions new file mode 100644 index 0000000..f53f6ed --- /dev/null +++ b/tools/signing/functions @@ -0,0 +1,16 @@ +function exit_error { + for msg in "$@" + do + echo "$msg" > /dev/stderr + done + exit 1 +} + +function var_is_defined { + for var in "$@" + do + test -n "${!var}" || exit_error "$var is not defined (see set-config* files)" + done +} + +. "$script_dir/set-config" diff --git a/tools/signing/set-config b/tools/signing/set-config new file mode 100644 index 0000000..70f1200 --- /dev/null +++ b/tools/signing/set-config @@ -0,0 +1 @@ +. "$script_dir/set-config.tbb-version" diff --git a/tools/signing/set-config.tbb-version b/tools/signing/set-config.tbb-version new file mode 100644 index 0000000..5e844b5 --- /dev/null +++ b/tools/signing/set-config.tbb-version @@ -0,0 +1,7 @@ +# The following 3 lines should be uncommented and updated: + +#tbb_version=11.5a4 +#tbb_version_build=1 +#tbb_version_type=alpha + +var_is_defined tbb_version tbb_version_build tbb_version_type
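Review bot: in the `functions` hunk, `exit_error` prints with `echo "$msg" > /dev/stderr`; `printf '%s\n' "$msg" >&2` does the same without depending on `/dev/stderr` being present and writable (it is not in some chroots, and not when stderr is a terminal owned by another user after `su`), and avoids `echo` misreading a message that starts with `-`. Worth a comment as well: `exit 1` only leaves the current shell, so when `var_is_defined` runs inside a `$(...)` or a pipeline the caller continues; `set-config.tbb-version` relies on it to stop any script while its three `tbb_version*` lines are still commented out, which works only because `functions` is sourced at top level. The `. "$script_dir/set-config"` at the bottom of `functions` is correctly placed after the definitions it needs.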
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 74584a9ae3059d297c48072e3643453fd1d8188d
Author:     Nicolas Vigier <boklm@torproject.org>
AuthorDate: Fri Jan 14 13:35:41 2022 +0100
Bug 40414: Improve the gatekeeper-bundling.sh script
- use common config
- add ddmg.sh
- check if needed dependencies are installed
---
 tools/signing/ddmg.sh                | 41 ++++++++++++++++++++++++++++++++
 tools/signing/gatekeeper-bundling.sh | 46 ++++++++++++++++++++++++++----------
 tools/signing/set-config             |  8 +++++++
 3 files changed, 82 insertions(+), 13 deletions(-)
diff --git a/tools/signing/ddmg.sh b/tools/signing/ddmg.sh new file mode 100755 index 0000000..45de211 --- /dev/null +++ b/tools/signing/ddmg.sh @@ -0,0 +1,41 @@ +#!/bin/bash + +# This script is called from gatekeeper-bundling.sh, and creates a dmg +# file from a directory +# +# Usage: +# ddmg.sh <dmg-file> <src-directory> + +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +dest_file="$1" +src_dir="$2" + +set +e +find $src_dir -executable -exec chmod 0755 {} ; 2> /dev/null +find $src_dir ! -executable -exec chmod 0644 {} ; 2> /dev/null + +find $src_dir -exec touch -m -t 200001010101 {} ; 2> /dev/null +set -e + +dmg_tmpdir=$(mktemp -d) +filelist="$dmg_tmpdir/filelist.txt" +cd $src_dir +find . -type f | sed -e 's/^.///' | sort | xargs -i echo "{}={}" > $filelist +find . -type l | sed -e 's/^.///' | sort | xargs -i echo "{}={}" >> $filelist + +export LD_PRELOAD=$faketime_path +export FAKETIME="2000-01-01 01:01:01" + +echo "Starting: " $(basename $dest_file) + +genisoimage -D -V "Tor Browser" -no-pad -R -apple -o "$dmg_tmpdir/tbb-uncompressed.dmg" -path-list $filelist -graft-points -gid 20 -dir-mode 0755 -new-dir-mode 0755 + +dmg dmg "$dmg_tmpdir/tbb-uncompressed.dmg" "$dest_file" + +echo "Finished: " $(basename $dest_file) + +rm -Rf "$dmg_tmpdir" diff --git a/tools/signing/gatekeeper-bundling.sh b/tools/signing/gatekeeper-bundling.sh index 742bc61..9d3da01 100755 --- a/tools/signing/gatekeeper-bundling.sh +++ b/tools/signing/gatekeeper-bundling.sh @@ -30,20 +30,40 @@ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-TORBROWSER_VERSION=$1 -if [ -z $TORBROWSER_VERSION ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" -builddir=/path/to/the/build/dir -mkdir $builddir/$TORBROWSER_VERSION-signed -for LANG in $BUNDLE_LOCALES +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +which genisoimage > /dev/null || \ + exit_error 'genisoimage is missing. You should install the genisoimage package.' +test -f $faketime_path || \ + exit_error "$faketime_path is missing" +test -d $macos_stapled_dir || \ + exit_error "The stapled macos zip files should be placed in directory $macos_stapled_dir" +libdmg_file="$script_dir/../../out/libdmg-hfsplus/libdmg-hfsplus-dfd5e5cc3dc1-c9296e.tar.gz" +test -f "$libdmg_file" || \ + exit_error "$libdmg_file is missing." \ + "You can build it with:" \ + " ./rbm/rbm build --target no_containers libdmg-hfsplus" \ + "See var/deps in projects/libdmg-hfsplus/config for the list of build dependencies" + +test -d "$macos_signed_dir" || mkdir "$macos_signed_dir" +tmpdir="$macos_stapled_dir/tmp" +rm -Rf "$tmpdir" +mkdir "$tmpdir" +cp -rT "$script_dir/../../projects/tor-browser/Bundle-Data/mac-applications.dmg" "$tmpdir/dmg" + +tar -C "$tmpdir" -xf "$libdmg_file" +export PATH="$PATH:$tmpdir/libdmg-hfsplus" + +for lang in $bundle_locales do - cd $builddir/dmg - unzip -q $builddir/$TORBROWSER_VERSION/tb-${TORBROWSER_VERSION}_$LANG-stapled.zip + cd $tmpdir/dmg + unzip -q $macos_stapled_dir/tb-${tbb_version}_$lang-stapled.zip cd .. - $builddir/ddmg.sh $builddir/$TORBROWSER_VERSION-signed/TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg $builddir/dmg/ + $script_dir/ddmg.sh $macos_signed_dir/TorBrowser-${tbb_version}-osx64_$lang.dmg $tmpdir/dmg/ rm -rf 'dmg/Tor Browser.app' done + +rm -Rf "$tmpdir" 
diff --git a/tools/signing/set-config b/tools/signing/set-config index 70f1200..99e1bfa 100644 --- a/tools/signing/set-config +++ b/tools/signing/set-config @@ -1 +1,9 @@ . "$script_dir/set-config.tbb-version" + +bundle_locales="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" + +signed_dir="$script_dir/../../$tbb_version_type/signed" +macos_stapled_dir="$signed_dir/$tbb_version-macos-stapled" +macos_signed_dir="$signed_dir/$tbb_version-macos-signed" + +faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
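Review bot: in the new ddmg.sh the three `find ... -exec chmod/touch {} ;` lines show an unescaped `;` terminator and the sed expression reads `s/^.///`; if those are not just lost backslashes in the rendering, both fail outright, and because they sit inside `set +e` with `2> /dev/null` the failure is silent, leaving a dmg with unnormalised modes or mtimes and no indication that reproducibility was lost. Suggest dropping the `set +e` / `2> /dev/null` wrapper so `set -e` aborts instead, quoting `$src_dir` and `$filelist`, and using `xargs -I{}` rather than the deprecated `-i`.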
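Review bot: in gatekeeper-bundling.sh the new checks leave `test -f $faketime_path`, `test -d $macos_stapled_dir` and the `unzip -q $macos_stapled_dir/tb-${tbb_version}_$lang-stapled.zip` line unquoted while the rest of the block quotes its paths; quote them for consistency. Pinning `libdmg_file` to one build-id tarball and refusing to run with build instructions otherwise is the right behaviour on a signing host; `command -v genisoimage` would be a more portable probe than `which`.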
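Review bot: the `bundle_locales` list moved into set-config adds `lt`, `ms`, `my` and `th`, which were not in the `BUNDLE_LOCALES` line removed from gatekeeper-bundling.sh; since that changes which dmg files the signing run produces, the commit message should say so rather than describing the change as only "use common config".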
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit ef9b7e736d8c42b5e36b5ecade8dc2691009317e
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Jan 17 11:40:29 2022 +0100

Bug 40414: Add osslsigncode project
---
 .../0001-Make-code-work-with-OpenSSL-1.1.patch | 324 +++++++++++++++++++++
 projects/osslsigncode/build                    |  19 ++
 projects/osslsigncode/config                   |  17 ++
 projects/osslsigncode/timestamping.patch       |  56 ++++
 4 files changed, 416 insertions(+)
diff --git a/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch b/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch new file mode 100644 index 0000000..e290ab0 --- /dev/null +++ b/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch 
@@ -0,0 +1,324 @@ +From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Reimar.Doeffinger@gmx.de +Date: Sun, 12 Mar 2017 23:00:12 +0100 +Subject: [PATCH] Make code work with OpenSSL 1.1. + +Changes in consist of: +- Use EVP_MD_CTX_new/free API instead of on-stack allocation +- Remove some M_ prefixes like for ASN1_IA5STRING_new +- Remove pagehash functionality because it is useless to me and + fixing it would be a pain. Would require declaring a few + ASN_SEQUENCES and use that to get the required i2d functions + from what I could find out. +- Remove OBJ_create calls that seem to serve no purpose, + now crash because NULL pointers are no longer handled + (who changes API that way?!) and even if that was fixed + lead to errors when these objects are later created + again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think, + did not investigate further). + +diff --git a/osslsigncode.c b/osslsigncode.c +index 2978c02..3797458 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url) + if (desc) { + info->programName = SpcString_new(); + info->programName->type = 1; +- info->programName->value.ascii = M_ASN1_IA5STRING_new(); +- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii, ++ info->programName->value.ascii = ASN1_IA5STRING_new(); ++ ASN1_STRING_set(info->programName->value.ascii, + (const unsigned char*)desc, strlen(desc)); + } + + if (url) { + info->moreInfo = SpcLink_new(); + info->moreInfo->type = 0; +- info->moreInfo->value.url = M_ASN1_IA5STRING_new(); +- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url, ++ info->moreInfo->value.url = ASN1_IA5STRING_new(); ++ ASN1_STRING_set(info->moreInfo->value.url, + (const unsigned char*)url, strlen(url)); + } + +@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const + + if (rfc3161) { + unsigned char 
mdbuf[EVP_MAX_MD_SIZE]; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length); +- EVP_DigestFinal(&mdctx, mdbuf, NULL); ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length); ++ EVP_DigestFinal(mdctx, mdbuf, NULL); ++ EVP_MD_CTX_free(mdctx); ++ mdctx = NULL; + + TimeStampReq *req = TimeStampReq_new(); + ASN1_INTEGER_set(req->version, 1); + req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); + req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new(); + req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL; +- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); ++ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md)); + req->certReq = (void*)0x1; + + len = i2d_TimeStampReq(req, NULL); +@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = { + 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6 + }; + +-static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus, +- unsigned int sigpos, int phtype, unsigned int *phlen); +- +-DECLARE_STACK_OF(ASN1_OCTET_STRING) +-#ifndef sk_ASN1_OCTET_STRING_new_null +-#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING) +-#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st)) +-#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val)) +-#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \ +- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) +-#endif +- +-DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue) +-#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null +-#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue) 
+-#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st)) +-#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val)) +-#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \ +- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) +-#endif +- +-static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos) +-{ +- unsigned int phlen; +- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen); +- if (!ph) { +- fprintf(stderr, "Failed to calculate page hash\n"); +- exit(-1); +- } +- +- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new(); +- M_ASN1_OCTET_STRING_set(ostr, ph, phlen); +- free(ph); +- +- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null(); +- sk_ASN1_OCTET_STRING_push(oset, ostr); +- unsigned char *p, *tmp; +- unsigned int l; +- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- tmp = p = OPENSSL_malloc(l); +- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- ASN1_OCTET_STRING_free(ostr); +- sk_ASN1_OCTET_STRING_free(oset); +- +- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new(); +- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? 
SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1); +- aval->value = ASN1_TYPE_new(); +- aval->value->type = V_ASN1_SET; +- aval->value->value.set = ASN1_STRING_new(); +- ASN1_STRING_set(aval->value->value.set, p, l); +- OPENSSL_free(p); +- +- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null(); +- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval); +- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- tmp = p = OPENSSL_malloc(l); +- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue, +- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET); +- sk_SpcAttributeTypeAndOptionalValue_free(aset); +- SpcAttributeTypeAndOptionalValue_free(aval); +- +- SpcSerializedObject *so = SpcSerializedObject_new(); +- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash)); +- M_ASN1_OCTET_STRING_set(so->serializedData, p, l); +- OPENSSL_free(p); +- +- SpcLink *link = SpcLink_new(); +- link->type = 1; +- link->value.moniker = so; +- return link; +-} +- + static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type, +- int pagehash, char *indata, unsigned int peheader, int pe32plus, ++ char *indata, unsigned int peheader, int pe32plus, + unsigned int sigpos) + { + static const unsigned char msistr[] = { +@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + } else if (type == FILE_TYPE_PE) { + SpcPeImageData *pid = SpcPeImageData_new(); + ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0); +- if (pagehash) { +- int phtype = NID_sha1; +- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1())) +- phtype = NID_sha256; +- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos); +- } else { +- pid->file = get_obsolete_link(); +- } ++ pid->file = get_obsolete_link(); + l = i2d_SpcPeImageData(pid, 
NULL); + p = OPENSSL_malloc(l); + i2d_SpcPeImageData(pid, &p); +@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + ASN1_INTEGER_set(si->d, 0); + ASN1_INTEGER_set(si->e, 0); + ASN1_INTEGER_set(si->f, 0); +- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); ++ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr)); + l = i2d_SpcSipInfo(si, NULL); + p = OPENSSL_malloc(l); + i2d_SpcSipInfo(si, &p); +@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi + hashlen = EVP_MD_size(md); + hash = OPENSSL_malloc(hashlen); + memset(hash, 0, hashlen); +- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); ++ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); + OPENSSL_free(hash); + + *len = i2d_SpcIndirectDataContent(idc, NULL); +@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, + unsigned int peheader, int pe32plus, unsigned int fileend) + { + static unsigned char bfb[16*1024*1024]; +- EVP_MD_CTX mdctx; ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); ++ EVP_DigestInit(mdctx, md); + + memset(mdbuf, 0, EVP_MAX_MD_SIZE); + + (void)BIO_seek(bio, 0); + BIO_read(bio, bfb, peheader + 88); +- EVP_DigestUpdate(&mdctx, bfb, peheader + 88); ++ EVP_DigestUpdate(mdctx, bfb, peheader + 88); + BIO_read(bio, bfb, 4); + BIO_read(bio, bfb, 60+pe32plus*16); +- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16); ++ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16); + BIO_read(bio, bfb, 8); + + unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8; +@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, + int l = BIO_read(bio, bfb, want); + if (l <= 0) + break; +- EVP_DigestUpdate(&mdctx, bfb, l); ++ EVP_DigestUpdate(mdctx, bfb, l); + n += l; + } + +- EVP_DigestFinal(&mdctx, mdbuf, NULL); ++ EVP_DigestFinal(mdctx, 
mdbuf, NULL); ++ EVP_MD_CTX_free(mdctx); + } + + +@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe + int phlen = pphlen * (3 + nsections + sigpos / pagesize); + unsigned char *res = malloc(phlen); + unsigned char *zeroes = calloc(pagesize, 1); +- EVP_MD_CTX mdctx; +- +- EVP_MD_CTX_init(&mdctx); +- EVP_DigestInit(&mdctx, md); +- EVP_DigestUpdate(&mdctx, indata, peheader + 88); +- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16); +- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); +- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize); ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); ++ ++ EVP_DigestInit(mdctx, md); ++ EVP_DigestUpdate(mdctx, indata, peheader + 88); ++ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16); ++ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16)); ++ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize); + memset(res, 0, 4); +- EVP_DigestFinal(&mdctx, res + 4, NULL); ++ EVP_DigestFinal(mdctx, res + 4, NULL); + + unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20); + char *sections = indata + peheader + 24 + sizeofopthdr; +@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe + unsigned int l; + for (l=0; l < rs; l+=pagesize, pi++) { + PUT_UINT32_LE(ro + l, res + pi*pphlen); +- EVP_DigestInit(&mdctx, md); ++ EVP_DigestInit(mdctx, md); + if (rs - l < pagesize) { +- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l); +- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l)); ++ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l); ++ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l)); + } else { +- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize); ++ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize); + } +- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL); ++ EVP_DigestFinal(mdctx, res + 
pi*pphlen + 4, NULL); + } + lastpos = ro + rs; + sections += 40; + } ++ EVP_MD_CTX_free(mdctx); ++ mdctx = NULL; + PUT_UINT32_LE(lastpos, res + pi*pphlen); + memset(res + pi*pphlen + 4, 0, EVP_MD_size(md)); + pi++; +@@ -2413,7 +2333,7 @@ int main(int argc, char **argv) + int nturl = 0, ntsurl = 0; + int addBlob = 0; + u_char *p = NULL; +- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0; ++ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0; + unsigned int tmp, peheader = 0, padlen = 0; + off_t filesize, fileend, sigfilesize, sigfileend, outdatasize; + file_type_t type; +@@ -2448,13 +2368,6 @@ int main(int argc, char **argv) + ERR_load_crypto_strings(); + OPENSSL_add_all_algorithms_conf(); + +- /* create some MS Authenticode OIDS we need later on */ +- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) || +- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) || +- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) || +- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL)) +- DO_EXIT_0("Failed to add objects\n"); +- + md = EVP_sha1(); + + if (argc > 1) { +@@ -2531,8 +2444,6 @@ int main(int argc, char **argv) + readpass = *(++argv); + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) { + comm = 1; +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) { +- pagehash = 1; + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { + if (--argc < 1) usage(argv0); + desc = *(++argv); +@@ -3243,7 +3154,7 @@ int main(int argc, char **argv) + p7x = NULL; + } + +- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend); ++ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend); + len -= EVP_MD_size(md); + memcpy(buf, p, len); + OPENSSL_free(p); +-- +2.34.1 + diff --git a/projects/osslsigncode/build b/projects/osslsigncode/build new file mode 100644 index 0000000..0f7ae9b --- /dev/null +++ b/projects/osslsigncode/build 
@@ -0,0 +1,19 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +distdir=$(pwd)/dist +mkdir -p $distdir/[% project %] +tar xf [% project %]-[% c('version') %].tar.gz +cd [% project %]-[% c('version') %] +patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch +patch -p1 < ../timestamping.patch + +./autogen.sh +./configure --prefix=/[% project %] +make +make DESTDIR=$distdir install + +cd $distdir +[% c('tar', { + tar_src => [ project ], + tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), + }) %] diff --git a/projects/osslsigncode/config b/projects/osslsigncode/config new file mode 100644 index 0000000..03dbcba --- /dev/null +++ b/projects/osslsigncode/config @@ -0,0 +1,17 @@ +# vim: filetype=yaml sw=2 +version: '[% c("abbrev") %]' +git_url: https://github.com/mtrojnar/osslsigncode +git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' +var: + container: + use_container: 0 + deps: + - autoconf + - libtool + - pkg-config + - libssl-dev + - libcurl4-openssl-dev +input_files: + - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch + - filename: timestamping.patch diff --git a/projects/osslsigncode/timestamping.patch b/projects/osslsigncode/timestamping.patch new file mode 100644 index 0000000..94b5261 --- /dev/null +++ b/projects/osslsigncode/timestamping.patch 
@@ -0,0 +1,56 @@ +From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001 +From: Georg Koppen gk@torproject.org +Date: Fri, 5 Feb 2016 09:23:10 +0000 +Subject: [PATCH] Allow timestamping with the 'add' command + + +diff --git a/osslsigncode.c b/osslsigncode.c +index 32e37c8..2978c02 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -2556,16 +2556,16 @@ int main(int argc, char **argv) + if (--argc < 1) usage(argv0); + url = *(++argv); + #ifdef ENABLE_CURL +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { + if (--argc < 1) usage(argv0); + turl[nturl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { + if (--argc < 1) usage(argv0); + tsurl[ntsurl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { + if (--argc < 1) usage(argv0); + proxy = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { + noverifypeer = 1; + #endif + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { +-- +2.7.0 + + +From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001 +From: Georg Koppen gk@torproject.org +Date: Sat, 11 Apr 2020 05:50:36 +0000 +Subject: [PATCH] fixup! 
Allow timestamping with the 'add' command + + +diff --git a/osslsigncode.c b/osslsigncode.c +index 3797458..4f4b897 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -2447,7 +2447,7 @@ int main(int argc, char **argv) + } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) { + if (--argc < 1) usage(argv0); + desc = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) { + if (--argc < 1) usage(argv0); + ++argv; + if (!strcmp(*argv, "md5")) { +-- +2.26.0
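Review bot: in the `add_timestamp`, `calc_pe_digest` and `calc_page_hash` hunks of the OpenSSL 1.1 patch, `EVP_MD_CTX *mdctx = EVP_MD_CTX_new();` is passed straight to `EVP_DigestInit(mdctx, md)` with no NULL check; the on-stack `EVP_MD_CTX` it replaces could not fail to allocate, so add `if (!mdctx) DO_EXIT_0("EVP_MD_CTX_new failed\n");` (the `DO_EXIT_0` macro is already used in this file) or check the `EVP_DigestInit` return. The same patch removes the `-ph` page-hash option and the `pagehash` argument of `get_indirect_data_blob` entirely; that is harmless for the `add` timestamping use here, but it belongs in the commit message so nobody expects page hashes from this build.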
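Review bot: the first hunk of timestamping.patch makes `-noverifypeer` accepted for `CMD_ADD` as well, which turns off TLS peer verification when fetching the timestamp; it is only as safe as the callers, so keep it out of the `osslsigncode add` invocations under tools/signing (authenticode-timestamping.sh in this series does not use it, which is right). In projects/osslsigncode/config, `use_container: 0` builds the tool directly on the host running rbm; with `git_hash` pinned and the two local patches listed under `input_files` that is acceptable, but a one-line comment saying why the build is uncontained would help the next reader.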
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 3401ffc1dbe06470320042b26b3813f4d69e8a83
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Jan 17 12:56:52 2022 +0100

Bug 40414: Improve the authenticode-timestamping.sh script
---
 tools/signing/authenticode-timestamping.sh | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/tools/signing/authenticode-timestamping.sh b/tools/signing/authenticode-timestamping.sh index 77973b7..4e07ae3 100755 --- a/tools/signing/authenticode-timestamping.sh +++ b/tools/signing/authenticode-timestamping.sh @@ -32,10 +32,30 @@
set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz" + +test -f "$osslsigncode_file" || + exit_error "$osslsigncode_file is missing." \ + "You can build it with:" \ + " ./rbm/rbm build osslsigncode" \ + "See var/deps in projects/osslsigncode/config for the list of build dependencies" + +which rename > /dev/null 2>&1 || + exit_error '`rename` is missing.' + +tmp_dir="$signed_dir/$tbb_version/tmp-timestamp" +mkdir "$tmp_dir" +tar -C "$tmp_dir" -xf "$osslsigncode_file" +export PATH="$PATH:$tmp_dir/osslsigncode/bin" + +cd "$signed_dir/$tbb_version" COUNT=0 for i in `find . -name "*.exe" -print` do - /path/to/patched/osslsigncode add \ + osslsigncode add \ -t http://timestamp.digicert.com \ -p socks://127.0.0.1:9050 \ $i $i-timestamped @@ -44,3 +64,5 @@ do done echo "Timestamped $COUNT .exe files, now renaming" rename -f 's/-timestamped//' *-timestamped + +rm -Rf "$tmp_dir"
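Review bot: `which rename > /dev/null 2>&1` only proves that some `rename` exists, but the unchanged `rename -f 's/-timestamped//' *-timestamped` at the end needs the Perl variant (the util-linux `rename` takes a literal from/to pair and would not strip the suffix), so the check should identify the variant, for example by calling the Perl one explicitly (on Debian it is installed as `file-rename`; assumption about the local install). Also `mkdir "$tmp_dir"` aborts under `set -e` if an earlier interrupted run left the directory behind; mirror gatekeeper-bundling.sh and `rm -Rf "$tmp_dir"` first. Fetching the countersignature over `http://timestamp.digicert.com` through the local Tor SOCKS port is fine, since the timestamp token is signed by the TSA and its integrity does not depend on the transport.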
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 517f4e6bd8f1f70219592f7f8ef28460166e3281
Author: Nicolas Vigier <boklm@torproject.org>
AuthorDate: Mon Jan 17 14:13:11 2022 +0100

Bug 40414: Add sync-* signing scripts
---
 tools/signing/set-config                                       |  6 ++++++
 tools/signing/set-config.hosts                                 |  6 ++++++
 tools/signing/sync-builder-to-local                            |  8 ++++++++
 tools/signing/sync-builder-to-local.dry-run                    |  1 +
 tools/signing/sync-builder-unsigned-to-local-signed            |  8 ++++++++
 tools/signing/sync-builder-unsigned-to-local-signed.dry-run    |  1 +
 tools/signing/sync-linux-signer-to-local                       |  8 ++++++++
 tools/signing/sync-linux-signer-to-local.dry-run               |  1 +
 tools/signing/sync-local-to-builder                            |  8 ++++++++
 tools/signing/sync-local-to-builder.dry-run                    |  1 +
 tools/signing/sync-local-to-linux-signer                       |  8 ++++++++
 tools/signing/sync-local-to-linux-signer.dry-run               |  1 +
 tools/signing/sync-local-to-staticiforme                       |  6 ++++++
 tools/signing/sync-local-to-staticiforme.dry-run               |  1 +
 tools/signing/sync-macos-local-to-macos-signer                 |  8 ++++++++
 tools/signing/sync-macos-local-to-macos-signer.dry-run         |  1 +
 tools/signing/sync-macos-signer-stapled-to-macos-local-stapled |  8 ++++++++
 .../sync-macos-signer-stapled-to-macos-local-stapled.dry-run   |  1 +
 tools/signing/sync-scripts-to-linux-signer                     |  8 ++++++++
 tools/signing/sync-scripts-to-linux-signer.dry-run             |  1 +
 tools/signing/sync-scripts-to-macos-signer                     |  8 ++++++++
 tools/signing/sync-scripts-to-macos-signer.dry-run             |  1 +
 22 files changed, 100 insertions(+)
diff --git a/tools/signing/set-config b/tools/signing/set-config index 99e1bfa..e81ccac 100644 --- a/tools/signing/set-config +++ b/tools/signing/set-config @@ -1,9 +1,15 @@ . "$script_dir/set-config.tbb-version" +. "$script_dir/set-config.hosts"
bundle_locales="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW"
signed_dir="$script_dir/../../$tbb_version_type/signed" +signed_version_dir="$signed_dir/$tbb_version" macos_stapled_dir="$signed_dir/$tbb_version-macos-stapled" macos_signed_dir="$signed_dir/$tbb_version-macos-signed"
faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 + +echo "${BASH_ARGV0:-}" | grep -q '.dry-run$' && DRY_RUN='--dry-run' +test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress" +rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}" diff --git a/tools/signing/set-config.hosts b/tools/signing/set-config.hosts new file mode 100644 index 0000000..6a2d939 --- /dev/null +++ b/tools/signing/set-config.hosts @@ -0,0 +1,6 @@ +ssh_host_builder=tbbuild +ssh_host_linux_signer=linux-signer-notor +ssh_host_macos_signer=mac-signer-notor +ssh_host_staticiforme=staticiforme.torproject.org + +builder_tor_browser_build_dir=/home/user/tor-browser-build diff --git a/tools/signing/sync-builder-to-local b/tools/signing/sync-builder-to-local new file mode 100755 index 0000000..5a251b5 --- /dev/null +++ b/tools/signing/sync-builder-to-local @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_builder builder_tor_browser_build_dir + +rsync $rsync_options "$ssh_host_builder:$builder_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/" "$signed_version_dir/" diff --git a/tools/signing/sync-builder-to-local.dry-run b/tools/signing/sync-builder-to-local.dry-run new file mode 120000 index 0000000..f6de9e2 --- /dev/null +++ b/tools/signing/sync-builder-to-local.dry-run @@ -0,0 +1 @@ +sync-builder-to-local \ No newline at end of file diff --git a/tools/signing/sync-builder-unsigned-to-local-signed b/tools/signing/sync-builder-unsigned-to-local-signed new file mode 100755 index 0000000..769faf2 --- /dev/null +++ b/tools/signing/sync-builder-unsigned-to-local-signed 
@@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_builder builder_tor_browser_build_dir + +rsync $rsync_options "$ssh_host_builder:$builder_tor_browser_build_dir/$tbb_version_type/unsigned/$tbb_version-build$tbb_version_build/" "$signed_version_dir/" diff --git a/tools/signing/sync-builder-unsigned-to-local-signed.dry-run b/tools/signing/sync-builder-unsigned-to-local-signed.dry-run new file mode 120000 index 0000000..d3a4554 --- /dev/null +++ b/tools/signing/sync-builder-unsigned-to-local-signed.dry-run @@ -0,0 +1 @@ +sync-builder-unsigned-to-local-signed \ No newline at end of file diff --git a/tools/signing/sync-linux-signer-to-local b/tools/signing/sync-linux-signer-to-local new file mode 100755 index 0000000..ea29971 --- /dev/null +++ b/tools/signing/sync-linux-signer-to-local @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer + +rsync $rsync_options "$ssh_host_linux_signer:$tbb_version/" "$signed_version_dir/" diff --git a/tools/signing/sync-linux-signer-to-local.dry-run b/tools/signing/sync-linux-signer-to-local.dry-run new file mode 120000 index 0000000..6c687e1 --- /dev/null +++ b/tools/signing/sync-linux-signer-to-local.dry-run @@ -0,0 +1 @@ +sync-linux-signer-to-local \ No newline at end of file diff --git a/tools/signing/sync-local-to-builder b/tools/signing/sync-local-to-builder new file mode 100755 index 0000000..f6a7e25 --- /dev/null +++ b/tools/signing/sync-local-to-builder 
@@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_builder builder_tor_browser_build_dir + +rsync $rsync_options "$signed_version_dir/" "$ssh_host_builder:$builder_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/" diff --git a/tools/signing/sync-local-to-builder.dry-run b/tools/signing/sync-local-to-builder.dry-run new file mode 120000 index 0000000..24f6e15 --- /dev/null +++ b/tools/signing/sync-local-to-builder.dry-run @@ -0,0 +1 @@ +sync-local-to-builder \ No newline at end of file diff --git a/tools/signing/sync-local-to-linux-signer b/tools/signing/sync-local-to-linux-signer new file mode 100755 index 0000000..cc4192c --- /dev/null +++ b/tools/signing/sync-local-to-linux-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer + +rsync $rsync_options "$signed_version_dir/" "$ssh_host_linux_signer:$tbb_version/" diff --git a/tools/signing/sync-local-to-linux-signer.dry-run b/tools/signing/sync-local-to-linux-signer.dry-run new file mode 120000 index 0000000..c4498ad --- /dev/null +++ b/tools/signing/sync-local-to-linux-signer.dry-run @@ -0,0 +1 @@ +sync-local-to-linux-signer \ No newline at end of file diff --git a/tools/signing/sync-local-to-staticiforme b/tools/signing/sync-local-to-staticiforme new file mode 100755 index 0000000..2372623 --- /dev/null +++ b/tools/signing/sync-local-to-staticiforme @@ -0,0 +1,6 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +rsync $rsync_options "$signed_version_dir/" "$ssh_host_staticiforme:/srv/dist-master.torproject.org/htdocs/torbrowser/$tbb_version/" 
diff --git a/tools/signing/sync-local-to-staticiforme.dry-run b/tools/signing/sync-local-to-staticiforme.dry-run new file mode 120000 index 0000000..3e0a7fd --- /dev/null +++ b/tools/signing/sync-local-to-staticiforme.dry-run @@ -0,0 +1 @@ +sync-local-to-staticiforme \ No newline at end of file diff --git a/tools/signing/sync-macos-local-to-macos-signer b/tools/signing/sync-macos-local-to-macos-signer new file mode 100755 index 0000000..75dd3a1 --- /dev/null +++ b/tools/signing/sync-macos-local-to-macos-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer + +rsync $rsync_options "$signed_version_dir"/*.dmg "$ssh_host_macos_signer:$tbb_version/" diff --git a/tools/signing/sync-macos-local-to-macos-signer.dry-run b/tools/signing/sync-macos-local-to-macos-signer.dry-run new file mode 120000 index 0000000..e8f1262 --- /dev/null +++ b/tools/signing/sync-macos-local-to-macos-signer.dry-run @@ -0,0 +1 @@ +sync-macos-local-to-macos-signer \ No newline at end of file diff --git a/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled new file mode 100755 index 0000000..2d170bf --- /dev/null +++ b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer + +rsync $rsync_options "$ssh_host_macos_signer:$tbb_version/*-stapled.zip" "$macos_stapled_dir/" diff --git a/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run new file mode 120000 index 0000000..f397acd --- /dev/null +++ b/tools/signing/sync-macos-signer-stapled-to-macos-local-stapled.dry-run 
@@ -0,0 +1 @@ +sync-macos-signer-stapled-to-macos-local-stapled \ No newline at end of file diff --git a/tools/signing/sync-scripts-to-linux-signer b/tools/signing/sync-scripts-to-linux-signer new file mode 100755 index 0000000..6e46120 --- /dev/null +++ b/tools/signing/sync-scripts-to-linux-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer + +rsync $rsync_options "$script_dir/" "$ssh_host_linux_signer:signing-$tbb_version_type/" diff --git a/tools/signing/sync-scripts-to-linux-signer.dry-run b/tools/signing/sync-scripts-to-linux-signer.dry-run new file mode 120000 index 0000000..4fa2b82 --- /dev/null +++ b/tools/signing/sync-scripts-to-linux-signer.dry-run @@ -0,0 +1 @@ +sync-scripts-to-linux-signer \ No newline at end of file diff --git a/tools/signing/sync-scripts-to-macos-signer b/tools/signing/sync-scripts-to-macos-signer new file mode 100755 index 0000000..d56328d --- /dev/null +++ b/tools/signing/sync-scripts-to-macos-signer @@ -0,0 +1,8 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer + +rsync $rsync_options "$script_dir/" "$ssh_host_macos_signer:signing-$tbb_version_type/" diff --git a/tools/signing/sync-scripts-to-macos-signer.dry-run b/tools/signing/sync-scripts-to-macos-signer.dry-run new file mode 120000 index 0000000..1f00d0a --- /dev/null +++ b/tools/signing/sync-scripts-to-macos-signer.dry-run @@ -0,0 +1 @@ +sync-scripts-to-macos-signer \ No newline at end of file
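Review bot: in the set-config hunk, `echo "${BASH_ARGV0:-}" | grep -q '.dry-run$' && DRY_RUN='--dry-run'` depends on `$BASH_ARGV0`, which exists only in bash 5.0 and later; on an older bash the variable is empty, so invoking a `.dry-run` symlink silently runs the real rsync against the builder, the signers or staticiforme. Use `$0`, which carries the symlink name on any bash, e.g. `case "$0" in *.dry-run) DRY_RUN='--dry-run' ;; esac`. In the same hunk `test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"` enables `--progress` only when NON_INTERACTIVE is set, which looks inverted; if the intent is progress output for interactive runs it should be `test -n`.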
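Review bot: sync-local-to-staticiforme is the only sync script without a `var_is_defined` guard; add `var_is_defined ssh_host_staticiforme` before the rsync, as the other scripts do for their hosts, so an unset variable produces a clear error instead of a malformed `:/srv/dist-master.torproject.org/...` destination on the script that publishes to the public dist master.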
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit dcd8ff5ec4f914e4c3c860dd964fc0e1ba326110 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Sun Feb 6 08:41:47 2022 +0100
Bug 40414: add macos-signer-proxy --- tools/signing/macos-signer-proxy | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/tools/signing/macos-signer-proxy b/tools/signing/macos-signer-proxy new file mode 100755 index 0000000..8eff373 --- /dev/null +++ b/tools/signing/macos-signer-proxy @@ -0,0 +1,6 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +ssh -R :1080 "$ssh_host_macos_signer" 'python ~/proxy.py --port 8443'
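Review bot: macos-signer-proxy uses `$ssh_host_macos_signer` without the `var_is_defined ssh_host_macos_signer` guard that the sibling sync-* scripts have, so with an unset variable `ssh -R :1080 ''` fails with an unhelpful error rather than the standard message. It is also the only script in the directory with no header comment: say what `~/proxy.py --port 8443` on the signer is expected to be and why the reverse forward on port 1080 is needed, since the proxy script itself is not in this repository.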
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 8a74ee7633f9f0f06f35552659a4f929df110121 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Feb 7 20:00:23 2022 +0100
Bug 40414: Move hash_signed_bundles.sh to the signing directory --- tools/{ => signing}/hash_signed_bundles.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/hash_signed_bundles.sh b/tools/signing/hash_signed_bundles.sh similarity index 100% rename from tools/hash_signed_bundles.sh rename to tools/signing/hash_signed_bundles.sh
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit b7549fe6a13a1791bd7331f097bf1cb9d3d81b06 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Feb 7 20:05:31 2022 +0100
Bug 40414: Improve hash_signed_bundles.sh
Automatically change to the signed directory before creating the sha256sums-signed files. --- tools/signing/hash_signed_bundles.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/tools/signing/hash_signed_bundles.sh b/tools/signing/hash_signed_bundles.sh index 1e21c49..e7a1247 100755 --- a/tools/signing/hash_signed_bundles.sh +++ b/tools/signing/hash_signed_bundles.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash
# Copyright (c) 2018, The Tor Project, Inc. # @@ -30,12 +30,18 @@ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Usage: -# 1) Change into the directory containing the files to be hashed -# 2) Run /path/to/hash_signed_bundles.sh +# This script will generate sha256sums-signed-build.txt and +# sha256sums-signed-build.incrementals.txt files in the signed directory. + +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions"
export LC_ALL=C
+cd "$signed_version_dir" + rm -f sha256sums-signed-build.txt sha256sums-signed-build.incrementals.txt sha256sum `ls -1 | grep -v '.incremental.mar$' | grep -v '^sha256sums*' | \ sort` > sha256sums-signed-build.txt
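Review bot: `cd "$signed_version_dir"` is a silent no-op in bash when the variable is empty (`cd ""` succeeds without changing directory), so an unset `signed_version_dir` makes the script hash whatever directory it was launched from and write the sha256sums-signed files there; add `var_is_defined signed_version_dir` (or `test -d`) before the `cd`. Now that the file is bash with `set -e`, the unchanged `sha256sum \`ls -1 | grep -v ... | sort\`` still depends on unquoted word splitting of `ls` output; a glob loop or an array with `find -maxdepth 1` would be the idiomatic replacement.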
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit a6783cfbaf30968c70390c7591633bf18bd1389f Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Feb 8 19:11:46 2022 +0100
Bug 40414: Add download-unsigned-sha256sums-gpg-signatures-from-people-tpo script --- ...ad-unsigned-sha256sums-gpg-signatures-from-people-tpo | 16 ++++++++++++++++ tools/signing/set-config | 2 ++ 2 files changed, 18 insertions(+)
diff --git a/tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo b/tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo new file mode 100755 index 0000000..a26b051 --- /dev/null +++ b/tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo @@ -0,0 +1,16 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +for builder in $tb_builders +do + for file in sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.incrementals.txt.asc + do + tmpfile=$(mktemp) + chmod 644 "$tmpfile" + wget -q -O "$tmpfile" "https://people.torproject.org/~$builder/builds/$tbb_version-build$tbb_versio..." || \ + wget -q -O "$tmpfile" "https://people.torproject.org/~$builder/builds/tor-browser/$tbb_version-buil..." && \ + mv "$tmpfile" "$signed_version_dir/$file-$builder" && echo "Added $file-$builder" + done +done diff --git a/tools/signing/set-config b/tools/signing/set-config index e81ccac..70bd311 100644 --- a/tools/signing/set-config +++ b/tools/signing/set-config @@ -13,3 +13,5 @@ faketime_path=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 echo "${BASH_ARGV0:-}" | grep -q '.dry-run$' && DRY_RUN='--dry-run' test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress" rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}" + +tb_builders='aguestuser boklm gk pierov richard sysrqb'
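Review bot: in the download loop, when both `wget` attempts fail the `||`/`&&` chain just stops: nothing is printed, `$tmpfile` is left behind in /tmp, and `set -e` does not fire because the failure is inside a list. A missing `sha256sums-unsigned-build.txt.asc-<builder>` therefore goes unnoticed until the signatures are compared later; add a final `|| { rm -f "$tmpfile"; echo "No $file for $builder"; }` branch so each builder's result is reported and the temp file is removed.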
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 0447c30c7926710cfb0d32110e7f9be08332dd2e Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Feb 14 19:41:23 2022 +0100
Bug 40414: Add linux-signer-signmars
This is a copy from tor-browser-bundle/gitian/signmars.sh that we currently use for mar signing. --- tools/signing/linux-signer-signmars | 133 ++++++++++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+)
diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars new file mode 100755 index 0000000..269610f --- /dev/null +++ b/tools/signing/linux-signer-signmars 
@@ -0,0 +1,133 @@ +#!/bin/bash +# +# +# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script. + +set -e +set -u + +WRAPPER_DIR=$(dirname "$0") +WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR") + +if [ -z "${NSS_DB_DIR+x}" ]; then + NSS_DB_DIR=$WRAPPER_DIR/nssdb +fi + +if [ -z "${NSS_CERTNAME+x}" ]; then + NSS_CERTNAME=marsigner +fi + +# Incorporate definitions from the versions file. +if [ -z "$1" ]; then + VERSIONS_FILE=$WRAPPER_DIR/versions +else + VERSIONS_FILE=$1 +fi + +if ! [ -e $VERSIONS_FILE ]; then + echo >&2 "Error: $VERSIONS_FILE file does not exist" + exit 1 +fi + +. $VERSIONS_FILE +#eval $(./get-tb-version $TORBROWSER_VERSION_TYPE) + +export LC_ALL=C + +# Check some prerequisites. +if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then + >&2 echo "Please create and populate the $NSS_DB_DIR directory" + exit 2 +fi + +OSNAME="" +ARCH="$(uname -s)-$(uname -m)" +case $ARCH in + Linux-x86_64) + OSNAME="linux64" + ;; + Linux-i*86) + OSNAME="linux32" + ;; + *) + >&2 echo "Unsupported architecture $ARCH" + exit 2 +esac + +# Extract the MAR tools so we can use the signmar program. +MARTOOLS_TMP_DIR=$(mktemp -d) +trap "rm -rf $MARTOOLS_TMP_DIR" EXIT +MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-new-${OSNAME}.zip" +cd $MARTOOLS_TMP_DIR +unzip -q "$MARTOOLS_ZIP" +cd $WRAPPER_DIR +export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH" +if [ -z "${LD_LIBRARY_PATH+x}" ]; then + export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools" +else + export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH" +fi + +# Prompt for the NSS password. +# TODO: Test that the entered NSS password is correct. But how? Unfortunately, +# both certutil and signmar keep trying to read a new password when they are +# given an incorrect one. +read -s -p "NSS password:" NSSPASS +echo "" + +# Sign each MAR file. +# +# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION +# directory into a TORBROWSER_VERSION-unsigned/ directory. 
Details: +# If a file has not been signed, we move it to the -unsigned/ directory. +# If a file has already been signed and a file with the same name exists in +# the -unsigned/ directory, we just delete the signed file. +# If a file has already been signed but no corresponding file exists in +# the -unsigned/ directory, we report an error and exit. +# +# Once the above is done, the -unsigned/ directory contains a set of .mar +# files that need to be signed, so we go ahead and sign them one-by-one. +SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION" +UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned" +mkdir -p "$UNSIGNED_DIR" +cd "$SIGNED_DIR" +for marfile in *.mar; do + if [ ! -f "$marfile" ]; then + continue; + fi + + # First, we check for an existing signature. The signmar -T output will + # include a line like "Signature block found with N signatures". + SIGINFO_PREFIX="Signature block found with " + SIGINFO=$(signmar -T "$marfile" | grep "^${SIGINFO_PREFIX}") + SIGCOUNT=0 + if [ ! -z "$SIGINFO" ]; then + SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/([0-9]*).*$/\1/') + fi + if [ $SIGCOUNT -eq 0 ]; then + # No signature; move this .mar file to the -unsigned/ directory. + mv "$marfile" "$UNSIGNED_DIR/" + else + echo "Skipping $marfile (already signed)" + fi +done + +# Use signmar to sign each .mar file that is now in the -unsigned directory. +TMPMAR="$SIGNED_DIR/tmp.mar" +trap "rm -f $TMPMAR" EXIT +cd "$UNSIGNED_DIR" +echo "Starting the signing..." +COUNT=0 +for marfile in *.mar; do + if [ ! -f "$marfile" ]; then + continue; + fi + echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \ + "$marfile" "$TMPMAR" + mv "$TMPMAR" "$SIGNED_DIR/$marfile" + COUNT=$((COUNT + 1)) + echo "Signed MAR file $COUNT" + rm "$marfile" +done + +echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed."
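Review bot: `set -u` is enabled but the versions-file check reads `"$1"` directly, so running the script without an argument aborts with an unbound-variable error before the default `$WRAPPER_DIR/versions` can apply; use `"${1:-}"`. Two more problems in the same file: the second `trap "rm -f $TMPMAR" EXIT` replaces the earlier `trap "rm -rf $MARTOOLS_TMP_DIR" EXIT`, so the extracted mar-tools directory is never removed (combine both into one trap); and the `sed -e 's/([0-9]*).*$/\1/'` in `SIGCOUNT` uses `\1` without a capture group (BRE needs `\([0-9]*\)`), which GNU sed rejects as an invalid back-reference, so the signature count is never parsed. Since the message says this is a verbatim copy of signmars.sh, these fit in the follow-up cleanup commit.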
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit da9a132a75356b76954debbda095369e8490f027 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Feb 14 20:01:38 2022 +0100
Bug 40414: Improve linux-signer-signmars
- automatically change to bundle directory
- allow setting password with an environment variable (useful for tor-browser-build#40476)
- some cleaning
--- tools/signing/linux-signer-signmars | 90 +++++++------------------------------ 1 file changed, 16 insertions(+), 74 deletions(-)
diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars index 269610f..23b400d 100755 --- a/tools/signing/linux-signer-signmars +++ b/tools/signing/linux-signer-signmars @@ -1,37 +1,23 @@ #!/bin/bash # # -# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script. +# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script +# (if you don't want to use the default values).
set -e set -u
-WRAPPER_DIR=$(dirname "$0") -WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR") +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions"
if [ -z "${NSS_DB_DIR+x}" ]; then - NSS_DB_DIR=$WRAPPER_DIR/nssdb + NSS_DB_DIR=/home/gk/marsigning/nssdb7 fi
if [ -z "${NSS_CERTNAME+x}" ]; then NSS_CERTNAME=marsigner fi
-# Incorporate definitions from the versions file. -if [ -z "$1" ]; then - VERSIONS_FILE=$WRAPPER_DIR/versions -else - VERSIONS_FILE=$1 -fi - -if ! [ -e $VERSIONS_FILE ]; then - echo >&2 "Error: $VERSIONS_FILE file does not exist" - exit 1 -fi - -. $VERSIONS_FILE -#eval $(./get-tb-version $TORBROWSER_VERSION_TYPE) - export LC_ALL=C
# Check some prerequisites. @@ -40,27 +26,11 @@ if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then exit 2 fi
-OSNAME="" -ARCH="$(uname -s)-$(uname -m)" -case $ARCH in - Linux-x86_64) - OSNAME="linux64" - ;; - Linux-i*86) - OSNAME="linux32" - ;; - *) - >&2 echo "Unsupported architecture $ARCH" - exit 2 -esac - # Extract the MAR tools so we can use the signmar program. MARTOOLS_TMP_DIR=$(mktemp -d) trap "rm -rf $MARTOOLS_TMP_DIR" EXIT -MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-new-${OSNAME}.zip" -cd $MARTOOLS_TMP_DIR -unzip -q "$MARTOOLS_ZIP" -cd $WRAPPER_DIR +MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip +unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP" export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH" if [ -z "${LD_LIBRARY_PATH+x}" ]; then export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools" @@ -72,25 +42,11 @@ fi # TODO: Test that the entered NSS password is correct. But how? Unfortunately, # both certutil and signmar keep trying to read a new password when they are # given an incorrect one. -read -s -p "NSS password:" NSSPASS +test -n "${NSSPASS:-}" || read -s -p "NSS password:" NSSPASS echo ""
-# Sign each MAR file. -# -# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION -# directory into a TORBROWSER_VERSION-unsigned/ directory. Details: -# If a file has not been signed, we move it to the -unsigned/ directory. -# If a file has already been signed and a file with the same name exists in -# the -unsigned/ directory, we just delete the signed file. -# If a file has already been signed but no corresponding file exists in -# the -unsigned/ directory, we report an error and exit. -# -# Once the above is done, the -unsigned/ directory contains a set of .mar -# files that need to be signed, so we go ahead and sign them one-by-one. -SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION" -UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned" -mkdir -p "$UNSIGNED_DIR" -cd "$SIGNED_DIR" +COUNT=0 +cd ~/"$tbb_version" for marfile in *.mar; do if [ ! -f "$marfile" ]; then continue; @@ -104,30 +60,16 @@ for marfile in *.mar; do if [ ! -z "$SIGINFO" ]; then SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/([0-9]*).*$/\1/') fi - if [ $SIGCOUNT -eq 0 ]; then - # No signature; move this .mar file to the -unsigned/ directory. - mv "$marfile" "$UNSIGNED_DIR/" - else + if [ $SIGCOUNT -ne 0 ]; then echo "Skipping $marfile (already signed)" - fi -done - -# Use signmar to sign each .mar file that is now in the -unsigned directory. -TMPMAR="$SIGNED_DIR/tmp.mar" -trap "rm -f $TMPMAR" EXIT -cd "$UNSIGNED_DIR" -echo "Starting the signing..." -COUNT=0 -for marfile in *.mar; do - if [ ! -f "$marfile" ]; then continue; fi + echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \ - "$marfile" "$TMPMAR" - mv "$TMPMAR" "$SIGNED_DIR/$marfile" + "$marfile" tmp.mar + mv -f tmp.mar "$marfile" COUNT=$((COUNT + 1)) - echo "Signed MAR file $COUNT" - rm "$marfile" + echo "Signed MAR file $COUNT ($marfile)" done
-echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed." +echo "$COUNT MAR files have been signed."
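Review bot: `NSS_DB_DIR=/home/gk/marsigning/nssdb7` and `MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip` hardcode one user's home directory and a 32-bit tools zip in place of the removed arch detection; both belong in `set-config` next to the other signer paths so the script is not tied to a single account. With the `TMPMAR` trap gone and the in-place `mv -f tmp.mar "$marfile"`, a `signmar` failure now leaves a partial `tmp.mar` in `~/$tbb_version`, where the `*.mar` glob on the next run will pick it up; add `rm -f tmp.mar` to the existing EXIT trap. The `sed 's/([0-9]*).*$/\1/'` expression in `SIGCOUNT` still has no BRE capture group and is worth fixing in this cleanup.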
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit d7e5a16f1d9c95c08e9b7ec066f483bbe9a6488c Author: Nicolas Vigier boklm@torproject.org AuthorDate: Fri Feb 18 20:28:04 2022 +0100
Bug 40414: Add tools/signing/create-blog-post --- tools/signing/create-blog-post | 61 ++++++++++++++++++++++++++++++++++++++++++ tools/signing/set-config.blog | 4 +++ 2 files changed, 65 insertions(+)
diff --git a/tools/signing/create-blog-post b/tools/signing/create-blog-post new file mode 100755 index 0000000..5a43ec3 --- /dev/null +++ b/tools/signing/create-blog-post 
@@ -0,0 +1,61 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" +source "$script_dir/set-config.blog" + +var_is_defined blog_publish_user blog_directory + +content_dir="$blog_directory/content/blog" +test -d "$content_dir" || exit_error "$content_dir is not a direcotry" + +blog_dir="$content_dir/new-release-tor-browser-"$(echo $tbb_version | sed 's/.//g') + +test -d "$blog_dir" && exit_error "$blog_dir already exists" + +mkdir "$blog_dir" +echo "Created directory $blog_dir" + +if test "$tbb_version_type" = "release" +then + lead=../../../assets/static/images/blog/tor-browser-11.jpg +else + lead=../../../assets/static/images/blog/tor-browser_0_0.png +fi +ln -s "$lead" "$blog_dir/lead.jpg" +echo "Created $blog_dir/lead.jpg -> $lead" + + +if test "$tbb_version_type" = "release" +then + title="New Release: Tor Browser $tbb_version" + download_page='https://www.torproject.org/download/' +else + title="New Alpha Release: Tor Browser $tbb_version" + download_page='https://www.torproject.org/download/alpha/' +fi + +contents_lr="$blog_dir/contents.lr" +cat > "$contents_lr" << EOF +title: $title +--- +pub_date: $(date +%Y-%m-%d) +--- +author: $blog_publish_user +--- +categories: + +applications +releases +--- +summary: Tor Browser $tbb_version is now available from the Tor Browser download page and also from our distribution directory. +--- +body: +Tor Browser $tbb_version is now available from the [Tor Browser download page]($download_page) and also from our [distribution directory](https://www.torproject.org/dist/torbrowser/$tbb_version/). + +This version includes important [security updates](https://www.mozilla.org/en-US/security/advisories/) to Firefox. + +EOF + +$script_dir/../changelog-format-blog-post >> "$contents_lr" +echo "Created $contents_lr" diff --git a/tools/signing/set-config.blog b/tools/signing/set-config.blog new file mode 100644 index 0000000..4bf320d --- /dev/null 
+++ b/tools/signing/set-config.blog @@ -0,0 +1,4 @@ +# You should uncomment the following 2 lines: + +#blog_directory=/path/to/blog.git +#blog_publish_user=user
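Review bot: `sed 's/.//g'` in the `blog_dir` assignment deletes every character (an unescaped `.` matches any character), so the directory is always `new-release-tor-browser-` with no version appended and the second release ever run aborts with "already exists"; the intent is `sed 's/\.//g'` to strip only the dots. Also "direcotry" in the `exit_error` message, and the alpha branch symlinks a `.png` under the name `lead.jpg`, which a strict image handler may reject.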
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit b3f7612f4cbdd5bbbc44461a32ce56dedd6c7373 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Feb 21 11:53:30 2022 +0100
Bug 40414: Add tools/signing/upload-update_responses-to-staticiforme --- tools/signing/functions | 6 +++ .../upload-update_responses-to-staticiforme | 49 ++++++++++++++++++++++ tools/update/publish_version.sh | 12 ------ 3 files changed, 55 insertions(+), 12 deletions(-)
diff --git a/tools/signing/functions b/tools/signing/functions index f53f6ed..ed7ca8b 100644 --- a/tools/signing/functions +++ b/tools/signing/functions @@ -13,4 +13,10 @@ function var_is_defined { done }
+function check_torbrowser_version_var { + local tbver=$("$script_dir/../../rbm/rbm" showconf tor-browser var/torbrowser_version) + test "$tbver" != "$tbb_version" && exit_error "Wrong tbb_version: $tbver != $tbb_version" + return 0 +} + . "$script_dir/set-config" diff --git a/tools/signing/upload-update_responses-to-staticiforme b/tools/signing/upload-update_responses-to-staticiforme new file mode 100755 index 0000000..755963b --- /dev/null +++ b/tools/signing/upload-update_responses-to-staticiforme 
@@ -0,0 +1,49 @@ +#!/bin/bash +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +check_torbrowser_version_var + +update_responses_tar_filename="update-responses-$tbb_version_type-$tbb_version.tar" +update_responses_tar="$script_dir/../../$tbb_version_type/update-responses/$update_responses_tar_filename" +if test -f "$update_responses_tar" +then + echo "$update_responses_tar_filename already exists: not running 'make update_responses-$tbb_version_type'" +else + echo "Running 'make update_responses-$tbb_version_type'" + pushd "$script_dir/../.." > /dev/null + make update_responses-$tbb_version_type + popd > /dev/null +fi + +update_dir=/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3 +deploy_script=$(mktemp) +trap "rm -Rf $deploy_script" EXIT +cat << EOF > "$deploy_script" +#!/bin/bash +set -e + +tmpdir="$(mktemp -d)" + +trap "rm -Rf $tmpdir" EXIT + +rm -Rf "$update_dir/$tbb_version_type.old" +test -d "$update_dir/$tbb_version_type" && \ + mv -v "$update_dir/$tbb_version_type" "$update_dir/$tbb_version_type.old" + +tar -C "$tmpdir" -xf ~/$update_responses_tar_filename +chmod 775 "$tmpdir"/$tbb_version_type +chmod 664 "$tmpdir"/$tbb_version_type/* "$tmpdir"/$tbb_version_type/.htaccess +chgrp -R torwww "$tmpdir"/$tbb_version_type +mv -v "$tmpdir"/$tbb_version_type "$update_dir/$tbb_version_type" + +static-update-component aus1.torproject.org +EOF + +chmod +x $deploy_script +scp -p "$update_responses_tar" "$ssh_host_staticiforme:" +scp -p $deploy_script $ssh_host_staticiforme:deploy_update_responses-$tbb_version_type.sh + +echo 'To enable updates you can now run:' +echo " ssh $ssh_host_staticiforme ./deploy_update_responses-$tbb_version_type.sh" diff --git a/tools/update/publish_version.sh b/tools/update/publish_version.sh index 25083e3..393701d 100755 --- a/tools/update/publish_version.sh +++ b/tools/update/publish_version.sh 
@@ -14,22 +14,10 @@ if [ -z "${PREV_TORBROWSER_VERSION}" ]; then exit 1 fi
-TORBROWSER_UPDATE_CHANNEL=$3 -if [ -z "${TORBROWSER_UPDATE_CHANNEL}" ]; then - echo "please specify the release channel (release|alpha)" - exit 1 -fi - wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~sysrqb/builds/$%7BTORBROWSER_VERSION%7D" #wget --continue -nH --cut-dirs=2 -r -l 1 "https://people.torproject.org/~gk/builds/$%7BTORBROWSER_VERSION%7D" rm "${TORBROWSER_VERSION}/index.html*"
-# Rename the update responses directory to .old to make it easier to -# revert in case of problem (see the file RollingBackUpdate for more -# details about this) -rm -rf "/srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/${TORBROWSER_UPDATE_CHANNEL}.old" -mv /srv/aus1-master.torproject.org/htdocs/torbrowser/update_3/"${TORBROWSER_UPDATE_CHANNEL}"{,.old} - date mv "${TORBROWSER_VERSION}" /srv/dist-master.torproject.org/htdocs/torbrowser/ cp "/srv/dist-master.torproject.org/htdocs/torbrowser/${PREV_TORBROWSER_VERSION}/.htaccess" "/srv/dist-master.torproject.org/htdocs/torbrowser/${TORBROWSER_VERSION}/"
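Review bot: the deploy-script heredoc uses an unquoted `EOF`, so `tmpdir="$(mktemp -d)"` and `trap "rm -Rf $tmpdir" EXIT` are expanded on the local machine while the script is generated: a temp directory is created locally (and never removed) and its path is baked into the remote script, where it does not exist, so `tar -C "$tmpdir" -xf ~/$update_responses_tar_filename` fails on staticiforme. Escape just those two (`tmpdir="\$(mktemp -d)"`, `trap "rm -Rf \$tmpdir" EXIT`); the remaining `$update_dir`, `$tbb_version_type` and `$update_responses_tar_filename` references do want local expansion. Minor: `scp -p $deploy_script ...` should quote the variable like the line above it.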
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 9adebc482e8ae2a4a0e921e2b4f0b7ef41fce9a7 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Mon Mar 7 13:40:28 2022 +0100
Bug 40414: Add tools/signing/dmg2mar --- tools/signing/dmg2mar | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)
diff --git a/tools/signing/dmg2mar b/tools/signing/dmg2mar new file mode 100755 index 0000000..246809b --- /dev/null +++ b/tools/signing/dmg2mar @@ -0,0 +1,29 @@ +#!/bin/bash + +# This script runs `make dmg2mar-release` or `make dmg2mar-alpha`, after +# moving the signed dmg files from the $tbb_version-macos-signed directory +# to the normal signed directory. +# It should be run after `gatekeeper-bundling.sh`. + +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +cd "$script_dir/../.." + +version=$(./rbm/rbm showconf tor-browser --target alpha --target torbrowser-linux-x86_64 var/torbrowser_version) +test "$version" = "$tbb_version" || \ + exit_error "Incorrect tor browser version: $version != $tbb_version" + +test -d "$macos_signed_dir" || \ + exit_error "$macos_signed_dir does not exist" + +nb_locales=$(echo $bundle_locales | wc -w) +nb_bundles=$(ls -1 "$macos_signed_dir"/TorBrowser-*.dmg | wc -l) +test "$nb_locales" -eq "$nb_bundles" || \ + exit_error "Wrong number of bundles: $nb_locales != $nb_bundles" + +mv -vf "$macos_signed_dir"/TorBrowser-*.dmg "$signed_version_dir"/ + +make dmg2mar-$tbb_version_type
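Review bot: the version check hardcodes `--target alpha`, so for `tbb_version_type=release` it compares `$tbb_version` against whatever the alpha target defines as `torbrowser_version` and aborts (or, if the two coincide, the check proves nothing). Use `--target "$tbb_version_type"`, or call the `check_torbrowser_version_var` helper added to `tools/signing/functions` in the upload-update_responses commit so both scripts validate the version the same way.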
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit a8805ed6cac39e2e97bcb73e4aec7c9e05ab9699 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 16:45:08 2022 +0100
Bug 40414: Rename gatekeeper-signing.sh to macos-signer-gatekeeper-signing --- tools/signing/{gatekeeper-signing.sh => macos-signer-gatekeeper-signing} | 0 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/gatekeeper-signing.sh b/tools/signing/macos-signer-gatekeeper-signing similarity index 100% rename from tools/signing/gatekeeper-signing.sh rename to tools/signing/macos-signer-gatekeeper-signing
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 1d17b75a820b2b7a1dc340f2f053abf4644ef842 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 16:53:43 2022 +0100
Bug 40414: Update stable.entitlements.xml
Update stable.entitlements.xml with the version currently in use on the signing machine. --- tools/signing/stable.entitlements.xml | 3 --- 1 file changed, 3 deletions(-)
diff --git a/tools/signing/stable.entitlements.xml b/tools/signing/stable.entitlements.xml index 3097c05..3062b9d 100644 --- a/tools/signing/stable.entitlements.xml +++ b/tools/signing/stable.entitlements.xml @@ -20,9 +20,6 @@ <!-- Code paged in from disk should match the signature at page in-time --> <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
- <!-- Allow loading third party libraries. Needed for Flash and CDMs --> - <key>com.apple.security.cs.disable-library-validation</key><true/> - <!-- Allow dyld environment variables. Needed because Firefox uses dyld variables to load libaries from within the .app bundle. --> <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
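Review bot: dropping `com.apple.security.cs.disable-library-validation` is a hardening change, not just a sync with the signing machine: with library validation enforced, the hardened runtime only loads dylibs signed by the same Team ID or by Apple, which is exactly what the removed comment says Flash and CDMs needed the exception for. State that in the commit message (and that Flash/CDM loading is no longer required) so a future "update to what the signer uses" does not reintroduce the key as drift; the "libaries" typo in the remaining dyld comment could be fixed in the same pass.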
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit fff6a80765402c239516539c88ea1dc8976cd21d Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 17:10:35 2022 +0100
Bug 40414: Update macos-signer-gatekeeper-signing
Update macos-signer-gatekeeper-signing to the version currently in use. --- tools/signing/macos-signer-gatekeeper-signing | 117 ++++++++++++++++++-------- 1 file changed, 83 insertions(+), 34 deletions(-)
diff --git a/tools/signing/macos-signer-gatekeeper-signing b/tools/signing/macos-signer-gatekeeper-signing index 3f31f82..38e119e 100755 --- a/tools/signing/macos-signer-gatekeeper-signing +++ b/tools/signing/macos-signer-gatekeeper-signing @@ -1,34 +1,4 @@ -#!/bin/bash - -# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +set -x
TORBROWSER_VERSION=$1 if [ -z "$TORBROWSER_VERSION" ]; 
@@ -36,16 +6,95 @@ then echo "Please call this script with a Tor Browser version!" exit 1 fi -ENTITLEMENTS=/path/to/stable.entitlements.xml -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" +ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml +if [ -z "$BUNDLE_LOCALES" ]; +then + BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" +fi + +function check_signature() { + LANG=$1 + TORBROWSER_VERSION=$2 + UNZIP=$3 + local failed_open=0 + local failed_exec=0 + if [ ${UNZIP} -eq 1 ] + then + test -d test_${LANG} && rm -r test_${LANG} + unzip -d test_${LANG} -q tb-${TORBROWSER_VERSION}_$LANG.zip + pushd test_${LANG} + fi + echo "Checking $LANG..." + spctl -vvvv --assess --type open --context context:primary-signature 'Tor Browser.app/' + if [ $? -ne 3 ]; then + echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed open. + failed_open=1 + fi + spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/' + if [ $? -ne 0 ]; then + echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed exec. + failed_exec=1 + fi + if [ ${UNZIP} -eq 1 ] + then + popd + rm -r test_${LANG} + fi + if [ ${failed_open} -ne 0 -o ${failed_exec} -ne 0 ] + then + return 1 + fi +} + for LANG in $BUNDLE_LOCALES do + if [ -f tb-${TORBROWSER_VERSION}_${LANG}.zip ] + then + echo "Deleting tb-${TORBROWSER_VERSION}_${LANG}.zip" + rm tb-${TORBROWSER_VERSION}_${LANG}.zip + fi + if [ -d "Tor Browser.app" ] + then + echo "Deleting Tor Browser.app" + rm -r "Tor Browser.app" + fi + if [ -d '/Volumes/Tor Browser' ]; then + echo "DMG already mounted. Please correct." 
+ exit 1 + fi hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" echo "Signing Tor Browser_$LANG.app" - codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "$ID" "Tor Browser.app/" + codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" + echo "codesign exit code: $?" + check_signature $LANG $TORBROWSER_VERSION 0 + if [ $? -eq 1 ] + then + echo Signature verification failed. + rm -r "Tor Browser.app" + hdiutil detach "/Volumes/Tor Browser" + exit 1 + fi echo "Zipping up" zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" rm -rf "Tor Browser.app" hdiutil detach "/Volumes/Tor Browser" + check_signature $LANG $TORBROWSER_VERSION 1 + if [ $? -eq 1 ] + then + echo Signature verification failed. + rm -r "Tor Browser.app" + fi done +#for LANG in $BUNDLE_LOCALES +#do +# hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg +# cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" +# echo "Signing Tor Browser_$LANG.app" +# codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" +# #codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp=none -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" +# echo "Zipping up" +# zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" +# rm -rf "Tor Browser.app" +# hdiutil detach "/Volumes/Tor Browser" +#done
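Review bot: the first hunk replaces the `#!/bin/bash` header with `set -x`, so the file now has no shebang at all and only runs under whatever shell the caller picks; keep the shebang and put `set -x` below it (or drop the tracing, which echoes every command, once the script is stable). `ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml` is also hardcoded to the alpha entitlements in what is the stable signing script. In the loop, when the post-zip `check_signature $LANG $TORBROWSER_VERSION 1` fails the script only echoes and removes `Tor Browser.app`: the bad `tb-*.zip` stays and the loop continues with status 0, so the failure is never propagated; `exit 1` there as the first check does. A one-line comment on why `spctl --assess --type open` is expected to return 3 would help the next reader, and the commented-out copy of the old loop at the end should be deleted rather than kept.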
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit a20376ccd729c6ba777a57c5b6d28f100b925e81 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 17:29:23 2022 +0100
Bug 40414: Improve macos-signer-gatekeeper-signing
- get tbb_version and BUNDLE_LOCALES from config
- automatically change to ~/$tbb_version directory
- unlock keychain
- use entitlements.xml from script directory
- allow setting password with an environment variable (useful for tor-browser-build#40476)
- cleanups
--- tools/signing/macos-signer-gatekeeper-signing | 76 +++++++++++----------- ...e.entitlements.xml => release.entitlements.xml} | 0 2 files changed, 37 insertions(+), 39 deletions(-)
diff --git a/tools/signing/macos-signer-gatekeeper-signing b/tools/signing/macos-signer-gatekeeper-signing index 38e119e..9df621f 100755 --- a/tools/signing/macos-signer-gatekeeper-signing +++ b/tools/signing/macos-signer-gatekeeper-signing @@ -1,38 +1,31 @@ -set -x +#!/bin/bash +set -e
-TORBROWSER_VERSION=$1 -if [ -z "$TORBROWSER_VERSION" ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi -ENTITLEMENTS=/Users/torbrowser/signing/alpha.entitlements.xml -if [ -z "$BUNDLE_LOCALES" ]; -then - BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" -fi +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
function check_signature() { LANG=$1 - TORBROWSER_VERSION=$2 - UNZIP=$3 + UNZIP=$2 local failed_open=0 local failed_exec=0 if [ ${UNZIP} -eq 1 ] then test -d test_${LANG} && rm -r test_${LANG} - unzip -d test_${LANG} -q tb-${TORBROWSER_VERSION}_$LANG.zip + unzip -d test_${LANG} -q tb-${tbb_version}_$LANG.zip pushd test_${LANG} fi echo "Checking $LANG..." spctl -vvvv --assess --type open --context context:primary-signature 'Tor Browser.app/' if [ $? -ne 3 ]; then - echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed open. + echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open. failed_open=1 fi spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/' if [ $? -ne 0 ]; then - echo tb-${TORBROWSER_VERSION}_$LANG.zip not signed correctly. Failed exec. + echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec. failed_exec=1 fi if [ ${UNZIP} -eq 1 ] @@ -46,12 +39,24 @@ function check_signature() { fi }
-for LANG in $BUNDLE_LOCALES +cd ~/${tbb_version} + +if test -n "$KEYCHAIN_PW" +then + KPW="-p $KEYCHAIN_PW" +fi + +security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-alpha.keychain +security unlock $KPW /Users/torbrowser/Library/Keychains/tbb-signing-2021.keychain + +unset KPW KEYCHAIN_PW + +for LANG in $bundle_locales do - if [ -f tb-${TORBROWSER_VERSION}_${LANG}.zip ] + if [ -f tb-${tbb_version}_${LANG}.zip ] then - echo "Deleting tb-${TORBROWSER_VERSION}_${LANG}.zip" - rm tb-${TORBROWSER_VERSION}_${LANG}.zip + echo "Deleting tb-${tbb_version}_${LANG}.zip" + rm tb-${tbb_version}_${LANG}.zip fi if [ -d "Tor Browser.app" ] then @@ -62,12 +67,13 @@ do echo "DMG already mounted. Please correct." exit 1 fi - hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg + hdiutil attach TorBrowser-${tbb_version}-osx64_$LANG.dmg cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" echo "Signing Tor Browser_$LANG.app" codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" echo "codesign exit code: $?" - check_signature $LANG $TORBROWSER_VERSION 0 + set +e + check_signature $LANG 0 if [ $? -eq 1 ] then echo Signature verification failed. 
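Review bot: the keychain unlock passes the password on the command line (`KPW="-p $KEYCHAIN_PW"`, then `security unlock $KPW ...`), so for the lifetime of each `security` call it is visible in the process list to every other process on the signing host, and the later `unset KPW KEYCHAIN_PW` does not undo that exposure. `$KPW` is also unquoted, so a password containing whitespace is split into several arguments. Since `security unlock-keychain` prompts for the password when `-p` is omitted, consider letting it prompt by default and keeping the `KEYCHAIN_PW` path only as an explicit opt-in for the automated case; in either case quote the expansion. In the third hunk, `echo "codesign exit code: $?"` is misleading: `set -e` is still in effect at that point, so a failing `codesign` aborts the script before the echo runs, and the line can go.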
@@ -75,26 +81,18 @@ do hdiutil detach "/Volumes/Tor Browser" exit 1 fi - echo "Zipping up" - zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" + set -e + echo "Zipping up tb-${tbb_version}_${LANG}.zip" + zip -qr tb-${tbb_version}_${LANG}.zip "Tor Browser.app" rm -rf "Tor Browser.app" hdiutil detach "/Volumes/Tor Browser" - check_signature $LANG $TORBROWSER_VERSION 1 + set +e + check_signature $LANG 1 if [ $? -eq 1 ] then - echo Signature verification failed. + echo Signature verification failed ($LANG). rm -r "Tor Browser.app" + exit 1 fi + set -e done -#for LANG in $BUNDLE_LOCALES -#do -# hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg -# cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app" -# echo "Signing Tor Browser_$LANG.app" -# codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" -# #codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp=none -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/" -# echo "Zipping up" -# zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app" -# rm -rf "Tor Browser.app" -# hdiutil detach "/Volumes/Tor Browser" -#done diff --git a/tools/signing/stable.entitlements.xml b/tools/signing/release.entitlements.xml similarity index 100% rename from tools/signing/stable.entitlements.xml rename to tools/signing/release.entitlements.xml
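Review bot: `echo Signature verification failed ($LANG).` in this hunk is a bash syntax error, because an unquoted `(` in a simple command is rejected at parse time (`syntax error near unexpected token '('`); bash parses the whole `for ... done` compound command before executing it, so the entire signing loop fails to run, after both keychains have already been unlocked. Quote the message: `echo "Signature verification failed ($LANG)."`. The `rm -r "Tor Browser.app"` in the same branch targets a directory that the preceding `rm -rf "Tor Browser.app"` already removed; what a failed post-zip check leaves behind is `test_${LANG}`, if `check_signature` does not remove it itself. The added `exit 1` is the right fix for the previous silent continue, and the `set +e` / `set -e` bracketing around each `check_signature` call makes the `$?` test work under `set -e` as intended.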
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 2b8d923de784254fabe32b802a3e04401c500962 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:05:22 2022 +0100
Bug 40414: Rename notarization.sh to macos-signer-notarization
---
 tools/signing/{notarization.sh => macos-signer-notarization} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/notarization.sh b/tools/signing/macos-signer-notarization similarity index 100% rename from tools/signing/notarization.sh rename to tools/signing/macos-signer-notarization
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 8d120f9e48d5c27aea863c333ee30751d9b9eccf Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:12:49 2022 +0100
Bug 40414: Update macos-signer-notarization
Update macos-signer-notarization to the version currently in use.
---
 tools/signing/macos-signer-notarization | 58 ++++++++++++++-------------
 1 file changed, 24 insertions(+), 34 deletions(-)
diff --git a/tools/signing/macos-signer-notarization b/tools/signing/macos-signer-notarization index eb29e74..239d6fe 100755 --- a/tools/signing/macos-signer-notarization +++ b/tools/signing/macos-signer-notarization @@ -1,50 +1,40 @@ -#!/bin/bash - -# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +set -e +set -x
+ALTOOL=~/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework/Versions/A/Support/altool TORBROWSER_VERSION=$1 if [ -z "$TORBROWSER_VERSION" ]; then echo "Please call this script with a Tor Browser version!" exit 1 fi -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" +if [ -z "${PW}" ]; then + stty -echo; read PW; stty echo; export PW +fi +if [ -z "$BUNDLE_LOCALES" ]; +then + BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" +fi for LANG in $BUNDLE_LOCALES do + if test -d ${LANG}; then + mv ${LANG}/tb-${TORBROWSER_VERSION}_$LANG.zip ./ + rm -r ${LANG}/ + fi mkdir $LANG cd $LANG mv ../tb-${TORBROWSER_VERSION}_$LANG.zip . unzip -q tb-${TORBROWSER_VERSION}_$LANG.zip echo "Notarizing $LANG..." - xcrun altool --notarize-app -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip - --primary-bundle-id org.torproject.torbrowser -u USERNAME -p @env:PW --output-format xml + #xcrun altool --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 + $ALTOOL --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 + + request_uuid=`grep -A1 RequestUUID tb-${TORBROWSER_VERSION}_$LANG.zip.log | grep -o '[0-9a-f]+[0-9a-f-]+'` + if [ -z "${request_uuid}" ]; then + echo "Request UUID not present. Notarization failed" + exit 1 + fi + echo ${request_uuid} > tb-${TORBROWSER_VERSION}_$LANG.zip.uuid + cd .. done
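Review bot: this hunk drops the `#!/bin/bash` line together with the licence header, so the mode-755 file now begins with `set -e` and which interpreter runs it depends on the caller (bash re-executes such a file itself, other shells fall back to `/bin/sh`); keep the shebang. In the `altool` line, `2>&1` is attached to `tee`, not to `$ALTOOL`, so altool's stderr never reaches the log file (write `$ALTOOL ... 2>&1 | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log`), and because a pipeline's status is that of `tee`, `set -e` does not see an altool failure; add `set -o pipefail` or test `${PIPESTATUS[0]}` instead of relying only on the missing-UUID check. The extraction `grep -o '[0-9a-f]+[0-9a-f-]+'` uses `+` inside a basic regular expression, where it is not a quantifier on GNU grep; `grep -oE` makes the pattern mean the same on every grep. The password prompt `stty -echo; read PW; stty echo` prints no prompt text and, under `set -e`, leaves the terminal with echo disabled if `read` hits end of file; `read -rs PW` handles both.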
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 80cb85943f9d3e796df509dd37e726546063cf88 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:21:25 2022 +0100
Bug 40414: Improve macos-signer-notarization
- get tbb_version, bundle_locales and macos_notarization_user from config
- automatically change to ~/$tbb_version directory
- add text to ask for notarization password
- cleanup
---
 tools/signing/macos-signer-notarization | 42 ++++++++++++++++-------------
 tools/signing/set-config.macos-notarization | 5 ++++
 2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/tools/signing/macos-signer-notarization b/tools/signing/macos-signer-notarization index 239d6fe..f242a71 100755 --- a/tools/signing/macos-signer-notarization +++ b/tools/signing/macos-signer-notarization @@ -1,40 +1,44 @@ +#!/bin/bash set -e -set -x + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" +source "$script_dir/set-config.macos-notarization"
ALTOOL=~/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework/Versions/A/Support/altool -TORBROWSER_VERSION=$1 -if [ -z "$TORBROWSER_VERSION" ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi + +cd ~/${tbb_version} + if [ -z "${PW}" ]; then + echo "Please enter notarization password:" stty -echo; read PW; stty echo; export PW fi -if [ -z "$BUNDLE_LOCALES" ]; -then - BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" -fi -for LANG in $BUNDLE_LOCALES + +for LANG in $bundle_locales do + if test -f ${LANG}/tb-${tbb_version}_$LANG.zip.uuid + then + echo "Skipping ${LANG}/tb-${tbb_version}_$LANG.zip" + continue; + fi if test -d ${LANG}; then - mv ${LANG}/tb-${TORBROWSER_VERSION}_$LANG.zip ./ + mv ${LANG}/tb-${tbb_version}_$LANG.zip ./ rm -r ${LANG}/ fi mkdir $LANG cd $LANG - mv ../tb-${TORBROWSER_VERSION}_$LANG.zip . - unzip -q tb-${TORBROWSER_VERSION}_$LANG.zip + mv ../tb-${tbb_version}_$LANG.zip . + unzip -q tb-${tbb_version}_$LANG.zip echo "Notarizing $LANG..." - #xcrun altool --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 - $ALTOOL --notarize-app --verbose -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u boklm@torproject.org -p @env:PW --output-format xml | tee tb-${TORBROWSER_VERSION}_$LANG.zip.log 2>&1 + $ALTOOL --notarize-app --verbose -t osx -f tb-${tbb_version}_$LANG.zip --primary-bundle-id org.torproject.torbrowser -u "$macos_notarization_user" -p @env:PW --output-format xml | tee tb-${tbb_version}_$LANG.zip.log 2>&1
- request_uuid=`grep -A1 RequestUUID tb-${TORBROWSER_VERSION}_$LANG.zip.log | grep -o '[0-9a-f]+[0-9a-f-]+'` + request_uuid=`grep -A1 RequestUUID tb-${tbb_version}_$LANG.zip.log | grep -o '[0-9a-f]+[0-9a-f-]+'` if [ -z "${request_uuid}" ]; then echo "Request UUID not present. Notarization failed" exit 1 fi - echo ${request_uuid} > tb-${TORBROWSER_VERSION}_$LANG.zip.uuid + echo ${request_uuid} > tb-${tbb_version}_$LANG.zip.uuid + echo "Notarization done for $LANG."
cd .. done diff --git a/tools/signing/set-config.macos-notarization b/tools/signing/set-config.macos-notarization new file mode 100644 index 0000000..5d97a9b --- /dev/null +++ b/tools/signing/set-config.macos-notarization @@ -0,0 +1,5 @@ +# The following line should be uncommented and updated: + +#macos_notarization_user='user@email' + +var_is_defined macos_notarization_user
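Review bot: the `altool` line still has `2>&1` on the `tee` side of the pipe, so altool's stderr is not captured, and the pipeline's exit status is `tee`'s, so the new `set -e` will not stop on an altool failure; `$ALTOOL ... 2>&1 | tee tb-${tbb_version}_$LANG.zip.log` together with `set -o pipefail` fixes both. The resume check `test -f ${LANG}/tb-${tbb_version}_$LANG.zip.uuid` only shows that a request was submitted, not that it succeeded, which is fine as long as nothing downstream reads the presence of the `.uuid` file as "notarized". `read -rs PW` would replace the `stty -echo; read PW; stty echo` triplet and restore the terminal even when `read` fails under `set -e`. The `grep -o '[0-9a-f]+[0-9a-f-]+'` pattern still depends on `+` being a quantifier in a basic regex; `grep -oE` is unambiguous. In set-config.macos-notarization, a one-line comment saying that `macos_notarization_user` is the Apple ID passed to `altool -u` would help whoever fills it in.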
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit cbc10003405b2841bfcbd76c9cf643438da16f2f Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:35:18 2022 +0100
Bug 40414: Rename stapler.sh to macos-signer-stapler
---
 tools/signing/{stapler.sh => macos-signer-stapler} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/stapler.sh b/tools/signing/macos-signer-stapler similarity index 100% rename from tools/signing/stapler.sh rename to tools/signing/macos-signer-stapler
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit bfdcad19d76de12bbb2dad5de0bc002bc7e629dd Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:37:13 2022 +0100
Bug 40414: Update macos-signer-stapler
Update macos-signer-stapler to the version currently in use.
---
 tools/signing/macos-signer-stapler | 40 ++++++--------------------------------
 1 file changed, 6 insertions(+), 34 deletions(-)
diff --git a/tools/signing/macos-signer-stapler b/tools/signing/macos-signer-stapler index cdbb466..d82c485 100755 --- a/tools/signing/macos-signer-stapler +++ b/tools/signing/macos-signer-stapler 
@@ -1,47 +1,19 @@ -#!/bin/bash - -# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - +STAPLER=/Users/torbrowser/Xcode.app/Contents//Developer/usr/bin/stapler TORBROWSER_VERSION=$1 if [ -z "$TORBROWSER_VERSION" ]; then echo "Please call this script with a Tor Browser version!" 
exit 1 fi -BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW" +if [ -z "$BUNDLE_LOCALES" ]; +then + BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" +fi for LANG in $BUNDLE_LOCALES do echo "Stapling $LANG..." cd $LANG - xcrun stapler staple Tor\ Browser.app + $STAPLER staple Tor\ Browser.app zip -qr ../tb-${TORBROWSER_VERSION}_$LANG-stapled.zip Tor\ Browser.app cd .. done
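Review bot: this hunk removes the `#!/bin/bash` line along with the licence text, so the script now starts with `STAPLER=...` and the interpreter depends on how the file is invoked; restore the shebang. There is also no `set -e`, so a failed `cd $LANG` or `$STAPLER staple` does not stop the loop: a locale whose ticket failed to staple is still zipped as `tb-${TORBROWSER_VERSION}_$LANG-stapled.zip`, and after a failed `cd` the following `cd ..` moves one level too far for the remaining iterations. Running `$STAPLER validate Tor\ Browser.app` after `staple` would confirm the ticket is attached before the bundle is zipped.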
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 0f9db0e5e9030c8def5c2db8ed6fa8d2dfb9929f Author: Nicolas Vigier boklm@torproject.org AuthorDate: Wed Mar 16 19:42:12 2022 +0100
Bug 40414: Improve macos-signer-stapler
- get tbb_version, and bundle_locales from config
- automatically change to ~/$tbb_version directory
---
 tools/signing/macos-signer-stapler | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/tools/signing/macos-signer-stapler b/tools/signing/macos-signer-stapler index d82c485..e7ed1f7 100755 --- a/tools/signing/macos-signer-stapler +++ b/tools/signing/macos-signer-stapler @@ -1,19 +1,18 @@ +#!/bin/bash +set -e + +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + STAPLER=/Users/torbrowser/Xcode.app/Contents//Developer/usr/bin/stapler -TORBROWSER_VERSION=$1 -if [ -z "$TORBROWSER_VERSION" ]; -then - echo "Please call this script with a Tor Browser version!" - exit 1 -fi -if [ -z "$BUNDLE_LOCALES" ]; -then - BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko lt mk ms my nb-NO nl pl pt-BR ro ru sv-SE th tr vi zh-CN zh-TW" -fi -for LANG in $BUNDLE_LOCALES + +cd ~/${tbb_version} + +for LANG in $bundle_locales do echo "Stapling $LANG..." cd $LANG $STAPLER staple Tor\ Browser.app - zip -qr ../tb-${TORBROWSER_VERSION}_$LANG-stapled.zip Tor\ Browser.app + zip -qr ../tb-${tbb_version}_$LANG-stapled.zip Tor\ Browser.app cd .. done
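Review bot: with `set -e` now in place a failed `cd` or `staple` aborts the run, which is the right behaviour. One gap remains: `zip -qr ../tb-${tbb_version}_$LANG-stapled.zip` updates an existing archive rather than replacing it, so a stale `-stapled.zip` from an earlier attempt would be merged with the new content; delete it before zipping, as macos-signer-gatekeeper-signing does for its own zips. The `Contents//Developer` double slash in `STAPLER` is harmless but worth tidying.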
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 3daf04d4dfe91c389cc5373ebefbf046415f56e8 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Mar 22 18:50:12 2022 +0100
Bug 40414: Rename tbb-signing.sh to linux-signer-gpg-sign
---
 tools/signing/{tbb-signing.sh => linux-signer-gpg-sign} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tools/signing/tbb-signing.sh b/tools/signing/linux-signer-gpg-sign similarity index 100% rename from tools/signing/tbb-signing.sh rename to tools/signing/linux-signer-gpg-sign
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit d59c22b2a785eb73020baf1c03ed716c6ca8724b Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Mar 22 18:57:00 2022 +0100
Bug 40414: Update linux-signer-gpg-sign
Update linux-signer-gpg-sign to the version currently in use.
---
 tools/signing/linux-signer-gpg-sign | 42 ++++++++----------------------------
 1 file changed, 9 insertions(+), 33 deletions(-)
diff --git a/tools/signing/linux-signer-gpg-sign b/tools/signing/linux-signer-gpg-sign index 42ea235..723599b 100755 --- a/tools/signing/linux-signer-gpg-sign +++ b/tools/signing/linux-signer-gpg-sign @@ -1,38 +1,14 @@ #!/bin/bash
-# Copyright (c) 2019, The Tor Project, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: - -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following disclaimer -# in the documentation and/or other materials provided with the -# distribution. -# -# * Neither the names of the copyright owners nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -export GNUPGHOME=/path/to/gpg-key read -sp "Enter passphrase: " pass -for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk"` +for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort` do - echo "$pass" | gpg -absu $key! 
--passphrase-fd 0 $i + if test -f "$i.asc" + then + echo "Removing $i.asc" + rm -f "$i.asc" + fi + echo "Signing $i" + echo "$pass" | gpg -absu 0xe53d989a9e2d47bf! --passphrase-fd 0 $i + test $? || echo "Signing $i failed" done
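Review bot: `test $? || echo "Signing $i failed"` can never report anything: `test` with a single non-empty argument (`0`, `2`, ...) is always true, so the `||` branch is unreachable. Use `if [ $? -ne 0 ]; then ...; fi`, or `set -e`, which works here because gpg is the last command in the pipeline and so determines its status. Pinning the signing subkey with the literal `0xe53d989a9e2d47bf!` in place of `$key!` is an improvement, but removing `export GNUPGHOME=...` means the script now signs with whatever keyring the calling user's environment points at, which should be stated in a comment. On GnuPG 2.1 and later `--passphrase-fd 0` is only honoured together with `--pinentry-mode loopback` (or loopback enabled in gpg-agent.conf); if the signer runs that version the passphrase request goes to pinentry instead. The loop `for i in $(find ...)` splits on whitespace; `find ... -print0 | while IFS= read -r -d '' i` with `"$i"` quoted is the safe form.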
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit 220006dfc9016d3eb38bf811d5713affebebdc87 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Mar 22 18:59:35 2022 +0100
Bug 40414: Improve linux-signer-gpg-sign
- Automatically change to ~/$tbb_version directory
- allow setting password with an environment variable (useful for tor-browser-build#40476)
---
 tools/signing/linux-signer-gpg-sign | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/signing/linux-signer-gpg-sign b/tools/signing/linux-signer-gpg-sign index 723599b..35058df 100755 --- a/tools/signing/linux-signer-gpg-sign +++ b/tools/signing/linux-signer-gpg-sign @@ -1,6 +1,12 @@ #!/bin/bash +set -e
-read -sp "Enter passphrase: " pass +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +cd ~/"$tbb_version" + +test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort` do if test -f "$i.asc" @@ -9,6 +15,5 @@ do rm -f "$i.asc" fi echo "Signing $i" - echo "$pass" | gpg -absu 0xe53d989a9e2d47bf! --passphrase-fd 0 $i - test $? || echo "Signing $i failed" + echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --passphrase-fd 0 $i done
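Review bot: `set -e` now makes a gpg failure fatal (gpg is the last command in the pipeline, so its status is the pipeline's), which correctly replaces the broken `test $?` check that is removed here. Two points remain. The `for i in $(find ...)` loop still word-splits on filenames, and `$i` is passed to gpg unquoted, so a name containing whitespace becomes several arguments; `find ... -print0 | while IFS= read -r -d '' i` with `"$i"` fixes that. When `GPG_PASS` comes from the environment it is inherited by every child process started during the run (`find`, `sort`, `gpg`), so `unset GPG_PASS` once the loop is done, as the gatekeeper script does with `KEYCHAIN_PW`. Also, `read -sp` prints no newline after the hidden input, so the first `Removing`/`Signing` line lands on the prompt line; an `echo` after the `read` fixes the output.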
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit c955e9facc13ae27b3ba7f05e8f11a1ffc907118 Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Apr 5 10:23:41 2022 +0200
Bug 40414: Update nssdb7 path in linux-signer-signmars
---
 tools/signing/linux-signer-signmars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars index 23b400d..97678dd 100755 --- a/tools/signing/linux-signer-signmars +++ b/tools/signing/linux-signer-signmars @@ -11,7 +11,7 @@ script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) source "$script_dir/functions"
if [ -z "${NSS_DB_DIR+x}" ]; then - NSS_DB_DIR=/home/gk/marsigning/nssdb7 + NSS_DB_DIR=/home/boklm/marsigning/nssdb7 fi
if [ -z "${NSS_CERTNAME+x}" ]; then
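Review bot: the default `NSS_DB_DIR` is still a hard-coded path under one person's home directory, just a different person's, so anyone else running the script has to know to override it. The other scripts in this series read per-deployment values from `set-config.*` files guarded by `var_is_defined`; the NSS database location (and `NSS_CERTNAME`, which gets the same treatment just below) belongs there too, with the `${NSS_DB_DIR+x}` test kept as an environment override.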
boklm pushed a commit to branch master in repository builders/tor-browser-build.
commit da516e6bff8f1716ca07d2ac9acebd6922437aef Author: Nicolas Vigier boklm@torproject.org AuthorDate: Tue Apr 19 12:11:19 2022 +0200
Bug 40414: Add finished-signing-clean-*
---
 tools/signing/finished-signing-clean-linux-signer | 14 ++++++++++++++
 tools/signing/finished-signing-clean-macos-signer | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/tools/signing/finished-signing-clean-linux-signer b/tools/signing/finished-signing-clean-linux-signer new file mode 100755 index 0000000..154babd --- /dev/null +++ b/tools/signing/finished-signing-clean-linux-signer @@ -0,0 +1,14 @@ +#!/bin/bash + +# Remove current tbb version from linux-signer. You should run this +# when all signing has been done. + +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_linux_signer tbb_version + +ssh "$ssh_host_linux_signer" 'bash -s' << EOF + test -n "$tbb_version" && rm -Rfv ~/"$tbb_version" +EOF diff --git a/tools/signing/finished-signing-clean-macos-signer b/tools/signing/finished-signing-clean-macos-signer new file mode 100755 index 0000000..d44d779 --- /dev/null +++ b/tools/signing/finished-signing-clean-macos-signer @@ -0,0 +1,14 @@ +#!/bin/bash + +# Remove current tbb version from macos-signer. You should run this +# when all signing has been done. + +set -e +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source "$script_dir/functions" + +var_is_defined ssh_host_macos_signer tbb_version + +ssh "$ssh_host_macos_signer" 'bash -s' << EOF + test -n "$tbb_version" && rm -Rfv ~/"$tbb_version" +EOF
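Review bot: in both new scripts the heredoc delimiter is unquoted, so `$tbb_version` is expanded locally and its value is spliced into an `rm -Rfv` command that runs on the remote signer. `var_is_defined` guarantees it is set but not that it is a plain version string, so a value containing `..`, slashes or shell metacharacters (from a mistyped or tampered config) would be removed or interpreted on the remote side. Validate the format before the `ssh` call (for example `[[ $tbb_version =~ ^[0-9A-Za-z.]+$ ]] || exit 1`) or pass the value through `printf %q`. The remote `test -n "$tbb_version"` tests a literal after local expansion, so it is redundant with `var_is_defined`, but it is harmless as a second guard against an empty value.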
tor-commits@lists.torproject.org