[tor-commits] [tor-browser-build/master] Bug 32895: Improve MAR-signing check script

sysrqb at torproject.org sysrqb at torproject.org
Mon Jun 22 17:16:44 UTC 2020


commit a3c272d2e53ea60c1a596bc25189e6f63a535471
Author: Georg Koppen <gk at torproject.org>
Date:   Sat May 23 20:37:55 2020 +0000

    Bug 32895: Improve MAR-signing check script
    
    We improve the script in the following ways:
    
    1) Properly check the signature of the MAR files
    2) Take #20254 into account
    3) Fix all issues `shellcheck` found
---
 tools/marsigning_check.sh | 127 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 91 insertions(+), 36 deletions(-)

diff --git a/tools/marsigning_check.sh b/tools/marsigning_check.sh
index 3e58249..fb5e4f6 100755
--- a/tools/marsigning_check.sh
+++ b/tools/marsigning_check.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2019, The Tor Project, Inc.
+# Copyright (c) 2020, The Tor Project, Inc.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -33,9 +33,20 @@
 # Usage:
 # 1) Let SIGNMAR point to your signmar binary
 # 2) Let LD_LIBRARY_PATH point to the mar-tools directory
-# 3) Change into the directory containing the MAR files and the
+# 3) Let NSS_DB_DIR point to the directory containing the database with the
+#    signing certificate to check against.
+#
+#    To create the database to use for signature checking import the
+#    release*.der certificate of your choice found in
+#    toolkit/mozapps/update/updater by issuing the following commands:
+#
+#    mkdir nssdb
+#    certutil -d nssdb -N --empty-password
+#    certutil -A -n "marsigner" -t,, -d nssdb -i /path/to/.der
+#
+# 4) Change into the directory containing the MAR files and the
 #    sha256sums-unsigned-build.txt/sha256sums-unsigned-build.incrementals.txt.
-# 4) Run /path/to/marsigning_check.sh
+# 5) Run /path/to/marsigning_check.sh
 
 if [ -z "$SIGNMAR" ]
 then
@@ -49,60 +60,104 @@ then
   exit 1
 fi
 
-UNSIGNED_MARS=0
-BADSIGNED_MARS=0
+if [ -z "$NSS_DB_DIR" ]
+then
+  echo "The path to your nssdb directory is missing!"
+  exit 1
+fi
+
+unsigned_mars=0
+badsigned_mars=0
+not_reproduced_mars=0
+# XXX: Stripping the signature of signed macOS MAR files is currently not
+# expected to be reproducible, see: #20254.
+not_reproduced_mars_expected=0
 
 mkdir tmp
 
-for f in `ls *.mar`; do
+for f in *.mar; do
   case $f in
-    *.incremental.mar) SHA256_TXT=`grep "$f" \
-      sha256sums-unsigned-build.incrementals.txt`;;
-    *) SHA256_TXT=`grep "$f" sha256sums-unsigned-build.txt`;;
+    *.incremental.mar) sha256_txt=$(grep "$f" \
+      sha256sums-unsigned-build.incrementals.txt);;
+    *) sha256_txt=$(grep "$f" sha256sums-unsigned-build.txt);;
   esac
 
-  # Test 1: Is the .mar file still unsigned? I.e. does its SHA-256 sum still
-  # match the one we had before we signed it? If so, notify us later and exit.
-  if [ "$SHA256_TXT" = "`sha256sum $f`" ]
+  # Test 1: Is the MAR file correctly signed?
+  echo "Verifying the MAR signature of $f..."
+  if ! $SIGNMAR -d "$NSS_DB_DIR" -n marsigner -v "$f"
   then
-    echo "$f has still the SHA-256 sum of the unsigned MAR file!"
-    UNSIGNED_MARS=`expr $UNSIGNED_MARS + 1`
+    # Something went wrong. Let's figure out what.
+    if [ "$sha256_txt" = "$(sha256sum "$f")" ]
+    then
+      echo "$f has still the SHA-256 sum of the unsigned MAR file!"
+      unsigned_mars=$((unsigned_mars + 1))
+    else
+      echo "$f is either signed with the wrong key or the signature is" \
+           "corrupted!"
+      badsigned_mars=$((badsigned_mars +1))
+    fi
   fi
 
