[tor-commits] [Git][tpo/applications/tor-browser-build][maint-12.0-mullvad] 5 commits: Bug 40851: Integrate android apk signing in do-all-signing

["richard \(@richard\) via tor-commits" <tor-commits@xxxxxxxxxxxxxxxxxxxx>]

Title: GitLab

richard pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build

Commits:

• e36799bf
  by Nicolas Vigier at 2023-06-12T20:19:16+00:00

  Bug 40851: Integrate android apk signing in do-all-signing
  

• f3e593e4
  by Nicolas Vigier at 2023-06-12T20:19:16+00:00

  Bug 40875: Update Windows signing config
  

• f0ab4b7d
  by Nicolas Vigier at 2023-06-12T20:19:16+00:00

  Bug 40875: Re-enable Windows code signing in do-all-signing
  

• 8a7319b1
  by Nicolas Vigier at 2023-06-12T20:19:16+00:00

  Bug 40877: Update osslsigncode to more recent version
  

• bb16c7d2
  by Nicolas Vigier at 2023-06-12T20:19:16+00:00

  Bug 40878: Fix default permission on gpg signature files
  

20 changed files:

• .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
• .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
• projects/android-toolchain/config
• − projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
• projects/osslsigncode/build
• projects/osslsigncode/config
• − projects/osslsigncode/timestamping.patch
• − tools/signing/android-signing.mullvadbrowser
• − tools/signing/android-signing.torbrowser
• tools/signing/authenticode-timestamping.sh
• tools/signing/do-all-signing
• tools/signing/linux-signer-gpg-sign
• + tools/signing/linux-signer-sign-android-apks
• + tools/signing/linux-signer-sign-android-apks.torbrowser
• tools/signing/machines-setup/setup-signing-machine
• + tools/signing/machines-setup/sudoers.d/sign-apk
• tools/signing/machines-setup/upload-tbb-to-signing-machine
• − tools/signing/set-config.android-signing
• tools/signing/android-signing → tools/signing/wrappers/sign-apk
• tools/signing/wrappers/sign-exe

Changes:

.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md

---

...	...	@@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
173	173	- `cd tor-browser-build/tools/signing/`
174	174	- `./macos-signer-proxy`
175	175	- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
176		-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
177	176	- [ ] run do-all-signing script:
178	177	- `cd tor-browser-build/tools/signing/`
179	178	- `./do-all-signing.torbrowser`

.gitlab/issue_templates/Release Prep - Tor Browser Stable.md

---

...	...	@@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
178	178	- `cd tor-browser-build/tools/signing/`
179	179	- `./macos-signer-proxy`
180	180	- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
181		-- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
182	181	- [ ] run do-all-signing script:
183	182	- `cd tor-browser-build/tools/signing/`
184	183	- `./do-all-signing.sh`

projects/android-toolchain/config

---

...	...	@@ -95,9 +95,8 @@ steps:
95	95	#!/bin/bash
96	96	set -e
97	97	mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
98		- var:
99		- container:
100		- use_container: 0
	98	+ container:
	99	+ use_container: 0
101	100	input_files:
102	101	- URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
103	102	name: build_tools

projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch deleted

---

1		-From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001
2		-From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@xxxxxx>
3		-Date: Sun, 12 Mar 2017 23:00:12 +0100
4		-Subject: [PATCH] Make code work with OpenSSL 1.1.
5		-
6		-Changes in consist of:
7		-- Use EVP_MD_CTX_new/free API instead of on-stack allocation
8		-- Remove some M_ prefixes like for ASN1_IA5STRING_new
9		-- Remove pagehash functionality because it is useless to me and
10		- fixing it would be a pain. Would require declaring a few
11		- ASN_SEQUENCES and use that to get the required i2d functions
12		- from what I could find out.
13		-- Remove OBJ_create calls that seem to serve no purpose,
14		- now crash because NULL pointers are no longer handled
15		- (who changes API that way?!) and even if that was fixed
16		- lead to errors when these objects are later created
17		- again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think,
18		- did not investigate further).
19		-
20		-diff --git a/osslsigncode.c b/osslsigncode.c
21		-index 2978c02..3797458 100644
22		---- a/osslsigncode.c
23		-+++ b/osslsigncode.c
24		-@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
25		- if (desc) {
26		- info->programName = SpcString_new();
27		- info->programName->type = 1;
28		-- info->programName->value.ascii = M_ASN1_IA5STRING_new();
29		-- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
30		-+ info->programName->value.ascii = ASN1_IA5STRING_new();
31		-+ ASN1_STRING_set(info->programName->value.ascii,
32		- (const unsigned char*)desc, strlen(desc));
33		- }
34		-
35		- if (url) {
36		- info->moreInfo = SpcLink_new();
37		- info->moreInfo->type = 0;
38		-- info->moreInfo->value.url = "">
39		-- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
40		-+ info->moreInfo->value.url = "">
41		-+ ASN1_STRING_set(info->moreInfo->value.url,
42		- (const unsigned char*)url, strlen(url));
43		- }
44		-
45		-@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
46		-
47		- if (rfc3161) {
48		- unsigned char mdbuf[EVP_MAX_MD_SIZE];
49		-- EVP_MD_CTX mdctx;
50		-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
51		-
52		-- EVP_MD_CTX_init(&mdctx);
53		-- EVP_DigestInit(&mdctx, md);
54		-- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
55		-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
56		-+ EVP_DigestInit(mdctx, md);
57		-+ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
58		-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
59		-+ EVP_MD_CTX_free(mdctx);
60		-+ mdctx = NULL;
61		-
62		- TimeStampReq *req = TimeStampReq_new();
63		- ASN1_INTEGER_set(req->version, 1);
64		- req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
65		- req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new();
66		- req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL;
67		-- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
68		-+ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
69		- req->certReq = (void*)0x1;
70		-
71		- len = i2d_TimeStampReq(req, NULL);
72		-@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = {
73		- 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
74		- };
75		-
76		--static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus,
77		-- unsigned int sigpos, int phtype, unsigned int *phlen);
78		--
79		--DECLARE_STACK_OF(ASN1_OCTET_STRING)
80		--#ifndef sk_ASN1_OCTET_STRING_new_null
81		--#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING)
82		--#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st))
83		--#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val))
84		--#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \
85		-- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
86		--#endif
87		--
88		--DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue)
89		--#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null
90		--#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue)
91		--#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st))
92		--#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val))
93		--#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \
94		-- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
95		--#endif
96		--
97		--static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos)
98		--{
99		-- unsigned int phlen;
100		-- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
101		-- if (!ph) {
102		-- fprintf(stderr, "Failed to calculate page hash\n");
103		-- exit(-1);
104		-- }
105		--
106		-- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new();
107		-- M_ASN1_OCTET_STRING_set(ostr, ph, phlen);
108		-- free(ph);
109		--
110		-- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null();
111		-- sk_ASN1_OCTET_STRING_push(oset, ostr);
112		-- unsigned char *p, *tmp;
113		-- unsigned int l;
114		-- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING,
115		-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
116		-- tmp = p = OPENSSL_malloc(l);
117		-- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING,
118		-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
119		-- ASN1_OCTET_STRING_free(ostr);
120		-- sk_ASN1_OCTET_STRING_free(oset);
121		--
122		-- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new();
123		-- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1);
124		-- aval->value = ASN1_TYPE_new();
125		-- aval->value->type = V_ASN1_SET;
126		-- aval->value->value.set = ASN1_STRING_new();
127		-- ASN1_STRING_set(aval->value->value.set, p, l);
128		-- OPENSSL_free(p);
129		--
130		-- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null();
131		-- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval);
132		-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue,
133		-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
134		-- tmp = p = OPENSSL_malloc(l);
135		-- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue,
136		-- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
137		-- sk_SpcAttributeTypeAndOptionalValue_free(aset);
138		-- SpcAttributeTypeAndOptionalValue_free(aval);
139		--
140		-- SpcSerializedObject *so = SpcSerializedObject_new();
141		-- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash));
142		-- M_ASN1_OCTET_STRING_set(so->serializedData, p, l);
143		-- OPENSSL_free(p);
144		--
145		-- SpcLink *link = SpcLink_new();
146		-- link->type = 1;
147		-- link->value.moniker = so;
148		-- return link;
149		--}
150		--
151		- static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type,
152		-- int pagehash, char *indata, unsigned int peheader, int pe32plus,
153		-+ char *indata, unsigned int peheader, int pe32plus,
154		- unsigned int sigpos)
155		- {
156		- static const unsigned char msistr[] = {
157		-@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
158		- } else if (type == FILE_TYPE_PE) {
159		- SpcPeImageData *pid = SpcPeImageData_new();
160		- ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0);
161		-- if (pagehash) {
162		-- int phtype = NID_sha1;
163		-- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1()))
164		-- phtype = NID_sha256;
165		-- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos);
166		-- } else {
167		-- pid->file = get_obsolete_link();
168		-- }
169		-+ pid->file = get_obsolete_link();
170		- l = i2d_SpcPeImageData(pid, NULL);
171		- p = OPENSSL_malloc(l);
172		- i2d_SpcPeImageData(pid, &p);
173		-@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
174		- ASN1_INTEGER_set(si->d, 0);
175		- ASN1_INTEGER_set(si->e, 0);
176		- ASN1_INTEGER_set(si->f, 0);
177		-- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
178		-+ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
179		- l = i2d_SpcSipInfo(si, NULL);
180		- p = OPENSSL_malloc(l);
181		- i2d_SpcSipInfo(si, &p);
182		-@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
183		- hashlen = EVP_MD_size(md);
184		- hash = OPENSSL_malloc(hashlen);
185		- memset(hash, 0, hashlen);
186		-- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
187		-+ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
188		- OPENSSL_free(hash);
189		-
190		- *len = i2d_SpcIndirectDataContent(idc, NULL);
191		-@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
192		- unsigned int peheader, int pe32plus, unsigned int fileend)
193		- {
194		- static unsigned char bfb[16*1024*1024];
195		-- EVP_MD_CTX mdctx;
196		-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
197		-
198		-- EVP_MD_CTX_init(&mdctx);
199		-- EVP_DigestInit(&mdctx, md);
200		-+ EVP_DigestInit(mdctx, md);
201		-
202		- memset(mdbuf, 0, EVP_MAX_MD_SIZE);
203		-
204		- (void)BIO_seek(bio, 0);
205		- BIO_read(bio, bfb, peheader + 88);
206		-- EVP_DigestUpdate(&mdctx, bfb, peheader + 88);
207		-+ EVP_DigestUpdate(mdctx, bfb, peheader + 88);
208		- BIO_read(bio, bfb, 4);
209		- BIO_read(bio, bfb, 60+pe32plus*16);
210		-- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16);
211		-+ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16);
212		- BIO_read(bio, bfb, 8);
213		-
214		- unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8;
215		-@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
216		- int l = BIO_read(bio, bfb, want);
217		- if (l <= 0)
218		- break;
219		-- EVP_DigestUpdate(&mdctx, bfb, l);
220		-+ EVP_DigestUpdate(mdctx, bfb, l);
221		- n += l;
222		- }
223		-
224		-- EVP_DigestFinal(&mdctx, mdbuf, NULL);
225		-+ EVP_DigestFinal(mdctx, mdbuf, NULL);
226		-+ EVP_MD_CTX_free(mdctx);
227		- }
228		-
229		-
230		-@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
231		- int phlen = pphlen * (3 + nsections + sigpos / pagesize);
232		- unsigned char *res = malloc(phlen);
233		- unsigned char *zeroes = calloc(pagesize, 1);
234		-- EVP_MD_CTX mdctx;
235		--
236		-- EVP_MD_CTX_init(&mdctx);
237		-- EVP_DigestInit(&mdctx, md);
238		-- EVP_DigestUpdate(&mdctx, indata, peheader + 88);
239		-- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16);
240		-- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
241		-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize);
242		-+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
243		-+
244		-+ EVP_DigestInit(mdctx, md);
245		-+ EVP_DigestUpdate(mdctx, indata, peheader + 88);
246		-+ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16);
247		-+ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
248		-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize);
249		- memset(res, 0, 4);
250		-- EVP_DigestFinal(&mdctx, res + 4, NULL);
251		-+ EVP_DigestFinal(mdctx, res + 4, NULL);
252		-
253		- unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20);
254		- char *sections = indata + peheader + 24 + sizeofopthdr;
255		-@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
256		- unsigned int l;
257		- for (l=0; l < rs; l+=pagesize, pi++) {
258		- PUT_UINT32_LE(ro + l, res + pi*pphlen);
259		-- EVP_DigestInit(&mdctx, md);
260		-+ EVP_DigestInit(mdctx, md);
261		- if (rs - l < pagesize) {
262		-- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l);
263		-- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l));
264		-+ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l);
265		-+ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l));
266		- } else {
267		-- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize);
268		-+ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize);
269		- }
270		-- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL);
271		-+ EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL);
272		- }
273		- lastpos = ro + rs;
274		- sections += 40;
275		- }
276		-+ EVP_MD_CTX_free(mdctx);
277		-+ mdctx = NULL;
278		- PUT_UINT32_LE(lastpos, res + pi*pphlen);
279		- memset(res + pi*pphlen + 4, 0, EVP_MD_size(md));
280		- pi++;
281		-@@ -2413,7 +2333,7 @@ int main(int argc, char **argv)
282		- int nturl = 0, ntsurl = 0;
283		- int addBlob = 0;
284		- u_char *p = NULL;
285		-- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
286		-+ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0;
287		- unsigned int tmp, peheader = 0, padlen = 0;
288		- off_t filesize, fileend, sigfilesize, sigfileend, outdatasize;
289		- file_type_t type;
290		-@@ -2448,13 +2368,6 @@ int main(int argc, char **argv)
291		- ERR_load_crypto_strings();
292		- OPENSSL_add_all_algorithms_conf();
293		-
294		-- /* create some MS Authenticode OIDS we need later on */
295		-- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
296		-- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
297		-- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) ||
298		-- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL))
299		-- DO_EXIT_0("Failed to add objects\n");
300		--
301		- md = EVP_sha1();
302		-
303		- if (argc > 1) {
304		-@@ -2531,8 +2444,6 @@ int main(int argc, char **argv)
305		- readpass = *(++argv);
306		- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) {
307		- comm = 1;
308		-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) {
309		-- pagehash = 1;
310		- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
311		- if (--argc < 1) usage(argv0);
312		- desc = *(++argv);
313		-@@ -3243,7 +3154,7 @@ int main(int argc, char **argv)
314		- p7x = NULL;
315		- }
316		-
317		-- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend);
318		-+ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend);
319		- len -= EVP_MD_size(md);
320		- memcpy(buf, p, len);
321		- OPENSSL_free(p);
322		---
323		-2.34.1
324		-

projects/osslsigncode/build

---

...	...	@@ -4,11 +4,10 @@ distdir=$(pwd)/dist
4	4	mkdir -p $distdir/[% project %]
5	5	tar xf [% project %]-[% c('version') %].tar.gz
6	6	cd [% project %]-[% c('version') %]
7		-patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch
8		-patch -p1 < ../timestamping.patch
9	7
10		-./autogen.sh
11		-./configure --prefix=/[% project %]
	8	+mkdir build
	9	+cd build
	10	+cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S ..
12	11	make
13	12	make DESTDIR=$distdir install
14	13

projects/osslsigncode/config

---

1	1	# vim: filetype=yaml sw=2
2	2	version: '[% c("git_hash").substr(0, 12) %]'
3	3	git_url: https://github.com/mtrojnar/osslsigncode
4		-git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
	4	+git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed
5	5	filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
6	6	container:
7	7	use_container: 0
8	8	var:
9	9	deps:
10		- - autoconf
11		- - libtool
12		- - pkg-config
	10	+ - cmake
13	11	- libssl-dev
14	12	- libcurl4-openssl-dev
15	13	input_files:
16		- - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
17		- - filename: timestamping.patch
18	14	- filename: '[% c("var/srcfile") %]'
19	15	enable: '[% c("var/no-git") %]'
20	16

