[tor-commits] [torbrowser/maint-2.4] Bug 8338: Create watch scripts for monitoring and syncing sources.

mikeperry at torproject.org mikeperry at torproject.org
Thu Apr 11 06:43:19 UTC 2013


commit 13ec571eae82fd2f76bc07233ba8c11459f6521e
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Mon Apr 1 14:48:14 2013 -0700

    Bug 8338: Create watch scripts for monitoring and syncing sources.
    
    These scripts allow us to keep sources on people.torproject.org so that the
    build machines are not exposed to code exec via MITM.
    
    They also allow others to verify the integrity of our mirror, to ensure
    the mirror is not similarly targeted.
---
 watch-scripts/fetch-thirdparty.sh |   83 +++++++++++++++++++++++++++++++
 watch-scripts/verify-mirror.sh    |   97 +++++++++++++++++++++++++++++++++++++
 watch-scripts/versions.sh         |   33 +++++++++++++
 watch-scripts/watch-firefox.sh    |   29 +++++++++++
 4 files changed, 242 insertions(+), 0 deletions(-)

diff --git a/watch-scripts/fetch-thirdparty.sh b/watch-scripts/fetch-thirdparty.sh
new file mode 100755
index 0000000..3244671
--- /dev/null
+++ b/watch-scripts/fetch-thirdparty.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+#
+# Creates a local mirror of all third party sources. Verifies GPG signatures
+# when possible.
+#
+# Usage:
+# ./fetch-thirdparty.sh [<dir>]
+#
+# Downloads sources into a "sources" subdirectory of the current directory.
+#
+# If <dir> is specified, we change directory into that mirror dir before
+# downloading source.
+
+. ./versions.sh
+
+if [ -d $1 ]; then
+  cd $1
+fi
+
+## Location of files for download
+ZLIB_URL=http://www.zlib.net/${ZLIB_PACKAGE}
+OPENSSL_URL=http://www.openssl.org/source/${OPENSSL_PACKAGE}
+LIBPNG_URL=ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng15/${LIBPNG_PACKAGE}
+QT_URL=ftp://ftp.qt.nokia.com/qt/source/${QT_PACKAGE}
+VIDALIA_URL=https://archive.torproject.org/tor-package-archive/vidalia/${VIDALIA_PACKAGE}
+LIBEVENT_URL=https://github.com/downloads/libevent/libevent/${LIBEVENT_PACKAGE}
+TOR_URL=https://archive.torproject.org/tor-package-archive/${TOR_PACKAGE}
+PIDGIN_URL=http://sourceforge.net/projects/pidgin/files/Pidgin/${PIDGIN_PACKAGE}
+FIREFOX_URL=https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${FIREFOX_VER}/source/${FIREFOX_PACKAGE}
+MOZBUILD_URL=https://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/${MOZBUILD_PACKAGE}
+TORBUTTON_URL=https://people.torproject.org/~mikeperry/${TORBUTTON_PACKAGE}
+NOSCRIPT_URL=https://addons.mozilla.org/firefox/downloads/latest/722/${NOSCRIPT_PACKAGE}
+HTTPSEVERYWHERE_URL=https://www.eff.org/files/${HTTPSEVERYWHERE_PACKAGE}
+OBFSPROXY_URL=https://archive.torproject.org/tor-package-archive/obfsproxy/${OBFSPROXY_PACKAGE}
+
+if [ ! -d sources ]; then
+  mkdir sources
+fi
+
+cd sources
+
+# Get package files
+for i in ZLIB OPENSSL LIBPNG QT VIDALIA LIBEVENT TOR FIREFOX MOZBUILD TORBUTTON NOSCRIPT HTTPSEVERYWHERE OBFSPROXY
+do
+  URL=${i}"_URL"
+  PACKAGE=${i}"_PACKAGE"
+  wget -N --no-remove-listing ${!URL} >& /dev/null
+  if [ $? -ne 0 ]; then
+    echo "$i url ${!URL} is broken!"
+    mv ${!PACKAGE} ${!PACKAGE}".removed"
+    exit 1
+  fi
+done
+
+# Get+verify sigs that exist
+# XXX: This doesn't cover everything. See #8525
+for i in TORBUTTON FIREFOX LIBEVENT TOR VIDALIA OBFSPROXY OPENSSL
+do
+  URL=${i}"_URL"
+  PACKAGE=${i}"_PACKAGE"
+  if [ ! -f ${!PACKAGE}".asc" ]; then
+    wget ${!URL}".asc" >& /dev/null
+    if [ $? -ne 0 ]; then
+      echo "$i GPG sig url ${!URL} is broken!"
+      mv ${!PACKAGE} ${!PACKAGE}".nogpg"
+      exit 1
+    fi
+  fi
+  gpg ${!PACKAGE}".asc" >& /dev/null
+  if [ $? -ne 0 ]; then
+    echo "$i GPG signature is broken for ${!URL}"
+    mv ${!PACKAGE} ${!PACKAGE}".badgpg"
+    exit 1
+  fi
+done
+
+# Record sha256sums
+rm -f sha256sums.txt
+for i in ZLIB OPENSSL LIBPNG QT VIDALIA LIBEVENT TOR FIREFOX MOZBUILD TORBUTTON NOSCRIPT HTTPSEVERYWHERE OBFSPROXY
+do
+  PACKAGE=${i}"_PACKAGE"
+  sha256sum ${!PACKAGE} >> sha256sums.txt
+done
diff --git a/watch-scripts/verify-mirror.sh b/watch-scripts/verify-mirror.sh
new file mode 100755
index 0000000..3627ab7
--- /dev/null
+++ b/watch-scripts/verify-mirror.sh
@@ -0,0 +1,97 @@
+#!/bin/bash
+#
+# verify-mirror.sh - Verifies that our source mirror matches Internet sources
+#
+# Run this script on a non-torproject.org machine to verify that
+# people.torproject.org was not subject to targeted MITM attacks on
+# unauthenticated source code.
+#
+# Usage:
+# ./verify-mirror.sh [<dir>]
+#
+# Verifies the integrity of a remote mirror against a local cache in
+# "sources/", or from the Internet.
+# 
+# If <dir> is specified, change into that directory before performing
+# verification.
+
+. ./versions.sh
+
+# Always update our local cache before verifying remote mirror
+./fetch-thirdparty.sh $1
+
+if [ -d $1 ]; then
+  cd $1
+fi
+
+MIRROR_URL=https://people.torproject.org/~mikeperry/mirrors/sources/
+
+# Let's make a verification directory
+mkdir verify-sources
+cd verify-sources
+
+# Get package files from mirror
+for i in ZLIB OPENSSL LIBPNG QT VIDALIA LIBEVENT TOR FIREFOX MOZBUILD TORBUTTON NOSCRIPT HTTPSEVERYWHERE OBFSPROXY
+do
+  PACKAGE=${i}"_PACKAGE"
+  URL=${MIRROR_URL}${!PACKAGE}
+  rm -f ${!PACKAGE}
+  wget ${URL} >& /dev/null
+  if [ $? -ne 0 ]; then
+    echo "$i url ${URL} is broken!"
+    exit 1
+  fi
+done
+
+# Get+verify sigs that exist
+# XXX: This doesn't cover everything. See #8525
+for i in TORBUTTON FIREFOX LIBEVENT TOR VIDALIA OBFSPROXY OPENSSL
+do
+  PACKAGE=${i}"_PACKAGE"
+  URL=${MIRROR_URL}${!PACKAGE}
+  if [ ! -f ${!PACKAGE}".asc" ]; then
+    wget ${URL}".asc" >& /dev/null
+    if [ $? -ne 0 ]; then
+      echo "$i GPG sig url ${URL} is broken!"
+      mv ${!PACKAGE} ${!PACKAGE}".nogpg"
+      exit 1
+    fi
+  fi
+  gpg ${!PACKAGE}".asc" >& /dev/null
+  if [ $? -ne 0 ]; then
+    echo "$i GPG signature is broken for ${URL}"
+    mv ${!PACKAGE} ${!PACKAGE}".badgpg"
+    exit 1
+  fi
+done
+
+# Check remote sha256sums
+rm -f sha256sums.txt
+wget $MIRROR_URL"/sha256sums.txt" >& /dev/null
+if [ $? -ne 0 ]; then
+  echo "SHA256SUMS are absent!!"
+  exit 1
+fi
+
+sha256sum --quiet -c sha256sums.txt
+if [ $? -ne 0 ]; then
+  echo "Remote sha256sums don't match data!"
+  exit 1
+fi
+
+# Make sure our mirror matches
+REMOTE_METASUM=`sha256sum sha256sums.txt`
+
+cd ../sources/
+LOCAL_METASUM=`sha256sum sha256sums.txt`
+
+if [ "z$REMOTE_METASUM" != "z$LOCAL_METASUM" ]; then
+  echo "Remote sha256sums don't match local values!"
+  exit 1
+fi
+
+cd ..
+rm -rf ./verify-sources/
+
+exit 0
+
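Review bot: `cd ../sources/` before `LOCAL_METASUM` is unchecked, so if it fails the script hashes the remote `sha256sums.txt` a second time, both values match and the mirror is reported as verified; write it as `cd ../sources/ || exit 1`, and give `mkdir verify-sources`, `cd verify-sources` and the final `cd ..` the same guard. The call `./fetch-thirdparty.sh $1` is likewise unchecked, so a failed refresh of the local cache still lets the comparison run against stale local sums; use `./fetch-thirdparty.sh "$1" || exit 1`. Every `exit 1` path leaves verify-sources/ behind, and because the signature loop skips the download when `${!PACKAGE}.asc` already exists, a rerun verifies the leftover `.asc` instead of the mirror's current one; removing the directory before `mkdir`, as the end of the script already does, avoids that.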
diff --git a/watch-scripts/versions.sh b/watch-scripts/versions.sh
new file mode 100755
index 0000000..3559c96
--- /dev/null
+++ b/watch-scripts/versions.sh
@@ -0,0 +1,33 @@
+ZLIB_VER=1.2.7
+OPENSSL_VER=1.0.0k
+LIBPNG_VER=1.5.15
+QT_VER=4.8.1
+VIDALIA_VER=0.2.21
+LIBEVENT_VER=2.0.21-stable
+TOR_VER=0.2.3.25
+PIDGIN_VER=2.6.4
+FIREFOX_VER=17.0.5esr
+MOZBUILD_VER=1.5.1
+TORBUTTON_VER=1.5.1
+NOSCRIPT_VER=2.6.5.9
+HTTPSEVERYWHERE_VER=3.1.4
+OTR_VER=3.2.0
+OBFSPROXY_VER=0.1.4
+
+## File names for the source packages
+ZLIB_PACKAGE=zlib-${ZLIB_VER}.tar.gz
+OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz
+LIBPNG_PACKAGE=libpng-${LIBPNG_VER}.tar.bz2
+QT_PACKAGE=qt-everywhere-opensource-src-${QT_VER}.tar.gz
+VIDALIA_PACKAGE=vidalia-${VIDALIA_VER}.tar.gz
+LIBEVENT_PACKAGE=libevent-${LIBEVENT_VER}.tar.gz
+TOR_PACKAGE=tor-${TOR_VER}.tar.gz
+PIDGIN_PACKAGE=pidgin-${PIDGIN_VER}.tar.bz2
+FIREFOX_PACKAGE=firefox-${FIREFOX_VER}.source.tar.bz2
+MOZBUILD_PACKAGE=MozillaBuildSetup-${MOZBUILD_VER}.exe
+TORBUTTON_PACKAGE=torbutton-${TORBUTTON_VER}.xpi
+NOSCRIPT_PACKAGE=addon-722-latest.xpi
+HTTPSEVERYWHERE_PACKAGE=https-everywhere-${HTTPSEVERYWHERE_VER}.xpi
+OBFSPROXY_PACKAGE=obfsproxy-${OBFSPROXY_VER}.tar.gz
+
+
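Review bot: versions.sh is sourced by fetch-thirdparty.sh and verify-mirror.sh but carries no header saying so, and it is added with mode 100755 without a shebang, so executing it directly does nothing useful; a comment such as `# Sourced by fetch-thirdparty.sh and verify-mirror.sh; defines *_VER and *_PACKAGE for each mirrored source.` at the top would make the contract clear (and the mode could be 0644). `OTR_VER` has no matching `*_PACKAGE` and nothing in the other scripts reads it; if it is a placeholder for a future package, say so in a comment next to it.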
diff --git a/watch-scripts/watch-firefox.sh b/watch-scripts/watch-firefox.sh
new file mode 100755
index 0000000..4e2b67d
--- /dev/null
+++ b/watch-scripts/watch-firefox.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+NEXTESR="17\.0\.[567]esr/"
+NEXTRAPID="17\.0/|16\.0\.[34]/"
+
+URL="https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/"
+urldump=`wget -q $URL -O -`
+
+echo $urldump | egrep $NEXTESR > /dev/null
+if [ $? -eq 0 -a ! -f ~/emailt-esr ]
+then
+  echo "New Firefox ESR release is out at $URL" | mail mikeperry at torproject.org -s "New Firefox 17.x ESR is out!"
+  echo "New Firefox ESR release is out at $URL" | mail erinn at torproject.org -s "New Firefox 17.x ESR is out!"
+  echo "New Firefox ESR release is out at $URL" | mail sebastian at torproject.org -s "New Firefox 17.x ESR is out!"
+  touch ~/emailt-esr
+fi
+
+exit
+
+echo $urldump | egrep $NEXTRAPID > /dev/null
+if [ $? -eq 0 -a ! -f ~/emailt-rr ]
+then
+  echo "New Firefox Rapid Release is out at $URL" | mail mikeperry at torproject.org -s "New Firefox Rapid Release is out!"
+  echo "New Firefox Rapid Release is out at $URL" | mail erinn at torproject.org -s "New Firefox Rapid Release is out"
+  echo "New Firefox Rapid Release is out at $URL" | mail sebastian at torproject.org -s "New Firefox Rapid Release is out!"
+  touch ~/emailt-rr
+fi
+
+
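Review bot: The bare `exit` after the ESR block makes the Rapid Release check below it unreachable, so the `~/emailt-rr` notification can never be sent; if that block is intentionally disabled, guard it behind a commented flag or remove it rather than leaving dead code. The fetch `urldump=\`wget -q $URL -O -\`` is also unchecked: when it fails, `urldump` is empty, both greps miss and the script exits 0, so a broken monitor looks the same as "no new release" — use `urldump=$(wget -q "$URL" -O -) || { echo "fetch of $URL failed" >&2; exit 1; }`. Finally `$urldump`, `$NEXTESR` and `$NEXTRAPID` are expanded unquoted, and `[567]` / `[34]` are also glob bracket expressions that can be subject to pathname expansion, so quote them: `echo "$urldump" | egrep "$NEXTESR" > /dev/null`.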




