[tor-commits] [tor-browser-bundle/master] Add basic support for predictable sig uploading + checking.

mikeperry at torproject.org mikeperry at torproject.org
Thu Nov 21 08:26:46 UTC 2013


commit cb407069ffe0d789dd0ad5d93b5568a66194213f
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Thu Nov 21 00:18:10 2013 -0800

    Add basic support for predictable sig uploading + checking.
---
 gitian/Makefile            |   12 +++++++++
 gitian/README.build        |    8 ++++++
 gitian/check-match.sh      |   62 ++++++++++++++++++++++++++++++++++++++++++++
 gitian/gpg/erinn.gpg       |  Bin 0 -> 17207 bytes
 gitian/gpg/ln5.gpg         |  Bin 0 -> 61902 bytes
 gitian/gpg/mikeperry.gpg   |  Bin 0 -> 7813 bytes
 gitian/upload-signature.sh |   32 +++++++++++++++++++++++
 7 files changed, 114 insertions(+)

diff --git a/gitian/Makefile b/gitian/Makefile
index bbabc10..b781f34 100644
--- a/gitian/Makefile
+++ b/gitian/Makefile
@@ -14,6 +14,18 @@ build-alpha:
 	./mkbundle-mac.sh versions.alpha
 	./hash-bundles.sh versions.alpha
 
+sign:
+	torsocks ./upload-signature.sh versions
+
+sign-alpha:
+	torsocks ./upload-signature.sh versions.alpha
+
+match:
+	torsocks ./check-match.sh versions
+
+match-alpha:
+	torsocks ./check-match.sh versions.alpha
+
 prep:
 	./check-prerequisites.sh
 	torsocks ./fetch-inputs.sh ../../gitian-builder/inputs/ versions
diff --git a/gitian/README.build b/gitian/README.build
index 07ea652..157d948 100644
--- a/gitian/README.build
+++ b/gitian/README.build
@@ -11,6 +11,10 @@ QuickStart:
  start the build process to produce localized Linux bundles, followed by
  Windows bundles, followed by Mac bundles.
 
+ To check your build results against the official builders, run:
+
+ $ make match
+
  By default, the Makefile wraps input downloads in 'torsocks'. This is done
  to allow unofficial secret verifiers to remain secret by default. Removing
  the 'torsocks' from the 'prep' Makefile rule should be sufficient to avoid
@@ -43,10 +47,14 @@ Detailed Explanation of Scripts:
      - vmclean: Remove VM base images
      - distclean: Remove source dependency inputs, and run clean and vmclean
      - all: The default. It calls clean, prep, and then build.
+     - sign: Signs your build output and uplodas it to people.torproject.org
+     - match: Checks your build output against public signed hashes
     To build alpha bundles, alternate targets are provided:
      - alpha: The equivalent to the 'all' rule for alpha packages
      - build-alpha: The equivalent to the 'build' rule for alpha packages
      - prep-alpha: The equivalent to the 'prep' rule for alpha packages
+     - sign-alpha: Signs your build output and uplodas it to people.torproject.org
+     - match-alpha: Checks your build output against public signed hashes
  
  1. check-prerequisites.sh: This script checks if your system is capable of
     running Gitian, and if it is not, it tells you what you need to do.
diff --git a/gitian/check-match.sh b/gitian/check-match.sh
new file mode 100755
index 0000000..90f2025
--- /dev/null
+++ b/gitian/check-match.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# XXX: Args?
+HOST=people.torproject.org
+BASE_DIR=public_html/builds/
+USERS="ln5 mikeperry helix gk"
+
+set -e
+set -u
+
+WRAPPER_DIR=$(dirname "$0")
+WRAPPER_DIR=$(readlink -f "$WRAPPER_DIR")
+
+if [ -z "$1" ];
+then
+  VERSIONS_FILE=$WRAPPER_DIR/versions
+else
+  VERSIONS_FILE=$1
+fi
+
+if ! [ -e $VERSIONS_FILE ]; then
+  echo >&2 "Error: $VERSIONS_FILE file does not exist"
+  exit 1
+fi
+
+. $VERSIONS_FILE
+
+VALID=""
+
+for u in $USERS
+do
+  cd $WRAPPER_DIR
+
+  # XXX: Is there a better way to store these and rename them?
+  mkdir -p $TORBROWSER_VERSION/$u
+  cd $TORBROWSER_VERSION/$u
+
+  wget https://$HOST/~$u/builds/$TORBROWSER_VERSION/sha256sums.txt || continue
+  wget https://$HOST/~$u/builds/$TORBROWSER_VERSION/sha256sums.txt.asc || continue
+
+  keyring="../../gpg/$u.gpg"
+
+  # XXX: Remove this dir
+  gpghome=$(mktemp -d)
+  GNUPGHOME="$gpghome" gpg --import "$keyring"
+  GNUPGHOME="$gpghome" gpg sha256sums.txt.asc || exit 1
+
+  diff -u ../sha256sums.txt sha256sums.txt || exit 1
+
+  VALID="$u $VALID"
+done
+
+if [ -z $VALID ];
+then
+  echo "No bundle hashes or sigs published for $TORBROWSER_VERSION."
+  echo
+  exit 1
+else
+  echo "Matching bundles exist from the following users: $VALID"
+  exit 0
+fi
+
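Review bot: The signature check `gpg sha256sums.txt.asc` names neither the operation nor the data file, so it relies on gpg's default handling of whatever the server returned and on gpg inferring that the signed data is the `sha256sums.txt` diffed on the next step; `GNUPGHOME="$gpghome" gpg --verify sha256sums.txt.asc sha256sums.txt || exit 1` binds the verification to that file explicitly. wget by default keeps an existing file and saves the new download under a `.1` suffix, so a rerun for the same version would verify and diff the stale copy unless both files are removed first. `USERS` lists `helix` and `gk`, while the keyrings added in this commit are erinn.gpg, ln5.gpg and mikeperry.gpg, so `gpg --import "$keyring"` would likely abort the script under `set -e` for those two names once they publish hashes. With `set -u` active, `[ -z "$1" ]` aborts on a missing argument instead of falling back to the default versions file; `[ -z "${1:-}" ]` keeps the fallback, and the same test appears in upload-signature.sh.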
diff --git a/gitian/gpg/erinn.gpg b/gitian/gpg/erinn.gpg
new file mode 100644
index 0000000..2adc455
Binary files /dev/null and b/gitian/gpg/erinn.gpg differ
diff --git a/gitian/gpg/ln5.gpg b/gitian/gpg/ln5.gpg
new file mode 100644
index 0000000..66a2f68
Binary files /dev/null and b/gitian/gpg/ln5.gpg differ
diff --git a/gitian/gpg/mikeperry.gpg b/gitian/gpg/mikeperry.gpg
new file mode 100644
index 0000000..ab4acc0
Binary files /dev/null and b/gitian/gpg/mikeperry.gpg differ
diff --git a/gitian/upload-signature.sh b/gitian/upload-signature.sh
new file mode 100755
index 0000000..87bd05d
--- /dev/null
+++ b/gitian/upload-signature.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+HOST=people.torproject.org
+BASE_DIR=public_html/builds/
+
+set -u
+
+WRAPPER_DIR=$(dirname "$0")
+WRAPPER_DIR=$(readlink -f "$WRAPPER_DIR")
+
+if [ -z "$1" ];
+then
+  VERSIONS_FILE=$WRAPPER_DIR/versions
+else
+  VERSIONS_FILE=$1
+fi
+
+if ! [ -e $VERSIONS_FILE ]; then
+  echo >&2 "Error: $VERSIONS_FILE file does not exist"
+  exit 1
+fi
+
+. $VERSIONS_FILE
+
+if [ ! -f $TORBROWSER_VERSION/sha256sums.txt ];
+then
+  cd $TORBROWSER_VERSION && gpg -abs sha256sums.txt
+fi
+
+ssh $HOST "mkdir $BASE_DIR/$TORBROWSER_VERSION" 
+scp $TORBROWSER_VERSION/sha256sums.txt* $HOST:$BASE_DIR/$TORBROWSER_VERSION/ 
+ssh $HOST "chmod 755 $BASE_DIR/$TORBROWSER_VERSION && chmod 644 $BASE_DIR/$TORBROWSER_VERSION/*"
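Review bot: The test before signing looks inverted: `[ ! -f $TORBROWSER_VERSION/sha256sums.txt ]` runs `gpg -abs` only when the hash file is missing, which is the one case where signing cannot succeed, and skips signing whenever the file exists. Presumably the intent was to sign when the detached signature is absent, e.g. `if [ ! -f "$TORBROWSER_VERSION/sha256sums.txt.asc" ];` with `(cd "$TORBROWSER_VERSION" && gpg -abs sha256sums.txt) || exit 1` in a subshell, so the later relative `scp` path is not affected by the `cd`. The script sets `set -u` but not `set -e`, so as written a failed signing or `mkdir` step still proceeds to the upload; stopping on the first failure would keep unsigned hash files from being published.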




