[tbb-commits] [Git][tpo/applications/tor-browser-build][main] 5 commits: Bug 40851: Integrate android apk signing in do-all-signing
richard (@richard)
git at gitlab.torproject.org
Mon Jun 12 20:18:04 UTC 2023
richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
143097f5 by Nicolas Vigier at 2023-06-12T16:49:23+02:00
Bug 40851: Integrate android apk signing in do-all-signing
- - - - -
9281ddbf by Nicolas Vigier at 2023-06-12T16:49:25+02:00
Bug 40875: Update Windows signing config
- - - - -
d511d4ac by Nicolas Vigier at 2023-06-12T16:49:27+02:00
Bug 40875: Re-enable Windows code signing in do-all-signing
- - - - -
867cd64c by Nicolas Vigier at 2023-06-12T16:49:29+02:00
Bug 40877: Update osslsigncode to more recent version
- - - - -
8213c52c by Nicolas Vigier at 2023-06-12T16:49:30+02:00
Bug 40878: Fix default permission on gpg signature files
- - - - -
20 changed files:
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
- projects/android-toolchain/config
- − projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
- projects/osslsigncode/build
- projects/osslsigncode/config
- − projects/osslsigncode/timestamping.patch
- − tools/signing/android-signing.mullvadbrowser
- − tools/signing/android-signing.torbrowser
- tools/signing/authenticode-timestamping.sh
- tools/signing/do-all-signing
- tools/signing/linux-signer-gpg-sign
- + tools/signing/linux-signer-sign-android-apks
- + tools/signing/linux-signer-sign-android-apks.torbrowser
- tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/sudoers.d/sign-apk
- tools/signing/machines-setup/upload-tbb-to-signing-machine
- − tools/signing/set-config.android-signing
- tools/signing/android-signing → tools/signing/wrappers/sign-apk
- tools/signing/wrappers/sign-exe
Changes:
=====================================
.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
=====================================
@@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
- [ ] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.torbrowser`
=====================================
.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
=====================================
@@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
- `cd tor-browser-build/tools/signing/`
- `./macos-signer-proxy`
- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
- [ ] run do-all-signing script:
- `cd tor-browser-build/tools/signing/`
- `./do-all-signing.sh`
=====================================
projects/android-toolchain/config
=====================================
@@ -95,9 +95,8 @@ steps:
#!/bin/bash
set -e
mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
- var:
- container:
- use_container: 0
+ container:
+ use_container: 0
input_files:
- URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
name: build_tools
=====================================
projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch deleted
=====================================
@@ -1,324 +0,0 @@
-From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger at gmx.de>
-Date: Sun, 12 Mar 2017 23:00:12 +0100
-Subject: [PATCH] Make code work with OpenSSL 1.1.
-
-Changes in consist of:
-- Use EVP_MD_CTX_new/free API instead of on-stack allocation
-- Remove some M_ prefixes like for ASN1_IA5STRING_new
-- Remove pagehash functionality because it is useless to me and
- fixing it would be a pain. Would require declaring a few
- ASN_SEQUENCES and use that to get the required i2d functions
- from what I could find out.
-- Remove OBJ_create calls that seem to serve no purpose,
- now crash because NULL pointers are no longer handled
- (who changes API that way?!) and even if that was fixed
- lead to errors when these objects are later created
- again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think,
- did not investigate further).