-  # Test 2: Do we get the old SHA-256 sum after stripping the MAR signature? If
-  # not, notify us later and exit.
-  if [ "$UNSIGNED_MARS" = "0" ]
+  # Test 2: Do we get the old SHA-256 sum after stripping the MAR signature? We
+  # want to have a test for that to be sure we've the signed MAR files in front
+  # of us which we actually want to ship to our users.
+  if [ "$unsigned_mars" = "0" ] && [ "$badsigned_mars" = "0" ]
   then
-    # At least we seem to have attempted to sign the MAR file. Let's see if we
-    # succeeded by stripping the signature. This behavior is reproducible.
-    # Thus, we know if we don't get the same SHA-256 sum we did not sign the
-    # bundle correctly.
-    echo "Trying to strip the MAR signature of $f..."
-    ${SIGNMAR} -r $f tmp/$f
-    cd tmp
-    if ! [ "$SHA256_TXT" = "`sha256sum $f`" ]
+    # At least we seem to have succeeded in signing the MAR file. Let's see if
+    # it is the expected one.
+    echo "Checking the SHA-256 sum of the stripped $f..."
+    ${SIGNMAR} -r "$f" tmp/"$f"
+    cd tmp || exit 1
+    if ! [ "$sha256_txt" = "$(sha256sum "$f")" ]
     then
-      echo "$f does not have the SHA-256 sum of the unsigned MAR file!"
-      BADSIGNED_MARS=`expr $BADSIGNED_MARS + 1`
+      not_reproduced_mars=$((not_reproduced_mars + 1))
+      case "$f" in
+        *osx64*)
+          not_reproduced_mars_expected=$((not_reproduced_mars_expected + 1))
+          ;;
+        *) echo "$f does not have the SHA-256 sum of the unsigned MAR file!"
+          ;;
+      esac
     fi
-    rm $f
+    rm "$f"
     cd ..
   fi
+  echo ""
 done
 
 rm -rf tmp/
 
-if ! [ "$UNSIGNED_MARS" = "0" ]
+if ! [ "$unsigned_mars" = "0" ] || ! [ "$badsigned_mars" = "0" ]
 then
-  echo "We got $UNSIGNED_MARS unsigned MAR file(s), exiting..."
+  echo "We got:"
+  if ! [ "$unsigned_mars" = "0" ]
+  then
+    echo "$unsigned_mars unsigned MAR file(s)"
+  fi
+  if ! [ "$badsigned_mars" = "0" ]
+  then
+    echo "$badsigned_mars badly signed MAR file(s)"
+  fi
+  echo "exiting..."
   exit 1
 fi
 
-if ! [ "$BADSIGNED_MARS" = "0" ]
+if ! [ "$not_reproduced_mars" = "0" ]
 then
-  echo "We got $BADSIGNED_MARS badly signed MAR file(s), exiting..."
-  exit 1
+  echo "We got $not_reproduced_mars non-matching, signed MAR files."
+  if [ "$not_reproduced_mars" -eq "$not_reproduced_mars_expected" ]
+  then
+    echo "This is currently expected as we got the same amount of" \
+         "non-matching macOS MAR files."
+    echo "The signatures and non-macOS MAR files are fine."
+    exit 0
+  else
+    echo "This is currently unexpected as we only got" \
+         "$not_reproduced_mars_expected non-matching macOS MAR files," \
+         "exiting..."
+    exit 1
+  fi
+else
+  echo "The signatures and MAR files are fine."
+  exit 0
 fi
-
-echo "The signatures are fine."
-exit 0





More information about the tor-commits mailing list