[tor-commits] [tor-browser-bundle/master] Bug 20217: check that OSX incremental MARs are made with code signing

[gk at torproject.org]

commit 9836227e4ae27123a3eb27167dc6dca13b5d1027
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Mon Oct 10 19:44:10 2016 +0200

    Bug 20217: check that OSX incremental MARs are made with code signing
    
    When updating the OSX incremental MAR files after running dmg2mar, we check
    that both the old and the new mar files contain code signing.
    
    We don't check this while creating the incremental MAR files during the
    build.
---
 gitian/Makefile                         | 4 ++--
 tools/update-responses/update_responses | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/gitian/Makefile b/gitian/Makefile
index f008834..a4a757f 100644
--- a/gitian/Makefile
+++ b/gitian/Makefile
@@ -48,12 +48,12 @@ signmars-nightly:
 dmg2mars:
 	cd $(shell ../tools/update-responses/get_channel_version release) && ../../tools/dmg2mar
 	$(TORSOCKS) ../tools/update-responses/download_missing_versions release
-	MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals release
+	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals release
 
 dmg2mars-alpha:
 	cd $(shell ../tools/update-responses/get_channel_version alpha) && ../../tools/dmg2mar
 	$(TORSOCKS) ../tools/update-responses/download_missing_versions alpha
-	MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals alpha
+	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 ../tools/update-responses/gen_incrementals alpha
 
 update_responses:
 	../tools/update-responses/update_responses release
diff --git a/tools/update-responses/update_responses b/tools/update-responses/update_responses
index 7962f69..ceba144 100755
--- a/tools/update-responses/update_responses
+++ b/tools/update-responses/update_responses
@@ -197,6 +197,12 @@ sub create_incremental_mar {
     my $tmpdir = File::Temp->newdir();
     extract_mar(mar_filename($from_version, $os, $lang), "$tmpdir/A");
     extract_mar(mar_filename($new_version, $os, $lang), "$tmpdir/B");
+    if ($ENV{CHECK_CODESIGNATURE_EXISTS}) {
+        unless (-f "$tmpdir/A/TorBrowser.app/Contents/_CodeSignature/CodeResources"
+            && -f "$tmpdir/B/TorBrowser.app/Contents/_CodeSignature/CodeResources") {
+            exit_error "Missing code signature while creating $mar_file";
+        }
+    }
     my ($out, $err, $success) = capture_exec('make_incremental_update.sh',
                                    $mar_file_path, "$tmpdir/A", "$tmpdir/B");
     if (!$success) {