richard pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits: 07898fd4 by Nicolas Vigier at 2023-11-30T11:59:45+01:00 Bug 41030: Add script to download a torbrowser/mullvadbrowser release

- - - - - 93819f81 by Nicolas Vigier at 2023-11-30T11:59:49+01:00 Bug 41030: Add make targets to unsign and compare exe files

- - - - -

6 changed files:

- Makefile - doc/MAKEFILE.txt - + projects/release/compare_windows_signed_unsigned_exe - projects/release/config - + tools/download-mullvadbrowser - + tools/download-torbrowser

Changes:

===================================== Makefile ===================================== @@ -229,6 +229,12 @@ torbrowser-dmg2mar-alpha: submodule-update tools/update-responses/download_missing_versions alpha CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha

+torbrowser-compare-windows-signed-unsigned-release: submodule-update + $(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target torbrowser + +torbrowser-compare-windows-signed-unsigned-alpha: submodule-update + $(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target torbrowser +

######################## # Base Browser Targets # @@ -557,6 +563,12 @@ mullvadbrowser-dmg2mar-alpha: submodule-update tools/update-responses/download_missing_versions alpha CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha

+mullvadbrowser-compare-windows-signed-unsigned-release: submodule-update + $(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target mullvadbrowser + +mullvadbrowser-compare-windows-signed-unsigned-alpha: submodule-update + $(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target mullvadbrowser +

############################ # Toolchain Update Targets #

===================================== doc/MAKEFILE.txt ===================================== @@ -136,3 +136,8 @@ Create update responses xml files for a signed build in the release or alpha channel. The files can be found in a tar in the directory torbrowser/{release,alpha}/update-responses.

+torbrowser-compare-windows-signed-unsigned-{release,alpha} +---------------------------------------------------------- +Unsign exe files from directory torbrowser/{release,alpha}/signed/$version +and compare them with the checksum from sha256sums-unsigned-build.txt. +

===================================== projects/release/compare_windows_signed_unsigned_exe ===================================== @@ -0,0 +1,30 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +[% IF c("var/nightly") -%] + build_dir=[% shell_quote(path(dest_dir)) %]/[% c("version") %] +[% ELSE -%] + build_dir=[% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %] +[% END -%] + +if ! test -d "$build_dir" +then + echo "Error: Directory $build_dir does not exist" 1>&2 + echo "You can download it with this command:" 1>&2 + echo " ./tools/download-[% c("var/projectname") %] [% c("var/torbrowser_version") %]" 1>&2 + exit 1 +fi + +cp -a "$build_dir"/*.exe "$build_dir"/sha256sums-unsigned-build.txt . + +tar -xf $rootdir/[% c('input_files_by_name/osslsigncode') %] + +for file in *.exe +do + ./osslsigncode/bin/osslsigncode remove-signature -in "$file" -out "unsigned-$file" > /dev/null + mv -f "unsigned-$file" "$file" + echo "Unsigned $file" +done + +grep '.exe$' sha256sums-unsigned-build.txt | sha256sum -c + +echo "Unsigned exe files are matching with sha256sums-unsigned-build.txt"

===================================== projects/release/config ===================================== @@ -263,3 +263,11 @@ steps: debug: 0 input_files: [] upload_sha256sums: '[% INCLUDE upload_sha256sums %]' + compare_windows_signed_unsigned_exe: + build_log: '-' + debug: 0 + input_files: + - project: osslsigncode + name: osslsigncode + pkg_type: build + compare_windows_signed_unsigned_exe: '[% INCLUDE compare_windows_signed_unsigned_exe %]'

===================================== tools/download-mullvadbrowser ===================================== @@ -0,0 +1 @@ +download-torbrowser \ No newline at end of file

===================================== tools/download-torbrowser ===================================== @@ -0,0 +1,100 @@ +#!/usr/bin/perl -w + +# This script downloads a torbrowser or mullvadbrowser release, checking +# its signature + +use strict; +use English; +use LWP::Simple; +use IO::CaptureOutput qw(capture_exec); +use File::Temp; +use File::Basename qw(fileparse); +use FindBin; +use File::Path qw(make_path); +use File::Copy; +use Path::Tiny; +use Digest::SHA qw(sha256_hex); + + +sub exit_error { + print STDERR "Error: ", $_[0], "\n"; + chdir '/'; + exit (exists $_[1] ? $_[1] : 1); +} + +sub gpg_verify_file { + my ($file) = @_; + if (system('gpg', '--no-default-keyring', '--keyring', + "$FindBin::Bin/../keyring/torbrowser.gpg", '--verify', + "$file.asc", + $file)) { + exit_error "Error checking gpg signature for file $file"; + } +} + +my $progname = fileparse($PROGRAM_NAME); +my ($projectname) = $progname =~ m/^download-(.+)$/; +if (@ARGV != 1) { + print STDERR "usage: $progname <version>\n"; + exit 1; +} + +my $version = $ARGV[0]; +my $version_type = $version =~ m/a/ ? 'alpha' : 'release'; +my $destdir = "$FindBin::Bin/../$projectname/$version_type/signed/$version"; +my $urldir = "https://archive.torproject.org/tor-package-archive/$projectname/$version"; + +make_path($destdir); +my $tmpdir = File::Temp->newdir(DIR => "$FindBin::Bin/../tmp"); + +foreach my $file (qw(sha256sums-signed-build.txt sha256sums-signed-build.txt.asc + sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt.asc)) { + if (getstore("$urldir/$file", "$tmpdir/$file") != 200) { + exit_error "Error downloading $urldir/$file"; + } +} +gpg_verify_file("$tmpdir/sha256sums-signed-build.txt"); +move "$tmpdir/sha256sums-signed-build.txt.asc", "$destdir/sha256sums-signed-build.txt.asc"; +move "$tmpdir/sha256sums-signed-build.txt", "$destdir/sha256sums-signed-build.txt"; +gpg_verify_file("$tmpdir/sha256sums-unsigned-build.txt"); +move "$tmpdir/sha256sums-unsigned-build.txt.asc", "$destdir/sha256sums-unsigned-build.txt.asc"; +move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt"; + +foreach my $file (qw(sha256sums-signed-build.incrementals.txt + sha256sums-signed-build.incrementals.txt.asc + sha256sums-unsigned-build.incrementals.txt + sha256sums-unsigned-build.incrementals.txt.asc)) { + if (getstore("$urldir/$file", "$tmpdir/$file") != 200) { + last; + } +} +if (-f "$tmpdir/sha256sums-signed-build.incrementals.txt.asc") { + gpg_verify_file("$tmpdir/sha256sums-signed-build.incrementals.txt"); + move "$tmpdir/sha256sums-signed-build.incrementals.txt.asc", "$destdir/sha256sums-signed-build.incrementals.txt.asc"; + move "$tmpdir/sha256sums-signed-build.incrementals.txt", "$destdir/sha256sums-signed-build.incrementals.txt"; +} +if (-f "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc") { + gpg_verify_file("$tmpdir/sha256sums-unsigned-build.incrementals.txt"); + move "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc", "$destdir/sha256sums-unsigned-build.incrementals.txt.asc"; + move "$tmpdir/sha256sums-unsigned-build.incrementals.txt", "$destdir/sha256sums-unsigned-build.incrementals.txt"; +} + +my @sha256_lines = path("$destdir/sha256sums-signed-build.txt")->lines; +push @sha256_lines, path("$destdir/sha256sums-signed-build.incrementals.txt")->lines + if -f "$destdir/sha256sums-signed-build.incrementals.txt"; +my %sums = map { chomp; reverse split ' ', $_ } @sha256_lines; + +foreach my $file (sort keys %sums) { + if (-f "$destdir/$file") { + print "Not downloading $file (already there)\n"; + next; + } + print "Downloading $file\n"; + exit_error "Error downloading $urldir/$file\n" + unless getstore("$urldir/$file", "$tmpdir/$file") == 200; + exit_error "Wrong checksum for $file" + unless $sums{$file} eq sha256_hex(path("$tmpdir/$file")->slurp); + move "$tmpdir/$file", "$destdir/$file"; +} + +print "Finished downloading $projectname $version in $destdir\n";

View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/9...