[tor-commits] [Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 40763: Add support for signing multiple browsers in tools/signing/nightly
boklm (@boklm)
git at gitlab.torproject.org
Mon Mar 20 17:26:29 UTC 2023
boklm pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
38099794 by Nicolas Vigier at 2023-03-20T17:29:45+01:00
Bug 40763: Add support for signing multiple browsers in tools/signing/nightly
- - - - -
3f0b4c83 by Nicolas Vigier at 2023-03-20T17:29:46+01:00
Bug 40807: Add config for basebrowser nightly signing
- - - - -
3 changed files:
- tools/signing/nightly/config.yml
- tools/signing/nightly/create-nightly-mar-signing-key
- tools/signing/nightly/sign-nightly
Changes:
=====================================
tools/signing/nightly/config.yml
=====================================
@@ -3,15 +3,22 @@ martools_version: 9.0.2
martools_url: https://archive.torproject.org/tor-package-archive/torbrowser/
martools_gpg_keyring: keyring/torbrowser.gpg
builds_url: /srv/tbb-nightlies-master.torproject.org/htdocs/nightly-builds/tor-browser-builds
-builds_url_auth_basic_username: tor-guest
-builds_url_auth_basic_password: tor-guest
-publish_dirs:
+torbrowser:
+ publish_dirs:
- nightly-linux-x86_64
- nightly-linux-i686
- nightly-windows-x86_64
- nightly-windows-i686
- nightly-macos
-nss_db_dir: nssdb
+ nss_db_dir: nssdb
+basebrowser:
+ publish_dirs:
+ - basebrowser-nightly-linux-x86_64
+ - basebrowser-nightly-linux-i686
+ - basebrowser-nightly-windows-x86_64
+ - basebrowser-nightly-windows-i686
+ - basebrowser-nightly-macos
+ nss_db_dir: nssdb-basebrowser-1
nss_certname: nightly-marsigner
gpg_keyring: keyring/torbrowser-nightly.gpg
rsync_dest: /srv/tbb-nightlies-master.torproject.org/htdocs/nightly-updates/
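Review bot: The new `torbrowser:` and `basebrowser:` sections carry no comment saying how they relate to the keys that stay at top level (`nss_certname`, `gpg_keyring`, `rsync_dest`, ...), so a reader of this file alone cannot tell that `publish_dirs` and `nss_db_dir` are looked up under the project named on the `sign-nightly` command line while everything else is shared. I would put above `torbrowser:`: `# Per-project sections: sign-nightly <project> reads a key from its section first and falls back to the top-level key of the same name.` Since both projects keep the shared `nss_certname: nightly-marsigner`, the same comment should state that each `nss_db_dir` must contain a certificate of that name, which is what `create-nightly-mar-signing-key` generates. The removal of the `tor-guest` basic-auth pair is not mentioned in either commit message; `sign-nightly` still consults `builds_url_auth_basic_username`/`password`, so a one-line note that these keys are optional (per project or global) would save the next maintainer a hunt.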
=====================================
tools/signing/nightly/create-nightly-mar-signing-key
=====================================
@@ -1,6 +1,13 @@
#!/bin/bash
set -e
-nssdb="$(dirname "$0")/nssdb"
+if test "$#" -ne 2; then
+ echo "Usage: $0 <nssdb-dir> <Browser Name>" >&2
+ echo >&2
+ echo "Example: $0 nssdb-basebrowser 'Base Browser'" >&2
+ exit 1
+fi
+nssdb="$(dirname "$0")/$1"
+BrowserName="$2"
if test -d $nssdb
then
echo "Error: $nssdb already exists" >&2
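Review bot: `$1` now feeds `$nssdb` on the `nssdb="$(dirname "$0")/$1"` line, but every later use of `$nssdb` is unquoted — `test -d $nssdb` here and `mkdir -p $nssdb`, `chmod 700 $nssdb`, `certutil -d $nssdb` in the next hunk — so an argument with whitespace or glob characters is split or expanded instead of being treated as one path; quote each use as `"$nssdb"`. The argument is also spliced in verbatim, so `../x` or an absolute path puts the database outside the script directory and the `$(dirname "$0")` prefix no longer means anything; restricting it to a plain name matches what the usage line describes: `case "$1" in ''|*/*|.*) echo "Error: <nssdb-dir> must be a plain directory name" >&2; exit 1;; esac`. The usage example says `nssdb-basebrowser` while config.yml in this same push sets `nss_db_dir: nssdb-basebrowser-1`; if the `-1` suffix is the intended naming convention the example should show it. `$BrowserName` is correctly quoted into the `-s "CN=..."` argument, though a name containing `,` or `=` would presumably be read by certutil as a further RDN — worth a comment if that case matters.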
@@ -9,5 +16,5 @@ fi
mkdir -p $nssdb
chmod 700 $nssdb
certutil -d $nssdb -N --empty-password
-certutil -d $nssdb -S -x -g 4096 -Z SHA384 -n nightly-marsigner -s "CN=Tor Browser Nightly MAR signing key" -t,,
+certutil -d $nssdb -S -x -g 4096 -Z SHA384 -n nightly-marsigner -s "CN=$BrowserName Nightly MAR signing key" -t,,
certutil -d $nssdb -L -r -n nightly-marsigner -o $nssdb/nightly-marsigner.der
=====================================
tools/signing/nightly/sign-nightly
=====================================
@@ -33,13 +33,22 @@ exit_error "Missing config file: $FindBin::Bin/config.yml"
my $config = LoadFile("$FindBin::Bin/config.yml");
my $topdir = "$FindBin::Bin/../../..";
+exit_error "Usage: sign-nightly <project>" unless @ARGV == 1;
+my $project = $ARGV[0];
+
+sub get_config {
+ my ($name) = @_;
+ return $config->{$project}{$name} if defined $config->{$project}{$name};
+ return $config->{$name};
+}
+
{
no warnings 'redefine';
sub LWP::UserAgent::get_basic_credentials {
- if ($config->{builds_url_auth_basic_username}
- && $config->{builds_url_auth_basic_password}) {
- return ( $config->{builds_url_auth_basic_username},
- $config->{builds_url_auth_basic_password} );
+ if (get_config('builds_url_auth_basic_username')
+ && get_config('builds_url_auth_basic_password')) {
+ return ( get_config('builds_url_auth_basic_username'),
+ get_config('builds_url_auth_basic_password') );
}
return ();
}
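Review bot: `get_config` silently falls back to the top-level keys when `$project` names no section in config.yml: `defined $config->{$project}{$name}` autovivifies an empty `$config->{$project}` and the sub returns `$config->{$name}`, so a mistyped project name only fails later at `@{get_config('publish_dirs')}` with an undefined-array-reference error, after `run_alone` and the start banner have already run. Validate the argument where it is read, before any `get_config` call can autovivify the key: `exit_error "Unknown project: $project" unless exists $config->{$project};` right after `my $project = $ARGV[0];`. The sub itself deserves a one-line comment on the lookup order, e.g. `# Project section first, then the top-level key of the same name.` The `LWP::UserAgent::get_basic_credentials` override continues past the end of this hunk.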
@@ -51,7 +60,7 @@ sub print_time {
}
END {
- print_time "Exiting sign-nightly (pid: $$)\n";
+ print_time "Exiting sign-nightly (pid: $$, project: $project)\n" if $project;
}
sub run_alone {
@@ -71,10 +80,8 @@ END {
}
sub get_tmpdir {
- my ($config) = @_;
- return File::Temp->newdir($config->{tmp_dir} ?
- (DIR => $config->{tmp_dir})
- : ());
+ my $tmp_dir = get_config('tmp_dir');
+ return File::Temp->newdir($tmp_dir ? (DIR => $tmp_dir) : ());
}
sub basedir_path {
@@ -83,15 +90,16 @@ sub basedir_path {
}
sub get_last_build_version {
- my ($config, $publish_dir) = @_;
+ my ($publish_dir) = @_;
my $today = 'tbb-nightly.' . DateTime->now->ymd('.');
my @last_days;
for my $i (1..5) {
my $dt = DateTime->now - DateTime::Duration->new(days => $i);
push @last_days, 'tbb-nightly.' . $dt->ymd('.');
}
+ my $builds_url = get_config('builds_url');
for my $version ($today, @last_days) {
- my $url = "$config->{builds_url}/$version/$publish_dir/sha256sums-unsigned-build.incrementals.txt";
+ my $url = "$builds_url/$version/$publish_dir/sha256sums-unsigned-build.incrementals.txt";
if ($url =~ m|^/|) {
return $version if -f $url;
} else {
@@ -115,10 +123,10 @@ sub set_current_version {
}
sub get_new_version {
- my ($config, $publish_dir) = @_;
+ my ($publish_dir) = @_;
my $today = 'tbb-nightly.' . DateTime->now->ymd('.');
my $current_ver = get_current_version($publish_dir);
- my $last_ver = get_last_build_version($config, $publish_dir);
+ my $last_ver = get_last_build_version($publish_dir);
return $last_ver unless defined($current_ver);
return undef if $current_ver eq $today;
return undef unless defined($last_ver);
@@ -147,13 +155,13 @@ sub get_file_sha256sum {
}
sub fetch_version {
- my ($config, $publish_dir, $version) = @_;
- my $tmpdir = get_tmpdir($config);
- my $urldir = "$config->{builds_url}/$version/$publish_dir";
+ my ($publish_dir, $version) = @_;
+ my $tmpdir = get_tmpdir();
+ my $urldir = get_config('builds_url') . "/$version/$publish_dir";
my $destdir = "$topdir/nightly/$publish_dir/$version";
return if -d $destdir;
- my $gpg_keyring = basedir_path($config->{gpg_keyring}, $topdir);
+ my $gpg_keyring = basedir_path(get_config('gpg_keyring'), $topdir);
for my $file (qw/sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt/) {
my $url = "$urldir/$file";
exit_error "Error getting $url"
@@ -184,17 +192,17 @@ sub fetch_version {
}
sub setup_martools {
- my ($config) = @_;
- my $martools_dir = "$FindBin::Bin/mar-tools-$config->{martools_version}";
+ my $martools_dir = "$FindBin::Bin/mar-tools-" . get_config('martools_version');
if (! -d $martools_dir) {
my $file = "mar-tools-linux64.zip";
- my $url = "$config->{martools_url}/$config->{martools_version}/$file";
- my $tmpdir = get_tmpdir($config);
+ my $url = join('/', get_config('martools_url'),
+ get_config('martools_version'), $file);
+ my $tmpdir = get_tmpdir();
exit_error "Error downloading $url"
unless getstore($url, "$tmpdir/$file") == 200;
exit_error "Error downloading $url.asc"
unless getstore("$url.asc", "$tmpdir/$file.asc") == 200;
- my $gpg_keyring = basedir_path($config->{martools_gpg_keyring}, $topdir);
+ my $gpg_keyring = basedir_path(get_config('martools_gpg_keyring'), $topdir);
exit_error "Error checking gpg signature for $url"
if system('gpg', '--no-default-keyring', '--keyring', $gpg_keyring,
'--verify', "$tmpdir/$file.asc",
@@ -212,14 +220,14 @@ sub setup_martools {
}
sub sign_version {
- my ($config, $publish_dir, $version) = @_;
- setup_martools($config);
- my $nss_db_dir = basedir_path($config->{nss_db_dir}, $FindBin::Bin);
+ my ($publish_dir, $version) = @_;
+ setup_martools();
+ my $nss_db_dir = basedir_path(get_config('nss_db_dir'), $FindBin::Bin);
for my $marfile (path("$topdir/nightly/$publish_dir/$version")->children(qr/\.mar$/)) {
print "Signing $marfile\n";
exit_error "Error signing $marfile"
unless system('signmar', '-d', $nss_db_dir, '-n',
- $config->{nss_certname}, '-s', $marfile,
+ get_config('nss_certname'), '-s', $marfile,
"$marfile-signed") == 0;
move("$marfile-signed", $marfile);
}
@@ -232,7 +240,7 @@ sub get_buildinfos {
}
sub update_responses {
- my ($config, $publish_dir, $version) = @_;
+ my ($publish_dir, $version) = @_;
my $ur_config = LoadFile("$FindBin::Bin/update-responses-base-config.yml");
$ur_config->{download}{mars_url} .= "/$publish_dir";
$ur_config->{releases_dir} = "$topdir/nightly/$publish_dir";
@@ -253,7 +261,7 @@ sub update_responses {
}
sub remove_oldversions {
- my ($config, $publish_dir, $version) = @_;
+ my ($publish_dir, $version) = @_;
for my $dir (path("$topdir/nightly/$publish_dir")->children) {
my ($filename) = fileparse($dir);
next if $filename eq $version;
@@ -262,27 +270,27 @@ sub remove_oldversions {
}
sub sync_dest {
- my ($config) = @_;
exit_error "Error running rsync"
if system('rsync', '-aH', '--delete-after',
- "$topdir/nightly/", "$config->{rsync_dest}/");
- if ($config->{post_rsync_cmd}) {
- exit_error "Error running $config->{post_rsync_cmd}"
- if system($config->{post_rsync_cmd});
+ "$topdir/nightly/", get_config('rsync_dest') . '/');
+ my $post_rsync_cmd = get_config('post_rsync_cmd');
+ if ($post_rsync_cmd) {
+ exit_error "Error running $post_rsync_cmd"
+ if system($post_rsync_cmd);
}
}
-print_time "Starting sign-nightly (pid: $$)\n";
+print_time "Starting sign-nightly (pid: $$, project: $project)\n";
run_alone;
my $some_updates = 0;
-foreach my $publish_dir (@{$config->{publish_dirs}}) {
- my $new_version = get_new_version($config, $publish_dir);
+foreach my $publish_dir (@{get_config('publish_dirs')}) {
+ my $new_version = get_new_version($publish_dir);
next unless $new_version;
- fetch_version($config, $publish_dir, $new_version);
- sign_version($config, $publish_dir, $new_version);
- update_responses($config, $publish_dir, $new_version);
+ fetch_version($publish_dir, $new_version);
+ sign_version($publish_dir, $new_version);
+ update_responses($publish_dir, $new_version);
set_current_version($publish_dir, $new_version);
- remove_oldversions($config, $publish_dir, $new_version);
+ remove_oldversions($publish_dir, $new_version);
$some_updates = 1;
}
-sync_dest($config) if $some_updates;
+sync_dest() if $some_updates;
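Review bot: With two projects now driving the same script, `sync_dest` still rsyncs the whole shared `$topdir/nightly/` tree with `--delete-after` to the single `rsync_dest`, so a `basebrowser` run also re-publishes the `torbrowser` directories (or removes them from the destination if they are absent locally) and vice versa. Whether two such runs can interleave depends on `run_alone`, whose body is outside this hunk; if its lock is not independent of `$project`, the caller has to serialise the two invocations. A comment above the `foreach` would make the assumption explicit: `# All projects share $topdir/nightly and rsync_dest; runs for different projects must not overlap (see run_alone).`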