projects/osslsigncode/timestamping.patch deleted

---

1		-From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001
2		-From: Georg Koppen <gk@xxxxxxxxxxxxxx>
3		-Date: Fri, 5 Feb 2016 09:23:10 +0000
4		-Subject: [PATCH] Allow timestamping with the 'add' command
5		-
6		-
7		-diff --git a/osslsigncode.c b/osslsigncode.c
8		-index 32e37c8..2978c02 100644
9		---- a/osslsigncode.c
10		-+++ b/osslsigncode.c
11		-@@ -2556,16 +2556,16 @@ int main(int argc, char **argv)
12		- if (--argc < 1) usage(argv0);
13		- url = "">
14		- #ifdef ENABLE_CURL
15		-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) {
16		-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) {
17		- if (--argc < 1) usage(argv0);
18		- turl[nturl++] = *(++argv);
19		-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) {
20		-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) {
21		- if (--argc < 1) usage(argv0);
22		- tsurl[ntsurl++] = *(++argv);
23		-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) {
24		-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
25		- if (--argc < 1) usage(argv0);
26		- proxy = *(++argv);
27		-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) {
28		-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) {
29		- noverifypeer = 1;
30		- #endif
31		- } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
32		---
33		-2.7.0
34		-
35		-
36		-From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001
37		-From: Georg Koppen <gk@xxxxxxxxxxxxxx>
38		-Date: Sat, 11 Apr 2020 05:50:36 +0000
39		-Subject: [PATCH] fixup! Allow timestamping with the 'add' command
40		-
41		-
42		-diff --git a/osslsigncode.c b/osslsigncode.c
43		-index 3797458..4f4b897 100644
44		---- a/osslsigncode.c
45		-+++ b/osslsigncode.c
46		-@@ -2447,7 +2447,7 @@ int main(int argc, char **argv)
47		- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
48		- if (--argc < 1) usage(argv0);
49		- desc = *(++argv);
50		-- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) {
51		-+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) {
52		- if (--argc < 1) usage(argv0);
53		- ++argv;
54		- if (!strcmp(*argv, "md5")) {
55		---
56		-2.26.0

tools/signing/android-signing.mullvadbrowser deleted

---

1		-android-signing
		\ No newline at end of file

tools/signing/android-signing.torbrowser deleted

---

1		-android-signing
		\ No newline at end of file

tools/signing/authenticode-timestamping.sh

---

...	...	@@ -35,7 +35,7 @@ set -e
35	35	script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
36	36	source "$script_dir/functions"
37	37
38		-osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
	38	+osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
39	39
40	40	test -f "$osslsigncode_file" ||
41	41	exit_error "$osslsigncode_file is missing." \

tools/signing/do-all-signing

---

...	...	@@ -17,9 +17,12 @@ echo
17	17	test -f "$steps_dir/linux-signer-signmars.done" ||
18	18	read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
19	19	echo
20		-#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
21		-# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
22		-#echo
	20	+test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
	21	+ read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
	22	+echo
	23	+test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
	24	+ read -sp "Enter windows authenticode passphrase: " YUBIPASS
	25	+echo
23	26	test -f "$steps_dir/linux-signer-gpg-sign.done" ||
24	27	read -sp "Enter gpg passphrase: " GPG_PASS
25	28	echo
...	...	@@ -106,6 +109,18 @@ function sync-after-signmars {
106	109	"$script_dir/sync-linux-signer-to-local"
107	110	}
108	111
	112	+function linux-signer-sign-android-apks {
	113	+ ssh "$ssh_host_linux_signer" 'bash -s' << EOF
	114	+ export KSPASS=$KSPASS
	115	+ ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
	116	+EOF
	117	+ unset KSPASS
	118	+}
	119	+
	120	+function sync-after-sign-android-apks {
	121	+ "$script_dir/sync-linux-signer-to-local"
	122	+}
	123	+
109	124	function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
110	125	"$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
111	126	}
...	...	@@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer
199	214	do_step sync-before-linux-signer-signmars
200	215	do_step linux-signer-signmars
201	216	do_step sync-after-signmars
202		-#do_step linux-signer-authenticode-signing
203		-#do_step sync-after-authenticode-signing
204		-#do_step authenticode-timestamping
205		-#do_step sync-after-authenticode-timestamping
	217	+is_project torbrowser && \
	218	+ do_step linux-signer-sign-android-apks
	219	+is_project torbrowser && \
	220	+ do_step sync-after-sign-android-apks
	221	+do_step linux-signer-authenticode-signing
	222	+do_step sync-after-authenticode-signing
	223	+do_step authenticode-timestamping
	224	+do_step sync-after-authenticode-timestamping
206	225	do_step hash_signed_bundles
207	226	do_step sync-after-hash
208	227	do_step linux-signer-gpg-sign

tools/signing/linux-signer-gpg-sign

---

...	...	@@ -20,4 +20,5 @@ do
20	20	tmpsig=$(mktemp)
21	21	echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
22	22	mv -f "$tmpsig" "${i}.asc"
	23	+ chmod 644 "${i}.asc"
23	24	done

tools/signing/linux-signer-sign-android-apks

---

	1	+#!/bin/bash
	2	+
	3	+set -e
	4	+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
	5	+source "$script_dir/functions"
	6	+source "$script_dir/set-config.generated-config"
	7	+
	8	+topdir="$script_dir/../.."
	9	+ARCHS="armv7 aarch64 x86 x86_64"
	10	+projname=$(project-name)
	11	+# tbb_version_type is used in wrappers/sign-apk, so we export it
	12	+export tbb_version_type
	13	+
	14	+check_installed_packages() {
	15	+ local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
	16	+ for package in $packages
	17	+ do
	18	+ dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
	19	+ exit_error "package $package is missing"
	20	+ done
	21	+}
	22	+
	23	+setup_build_tools() {
	24	+ build_tools_dir=/signing/android-build-tools
	25	+ test -f "$build_tools_dir"/android-12/apksigner || \
	26	+ exit_error "$build_tools_dir/android-12/apksigner is missing"
	27	+ export PATH="$build_tools_dir/android-12:${PATH}"
	28	+}
	29	+
	30	+sign_apk() {
	31	+ sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
	32	+}
	33	+
	34	+verify_apk() {
	35	+ verified=$(apksigner verify --print-certs --verbose "$1")
	36	+ scheme_v1="Verified using v1 scheme (JAR signing): true"
	37	+ scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
	38	+
	39	+ # Verify the expected signing key was used, Alpha verses Release based on the filename.
	40	+ if test "$tbb_version_type" = "alpha"; then
	41	+ cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
	42	+ pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
	43	+ else
	44	+ cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
	45	+ pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
	46	+ fi
	47	+ for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
	48	+ if ! echo "${verified}" | grep -q "${digest}"; then
	49	+ echo "Expected digest not found:"
	50	+ echo ${digest}
	51	+ echo "in:"
	52	+ echo ${verified}
	53	+ exit 1
	54	+ fi
	55	+ done
	56	+}
	57	+
	58	+check_installed_packages
	59	+
	60	+if [ -z "$KSPASS" ]; then
	61	+ echo "Enter keystore passphrase"
	62	+ stty -echo; read KSPASS; stty echo
	63	+ export KSPASS
	64	+fi
	65	+
	66	+setup_build_tools
	67	+
	68	+mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
	69	+chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
	70	+chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
	71	+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
	72	+cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
	73	+
	74	+# Sign all packages
	75	+for arch in ${ARCHS}; do
	76	+ qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
	77	+ signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
	78	+ sign_apk "$qa_apk" "$signed_apk"
	79	+ verify_apk "$signed_apk"
	80	+ cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
	81	+done
	82	+
	83	+rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"

tools/signing/linux-signer-sign-android-apks.torbrowser

---

	1	+linux-signer-sign-android-apks
		\ No newline at end of file

tools/signing/machines-setup/setup-signing-machine

---

...	...	@@ -83,11 +83,12 @@ create_group signing
83	83	create_user signing-gpg
84	84	create_user signing-mar
85	85	create_user signing-win yubihsm
86		-
	86	+create_user signing-apk signing
87	87
88	88	sudoers_file sign-gpg
89	89	sudoers_file sign-mar
90	90	sudoers_file sign-exe
	91	+sudoers_file sign-apk
91	92
92	93	authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
93	94	create_user richard signing
...	...	@@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl
111	112	# Install deps for building yubihsm-shell
112	113	install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
113	114
	115	+# Install deps for android/apk signing
	116	+install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
	117	+
114	118	# Build and install yubihsm-pkcs11 package
115	119	create_user build-pkgs
116	120	if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
...	...	@@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then
132	136	chmod go+rX "$tmpdir/mar-tools"/*
133	137	mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
134	138	fi
	139	+
	140	+for rel in release alpha; do
	141	+ keypath=/home/signing-apk/keys/tba_$rel.p12
	142	+ if ! test -f "$keypath"; then
	143	+ echo "$rel key for android should be put in $keypath"
	144	+ else
	145	+ chown signing-apk "$keypath"
	146	+ chmod 700 "$keypath"
	147	+ fi
	148	+done

tools/signing/machines-setup/sudoers.d/sign-apk

---

	1	+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
	2	+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk

tools/signing/machines-setup/upload-tbb-to-signing-machine

---

...	...	@@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
36	36	echo "Fetched $yubihsm_filename"
37	37	fi
38	38
	39	+android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
	40	+if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
	41	+ ./rbm/rbm build --step get_build_tools android-toolchain
	42	+ echo "Fetched $android_build_tools_filename"
	43	+fi
	44	+
39	45	signing_machine='linux-signer'
40	46	setup_user='setup'
41	47	signing_dir='/signing'
...	...	@@ -43,14 +49,26 @@ signing_dir='/signing'
43	49	echo "Uploading $osslsigncodefile to $signing_machine"
44	50	chmod go+r "./out/osslsigncode/$osslsigncodefile"
45	51	rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
	52	+
46	53	echo "Uploading rbm.tar to $signing_machine"
47	54	rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
	55	+
48	56	echo "Uploading $martools_filename"
49	57	chmod go+r "./out/mar-tools/$martools_filename"
50	58	rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
	59	+
51	60	echo "Uploading $yubihsm_filename"
52	61	chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
53	62	rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
	63	+
	64	+echo "Uploading $android_build_tools_filename"
	65	+chmod go+r "./out/android-toolchain/$android_build_tools_filename"
	66	+rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
	67	+echo "Extracting $android_build_tools_filename"
	68	+ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
	69	+ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
	70	+ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
	71	+
54	72	echo "Uploading tor-browser-build.tar to $signing_machine"
55	73	scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
56	74	echo "Extracting tor-browser-build.tar on $signing_machine"

tools/signing/set-config.android-signing deleted

---

1		-# The following line should be uncommented and updated:
2		-
3		-#ssh_host_pkgstage=tbbuild
4		-#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
5		-#android_signing_key_dir=/path/to/signing/key/dir
6		-
7		-var_is_defined ssh_host_pkgstage android_signing_key_dir