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 2978c02..3797458 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
- if (desc) {
- info->programName = SpcString_new();
- info->programName->type = 1;
-- info->programName->value.ascii = M_ASN1_IA5STRING_new();
-- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
-+ info->programName->value.ascii = ASN1_IA5STRING_new();
-+ ASN1_STRING_set(info->programName->value.ascii,
- (const unsigned char*)desc, strlen(desc));
- }
-
- if (url) {
- info->moreInfo = SpcLink_new();
- info->moreInfo->type = 0;
-- info->moreInfo->value.url = M_ASN1_IA5STRING_new();
-- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
-+ info->moreInfo->value.url = ASN1_IA5STRING_new();
-+ ASN1_STRING_set(info->moreInfo->value.url,
- (const unsigned char*)url, strlen(url));
- }
-
-@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
-
- if (rfc3161) {
- unsigned char mdbuf[EVP_MAX_MD_SIZE];
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
-+ EVP_MD_CTX_free(mdctx);
-+ mdctx = NULL;
-
- TimeStampReq *req = TimeStampReq_new();
- ASN1_INTEGER_set(req->version, 1);
- req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
- req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new();
- req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL;
-- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
-+ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
- req->certReq = (void*)0x1;
-
- len = i2d_TimeStampReq(req, NULL);
-@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = {
- 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
- };
-
--static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus,
-- unsigned int sigpos, int phtype, unsigned int *phlen);
--
--DECLARE_STACK_OF(ASN1_OCTET_STRING)
--#ifndef sk_ASN1_OCTET_STRING_new_null
--#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING)
--#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st))
--#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val))
--#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
--#endif
--
--DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue)
--#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null
--#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue)
--#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st))
--#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val))
--#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
--#endif
--
--static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos)
--{
-- unsigned int phlen;
-- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
-- if (!ph) {
-- fprintf(stderr, "Failed to calculate page hash\n");
-- exit(-1);
-- }
--
-- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new();
-- M_ASN1_OCTET_STRING_set(ostr, ph, phlen);
-- free(ph);
--
-- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null();
-- sk_ASN1_OCTET_STRING_push(oset, ostr);
-- unsigned char *p, *tmp;
-- unsigned int l;
-- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- tmp = p = OPENSSL_malloc(l);
-- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- ASN1_OCTET_STRING_free(ostr);
-- sk_ASN1_OCTET_STRING_free(oset);
--
-- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new();
-- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1);
-- aval->value = ASN1_TYPE_new();
-- aval->value->type = V_ASN1_SET;
-- aval->value->value.set = ASN1_STRING_new();
-- ASN1_STRING_set(aval->value->value.set, p, l);
-- OPENSSL_free(p);
--
-- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null();
-- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval);
-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- tmp = p = OPENSSL_malloc(l);
-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue,
-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-- sk_SpcAttributeTypeAndOptionalValue_free(aset);
-- SpcAttributeTypeAndOptionalValue_free(aval);
--
-- SpcSerializedObject *so = SpcSerializedObject_new();
-- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash));
-- M_ASN1_OCTET_STRING_set(so->serializedData, p, l);
-- OPENSSL_free(p);
--
-- SpcLink *link = SpcLink_new();
-- link->type = 1;
-- link->value.moniker = so;
-- return link;
--}
--
- static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type,
-- int pagehash, char *indata, unsigned int peheader, int pe32plus,
-+ char *indata, unsigned int peheader, int pe32plus,
- unsigned int sigpos)
- {
- static const unsigned char msistr[] = {
-@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- } else if (type == FILE_TYPE_PE) {
- SpcPeImageData *pid = SpcPeImageData_new();
- ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0);
-- if (pagehash) {
-- int phtype = NID_sha1;
-- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1()))
-- phtype = NID_sha256;
-- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos);
-- } else {
-- pid->file = get_obsolete_link();
-- }
-+ pid->file = get_obsolete_link();
- l = i2d_SpcPeImageData(pid, NULL);
- p = OPENSSL_malloc(l);
- i2d_SpcPeImageData(pid, &p);
-@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- ASN1_INTEGER_set(si->d, 0);
- ASN1_INTEGER_set(si->e, 0);
- ASN1_INTEGER_set(si->f, 0);
-- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
-+ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
- l = i2d_SpcSipInfo(si, NULL);
- p = OPENSSL_malloc(l);
- i2d_SpcSipInfo(si, &p);
-@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- hashlen = EVP_MD_size(md);
- hash = OPENSSL_malloc(hashlen);
- memset(hash, 0, hashlen);
-- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
-+ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
- OPENSSL_free(hash);
-
- *len = i2d_SpcIndirectDataContent(idc, NULL);
-@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- unsigned int peheader, int pe32plus, unsigned int fileend)
- {
- static unsigned char bfb[16*1024*1024];
-- EVP_MD_CTX mdctx;
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-+ EVP_DigestInit(mdctx, md);
-
- memset(mdbuf, 0, EVP_MAX_MD_SIZE);
-
- (void)BIO_seek(bio, 0);
- BIO_read(bio, bfb, peheader + 88);
-- EVP_DigestUpdate(&mdctx, bfb, peheader + 88);
-+ EVP_DigestUpdate(mdctx, bfb, peheader + 88);
- BIO_read(bio, bfb, 4);
- BIO_read(bio, bfb, 60+pe32plus*16);
-- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16);
-+ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16);
- BIO_read(bio, bfb, 8);
-
- unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8;
-@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- int l = BIO_read(bio, bfb, want);
- if (l <= 0)
- break;
-- EVP_DigestUpdate(&mdctx, bfb, l);
-+ EVP_DigestUpdate(mdctx, bfb, l);
- n += l;
- }
-
-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
-+ EVP_MD_CTX_free(mdctx);
- }
-
-
-@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- int phlen = pphlen * (3 + nsections + sigpos / pagesize);
- unsigned char *res = malloc(phlen);
- unsigned char *zeroes = calloc(pagesize, 1);
-- EVP_MD_CTX mdctx;
--
-- EVP_MD_CTX_init(&mdctx);
-- EVP_DigestInit(&mdctx, md);
-- EVP_DigestUpdate(&mdctx, indata, peheader + 88);
-- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16);
-- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize);
-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-+
-+ EVP_DigestInit(mdctx, md);
-+ EVP_DigestUpdate(mdctx, indata, peheader + 88);
-+ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16);
-+ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize);
- memset(res, 0, 4);
-- EVP_DigestFinal(&mdctx, res + 4, NULL);
-+ EVP_DigestFinal(mdctx, res + 4, NULL);
-
- unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20);
- char *sections = indata + peheader + 24 + sizeofopthdr;
-@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- unsigned int l;
- for (l=0; l < rs; l+=pagesize, pi++) {
- PUT_UINT32_LE(ro + l, res + pi*pphlen);
-- EVP_DigestInit(&mdctx, md);
-+ EVP_DigestInit(mdctx, md);
- if (rs - l < pagesize) {
-- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l);
-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l));
-+ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l);
-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l));
- } else {
-- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize);
-+ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize);
- }
-- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL);
-+ EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL);
- }
- lastpos = ro + rs;
- sections += 40;
- }
-+ EVP_MD_CTX_free(mdctx);
-+ mdctx = NULL;
- PUT_UINT32_LE(lastpos, res + pi*pphlen);
- memset(res + pi*pphlen + 4, 0, EVP_MD_size(md));
- pi++;
-@@ -2413,7 +2333,7 @@ int main(int argc, char **argv)
- int nturl = 0, ntsurl = 0;
- int addBlob = 0;
- u_char *p = NULL;
-- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
-+ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0;
- unsigned int tmp, peheader = 0, padlen = 0;
- off_t filesize, fileend, sigfilesize, sigfileend, outdatasize;
- file_type_t type;
-@@ -2448,13 +2368,6 @@ int main(int argc, char **argv)
- ERR_load_crypto_strings();
- OPENSSL_add_all_algorithms_conf();
-
-- /* create some MS Authenticode OIDS we need later on */
-- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
-- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
-- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) ||
-- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL))
-- DO_EXIT_0("Failed to add objects\n");
--
- md = EVP_sha1();
-
- if (argc > 1) {
-@@ -2531,8 +2444,6 @@ int main(int argc, char **argv)
- readpass = *(++argv);
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) {
- comm = 1;
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) {
-- pagehash = 1;
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- if (--argc < 1) usage(argv0);
- desc = *(++argv);
-@@ -3243,7 +3154,7 @@ int main(int argc, char **argv)
- p7x = NULL;
- }
-
-- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend);
-+ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend);
- len -= EVP_MD_size(md);
- memcpy(buf, p, len);
- OPENSSL_free(p);
---
-2.34.1
-
=====================================
projects/osslsigncode/build
=====================================
@@ -4,11 +4,10 @@ distdir=$(pwd)/dist
mkdir -p $distdir/[% project %]
tar xf [% project %]-[% c('version') %].tar.gz
cd [% project %]-[% c('version') %]
-patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch
-patch -p1 < ../timestamping.patch
-./autogen.sh
-./configure --prefix=/[% project %]
+mkdir build
+cd build
+cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S ..
make
make DESTDIR=$distdir install
=====================================
projects/osslsigncode/config
=====================================
@@ -1,20 +1,16 @@
# vim: filetype=yaml sw=2
version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
-git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
+git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
container:
use_container: 0
var:
deps:
- - autoconf
- - libtool
- - pkg-config
+ - cmake
- libssl-dev
- libcurl4-openssl-dev
input_files:
- - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- - filename: timestamping.patch
- filename: '[% c("var/srcfile") %]'
enable: '[% c("var/no-git") %]'
=====================================
projects/osslsigncode/timestamping.patch deleted
=====================================
@@ -1,56 +0,0 @@
-From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk at torproject.org>
-Date: Fri, 5 Feb 2016 09:23:10 +0000
-Subject: [PATCH] Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 32e37c8..2978c02 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2556,16 +2556,16 @@ int main(int argc, char **argv)
- if (--argc < 1) usage(argv0);
- url = *(++argv);
- #ifdef ENABLE_CURL
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) {
- if (--argc < 1) usage(argv0);
- turl[nturl++] = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) {
- if (--argc < 1) usage(argv0);
- tsurl[ntsurl++] = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
- if (--argc < 1) usage(argv0);
- proxy = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) {
- noverifypeer = 1;
- #endif
- } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
---
-2.7.0
-
-
-From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk at torproject.org>
-Date: Sat, 11 Apr 2020 05:50:36 +0000
-Subject: [PATCH] fixup! Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 3797458..4f4b897 100644
---- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2447,7 +2447,7 @@ int main(int argc, char **argv)
- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- if (--argc < 1) usage(argv0);
- desc = *(++argv);
-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) {
-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) {
- if (--argc < 1) usage(argv0);
- ++argv;
- if (!strcmp(*argv, "md5")) {
---
-2.26.0
=====================================
tools/signing/android-signing.mullvadbrowser deleted
=====================================
@@ -1 +0,0 @@
-android-signing
\ No newline at end of file
=====================================
tools/signing/android-signing.torbrowser deleted
=====================================
@@ -1 +0,0 @@
-android-signing
\ No newline at end of file
=====================================
tools/signing/authenticode-timestamping.sh
=====================================
@@ -35,7 +35,7 @@ set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
-osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
+osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
test -f "$osslsigncode_file" ||
exit_error "$osslsigncode_file is missing." \
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,12 @@ echo
test -f "$steps_dir/linux-signer-signmars.done" ||
read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
echo
-#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-#echo
+test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
+ read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
+echo
+test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+ read -sp "Enter windows authenticode passphrase: " YUBIPASS
+echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
read -sp "Enter gpg passphrase: " GPG_PASS
echo
@@ -106,6 +109,18 @@ function sync-after-signmars {
"$script_dir/sync-linux-signer-to-local"
}
+function linux-signer-sign-android-apks {
+ ssh "$ssh_host_linux_signer" 'bash -s' << EOF
+ export KSPASS=$KSPASS
+ ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
+EOF
+ unset KSPASS
+}
+
+function sync-after-sign-android-apks {
+ "$script_dir/sync-linux-signer-to-local"
+}
+
function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
"$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
}
@@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer
do_step sync-before-linux-signer-signmars
do_step linux-signer-signmars
do_step sync-after-signmars
-#do_step linux-signer-authenticode-signing
-#do_step sync-after-authenticode-signing
-#do_step authenticode-timestamping
-#do_step sync-after-authenticode-timestamping
+is_project torbrowser && \
+ do_step linux-signer-sign-android-apks
+is_project torbrowser && \
+ do_step sync-after-sign-android-apks
+do_step linux-signer-authenticode-signing
+do_step sync-after-authenticode-signing
+do_step authenticode-timestamping
+do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -20,4 +20,5 @@ do
tmpsig=$(mktemp)
echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
mv -f "$tmpsig" "${i}.asc"
+ chmod 644 "${i}.asc"
done
=====================================
tools/signing/linux-signer-sign-android-apks
=====================================
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.generated-config"
+
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
+projname=$(project-name)
+# tbb_version_type is used in wrappers/sign-apk, so we export it
+export tbb_version_type
+
+check_installed_packages() {
+ local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+ for package in $packages
+ do
+ dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+ exit_error "package $package is missing"
+ done
+}
+
+setup_build_tools() {
+ build_tools_dir=/signing/android-build-tools
+ test -f "$build_tools_dir"/android-12/apksigner || \
+ exit_error "$build_tools_dir/android-12/apksigner is missing"
+ export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+sign_apk() {
+ sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
+}
+
+verify_apk() {
+ verified=$(apksigner verify --print-certs --verbose "$1")
+ scheme_v1="Verified using v1 scheme (JAR signing): true"
+ scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
+
+ # Verify the expected signing key was used, Alpha verses Release based on the filename.
