richard pushed to branch maint-13.0 at The Tor Project / Applications / tor-browser-build
Commits:
- 
0f610931
by Nicolas Vigier at 2023-11-30T12:47:22+00:00
- 
4dc9c81f
by Nicolas Vigier at 2023-11-30T12:48:19+00:00
6 changed files:
- Makefile
- doc/MAKEFILE.txt
- + projects/release/compare_windows_signed_unsigned_exe
- projects/release/config
- + tools/download-mullvadbrowser
- + tools/download-torbrowser
Changes:
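--- a/Makefile
+++ b/Makefile
@@ -233,6 +233,12 @@ torbrowser-dmg2mar-alpha: submodule-update
 	$(rbm) build release --step link_old_mar_filenames --target alpha --target torbrowser
 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
 
+torbrowser-compare-windows-signed-unsigned-release: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target torbrowser
+
+torbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target torbrowser
+
 
 ########################
 # Base Browser Targets #
@@ -565,6 +571,12 @@ mullvadbrowser-dmg2mar-alpha: submodule-update
 	$(rbm) build release --step link_old_mar_filenames --target alpha --target mullvadbrowser
 	CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
 
+mullvadbrowser-compare-windows-signed-unsigned-release: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target mullvadbrowser
+
+mullvadbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+	$(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target mullvadbrowser
+
 
 ############################
 # Toolchain Update Targets #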
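--- a/doc/MAKEFILE.txt
+++ b/doc/MAKEFILE.txt
@@ -136,3 +136,8 @@ Create update responses xml files for a signed build in the release or
 alpha channel. The files can be found in a tar in the directory
 torbrowser/{release,alpha}/update-responses.
 
+torbrowser-compare-windows-signed-unsigned-{release,alpha}
+----------------------------------------------------------
+Unsign exe files from directory torbrowser/{release,alpha}/signed/$version
+and compare them with the checksum from sha256sums-unsigned-build.txt.
+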
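--- a/projects/release/compare_windows_signed_unsigned_exe
+++ b/projects/release/compare_windows_signed_unsigned_exe
@@ -0,0 +1,30 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+[% IF c("var/nightly") -%]
+  build_dir=[% shell_quote(path(dest_dir)) %]/[%  c("version") %]
+[% ELSE -%]
+  build_dir=[% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]
+[% END -%]
+
+if ! test -d "$build_dir"
+then
+  echo "Error: Directory $build_dir does not exist" 1>&2
+  echo "You can download it with this command:" 1>&2
+  echo " ./tools/download-[% c("var/projectname") %] [% c("var/torbrowser_version") %]" 1>&2
+  exit 1
+fi
+
+cp -a "$build_dir"/*.exe "$build_dir"/sha256sums-unsigned-build.txt .
+
+tar -xf $rootdir/[% c('input_files_by_name/osslsigncode') %]
+
+for file in *.exe
+do
+  ./osslsigncode/bin/osslsigncode remove-signature -in "$file" -out "unsigned-$file" > /dev/null
+  mv -f "unsigned-$file" "$file"
+  echo "Unsigned $file"
+done
+
+grep '\.exe$' sha256sums-unsigned-build.txt | sha256sum -c
+
+echo "Unsigned exe files are matching with sha256sums-unsigned-build.txt"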
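Review bot: `sha256sum -c` on line 28 checks only the names listed in sha256sums-unsigned-build.txt, so an .exe that sits in the signed directory but is missing from that list is stripped by the loop and never compared, and the run still ends with the "matching" message. Inside the `for` loop, fail on unlisted files, for example `grep -qF -- "  $file" sha256sums-unsigned-build.txt || { echo "Error: $file is not listed" 1>&2; exit 1; }`. The success `echo` on line 30, and the `mv -f` after a failed `remove-signature`, also rely on `set -e` coming from `var/set_default_env`, which is not visible on this page; if it does not set it, add `set -e` right after the template header. The checksum list is copied from `$build_dir` without a signature check in this step, so a comment stating that the directory must come from a GPG-verified download would make the trust assumption explicit.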
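--- a/projects/release/config
+++ b/projects/release/config
@@ -263,3 +263,11 @@ steps:
     debug: 0
     input_files: []
     dmg2mar: '[% INCLUDE dmg2mar %]'
+  compare_windows_signed_unsigned_exe:
+    build_log: '-'
+    debug: 0
+    input_files:
+      - project: osslsigncode
+        name: osslsigncode
+        pkg_type: build
+    compare_windows_signed_unsigned_exe: '[% INCLUDE compare_windows_signed_unsigned_exe %]'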
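--- a/tools/download-mullvadbrowser
+++ b/tools/download-mullvadbrowser
@@ -0,0 +1 @@
+download-torbrowser
\ No newline at end of file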
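--- a/tools/download-torbrowser
+++ b/tools/download-torbrowser
@@ -0,0 +1,100 @@
+#!/usr/bin/perl -w
+
+# This script downloads a torbrowser or mullvadbrowser release, checking
+# its signature
+
+use strict;
+use English;
+use LWP::Simple;
+use IO::CaptureOutput qw(capture_exec);
+use File::Temp;
+use File::Basename qw(fileparse);
+use FindBin;
+use File::Path qw(make_path);
+use File::Copy;
+use Path::Tiny;
+use Digest::SHA qw(sha256_hex);
+
+
+sub exit_error {
+  print STDERR "Error: ", $_[0], "\n";
+  chdir '/';
+  exit (exists $_[1] ? $_[1] : 1);
+}
+
+sub gpg_verify_file {
+  my ($file) = @_;
+  if (system('gpg', '--no-default-keyring', '--keyring',
+      "$FindBin::Bin/../keyring/torbrowser.gpg", '--verify',
+      "$file.asc",
+      $file)) {
+    exit_error "Error checking gpg signature for file $file";
+  }
+}
+
+my $progname = fileparse($PROGRAM_NAME);
+my ($projectname) = $progname =~ m/^download-(.+)$/;
+if (@ARGV != 1) {
+  print STDERR "usage: $progname <version>\n";
+  exit 1;
+}
+
+my $version = $ARGV[0];
+my $version_type = $version =~ m/a/ ? 'alpha' : 'release';
+my $destdir = "$FindBin::Bin/../$projectname/$version_type/signed/$version";
+my $urldir = "https://archive.torproject.org/tor-package-archive/$projectname/$version";
+
+make_path($destdir);
+my $tmpdir = File::Temp->newdir(DIR => "$FindBin::Bin/../tmp");
+
+foreach my $file (qw(sha256sums-signed-build.txt sha256sums-signed-build.txt.asc
+                     sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt.asc)) {
+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+    exit_error "Error downloading $urldir/$file";
+  }
+}
+gpg_verify_file("$tmpdir/sha256sums-signed-build.txt");
+move "$tmpdir/sha256sums-signed-build.txt.asc", "$destdir/sha256sums-signed-build.txt.asc";
+move "$tmpdir/sha256sums-signed-build.txt", "$destdir/sha256sums-signed-build.txt";
+gpg_verify_file("$tmpdir/sha256sums-unsigned-build.txt");
+move "$tmpdir/sha256sums-unsigned-build.txt.asc", "$destdir/sha256sums-unsigned-build.txt.asc";
+move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt";
+
+foreach my $file (qw(sha256sums-signed-build.incrementals.txt
+                     sha256sums-signed-build.incrementals.txt.asc
+                     sha256sums-unsigned-build.incrementals.txt
+                     sha256sums-unsigned-build.incrementals.txt.asc)) {
+  if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+    last;
+  }
+}
+if (-f "$tmpdir/sha256sums-signed-build.incrementals.txt.asc") {
+  gpg_verify_file("$tmpdir/sha256sums-signed-build.incrementals.txt");
+  move "$tmpdir/sha256sums-signed-build.incrementals.txt.asc", "$destdir/sha256sums-signed-build.incrementals.txt.asc";
+  move "$tmpdir/sha256sums-signed-build.incrementals.txt", "$destdir/sha256sums-signed-build.incrementals.txt";
+}
+if (-f "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc") {
+  gpg_verify_file("$tmpdir/sha256sums-unsigned-build.incrementals.txt");
+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc", "$destdir/sha256sums-unsigned-build.incrementals.txt.asc";
+  move "$tmpdir/sha256sums-unsigned-build.incrementals.txt", "$destdir/sha256sums-unsigned-build.incrementals.txt";
+}
+
+my @sha256_lines = path("$destdir/sha256sums-signed-build.txt")->lines;
+push @sha256_lines, path("$destdir/sha256sums-signed-build.incrementals.txt")->lines
+    if -f "$destdir/sha256sums-signed-build.incrementals.txt";
+my %sums = map { chomp; reverse split '  ', $_ } @sha256_lines;
+
+foreach my $file (sort keys %sums) {
+  if (-f "$destdir/$file") {
+    print "Not downloading $file (already there)\n";
+    next;
+  }
+  print "Downloading $file\n";
+  exit_error "Error downloading $urldir/$file\n"
+    unless getstore("$urldir/$file", "$tmpdir/$file") == 200;
+  exit_error "Wrong checksum for $file"
+    unless $sums{$file} eq sha256_hex(path("$tmpdir/$file")->slurp);
+  move "$tmpdir/$file", "$destdir/$file";
+}
+
+print "Finished downloading $projectname $version in $destdir\n";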
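Review bot: The `-f "$destdir/$file"` skip on lines 88-91 accepts a file that is already in the destination without hashing it, so a truncated or replaced installer left from an earlier run is treated as verified; only fresh downloads reach the `sha256_hex` comparison. Check the existing file before skipping, e.g. `exit_error "Wrong checksum for existing $file" unless $sums{$file} eq sha256_hex(path("$destdir/$file")->slurp_raw);`. This matters for the signed/unsigned comparison step, which removes the Authenticode signature before hashing and so cannot notice a differing signature block on its own. Separately, `$version` from `@ARGV` is interpolated into `$destdir` and handed to `make_path` on line 47 unvalidated; an anchored check before line 44, such as `exit_error "Invalid version $version" unless $version =~ m/\A[0-9][0-9a-z.]*\z/;` (pattern to be adjusted to the project's version format), keeps the path inside the project directory.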