GitLab

at 2023-11-30T11:59:45+01:00

Bug 41030: Add script to download a torbrowser/mullvadbrowser release

Bug 41030: Add make targets to unsign and compare exe files

 	tools/update-responses/download_missing_versions alpha

 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha

+torbrowser-compare-windows-signed-unsigned-release: submodule-update

+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target torbrowser

+

+torbrowser-compare-windows-signed-unsigned-alpha: submodule-update

+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target torbrowser

+

 ########################

 # Base Browser Targets #

 	tools/update-responses/download_missing_versions alpha

 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha

+mullvadbrowser-compare-windows-signed-unsigned-release: submodule-update

+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target mullvadbrowser

+

+mullvadbrowser-compare-windows-signed-unsigned-alpha: submodule-update

+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target mullvadbrowser

+

 ############################

 # Toolchain Update Targets #

 alpha channel. The files can be found in a tar in the directory

 torbrowser/{release,alpha}/update-responses.

+torbrowser-compare-windows-signed-unsigned-{release,alpha}

+----------------------------------------------------------

+Unsign exe files from directory torbrowser/{release,alpha}/signed/$version

+and compare them with the checksum from sha256sums-unsigned-build.txt.

+
+#!/bin/bash

+[% c("var/set_default_env") -%]

+[% IF c("var/nightly") -%]

+  build_dir=[% shell_quote(path(dest_dir)) %]/[%  c("version") %]

+[% ELSE -%]

+  build_dir=[% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]

+[% END -%]

+

+if ! test -d "$build_dir"

+then

+  echo "Error: Directory $build_dir does not exist" 1>&2

+  echo "You can download it with this command:" 1>&2

+  echo " ./tools/download-[% c("var/projectname") %] [% c("var/torbrowser_version") %]" 1>&2

+  exit 1

+fi

+

+cp -a "$build_dir"/*.exe "$build_dir"/sha256sums-unsigned-build.txt .

+

+tar -xf $rootdir/[% c('input_files_by_name/osslsigncode') %]

+

+for file in *.exe

+do

+  ./osslsigncode/bin/osslsigncode remove-signature -in "$file" -out "unsigned-$file" > /dev/null

+  mv -f "unsigned-$file" "$file"

+  echo "Unsigned $file"

+done

+

+grep '\.exe$' sha256sums-unsigned-build.txt | sha256sum -c

+

+echo "Unsigned exe files are matching with sha256sums-unsigned-build.txt"
     debug: 0

     input_files: []

     upload_sha256sums: '[% INCLUDE upload_sha256sums %]'

+  compare_windows_signed_unsigned_exe:

+    build_log: '-'

+    debug: 0

+    input_files:

+      - project: osslsigncode

+        name: osslsigncode

+        pkg_type: build

+    compare_windows_signed_unsigned_exe: '[% INCLUDE compare_windows_signed_unsigned_exe %]'
+download-torbrowser
+#!/usr/bin/perl -w

+

+# This script downloads a torbrowser or mullvadbrowser release, checking

+# its signature

+

+use strict;

+use English;

+use LWP::Simple;

+use IO::CaptureOutput qw(capture_exec);

+use File::Temp;

+use File::Basename qw(fileparse);

+use FindBin;

+use File::Path qw(make_path);

+use File::Copy;

+use Path::Tiny;

+use Digest::SHA qw(sha256_hex);

+

+

+sub exit_error {

+  print STDERR "Error: ", $_[0], "\n";

+  chdir '/';

+  exit (exists $_[1] ? $_[1] : 1);

+}

+

+sub gpg_verify_file {

+  my ($file) = @_;

+  if (system('gpg', '--no-default-keyring', '--keyring',

+      "$FindBin::Bin/../keyring/torbrowser.gpg", '--verify',

+      "$file.asc",

+      $file)) {

+    exit_error "Error checking gpg signature for file $file";

+  }

+}

+

+my $progname = fileparse($PROGRAM_NAME);

+my ($projectname) = $progname =~ m/^download-(.+)$/;

+if (@ARGV != 1) {

+  print STDERR "usage: $progname <version>\n";

+  exit 1;

+}

+

+my $version = $ARGV[0];

+my $version_type = $version =~ m/a/ ? 'alpha' : 'release';

+my $destdir = "$FindBin::Bin/../$projectname/$version_type/signed/$version";

+my $urldir = "https://archive.torproject.org/tor-package-archive/$projectname/$version";

+

+make_path($destdir);

+my $tmpdir = File::Temp->newdir(DIR => "$FindBin::Bin/../tmp");

+

+foreach my $file (qw(sha256sums-signed-build.txt sha256sums-signed-build.txt.asc

+                     sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt.asc)) {

+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {

+    exit_error "Error downloading $urldir/$file";

+  }

+}

+gpg_verify_file("$tmpdir/sha256sums-signed-build.txt");

+move "$tmpdir/sha256sums-signed-build.txt.asc", "$destdir/sha256sums-signed-build.txt.asc";

+move "$tmpdir/sha256sums-signed-build.txt", "$destdir/sha256sums-signed-build.txt";

+gpg_verify_file("$tmpdir/sha256sums-unsigned-build.txt");

+move "$tmpdir/sha256sums-unsigned-build.txt.asc", "$destdir/sha256sums-unsigned-build.txt.asc";

+move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt";

+

+foreach my $file (qw(sha256sums-signed-build.incrementals.txt

+                     sha256sums-signed-build.incrementals.txt.asc

+                     sha256sums-unsigned-build.incrementals.txt

+                     sha256sums-unsigned-build.incrementals.txt.asc)) {

+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {

+    last;

+  }

+}

+if (-f "$tmpdir/sha256sums-signed-build.incrementals.txt.asc") {

+  gpg_verify_file("$tmpdir/sha256sums-signed-build.incrementals.txt");

+  move "$tmpdir/sha256sums-signed-build.incrementals.txt.asc", "$destdir/sha256sums-signed-build.incrementals.txt.asc";

+  move "$tmpdir/sha256sums-signed-build.incrementals.txt", "$destdir/sha256sums-signed-build.incrementals.txt";

+}

+if (-f "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc") {

+  gpg_verify_file("$tmpdir/sha256sums-unsigned-build.incrementals.txt");

+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc", "$destdir/sha256sums-unsigned-build.incrementals.txt.asc";

+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt", "$destdir/sha256sums-unsigned-build.incrementals.txt";

+}

+

+my @sha256_lines = path("$destdir/sha256sums-signed-build.txt")->lines;

+push @sha256_lines, path("$destdir/sha256sums-signed-build.incrementals.txt")->lines

+    if -f "$destdir/sha256sums-signed-build.incrementals.txt";

+my %sums = map { chomp; reverse split '  ', $_ } @sha256_lines;

+

+foreach my $file (sort keys %sums) {

+  if (-f "$destdir/$file") {

+    print "Not downloading $file (already there)\n";

+    next;

+  }

+  print "Downloading $file\n";

+  exit_error "Error downloading $urldir/$file\n"

+    unless getstore("$urldir/$file", "$tmpdir/$file") == 200;

+  exit_error "Wrong checksum for $file"

+    unless $sums{$file} eq sha256_hex(path("$tmpdir/$file")->slurp);

+  move "$tmpdir/$file", "$destdir/$file";

+}

+

+print "Finished downloading $projectname $version in $destdir\n";

richard pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

6 changed files:

Changes:

	1	+download-torbrowser
		\ No newline at end of file