[tor-commits] [Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts

Richard Pospesel pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

deb60089

by Nicolas Vigier at 2023-05-09T20:40:31+00:00

Bug 40841: Add signing machine setup scripts and adapt signing scripts

Use separate accounts to store the different keys.

5adcbf38
by Nicolas Vigier at 2023-05-09T20:40:31+00:00
```
Bug 40846: Temporarily disable Windows signing
```

25 changed files:

+ projects/mar-tools/config
projects/osslsigncode/config
+ projects/yubihsm-shell/build
+ projects/yubihsm-shell/config
rbm.conf
tools/signing/do-all-signing
tools/signing/linux-signer-authenticode-signing
tools/signing/linux-signer-gpg-sign
tools/signing/linux-signer-signmars
+ tools/signing/machines-setup/build-yubihsm-shell-pkg
+ tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
+ tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
+ tools/signing/machines-setup/setup-osslsigncode
+ tools/signing/machines-setup/setup-signing-machine
+ tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
+ tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
+ tools/signing/machines-setup/ssh-keys/richard.pub
+ tools/signing/machines-setup/sudoers.d/sign-exe
+ tools/signing/machines-setup/sudoers.d/sign-gpg
+ tools/signing/machines-setup/sudoers.d/sign-mar
+ tools/signing/machines-setup/upload-tbb-to-signing-machine
tools/signing/set-config
+ tools/signing/wrappers/sign-exe
+ tools/signing/wrappers/sign-gpg
+ tools/signing/wrappers/sign-mar

Changes:

projects/mar-tools/config

 +# vim: filetype=yaml sw=2
 +#
 +# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
 +# to fetch mar-tools for signing machine setup
 +#
 +version: 12.0.4
 +filename: 'mar-tools-linux64.zip'
 +container:
 +  use_container: 0
 +gpg_keyring: torbrowser.gpg
 +tag_gpg_id: 1
 +input_files:
 +  - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
 +    sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
++
 +steps:
 +  fetch_martools:
 +    fetch_martools: |
 +      #!/bin/bash
 +      echo ok

projects/osslsigncode/config

  # vim: filetype=yaml sw=2
 -version: '[% c("abbrev") %]'
 +version: '[% c("git_hash").substr(0, 12) %]'
  git_url: https://github.com/mtrojnar/osslsigncode
  git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
  filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
  input_files:
    - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
    - filename: timestamping.patch
 +  - filename: '[% c("var/srcfile") %]'
 +    enable: '[% c("var/no-git") %]'
++
 +targets:
 +  no-git:
 +    git_url: ''
 +    var:
 +      no-git: 1
 +      srcfile: '[% project %]-[% c("version") %].tar.gz'

projects/yubihsm-shell/build

 +#!/bin/bash
 +[% c("var/set_default_env") -%]
 +distdir=$(pwd)/dist
 +tar xf [% project %]-[% c('version') %].tar.gz
 +cd [% project %]-[% c('version') %]
 +dpkg-buildpackage -us -uc
 +mkdir -p "$distdir"
 +mv ../*.deb "$distdir"
 +dest=[% dest_dir _ '/' _ c('filename') %]
 +rm -Rf "$dest"
 +mv "$distdir" "$dest"

projects/yubihsm-shell/config

 +# vim: filetype=yaml sw=2
 +version: 2.4.0
 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
 +container:
 +  use_container: 0
 +var:
 +  src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
 +input_files:
 +  - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
 +    sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
++
 +steps:
 +  fetch_src:
 +    fetch_src: |
 +      #!/bin/bash
 +      echo ok

rbm.conf

@@ -87,7 +87,7 @@ var:
    build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
    build_id_txt: |
      [% c("version") %]
 -    [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
 +    [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
      [% IF c("container/use_container") && ! c("container/global_disable") -%]
      [% c("var/container/suite") %]
      [% c("var/container/arch") %]

tools/signing/do-all-signing

@@ -17,9 +17,9 @@ echo
  test -f "$steps_dir/linux-signer-signmars.done" ||
    read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
  echo
 -test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
 -  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
 -echo
 +#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
 +#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
 +#echo
  test -f "$steps_dir/linux-signer-gpg-sign.done" ||
    read -sp "Enter gpg passphrase: " GPG_PASS
  echo
@@ -199,10 +199,10 @@ do_step sync-scripts-to-linux-signer
  do_step sync-before-linux-signer-signmars
  do_step linux-signer-signmars
  do_step sync-after-signmars
 -do_step linux-signer-authenticode-signing
 -do_step sync-after-authenticode-signing
 -do_step authenticode-timestamping
 -do_step sync-after-authenticode-timestamping
 +#do_step linux-signer-authenticode-signing
 +#do_step sync-after-authenticode-signing
 +#do_step authenticode-timestamping
 +#do_step sync-after-authenticode-timestamping
  do_step hash_signed_bundles
  do_step sync-after-hash
  do_step linux-signer-gpg-sign

tools/signing/linux-signer-authenticode-signing

@@ -9,26 +9,14 @@ cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
  test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
  echo
 -tmpdir=$(mktemp -d)
 -chgrp yubihsm "$tmpdir"
 -chmod g+rwx "$tmpdir"
+-
  cwd=$(pwd)
  for i in `find . -name "*.exe" -print`
  do
    echo "Signing $i"
 -  echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
 -       /home/yubihsm/osslsigncode/osslsigncode \
 -                 -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
 -                 -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
 -                 -pass "'$YUBIPASS'" \
 -                 -h sha256 \
 -                 -certs /home/yubihsm/tpo-cert.crt \
 -                 -key 1c40 \
 -                 "$cwd/$i" "$tmpdir/$i" \
 -                 | sudo su - yubihsm
 -  mv -vf "$tmpdir/$i" "$cwd/$i"
 +  sudo -u signing-win -- "$wrappers_dir/sign-exe" \
 +                 "$YUBIPASS" \
 +                 "$cwd/$i"
 +  cp /home/signing-win/last-signed-file.exe "$cwd/$i"
  done
  unset YUBIPASS
 -rmdir "$tmpdir"

tools/signing/linux-signer-gpg-sign

@@ -7,6 +7,7 @@ source "$script_dir/functions"
  cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
  test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
 +currentdir=$(pwd)
  for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
  do
    if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
      rm -f "$i.asc"
    fi
    echo "Signing $i"
 -  echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
 +  i="$currentdir/$i"
 +  tmpsig=$(mktemp)
 +  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
 +  mv -f "$tmpsig" "${i}.asc"
  done

tools/signing/linux-signer-signmars

  #!/bin/bash
 -#
 -#
 -# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
 -# (if you don't want to use the default values).
  set -e
  set -u
@@ -10,38 +6,15 @@ set -u
  script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
  source "$script_dir/functions"
 -if [ -z "${NSS_DB_DIR+x}" ]; then
 -  if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
 -    NSS_DB_DIR=/home/boklm/marsigning/nssdb7
 -  fi
 -  if test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
 -    NSS_DB_DIR=/home/boklm/marsigning/mullvad-browser-nssdb-1
 -  fi
 -fi
+-
 -if [ -z "${NSS_CERTNAME+x}" ]; then
 -  NSS_CERTNAME=marsigner
 -fi
+-
  export LC_ALL=C
 -# Check some prerequisites.
 -if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
 -  >&2 echo "Please create and populate the $NSS_DB_DIR directory"
 -  exit 2
 -fi
+-
 -# Extract the MAR tools so we can use the signmar program.
 -MARTOOLS_TMP_DIR=$(mktemp -d)
 -trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
 -MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
 -unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
 -export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
 -if [ -z "${LD_LIBRARY_PATH+x}" ]; then
 -  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
 -else
 -  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
 +martools_dir=/home/signing-mar/mar-tools
 +if ! test -d "$martools_dir"; then
 +  >&2 echo "Please create $martools_dir"
 +  exit 3
  fi
 +export LD_LIBRARY_PATH="$martools_dir"
 +export PATH="$martools_dir:$PATH"
  # Prompt for the NSS password.
  # TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
@@ -70,9 +43,8 @@ for marfile in *.mar; do
      continue;
    fi
 -  echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
 -    "$marfile" tmp.mar
 -  mv -f tmp.mar "$marfile"
 +  echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
 +  cp /home/signing-mar/last-signed-mar.mar "$marfile"
    COUNT=$((COUNT + 1))
    echo "Signed MAR file $COUNT ($marfile)"
  done

tools/signing/machines-setup/build-yubihsm-shell-pkg

 +#!/bin/bash
 +set -e
++
 +if test $(whoami) != 'build-pkgs'; then
 +  echo 'This script should be run as the build-pkgs user' >&2
 +  exit 1
 +fi
++
 +destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
 +if test -d "$destdir"; then
 +  echo "$destdir already exists. Doing nothing."
 +  exit 0
 +fi
++
 +cd /home/build-pkgs
 +tar xf /signing/tor-browser-build.tar
 +cd tor-browser-build
 +tar xf /signing/rbm.tar
 +yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
 +mkdir -p out/yubihsm-shell
 +cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
 +./rbm/rbm build yubihsm-shell
 +yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
 +rm -Rf "$destdir"
 +mkdir -p $(dirname $destdir)
 +mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"

tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules

+ACTION="" SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"