+ if test "$tbb_version_type" = "alpha"; then
+ cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
+ else
+ cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
+ pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
+ fi
+ for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
+ if ! echo "${verified}" | grep -q "${digest}"; then
+ echo "Expected digest not found:"
+ echo ${digest}
+ echo "in:"
+ echo ${verified}
+ exit 1
+ fi
+ done
+}
+
+check_installed_packages
+
+if [ -z "$KSPASS" ]; then
+ echo "Enter keystore passphrase"
+ stty -echo; read KSPASS; stty echo
+ export KSPASS
+fi
+
+setup_build_tools
+
+mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+
+# Sign all packages
+for arch in ${ARCHS}; do
+ qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
+ signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
+ sign_apk "$qa_apk" "$signed_apk"
+ verify_apk "$signed_apk"
+ cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
+done
+
+rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
=====================================
tools/signing/linux-signer-sign-android-apks.torbrowser
=====================================
@@ -0,0 +1 @@
+linux-signer-sign-android-apks
\ No newline at end of file
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -83,11 +83,12 @@ create_group signing
create_user signing-gpg
create_user signing-mar
create_user signing-win yubihsm
-
+create_user signing-apk signing
sudoers_file sign-gpg
sudoers_file sign-mar
sudoers_file sign-exe
+sudoers_file sign-apk
authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
create_user richard signing
@@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl
# Install deps for building yubihsm-shell
install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+# Install deps for android/apk signing
+install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
+
# Build and install yubihsm-pkcs11 package
create_user build-pkgs
if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
@@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then
chmod go+rX "$tmpdir/mar-tools"/*
mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
fi
+
+for rel in release alpha; do
+ keypath=/home/signing-apk/keys/tba_$rel.p12
+ if ! test -f "$keypath"; then
+ echo "$rel key for android should be put in $keypath"
+ else
+ chown signing-apk "$keypath"
+ chmod 700 "$keypath"
+ fi
+done
=====================================
tools/signing/machines-setup/sudoers.d/sign-apk
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
echo "Fetched $yubihsm_filename"
fi
+android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
+if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
+ ./rbm/rbm build --step get_build_tools android-toolchain
+ echo "Fetched $android_build_tools_filename"
+fi
+
signing_machine='linux-signer'
setup_user='setup'
signing_dir='/signing'
@@ -43,14 +49,26 @@ signing_dir='/signing'
echo "Uploading $osslsigncodefile to $signing_machine"
chmod go+r "./out/osslsigncode/$osslsigncodefile"
rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+
echo "Uploading rbm.tar to $signing_machine"
rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+
echo "Uploading $martools_filename"
chmod go+r "./out/mar-tools/$martools_filename"
rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+
echo "Uploading $yubihsm_filename"
chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+
+echo "Uploading $android_build_tools_filename"
+chmod go+r "./out/android-toolchain/$android_build_tools_filename"
+rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
+echo "Extracting $android_build_tools_filename"
+ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
+ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
+ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
+
echo "Uploading tor-browser-build.tar to $signing_machine"
scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
echo "Extracting tor-browser-build.tar on $signing_machine"
=====================================
tools/signing/set-config.android-signing deleted
=====================================
@@ -1,7 +0,0 @@
-# The following line should be uncommented and updated:
-
-#ssh_host_pkgstage=tbbuild
-#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
-#android_signing_key_dir=/path/to/signing/key/dir
-
-var_is_defined ssh_host_pkgstage android_signing_key_dir
=====================================
tools/signing/android-signing → tools/signing/wrappers/sign-apk
=====================================
@@ -1,69 +1,34 @@
#!/bin/bash
-
-# Sign apk for each target architecture.
-# This script does not require command line argument, but it needs
-# some configuration options to be set in set-config.android-signing:
-# - ssh_host_pkgstage is the host which you use for staging packages
-# during signing. The script will download the unsigned .apk files
-# from this host, and upload the signed .apk there
-# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
-# on pkgstage
-# - android_signing_key_dir: the local path where the android signing
-# keys are located. That directory should contains files tba_alpha.p12
-# and tba_release.p12 for alpha and release signing keys.
-# The Tor Browser version is taken from set-config.tbb-version
-
set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.android-signing"
-topdir="$script_dir/../.."
-ARCHS="armv7 aarch64 x86 x86_64"
-projname=$(project-name)
-
-android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
-test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
-
-check_installed_packages() {
- local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
- for package in $packages
+function exit_error {
+ for msg in "$@"
do
- dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
- exit_error "package $package is missing"
+ echo "$msg" >&2
done
+ exit 1
}
+if test "$tbb_version_type" != 'release' \
+ && test "$tbb_version_type" != 'alpha'; then
+ exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
+fi
+
+android_signing_key_dir=/home/signing-apk/keys
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
+
setup_build_tools() {
- local rbm="$topdir/rbm/rbm"
- local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
- if ! test -f "$build_tools_zipfile"; then
- "$rbm" build --step get_build_tools android-toolchain
- test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
- fi
- local build_tools_dir=$(mktemp -d)
- trap "rm -Rf $build_tools_dir" EXIT
- unzip -d "$build_tools_dir" "$build_tools_zipfile"
+ build_tools_dir=/signing/android-build-tools
test -f "$build_tools_dir"/android-12/apksigner || \
exit_error "$build_tools_dir/android-12/apksigner is missing"
export PATH="$build_tools_dir/android-12:${PATH}"
}
-download_unsigned_apks() {
- apks_dir=$(mktemp -d)
- trap "rm -Rf $apks_dir" EXIT
- rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
-}
-
-upload_signed_apks() {
- rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
- --exclude="*-unsigned.apk" "$apks_dir/" \
- "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
-}
-
# Sign individual apk
sign_apk() {
INPUTAPK="$1"
+ OUTPUTAPK="$2"
# https://developer.android.com/studio/publish/app-signing#sign-manually
# After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
@@ -75,10 +40,11 @@ sign_apk() {
echo Aligning and signing ${INPUTAPK}
# Append the different stages of signing
- UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
+ UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
+ # ${INPUTAPK} is full path. We copy to local tmp directory.
cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
# Step 1: Align
@@ -117,67 +83,16 @@ sign_apk() {
exit 1
fi
+ mv -f "${SIGNED_APK}" "$OUTPUTAPK"
echo apksigner verify succeeded
}
-# Rename and verify signing certificate
-finalize() {
- for arch in ${ARCHS}; do
- mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
- done
-
- for arch in ${ARCHS}; do
- verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
- scheme_v1=
- scheme_v2=
- cert_digest=
- pubkey_digest=
-
- # Verify the expected signing key was used, Alpha verses Release based on the filename.
- if test "$tbb_version_type" = "alpha"; then
- scheme_v1="Verified using v1 scheme (JAR signing): true"
- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
- cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
- pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
- else
- scheme_v1="Verified using v1 scheme (JAR signing): true"
- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
- cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
- pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
- fi
- for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
- if ! `echo "${verified}" | grep -q "${digest}"`; then
- echo "Expected digest not found:"
- echo ${digest}
- echo "in:"
- echo ${verified}
- exit 1
- fi
- done
- done
-
- echo Done.
-}
-
-check_installed_packages
-
-if [ -z "$KSPASS" ]; then
- echo "Enter keystore passphrase"
- stty -echo; read KSPASS; stty echo
- export KSPASS
-fi
-
setup_build_tools
-download_unsigned_apks
-
-cd $apks_dir
-
-# Sign all packages
-for arch in ${ARCHS}; do
- sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
-done
+tmpdir=$(mktemp -d)
+cd "$tmpdir"
-finalize
+sign_apk "$1" "$2"
-upload_signed_apks
+cd -
+rm -Rf "$tmpdir"
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then
exit 2
fi
-yubipass="$1"
+pass="$1"
to_sign_exe="$2"
-tpo_cert=/home/signing-win/tpo-cert.crt
+key_dir=/home/signing-win/keys/key-1
+tpo_cert=$key_dir/the_tor_project_inc.crt
+tpo_key=$key_dir/private.pem
if ! test -f "$tpo_cert"; then
echo "File $tpo_cert is missing" >&2
@@ -26,12 +28,10 @@ rm -f "$output_signed_exe"
export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
/home/signing-win/osslsigncode/bin/osslsigncode \
- -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
- -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
- -pass "$yubipass" \
+ -pass "$pass" \
-h sha256 \
-certs "$tpo_cert" \
- -key 1c40 \
+ -key "$tpo_key" \
"$to_sign_exe" "$output_signed_exe"
chmod 644 "$output_signed_exe"
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/0ce5dccf1b818ceea05bd2b971dd9f12b1c16460...8213c52c566667e7629fabd3f3311498b1ea5611
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/0ce5dccf1b818ceea05bd2b971dd9f12b1c16460...8213c52c566667e7629fabd3f3311498b1ea5611
You're receiving this email because of your account on gitlab.torproject.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tbb-commits/attachments/20230612/093093cf/attachment-0001.htm>
More information about the tbb-commits
mailing list