[tor-commits] [tor-browser-spec/master] Bug 21249: Update release process documentation

gk at torproject.org gk at torproject.org
Fri Jun 16 11:16:03 UTC 2017


commit a6a9e1a534e8d14f511401f7cbd915f410ad2174
Author: Georg Koppen <gk at torproject.org>
Date:   Fri Jun 16 11:07:13 2017 +0000

    Bug 21249: Update release process documentation
    
    We add instructions covering our signing procedures
---
 processes/ReleaseProcess | 59 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 49 insertions(+), 10 deletions(-)

diff --git a/processes/ReleaseProcess b/processes/ReleaseProcess
index e4d261e..55c31a4 100644
--- a/processes/ReleaseProcess
+++ b/processes/ReleaseProcess
@@ -70,29 +70,68 @@
    # For stable releases put tails-dev at boum.org into Cc
 
 #. Code Sign the OS X dmg files:
-   # XXX: Document
+   torsocks ssh mac-signer "mkdir $TORBROWSER_VERSION"
+   torsocks rsync -avP $TORBROWSER_BUILDDIR/*.dmg mac-signer:$TORBROWSER_VERSION/
+   torsocks ssh mac-signer
+   # Unlock the keychain and then...
+   cd $TORBROWSER_VERSION
+   # Sign the bundles
+   ../gatekeeper-signing.sh $TORBROWSER_VERSION
+   # Check that it worked
+   tar xf torbrowser-$TORBROWSER_VERSION-osx_zh-CN-signed.tar.bz2
+   spctl -a -t exec -vv TorBrowser.app/
+   rm -rf TorBrowser.app
+   exit
+   torsocks rsync -avP mac-signer:$TORBROWSER_VERSION/*.bz2 .
 
 #. Regenerate OS X MAR files from code signed dmg files
+   # XXX Go to your directory prepared for recreating the .dmg files and containing
+   # the uploaded .bz2 files
+   ./gatekeeper-bundling.sh $TORBROWSER_VERSION
+   rsync -avP *.dmg $TORBROWSER_BUILDDIR/
+   cd $TORBROWSER_BUILDDIR/..
    # The code signed dmg files should be in the $TORBROWSER_VERSION directory
    # Install a recent p7zip version (see ../tools/dmg2mar for instructions)
    make dmg2mars # or dmg2mars-alpha
 
 #. Sign the MAR update files
-   # First, copy the torbrowser tree to removable storage:
-   rsync -avP $TORBROWSER_BUILDDIR/../../../ /media/storage/TBB/
-   # Then, remove storage, attach to offline computer that houses TBB signing key.
-   # Run the following from that rsync'ed removable storage dir:
+   # First, copy the torbrowser tree to the signing machine:
+   torsocks rsync -avP $TORBROWSER_BUILDDIR/../../../ signing-machine
+   torsocks ssh signing-machine "mkdir tor-browser-bundle/gitian/$TORBROWSER_VERSION"
+   torsocks rsync -avP $TORBROWSER_BUILDDIR/*.mar signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/
+   torsocks ssh signing-machine
+   cd tor-browser-bundle/gitian
+   # XXX Modify the signmars.sh script to comment out the eval call.
+   export TORBROWSER_VERSION=$TORBROWSER_VERSION
    export NSS_DB_DIR=/path/to/nssdb
    # Only needed if you are not owner of the marsigner cert
    export NSS_CERTNAME=your_certname
    make signmars
-   # Now, re-attach storage to the online computer, and sync the signed
-   # results to a version-only directory (without the build number)
-   torsocks ssh people.torproject.org "cp -a public_html/builds/$TORBROWSER_BUILDDIR public_html/builds/$TORBROWSER_VERSION"
-   torsocks rsync -avP /media/storage/TBB/tor-browser-bundle/gitian/$TORBROWSER_BUILDDIR/*.mar people.torproject.org:public_html/builds/$TORBROWSER_VERSION
+   exit
+   torsocks rsync -avP signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/*.mar $TORBROWSER_BUILDDIR/
 
 #. Sign individual bundle files:
-   # XXX: Document
+   # Authenticode signing first
+   torsocks ssh windows-signing-machine "mkdir tor-browser-bundle/gitian/$TORBROWSER_VERSION"
+   torsocks rsync -avP $TORBROWSER_BUILDDIR/*.exe windows-signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/
+   torsocks ssh windows-signing-machine
+   cd tor-browser-bundle/gitian/$TORBROWSER_VERSION
+   /path/to/authenticode-signing.sh
+   exit
+   torsocks rsync -avP window-signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/*.mar $TORBROWSER_BUILDDIR/
+   # Authenticode timestamping next
+   cd $TORBROWSER_BUILDDIR
+   export OSSLSIGNCODE=/path/to/osslsigncode
+   /path/to/authenticode-timestamping.sh
+
+   # All the GPG signatures at last
+   torsocks rsync -avP $TORBROWSER_BUILDDIR/* signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/
+   cd tor-browser-bundle/gitian/$TORBROWSER_VERSION
+   /path/to/tbb-signing.sh
+   exit
+
+#. Sync to people.torproject.org
+   torsocks rsync -avP $TORBROWSER_VERSION/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR
 
 #. Clear out old builds, transfer builds to staticiforme
 #. Remote:
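Review bot: In the Authenticode step the copy-back line pulls `*.mar` from `window-signing-machine`, while the files uploaded and signed in that step are `*.exe` on `windows-signing-machine`; as written the rsync either fails on the unknown host alias or, once only the host is corrected, leaves the unsigned installers in `$TORBROWSER_BUILDDIR` for the timestamping and GPG steps, so it should read `torsocks rsync -avP windows-signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/*.exe $TORBROWSER_BUILDDIR/`. Two similar slips are visible: in the MAR step `torsocks rsync -avP $TORBROWSER_BUILDDIR/../../../ signing-machine` has no `:` after the host, so rsync writes to a local directory named `signing-machine` (presumably `signing-machine:` was meant), and the GPG block runs `cd` and `exit` without a preceding `torsocks ssh signing-machine` and shows no rsync bringing the signatures back before the sync to people.torproject.org. Only the OS X step has a "Check that it worked" command; an equivalent verification of the returned files after the MAR, Authenticode and GPG steps would catch a transfer that brought back unsigned or stale artifacts. The numbered step list continues outside the hunk at both ends, so later steps may already cover part of this.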