+ACTION="" SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"

tools/signing/machines-setup/etc/yubihsm_pkcs11.conf

 +connector = yhusb://
 +#debug
 +#dinout
 +#libdebug
 +#debug-file = /tmp/yubihsm_pkcs11_debug

tools/signing/machines-setup/setup-osslsigncode

 +#!/bin/bash
 +set -e
++
 +if test $(whoami) != 'signing-win'; then
 +  echo 'This script should be run as the signing-win user' >&2
 +  exit 1
 +fi
++
 +destdir=/home/signing-win/osslsigncode
 +if test -d "$destdir"; then
 +  echo "$destdir already exists. Doing nothing."
 +  exit 0
 +fi
++
 +cd /home/signing-win
 +tar xf /signing/tor-browser-build.tar
 +cd tor-browser-build
 +tar xf /signing/rbm.tar
 +osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
 +mkdir -p out/osslsigncode
 +cp "/signing/$osslsigncodefile" out/osslsigncode
 +./rbm/rbm build osslsigncode --target no-git
 +osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
 +cd /home/signing-win
 +tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
 +chmod -R 755 /home/signing-win/osslsigncode
 +echo "Extracted osslsigncode to /home/signing-win/osslsigncode"

tools/signing/machines-setup/setup-signing-machine

 +#!/bin/bash
 +set -e
++
 +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
++
 +function create_user {
 +  user="$1"
 +  groups="$2"
 +  id "$user" > /dev/null 2>&1 && return 0
 +  test -n "$groups" && groups="--groups $groups"
 +  useradd -s /bin/bash -m "$user" $groups
 +}
++
 +function create_group {
 +  group="$1"
 +  getent group "$group" > /dev/null 2>&1 && return 0
 +  groupadd "$group"
 +}
++
 +function authorized_keys {
 +  user="$1"
 +  shift
 +  tmpfile=$(mktemp)
 +  for file in "$@"; do
 +    cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
 +  done
 +  sshdir="/home/$user/.ssh"
 +  authkeysfile="$sshdir/authorized_keys"
 +  if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
 +    rm "$tmpfile"
 +    return 0
 +  fi
 +  echo "Update authorized_keys for user $user"
 +  if ! test -d "$sshdir"; then
 +    mkdir "$sshdir"
 +    chmod 700 "$sshdir"
 +    chown $user:$user "$sshdir"
 +  fi
 +  mv "$tmpfile" "$authkeysfile"
 +  chown $user:$user "$authkeysfile"
 +  chmod 600 "$authkeysfile"
 +}
++
 +function sudoers_file {
 +  sfile="$1"
 +  cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
 +  chown root:root "/etc/sudoers.d/$sfile"
 +  chmod 0440 "/etc/sudoers.d/$sfile"
 +}
++
 +function udev_rule {
 +  udevrule="$1"
 +  rulepath="/etc/udev/rules.d/$udevrule"
 +  if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
 +    cp "$script_dir$rulepath" "$rulepath"
 +    udevadm control --reload-rules
 +  fi
 +}
++
 +function install_packages {
 +  for pkg in "$@"
 +  do
 +    dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
 +    apt-get install -y "$pkg"
 +  done
 +}
++
 +install_packages build-essential rsync unzip
 +install_packages sudo vim tmux gnupg
++
 +create_user setup
 +authorized_keys setup boklm-yk1.pub
 +mkdir -p /signing
 +chmod 0755 /signing
 +chown setup /signing
++
 +create_user yubihsm
 +create_group yubihsm
 +udev_rule 70-yubikey.rules
++
 +create_user signing
 +create_group signing
 +create_user signing-gpg
 +create_user signing-mar
 +create_user signing-win yubihsm
++
++
 +sudoers_file sign-gpg
 +sudoers_file sign-mar
 +sudoers_file sign-exe
++
 +authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
 +create_user richard signing
 +authorized_keys richard richard.pub
++
 +# Install rbm deps
 +install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
 +                 libio-handle-util-perl libio-all-perl \
 +                 libio-captureoutput-perl libjson-perl libpath-tiny-perl \
 +                 libstring-shellquote-perl libsort-versions-perl \
 +                 libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
 +                 libfile-copy-recursive-perl libfile-slurp-perl
++
 +# Install deps for building osslsigncode
 +install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
 +sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
++
 +# Packages needed for windows signing
 +install_packages opensc libengine-pkcs11-openssl
++
 +# Install deps for building yubihsm-shell
 +install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
++
 +# Build and install yubihsm-pkcs11 package
 +create_user build-pkgs
 +if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
 +  yubishm_version=2.4.0
 +  sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
 +  pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
 +  apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
 +    ./libyubihsm1_${yubishm_version}_amd64.deb \
 +    ./libyubihsm-http1_${yubishm_version}_amd64.deb \
 +    ./libyubihsm-usb1_${yubishm_version}_amd64.deb
 +  popd
 +fi
++
 +# install mar-tools
 +if ! test -d /home/signing-mar/mar-tools; then
 +  tmpdir=$(mktemp -d)
 +  unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
 +  chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
 +  chmod go+rX "$tmpdir/mar-tools"/*
 +  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
 +fi

tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user@tb-release

tools/signing/machines-setup/ssh-keys/boklm-yk1.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7nEOKbxQX46guAanVHEfMZL/Udvd3g/HFQnJDDK0Nr+OPe2doGcUs2DD8xxADNihh59fsvVSeerHfe0Fuer039Y2PZNjg1zfm8Gk099zLIJWgZ23Lj59sLmrHQOSgE+VKaLq6OPre9wuhoe0XbiJOmoJRH78TF5GSOidPngLgthrm3rsCAofsJ26DzObVdbKKvR5XmvloBAIiNbvPnyq+0cn6LFSSueRG/v+A9ESl423b6n01msEm8yi5wqUE3ciskRF/IpP8HJV2C2naOgXVLmYw5Ft2NQzRSSgLy+l2mQxU4FTY2SaO7TVlo8aBjxLSHWakZMsnYyWOHrSnpx+l2g2wC2Bw5CwvS4z+n1/u568/UvRvAyZ/i6f7MO56MC9ipaQH165U+Lh4Ra6V82XvOvAtQwr/ts55/ypTzEerNXO5aoRQdnfU+funQEhT80Upqo3Cda+Eexn/thF3B+uCys7gszbWHa0L0WsLmH0vlHOIY/zS34pI2BChaKk237fOMILrY3AdWaK/ZNnkvTks262dMNJiv3WjxoMBvj3M/uOawT+ir2fWoASrcWbWOJcHNcigzWruZ0J4H0tzy7GMizYs2uV7fvTvCvgVyuPtTVb7S61k2PFDozzQaWUkJIs3/OTnfXdvB1d1p/7mK+BuSb8dnNhaklxZWAeMgbSjQw== boklm-yk1

tools/signing/machines-setup/ssh-keys/richard.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a

tools/signing/machines-setup/sudoers.d/sign-exe

	1	+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
	2	+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe

tools/signing/machines-setup/sudoers.d/sign-gpg

	1	+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
	2	+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg

tools/signing/machines-setup/sudoers.d/sign-mar

	1	+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
	2	+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar

tools/signing/machines-setup/upload-tbb-to-signing-machine

 +#!/bin/bash
 +# Upload tor-browser-build directory from current HEAD commit and other
 +# dependencies to signing machine
 +set -e
++
 +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
++
 +cd "$script_dir/../../.."
 +tmpdir=$(mktemp -d)
 +tbbtar=$tmpdir/tor-browser-build.tar
 +git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
++
 +echo "Created $tbbtar"
++
 +make submodule-update
 +osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
 +if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
 +  ./rbm/rbm tar osslsigncode
 +  echo "Created $osslsigncodefile"
 +fi
++
 +cd rbm
 +git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
 +echo "Created rbm.tar"
 +cd ..
++
 +martools_filename=mar-tools-linux64.zip
 +if ! test -f "./out/mar-tools/$martools_filename"; then
 +  ./rbm/rbm build --step fetch_martools mar-tools
 +  echo "Downloaded $martools_filename"
 +fi
++
 +yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
 +if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
 +  ./rbm/rbm build yubihsm-shell --step fetch_src
 +  echo "Fetched $yubihsm_filename"
 +fi
++
 +signing_machine='linux-signer'
 +setup_user='setup'
 +signing_dir='/signing'
++
 +echo "Uploading $osslsigncodefile to $signing_machine"
 +chmod go+r "./out/osslsigncode/$osslsigncodefile"
 +rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
 +echo "Uploading rbm.tar to $signing_machine"
 +rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
 +echo "Uploading $martools_filename"
 +chmod go+r "./out/mar-tools/$martools_filename"
 +rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
 +echo "Uploading $yubihsm_filename"
 +chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
 +rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
 +echo "Uploading tor-browser-build.tar to $signing_machine"
 +scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
 +echo "Extracting tor-browser-build.tar on $signing_machine"
 +ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
 +echo "You can now run this command on $signing_machine to update signing machine setup:"
 +echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"

tools/signing/set-config

@@ -18,6 +18,8 @@ test "$SIGNING_PROJECTNAME" = 'torbrowser' \
    || test "$SIGNING_PROJECTNAME" = 'mullvadbrowser' \
    || exit_error "Unknown SIGNING_PROJECTNAME $SIGNING_PROJECTNAME"
 +export SIGNING_PROJECTNAME
++
  test -z "${rbm_not_available+x}" && rbm="$script_dir/../../rbm/rbm"
  . "$script_dir/set-config.tbb-version"
@@ -36,3 +38,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
  rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
  tb_builders='boklm dan henry ma1 pierov richard'
 +wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers

tools/signing/wrappers/sign-exe

 +#!/bin/bash
 +set -e
++
 +if test "$#" -ne 2; then
 +  echo "Wrong number of arguments" >&2
 +  exit 1
 +fi
++
 +if test $(whoami) != 'signing-win'; then
 +  echo 'This script should be run as the signing-win user' >&2
 +  exit 2
 +fi
++
 +yubipass="$1"
 +to_sign_exe="$2"
++
 +tpo_cert=/home/signing-win/tpo-cert.crt
++
 +if ! test -f "$tpo_cert"; then
 +  echo "File $tpo_cert is missing" >&2
 +  exit 2
 +fi
++
 +output_signed_exe=/home/signing-win/last-signed-file.exe
 +rm -f "$output_signed_exe"
++
 +export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
 +/home/signing-win/osslsigncode/bin/osslsigncode \
 +  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
 +  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
 +  -pass "$yubipass" \
 +  -h sha256 \
 +  -certs "$tpo_cert" \
 +  -key 1c40 \
 +  "$to_sign_exe" "$output_signed_exe"
++
 +chmod 644 "$output_signed_exe"

tools/signing/wrappers/sign-gpg

 +#!/bin/bash
 +set -e
++
 +if test "$#" -ne 1; then
 +  echo "Wrong number of arguments" >&2
 +  exit 2
 +fi
++
 +if test $(whoami) != 'signing-gpg'; then
 +  echo 'This script should be run as the signing-gpg user' >&2
 +  exit 1
 +fi
++
 +exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"

tools/signing/wrappers/sign-mar

 +#!/bin/bash
 +set -e
++
 +if test "$#" -ne 1; then
 +  echo "Wrong number of arguments" >&2
 +  exit 1
 +fi
++
 +if test $(whoami) != 'signing-mar'; then
 +  echo 'This script should be run as the signing-mar user' >&2
 +  exit 2
 +fi
++
 +output_signed_mar=/home/signing-mar/last-signed-mar.mar
 +rm -f "$output_signed_mar"
++
 +if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
 +  NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
 +elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
 +  NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
 +else
 +  echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
 +  exit 3
 +fi
 +NSS_CERTNAME=marsigner
++
 +if ! test -d "$NSS_DB_DIR"; then
 +  echo "$NSS_DB_DIR is missing" >&2
 +  exit 3
 +fi
++
 +martools_dir=/home/signing-mar/mar-tools
 +if ! test -d "$martools_dir"; then
 +  >&2 echo "Please create $martools_dir"
 +  exit 4
 +fi
 +export LD_LIBRARY_PATH="$martools_dir"
 +export PATH="$martools_dir:$PATH"
++
 +"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
 +chmod 644 "$output_signed_mar"