[tbb-commits] [Git][tpo/applications/tor-browser-build][main] Bug 41093: Add a patch to unsign APKs.

Pier Angelo Vendrame (@pierov) git at gitlab.torproject.org
Tue Feb 27 11:27:50 UTC 2024



Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build


Commits:
ede46581 by Pier Angelo Vendrame at 2024-02-27T12:27:17+01:00
Bug 41093: Add a patch to unsign APKs.

Currently, we sign the APKs that were already signed with the QA key.
However, this makes it impossible to copy our signature on top of APKs
built independently, which would be the last step to reproduce our
builds.

With this commit, we provide a patch to go back to the unsigned (but
already aligned) APK, so that we can keep shipping QA-signed APKs for
testers, but we can go back to the unsigned APK for the final signing.

The changes to apply this patch in the signing scripts will be part of
another commit.

- - - - -


4 changed files:

- README
- projects/browser/build.android
- projects/browser/config
- projects/release/build


Changes:

=====================================
README
=====================================
@@ -54,7 +54,7 @@ If you are running Fedora, CentOS or RHEL, you can install them with:
               "perl(Template)" "perl(IO::Handle)" "perl(Capture::Tiny)" \
               "perl(JSON)" "perl(File::Temp)" "perl(Path::Tiny)" \
               "perl(File::Path)" "perl(File::Slurp)" \
-              "perl(File::Copy::Recursive)" "perl(String::ShellQuote)"
+              "perl(File::Copy::Recursive)" "perl(String::ShellQuote)" \
               "perl(Sort::Versions)" "perl(Digest::SHA)" "perl(Data::UUID)" \
               "perl(Data::Dump)" "perl(DateTime)" "perl(XML::Writer)" \
               "perl(Parallel::ForkManager)" perl-ph mercurial git zstd
@@ -237,11 +237,12 @@ builds, and will require that you run Debian Bullseye or Bookworm and
 install build dependencies for all the components that are built. This can
 be done with the following command:
 
-  # apt-get install build-essential python3 automake libtool zip unzip \
-            autoconf2.13 openjdk-11-jdk gettext-base autotools-dev \
-            automake autoconf libtool autopoint libssl-dev pkg-config \
-            zlib1g-dev libparallel-forkmanager-perl libfile-slurp-perl bzip2 \
-            xz-utils apksigner yasm wget bison gyp tcl python3-venv 7zip jq
+  # apt-get install 7zip apksigner autoconf autoconf2.13 automake autopoint \
+                    autotools-dev bison bsdiff build-essential bzip2 \
+                    gettext-base gyp jq libfile-slurp-perl \
+                    libparallel-forkmanager-perl libssl-dev libtool libtool \
+                    openjdk-11-jdk pkg-config python3 python3-venv tcl unzip \
+                    wget xz-utils yasm zip zlib1g-dev
 
 Note that Debian Bullseye requires the bullseye-backports repository to
 get the 7zip package.
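Review bot: `libtool` is listed twice on the added `libparallel-forkmanager-perl libssl-dev libtool libtool` line of the re-sorted `apt-get install` list. The old list's duplicate `automake` was dropped in the re-sort, but this duplicate was carried over; drop the second `libtool`. The only package actually added in this hunk is `bsdiff`, which is easy to miss among the reordering, so the commit message could say that the rest of the list was only sorted.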


=====================================
projects/browser/build.android
=====================================
@@ -66,6 +66,9 @@ zipalign -vp 4 repacked.apk $aligned_apk
 # flag in the manifest.
 apksigner sign --verbose --min-sdk-version [% c("var/android_min_api") %] --ks $rootdir/android-qa.keystore --out $qa_apk --in $aligned_apk --ks-key-alias androidqakey --key-pass pass:android --ks-pass pass:android
 
+unsign_patch="[% dest_dir %]/[% c('filename') %]/[% c('var/project-name') %]-qa-unsign-[% c('var/osname') %]-[% c('version') %].bspatch"
+bsdiff $qa_apk $aligned_apk $unsign_patch
+
 [%IF c("var/tor-browser") -%]
   tor_expert_bundle_src="[% c("input_files_by_name/tor-expert-bundle") %]"
   # strip off trailing "$buildid.tar.gz"
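Review bot: the added `bsdiff $qa_apk $aligned_apk $unsign_patch` line writes the patch, but nothing checks that the patch recovers the unsigned APK. The commit message says the final signing will go back to the unsigned APK through this patch, so it is worth applying it right after it is generated, for example `bspatch $qa_apk` into a temporary file with `$unsign_patch`, then `cmp` that file against `$aligned_apk`, and failing the build on a mismatch. Quoting the three variables on the `bsdiff` line would also match the quoted assignment on the line above it.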


=====================================
projects/browser/config
=====================================
@@ -48,6 +48,7 @@ targets:
       arch_deps:
         - 7zip
         - openjdk-17-jdk-headless
+        - bsdiff
       container:
         # 7zip is in backports in bullseye, and we can already use Java 17 for
         # apksigner.


=====================================
projects/release/build
=====================================
@@ -59,7 +59,7 @@ EOF
 # empty any existing sh256sums file
 echo -n > sha256sums-unsigned-build.txt
 # concat sha256sum entry for each file in set
-for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.json | grep -v '\.incremental\.mar$' | sort)
+for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.bspatch *.json | grep -v '\.incremental\.mar$' | sort)
 do
   sha256sum $i >> sha256sums-unsigned-build.txt
 done
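Review bot: on the changed `for` line, adding `*.bspatch` puts the patch's hash into sha256sums-unsigned-build.txt, yet the patch is computed from the QA-signed APK in projects/browser/build.android. If this file is what independent builders compare, the hash will only match when both the `apksigner sign` output and the `bsdiff` output are byte-for-byte identical across builds. Please confirm that this holds, or record it as an assumption in the commit message.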



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/ede465810bc446831e047dc680a577495bd60bdf