tools/signing/android-signing → tools/signing/wrappers/sign-apk

---

1	1	#!/bin/bash
2		-
3		-# Sign apk for each target architecture.
4		-# This script does not require command line argument, but it needs
5		-# some configuration options to be set in set-config.android-signing:
6		-# - ssh_host_pkgstage is the host which you use for staging packages
7		-# during signing. The script will download the unsigned .apk files
8		-# from this host, and upload the signed .apk there
9		-# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
10		-# on pkgstage
11		-# - android_signing_key_dir: the local path where the android signing
12		-# keys are located. That directory should contains files tba_alpha.p12
13		-# and tba_release.p12 for alpha and release signing keys.
14		-# The Tor Browser version is taken from set-config.tbb-version
15		-
16	2	set -e
17		-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
18		-source "$script_dir/functions"
19		-source "$script_dir/set-config.android-signing"
20	3
21		-topdir="$script_dir/../.."
22		-ARCHS="armv7 aarch64 x86 x86_64"
23		-projname=$(project-name)
24		-
25		-android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
26		-test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
27		-
28		-check_installed_packages() {
29		- local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
30		- for package in $packages
	4	+function exit_error {
	5	+ for msg in "$@"
31	6	do
32		- dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
33		- exit_error "package $package is missing"
	7	+ echo "$msg" >&2
34	8	done
	9	+ exit 1
35	10	}
36	11
	12	+if test "$tbb_version_type" != 'release' \
	13	+ && test "$tbb_version_type" != 'alpha'; then
	14	+ exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
	15	+fi
	16	+
	17	+android_signing_key_dir=/home/signing-apk/keys
	18	+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
	19	+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
	20	+
37	21	setup_build_tools() {
38		- local rbm="$topdir/rbm/rbm"
39		- local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
40		- if ! test -f "$build_tools_zipfile"; then
41		- "$rbm" build --step get_build_tools android-toolchain
42		- test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
43		- fi
44		- local build_tools_dir=$(mktemp -d)
45		- trap "rm -Rf $build_tools_dir" EXIT
46		- unzip -d "$build_tools_dir" "$build_tools_zipfile"
	22	+ build_tools_dir=/signing/android-build-tools
47	23	test -f "$build_tools_dir"/android-12/apksigner || \
48	24	exit_error "$build_tools_dir/android-12/apksigner is missing"
49	25	export PATH="$build_tools_dir/android-12:${PATH}"
50	26	}
51	27
52		-download_unsigned_apks() {
53		- apks_dir=$(mktemp -d)
54		- trap "rm -Rf $apks_dir" EXIT
55		- rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
56		-}
57		-
58		-upload_signed_apks() {
59		- rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
60		- --exclude="*-unsigned.apk" "$apks_dir/" \
61		- "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
62		-}
63		-
64	28	# Sign individual apk
65	29	sign_apk() {
66	30	INPUTAPK="$1"
	31	+ OUTPUTAPK="$2"
67	32
68	33	# https://developer.android.com/studio/publish/app-signing#sign-manually
69	34	# After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
...	...	@@ -75,10 +40,11 @@ sign_apk() {
75	40	echo Aligning and signing ${INPUTAPK}
76	41
77	42	# Append the different stages of signing
78		- UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
	43	+ UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
79	44	UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
80	45	SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
81	46
	47	+ # ${INPUTAPK} is full path. We copy to local tmp directory.
82	48	cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
83	49
84	50	# Step 1: Align
...	...	@@ -117,67 +83,16 @@ sign_apk() {
117	83	exit 1
118	84	fi
119	85
	86	+ mv -f "${SIGNED_APK}" "$OUTPUTAPK"
120	87	echo apksigner verify succeeded
121	88	}
122	89
123		-# Rename and verify signing certificate
124		-finalize() {
125		- for arch in ${ARCHS}; do
126		- mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
127		- done
128		-
129		- for arch in ${ARCHS}; do
130		- verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
131		- scheme_v1=
132		- scheme_v2=
133		- cert_digest=
134		- pubkey_digest=
135		-
136		- # Verify the expected signing key was used, Alpha verses Release based on the filename.
137		- if test "$tbb_version_type" = "alpha"; then
138		- scheme_v1="Verified using v1 scheme (JAR signing): true"
139		- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
140		- cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
141		- pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
142		- else
143		- scheme_v1="Verified using v1 scheme (JAR signing): true"
144		- scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
145		- cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
146		- pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
147		- fi
148		- for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
149		- if ! `echo "${verified}" | grep -q "${digest}"`; then
150		- echo "Expected digest not found:"
151		- echo ${digest}
152		- echo "in:"
153		- echo ${verified}
154		- exit 1
155		- fi
156		- done
157		- done
158		-
159		- echo Done.
160		-}
161		-
162		-check_installed_packages
163		-
164		-if [ -z "$KSPASS" ]; then
165		- echo "Enter keystore passphrase"
166		- stty -echo; read KSPASS; stty echo
167		- export KSPASS
168		-fi
169		-
170	90	setup_build_tools
171	91
172		-download_unsigned_apks
173		-
174		-cd $apks_dir
175		-
176		-# Sign all packages
177		-for arch in ${ARCHS}; do
178		- sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
179		-done
	92	+tmpdir=$(mktemp -d)
	93	+cd "$tmpdir"
180	94
181		-finalize
	95	+sign_apk "$1" "$2"
182	96
183		-upload_signed_apks
	97	+cd -
	98	+rm -Rf "$tmpdir"

tools/signing/wrappers/sign-exe

---

...	...	@@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then
11	11	exit 2
12	12	fi
13	13
14		-yubipass="$1"
	14	+pass="$1"
15	15	to_sign_exe="$2"
16	16
17		-tpo_cert=/home/signing-win/tpo-cert.crt
	17	+key_dir=/home/signing-win/keys/key-1
	18	+tpo_cert=$key_dir/the_tor_project_inc.crt
	19	+tpo_key=$key_dir/private.pem
18	20
19	21	if ! test -f "$tpo_cert"; then
20	22	echo "File $tpo_cert is missing" >&2
...	...	@@ -26,12 +28,10 @@ rm -f "$output_signed_exe"
26	28
27	29	export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
28	30	/home/signing-win/osslsigncode/bin/osslsigncode \
29		- -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
30		- -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
31		- -pass "$yubipass" \
	31	+ -pass "$pass" \
32	32	-h sha256 \
33	33	-certs "$tpo_cert" \
34		- -key 1c40 \
	34	+ -key "$tpo_key" \
35	35	"$to_sign_exe" "$output_signed_exe"
36	36
37	37	chmod 644 "$output_signed_exe"

—
View it on GitLab.
You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications · Help

_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits