[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [Git][tpo/applications/tor-browser-build][main] Bug 41093: Add a patch to unsign APKs.

Title: GitLab

Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

  • ede46581
    by Pier Angelo Vendrame at 2024-02-27T12:27:17+01:00 
    Bug 41093: Add a patch to unsign APKs.

Currently, we sign the APKs that were already signed with the QA key.
However, this makes it impossible to copy our signature on top of APKs
built independently, which would be the last step to reproduce our
builds.

With this commit, we provide a patch to go back to the unsigned (but
already aligned) APK, so that we can keep shipping QA-signed APKs for
testers, but we can go back to the unsigned APK for the final signing.

The changes to apply this patch in the signing scripts will be part of
another commit.

4 changed files:

Changes:

  • README
    ... ... @@ -54,7 +54,7 @@ If you are running Fedora, CentOS or RHEL, you can install them with:
    54 54 
                   "perl(Template)" "perl(IO::Handle)" "perl(Capture::Tiny)" \
    55 55 
                   "perl(JSON)" "perl(File::Temp)" "perl(Path::Tiny)" \
    56 56 
                   "perl(File::Path)" "perl(File::Slurp)" \
    57 
    -              "perl(File::Copy::Recursive)" "perl(String::ShellQuote)"
    57 
    +              "perl(File::Copy::Recursive)" "perl(String::ShellQuote)" \
    58 58 
                   "perl(Sort::Versions)" "perl(Digest::SHA)" "perl(Data::UUID)" \
    59 59 
                   "perl(Data::Dump)" "perl(DateTime)" "perl(XML::Writer)" \
    60 60 
                   "perl(Parallel::ForkManager)" perl-ph mercurial git zstd
    ... ... @@ -237,11 +237,12 @@ builds, and will require that you run Debian Bullseye or Bookworm and
    237 237 
     install build dependencies for all the components that are built. This can
    238 238 
     be done with the following command:
    239 239
    240 
    -  # apt-get install build-essential python3 automake libtool zip unzip \
    241 
    -            autoconf2.13 openjdk-11-jdk gettext-base autotools-dev \
    242 
    -            automake autoconf libtool autopoint libssl-dev pkg-config \
    243 
    -            zlib1g-dev libparallel-forkmanager-perl libfile-slurp-perl bzip2 \
    244 
    -            xz-utils apksigner yasm wget bison gyp tcl python3-venv 7zip jq
    240 
    +  # apt-get install 7zip apksigner autoconf autoconf2.13 automake autopoint \
    241 
    +                    autotools-dev bison bsdiff build-essential bzip2 \
    242 
    +                    gettext-base gyp jq libfile-slurp-perl \
    243 
    +                    libparallel-forkmanager-perl libssl-dev libtool libtool \
    244 
    +                    openjdk-11-jdk pkg-config python3 python3-venv tcl unzip \
    245 
    +                    wget xz-utils yasm zip zlib1g-dev
    245 246
    246 247 
     Note that Debian Bullseye requires the bullseye-backports repository to
    247 248 
     get the 7zip package.

  • projects/browser/build.android
    ... ... @@ -66,6 +66,9 @@ zipalign -vp 4 repacked.apk $aligned_apk
    66 66 
     # flag in the manifest.
    67 67 
     apksigner sign --verbose --min-sdk-version [% c("var/android_min_api") %] --ks $rootdir/android-qa.keystore --out $qa_apk --in $aligned_apk --ks-key-alias androidqakey --key-pass pass:android --ks-pass pass:android
    68 68
    69 
    +unsign_patch="[% dest_dir %]/[% c('filename') %]/[% c('var/project-name') %]-qa-unsign-[% c('var/osname') %]-[% c('version') %].bspatch"
    70 
    +bsdiff $qa_apk $aligned_apk $unsign_patch
    71 
    +
    69 72 
     [%IF c("var/tor-browser") -%]
    70 73 
       tor_expert_bundle_src="[% c("input_files_by_name/tor-expert-bundle") %]"
    71 74 
       # strip off trailing "$buildid.tar.gz"

  • projects/browser/config
    ... ... @@ -48,6 +48,7 @@ targets:
    48 48 
           arch_deps:
    49 49 
             - 7zip
    50 50 
             - openjdk-17-jdk-headless
    51 
    +        - bsdiff
    51 52 
           container:
    52 53 
             # 7zip is in backports in bullseye, and we can already use Java 17 for
    53 54 
             # apksigner.

  • projects/release/build
    ... ... @@ -59,7 +59,7 @@ EOF
    59 59 
     # empty any existing sh256sums file
    60 60 
     echo -n > sha256sums-unsigned-build.txt
    61 61 
     # concat sha256sum entry for each file in set
    62 
    -for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.json | grep -v '\.incremental\.mar$' | sort)
    62 
    +for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.bspatch *.json | grep -v '\.incremental\.mar$' | sort)
    63 63 
     do
    64 64 
       sha256sum $i >> sha256sums-unsigned-build.txt
    65 65 
     done


    • View it on GitLab.
    You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications · Help 

    _______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits