[tor-commits] [builders/tor-browser-build] branch main updated: Bug 40574: Improve tools/signing/android-signing
gitolite role
git at cupani.torproject.org
Fri Aug 26 18:51:06 UTC 2022
This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch main
in repository builders/tor-browser-build.
The following commit(s) were added to refs/heads/main by this push:
new 751756c Bug 40574: Improve tools/signing/android-signing
751756c is described below
commit 751756c2e7d7239df0636bf5ac8cc22d4781cbc6
Author: Nicolas Vigier <boklm at torproject.org>
AuthorDate: Tue Jul 12 16:48:51 2022 +0200
Bug 40574: Improve tools/signing/android-signing
* use projects/android-toolchain/config to download android build-tools
* download unsigned apk files for pkgstage and upload them to pkgstage
when signed
* use set-config.android-signing
---
projects/android-toolchain/config | 21 +++++++-
tools/signing/android-signing | 93 +++++++++++++++++++++++---------
tools/signing/set-config.android-signing | 7 +++
3 files changed, 93 insertions(+), 28 deletions(-)
diff --git a/projects/android-toolchain/config b/projects/android-toolchain/config
index 57c38c1..a2f34ae 100644
--- a/projects/android-toolchain/config
+++ b/projects/android-toolchain/config
@@ -47,11 +47,13 @@ var:
sdk_tools_version: 4333796
commandlinetools_version: 7583922
commandlinetools_version_string: 5.0
+ build_tools_filename: build-tools_r31-linux.zip
+ build_tools_sha256sum: f90c22f5562638a2e00762e1711eebd55e7f0a05232b65200d387307d057bfe8
input_files:
- project: container-image
- - URL: '[% c("var/google_repo") %]/build-tools_r31-linux.zip'
+ - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
name: build_tools
- sha256sum: f90c22f5562638a2e00762e1711eebd55e7f0a05232b65200d387307d057bfe8
+ sha256sum: '[% c("var/build_tools_sha256sum") %]'
- URL: '[% c("var/google_repo") %]/build-tools_r[% c("var/version_30") %]-linux.zip'
name: build_tools_30
sha256sum: 565af786dc0cc1941002174fb945122eabd080b222cd4c7c3d9a2ae0fabf5dc4
@@ -85,3 +87,18 @@ input_files:
- URL: '[% c("var/google_repo") %]/android-ndk-r[% c("var/android_ndk_version") %][% c("var/android_ndk_revision") %]-linux-x86_64.zip'
name: android_ndk_compiler
sha256sum: dd6dc090b6e2580206c64bcee499bc16509a5d017c6952dcd2bed9072af67cbd
+steps:
+ # The get_build_tools step is used by tools/signing/android-signing
+ get_build_tools:
+ filename: 'android-[% c("var/build_tools_filename") %]'
+ get_build_tools: |
+ #!/bin/bash
+ set -e
+ mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
+ var:
+ container:
+ use_container: 0
+ input_files:
+ - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
+ name: build_tools
+ sha256sum: '[% c("var/build_tools_sha256sum") %]'
diff --git a/tools/signing/android-signing b/tools/signing/android-signing
index 7c2ee50..16610e7 100755
--- a/tools/signing/android-signing
+++ b/tools/signing/android-signing
@@ -1,23 +1,64 @@
#!/bin/bash
# Sign apk for each target architecture.
-# This script requires two command line arguments.
-# Usage: android-signing <version> <path/to/signing/key>
+# This script does not require command line argument, but it needs
+# some configuration options to be set in set-config.android-signing:
+# - ssh_host_pkgstage is the host which you use for staging packages
+# during signing. The script will download the unsigned .apk files
+# from this host, and upload the signed .apk there
+# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
+# on pkgstage
+# - android_signing_key_dir: the local path where the android signing
+# keys are located. That directory should contains files tba_alpha.p12
+# and tba_release.p12 for alpha and release signing keys.
+# The Tor Browser version is taken from set-config.tbb-version
-# In addition, hard-coding the path to an Android SDK build-tools version, as
-# BUILD_TOOLS, is required.
-
-set -x
set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.android-signing"
-VERSION=$1
-SIGNING_KEY_PATH=$2
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
-# TODO set correctly.
-BUILD_TOOLS=/path/to/build-tools/version
-export PATH="${BUILD_TOOLS}:${PATH}"
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
-ARCHS="armv7 aarch64 x86 x86_64"
+check_installed_packages() {
+ local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+ for package in $packages
+ do
+ dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+ exit_error "package $package is missing"
+ done
+}
+
+setup_build_tools() {
+ local rbm="$topdir/rbm/rbm"
+ local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
+ if ! test -f "$build_tools_zipfile"; then
+ "$rbm" build --step get_build_tools android-toolchain
+ test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
+ fi
+ local build_tools_dir=$(mktemp -d)
+ trap "rm -Rf $build_tools_dir" EXIT
+ unzip -d "$build_tools_dir" "$build_tools_zipfile"
+ test -f "$build_tools_dir"/android-12/apksigner || \
+ exit_error "$build_tools_dir/android-12/apksigner is missing"
+ export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+download_unsigned_apks() {
+ apks_dir=$(mktemp -d)
+ trap "rm -Rf $apks_dir" EXIT
+ rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
+}
+
+upload_signed_apks() {
+ rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
+ --exclude="*-unsigned.apk" "$apks_dir/" \
+ "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/"
+}
# Sign individual apk
sign_apk() {
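Review bot: The `trap "rm -Rf $build_tools_dir" EXIT` set in setup_build_tools is replaced by the `trap "rm -Rf $apks_dir" EXIT` set later in download_unsigned_apks, because bash keeps only one EXIT handler. The unpacked build-tools directory is therefore left behind in the temp dir on every run. Both traps also expand the path unquoted at the time they are set, and `local build_tools_dir=$(mktemp -d)` hides a mktemp failure from `set -e`. Registering one cleanup function once and having each function append its directory to a list addresses all three, as sketched below.

```shell
# One EXIT handler for every temporary directory the script creates.
tmp_dirs=()
cleanup_tmp_dirs() {
  if test "${#tmp_dirs[@]}" -gt 0; then
    rm -Rf -- "${tmp_dirs[@]}"
  fi
}
trap cleanup_tmp_dirs EXIT

setup_build_tools() {
  # … unchanged: rbm lookup and build of the build-tools zip …
  local build_tools_dir
  build_tools_dir=$(mktemp -d)
  tmp_dirs+=("$build_tools_dir")
  # … unchanged: unzip, apksigner presence check, PATH export …
}

download_unsigned_apks() {
  apks_dir=$(mktemp -d)
  tmp_dirs+=("$apks_dir")
  # … unchanged: rsync of the *-qa.apk files from pkgstage …
}
```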
@@ -57,7 +98,7 @@ sign_apk() {
# Step 3: Sign
# Use this command if reading key from file
- apksigner sign --verbose -ks ${SIGNING_KEY_PATH} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
+ apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
# Or, use below command if using a hardware token
# apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
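Review bot: `-ks ${android_signing_key_path}` is unquoted, so a key directory containing a space or glob character would split into several apksigner arguments. The path is now built from `android_signing_key_dir` in set-config.android-signing, so it should be written `-ks "${android_signing_key_path}"`, matching the quoted `"${SIGNED_APK}"` and `"${UNSIGNED_APK}"` on the same line. sign_apk starts and ends outside this hunk.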
@@ -81,18 +122,18 @@ sign_apk() {
# Rename and verify signing certificate
finalize() {
for arch in ${ARCHS}; do
- mv tor-browser-${VERSION}-android-${arch}-multi{-qa,}.apk
+ mv tor-browser-${tbb_version}-android-${arch}-multi{-qa,}.apk
done
for arch in ${ARCHS}; do
- verified=`apksigner verify --print-certs --verbose tor-browser-${VERSION}-android-${arch}-multi.apk`
+ verified=`apksigner verify --print-certs --verbose tor-browser-${tbb_version}-android-${arch}-multi.apk`
scheme_v1=
scheme_v2=
cert_digest=
pubkey_digest=
# Verify the expected signing key was used, Alpha verses Release based on the filename.
- if `echo ${VERSION} | grep -q a`; then
+ if test "$tbb_version_type" = "alpha"; then
scheme_v1="Verified using v1 scheme (JAR signing): true"
scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
@@ -117,15 +158,7 @@ finalize() {
echo Done.
}
-if [ -z "$VERSION" ]; then
- echo Provide version number
- exit
-fi
-
-if [ -z "${SIGNING_KEY_PATH}" ]; then
- echo Provide the path to the signing key: release or alpha
- exit
-fi
+check_installed_packages
if [ -z "$KSPASS" ]; then
echo "Enter keystore passphrase"
@@ -133,9 +166,17 @@ if [ -z "$KSPASS" ]; then
export KSPASS
fi
+setup_build_tools
+
+download_unsigned_apks
+
+cd $apks_dir
+
# Sign all packages
for arch in ${ARCHS}; do
- sign_apk tor-browser-${VERSION}-android-${arch}-multi-qa.apk
+ sign_apk tor-browser-${tbb_version}-android-${arch}-multi-qa.apk
done
finalize
+
+upload_signed_apks
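Review bot: Between `download_unsigned_apks` and the `sign_apk` loop, nothing visible checks that the `*-qa.apk` files fetched from `$ssh_host_pkgstage` are the ones the build produced, so the signing key is applied to whatever is on the staging host at that moment. If the release process already compares them against the build's published hashes elsewhere, a comment here such as `# unsigned APKs were checked against the build hashes in <step>` would record that. Otherwise, comparing each file against a locally held hash list before signing would close the gap. Separately, `cd $apks_dir` should be `cd "$apks_dir"`.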
diff --git a/tools/signing/set-config.android-signing b/tools/signing/set-config.android-signing
new file mode 100644
index 0000000..1731efc
--- /dev/null
+++ b/tools/signing/set-config.android-signing
@@ -0,0 +1,7 @@
+# The following line should be uncommented and updated:
+
+#ssh_host_pkgstage=tbbuild
+#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
+#android_signing_key_dir=/path/to/signing/key/dir
+
+var_is_defined ssh_host_pkgstage android_signing_key_dir
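Review bot: `var_is_defined` lists `ssh_host_pkgstage` and `android_signing_key_dir` but not `pkgstage_tor_browser_build_dir`, which android-signing uses in both rsync paths. If that variable is left commented out, the remote path would start at `/$tbb_version_type/signed/…` on the staging host instead of failing early. Assuming var_is_defined (defined outside this diff, presumably in the sourced `functions` file) accepts any number of names, the line should read `var_is_defined ssh_host_pkgstage pkgstage_tor_browser_build_dir android_signing_key_dir`.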
--