richard pushed to branch maint-13.0 at The Tor Project / Applications / tor-browser-build

Commits:

6 changed files:

Changes:

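--- a/Makefile
+++ b/Makefile
@@ -233,6 +233,12 @@ torbrowser-dmg2mar-alpha: submodule-update
 	$(rbm) build release --step link_old_mar_filenames --target alpha --target torbrowser
 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
 
+torbrowser-compare-windows-signed-unsigned-release: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target torbrowser
+
+torbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target torbrowser
+
 
 ########################
 # Base Browser Targets #
@@ -565,6 +571,12 @@ mullvadbrowser-dmg2mar-alpha: submodule-update
 	$(rbm) build release --step link_old_mar_filenames --target alpha --target mullvadbrowser
 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
 
+mullvadbrowser-compare-windows-signed-unsigned-release: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target mullvadbrowser
+
+mullvadbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target mullvadbrowser
+
 
 ############################
 # Toolchain Update Targets #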

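--- a/doc/MAKEFILE.txt
+++ b/doc/MAKEFILE.txt
@@ -136,3 +136,8 @@ Create update responses xml files for a signed build in the release or
 alpha channel. The files can be found in a tar in the directory
 torbrowser/{release,alpha}/update-responses.
 
+torbrowser-compare-windows-signed-unsigned-{release,alpha}
+----------------------------------------------------------
+Unsign exe files from directory torbrowser/{release,alpha}/signed/$version
+and compare them with the checksum from sha256sums-unsigned-build.txt.
+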

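--- a/projects/release/compare_windows_signed_unsigned_exe
+++ b/projects/release/compare_windows_signed_unsigned_exe
+#!/bin/bash
+[% c("var/set_default_env") -%]
+[% IF c("var/nightly") -%]
+  build_dir=[% shell_quote(path(dest_dir)) %]/[%  c("version") %]
+[% ELSE -%]
+  build_dir=[% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]
+[% END -%]
+
+if ! test -d "$build_dir"
+then
+  echo "Error: Directory $build_dir does not exist" 1>&2
+  echo "You can download it with this command:" 1>&2
+  echo " ./tools/download-[% c("var/projectname") %] [% c("var/torbrowser_version") %]" 1>&2
+  exit 1
+fi
+
+cp -a "$build_dir"/*.exe "$build_dir"/sha256sums-unsigned-build.txt .
+
+tar -xf $rootdir/[% c('input_files_by_name/osslsigncode') %]
+
+for file in *.exe
+do
+  ./osslsigncode/bin/osslsigncode remove-signature -in "$file" -out "unsigned-$file" > /dev/null
+  mv -f "unsigned-$file" "$file"
+  echo "Unsigned $file"
+done
+
+grep '\.exe$' sha256sums-unsigned-build.txt | sha256sum -c
+
+echo "Unsigned exe files are matching with sha256sums-unsigned-build.txt"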
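Review bot: The reference file `sha256sums-unsigned-build.txt` is copied by `cp -a "$build_dir"/*.exe "$build_dir"/sha256sums-unsigned-build.txt .` from the same signed directory as the executables under test, and this step never checks its `.asc` signature, so the comparison is only as trustworthy as whatever populated that directory. If the intent is to detect changes introduced during signing, consider taking the checksums from the locally built unsigned output, or at least record the assumption with a comment such as `# sha256sums-unsigned-build.txt must already be GPG-verified (tools/download-* does this)`. The final `grep '\.exe$' sha256sums-unsigned-build.txt | sha256sum -c` also covers only the names listed in that file, so an extra `.exe` in the directory has its signature removed in the loop but is never compared. A guard like `test "$(ls *.exe | wc -l)" -eq "$(grep -c '\.exe$' sha256sums-unsigned-build.txt)"` before the final `echo` would close that gap.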

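--- a/projects/release/config
+++ b/projects/release/config
@@ -263,3 +263,11 @@ steps:
     debug: 0
     input_files: []
     dmg2mar: '[% INCLUDE dmg2mar %]'
+  compare_windows_signed_unsigned_exe:
+    build_log: '-'
+    debug: 0
+    input_files:
+      - project: osslsigncode
+        name: osslsigncode
+        pkg_type: build
+    compare_windows_signed_unsigned_exe: '[% INCLUDE compare_windows_signed_unsigned_exe %]'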

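--- a/tools/download-mullvadbrowser
+++ b/tools/download-mullvadbrowser
+download-torbrowser
\ No newline at end of file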

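--- a/tools/download-torbrowser
+++ b/tools/download-torbrowser
+#!/usr/bin/perl -w
+
+# This script downloads a torbrowser or mullvadbrowser release, checking
+# its signature
+
+use strict;
+use English;
+use LWP::Simple;
+use IO::CaptureOutput qw(capture_exec);
+use File::Temp;
+use File::Basename qw(fileparse);
+use FindBin;
+use File::Path qw(make_path);
+use File::Copy;
+use Path::Tiny;
+use Digest::SHA qw(sha256_hex);
+
+
+sub exit_error {
+  print STDERR "Error: ", $_[0], "\n";
+  chdir '/';
+  exit (exists $_[1] ? $_[1] : 1);
+}
+
+sub gpg_verify_file {
+  my ($file) = @_;
+  if (system('gpg', '--no-default-keyring', '--keyring',
+      "$FindBin::Bin/../keyring/torbrowser.gpg", '--verify',
+      "$file.asc",
+      $file)) {
+    exit_error "Error checking gpg signature for file $file";
+  }
+}
+
+my $progname = fileparse($PROGRAM_NAME);
+my ($projectname) = $progname =~ m/^download-(.+)$/;
+if (@ARGV != 1) {
+  print STDERR "usage: $progname <version>\n";
+  exit 1;
+}
+
+my $version = $ARGV[0];
+my $version_type = $version =~ m/a/ ? 'alpha' : 'release';
+my $destdir = "$FindBin::Bin/../$projectname/$version_type/signed/$version";
+my $urldir = "https://archive.torproject.org/tor-package-archive/$projectname/$version";
+
+make_path($destdir);
+my $tmpdir = File::Temp->newdir(DIR => "$FindBin::Bin/../tmp");
+
+foreach my $file (qw(sha256sums-signed-build.txt sha256sums-signed-build.txt.asc
+                     sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt.asc)) {
+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+    exit_error "Error downloading $urldir/$file";
+  }
+}
+gpg_verify_file("$tmpdir/sha256sums-signed-build.txt");
+move "$tmpdir/sha256sums-signed-build.txt.asc", "$destdir/sha256sums-signed-build.txt.asc";
+move "$tmpdir/sha256sums-signed-build.txt", "$destdir/sha256sums-signed-build.txt";
+gpg_verify_file("$tmpdir/sha256sums-unsigned-build.txt");
+move "$tmpdir/sha256sums-unsigned-build.txt.asc", "$destdir/sha256sums-unsigned-build.txt.asc";
+move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt";
+
+foreach my $file (qw(sha256sums-signed-build.incrementals.txt
+                     sha256sums-signed-build.incrementals.txt.asc
+                     sha256sums-unsigned-build.incrementals.txt
+                     sha256sums-unsigned-build.incrementals.txt.asc)) {
+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+    last;
+  }
+}
+if (-f "$tmpdir/sha256sums-signed-build.incrementals.txt.asc") {
+  gpg_verify_file("$tmpdir/sha256sums-signed-build.incrementals.txt");
+  move "$tmpdir/sha256sums-signed-build.incrementals.txt.asc", "$destdir/sha256sums-signed-build.incrementals.txt.asc";
+  move "$tmpdir/sha256sums-signed-build.incrementals.txt", "$destdir/sha256sums-signed-build.incrementals.txt";
+}
+if (-f "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc") {
+  gpg_verify_file("$tmpdir/sha256sums-unsigned-build.incrementals.txt");
+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc", "$destdir/sha256sums-unsigned-build.incrementals.txt.asc";
+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt", "$destdir/sha256sums-unsigned-build.incrementals.txt";
+}
+
+my @sha256_lines = path("$destdir/sha256sums-signed-build.txt")->lines;
+push @sha256_lines, path("$destdir/sha256sums-signed-build.incrementals.txt")->lines
+    if -f "$destdir/sha256sums-signed-build.incrementals.txt";
+my %sums = map { chomp; reverse split '  ', $_ } @sha256_lines;
+
+foreach my $file (sort keys %sums) {
+  if (-f "$destdir/$file") {
+    print "Not downloading $file (already there)\n";
+    next;
+  }
+  print "Downloading $file\n";
+  exit_error "Error downloading $urldir/$file\n"
+    unless getstore("$urldir/$file", "$tmpdir/$file") == 200;
+  exit_error "Wrong checksum for $file"
+    unless $sums{$file} eq sha256_hex(path("$tmpdir/$file")->slurp);
+  move "$tmpdir/$file", "$destdir/$file";
+}
+
+print "Finished downloading $projectname $version in $destdir\n";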
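Review bot: A file that already exists in `$destdir` is skipped at `if (-f "$destdir/$file")` without being checked against `%sums`, so a truncated or modified file left by an earlier run is treated as verified while freshly downloaded files are hashed. Hash the existing file before skipping, e.g. `exit_error "Wrong checksum for existing $file" unless $sums{$file} eq sha256_hex(path("$destdir/$file")->slurp);` placed ahead of the `next`. The return values of the `move` calls are also ignored: if moving `sha256sums-signed-build.txt` fails, `path("$destdir/sha256sums-signed-build.txt")->lines` would read whatever older copy is already there, which was not verified in this run, so `move ... or exit_error ...` is worth adding. Finally, `$version` from `@ARGV` goes unvalidated into `$destdir` and `make_path`, and `$projectname` is undef when the script runs under a name that does not match `download-(.+)`; an anchored check along the lines of `$version =~ m/\A[0-9][0-9a-z.]*\z/` before the paths are built would reject values containing `/`.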