[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [builders/tor-browser-build] 13/32: Bug 40414: Add linux-signer-signmars

To: tor-commits@xxxxxxxxxxxxxxxxxxxx, tbb-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [builders/tor-browser-build] 13/32: Bug 40414: Add linux-signer-signmars
From: gitolite role <git@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 20 Apr 2022 09:38:50 +0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 20 Apr 2022 05:39:52 -0400
In-reply-to: <165044751751.26731.9146111203372510876@cupani.torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
References: <165044751751.26731.9146111203372510876@cupani.torproject.org>
Reply-to: Nicolas Vigier <boklm@xxxxxxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>
Thread-index: AQAAEjRWutXgu4vUQoWQnmVg+b69nQ==

This is an automated email from the git hooks/post-receive script.

boklm pushed a commit to branch master
in repository builders/tor-browser-build.

commit 0447c30c7926710cfb0d32110e7f9be08332dd2e
Author: Nicolas Vigier <boklm@xxxxxxxxxxxxxx>
AuthorDate: Mon Feb 14 19:41:23 2022 +0100

    Bug 40414: Add linux-signer-signmars
    
    This is a copy from tor-browser-bundle/gitian/signmars.sh that we
    currently use for mar signing.
---
 tools/signing/linux-signer-signmars | 133 ++++++++++++++++++++++++++++++++++++
 1 file changed, 133 insertions(+)

diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars
new file mode 100755
index 0000000..269610f
--- /dev/null
+++ b/tools/signing/linux-signer-signmars
@@ -0,0 +1,133 @@
+#!/bin/bash
+#
+#
+# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script.
+
+set -e
+set -u
+
+WRAPPER_DIR=$(dirname "$0")
+WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR")
+
+if [ -z "${NSS_DB_DIR+x}" ]; then
+  NSS_DB_DIR=$WRAPPER_DIR/nssdb
+fi
+
+if [ -z "${NSS_CERTNAME+x}" ]; then
+  NSS_CERTNAME=marsigner
+fi
+
+# Incorporate definitions from the versions file.
+if [ -z "$1" ]; then
+  VERSIONS_FILE=$WRAPPER_DIR/versions
+else
+  VERSIONS_FILE=$1
+fi
+
+if ! [ -e $VERSIONS_FILE ]; then
+  echo >&2 "Error: $VERSIONS_FILE file does not exist"
+  exit 1
+fi
+
+. $VERSIONS_FILE
+#eval $(./get-tb-version $TORBROWSER_VERSION_TYPE)
+
+export LC_ALL=C
+
+# Check some prerequisites.
+if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
+  >&2 echo "Please create and populate the $NSS_DB_DIR directory"
+  exit 2
+fi
+
+OSNAME=""
+ARCH="$(uname -s)-$(uname -m)"
+case $ARCH in
+  Linux-x86_64)
+    OSNAME="linux64"
+    ;;
+  Linux-i*86)
+    OSNAME="linux32"
+    ;;
+  *)
+    >&2 echo "Unsupported architecture $ARCH"
+    exit 2
+esac
+
+# Extract the MAR tools so we can use the signmar program.
+MARTOOLS_TMP_DIR=$(mktemp -d)
+trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
+MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-new-${OSNAME}.zip"
+cd $MARTOOLS_TMP_DIR
+unzip -q "$MARTOOLS_ZIP"
+cd $WRAPPER_DIR
+export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
+if [ -z "${LD_LIBRARY_PATH+x}" ]; then
+  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
+else
+  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+fi
+
+# Prompt for the NSS password.
+# TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
+# both certutil and signmar keep trying to read a new password when they are
+# given an incorrect one.
+read -s -p "NSS password:" NSSPASS
+echo ""
+
+# Sign each MAR file.
+#
+# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION
+# directory into a TORBROWSER_VERSION-unsigned/ directory.  Details:
+#   If a file has not been signed, we move it to the -unsigned/ directory.
+#   If a file has already been signed and a file with the same name exists in
+#     the -unsigned/ directory, we just delete the signed file.
+#   If a file has already been signed but no corresponding file exists in
+#     the -unsigned/ directory, we report an error and exit.
+#
+# Once the above is done,  the -unsigned/ directory contains a set of .mar
+# files that need to be signed, so we go ahead and sign them one-by-one.
+SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION"
+UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned"
+mkdir -p "$UNSIGNED_DIR"
+cd "$SIGNED_DIR"
+for marfile in *.mar; do
+  if [ ! -f "$marfile" ]; then
+    continue;
+  fi
+
+  # First, we check for an existing signature.  The signmar -T output will
+  # include a line like "Signature block found with N signatures".
+  SIGINFO_PREFIX="Signature block found with "
+  SIGINFO=$(signmar -T "$marfile" | grep "^${SIGINFO_PREFIX}")
+  SIGCOUNT=0
+  if [ ! -z "$SIGINFO" ]; then
+    SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/\([0-9]*\).*$/\1/')
+  fi
+  if [ $SIGCOUNT -eq 0 ]; then
+    # No signature; move this .mar file to the -unsigned/ directory.
+    mv "$marfile" "$UNSIGNED_DIR/"
+  else
+    echo "Skipping $marfile (already signed)"
+  fi
+done
+
+# Use signmar to sign each .mar file that is now in the -unsigned directory.
+TMPMAR="$SIGNED_DIR/tmp.mar"
+trap "rm -f $TMPMAR" EXIT
+cd "$UNSIGNED_DIR"
+echo "Starting the signing..."
+COUNT=0
+for marfile in *.mar; do
+  if [ ! -f "$marfile" ]; then
+    continue;
+  fi
+  echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
+      "$marfile" "$TMPMAR"
+  mv "$TMPMAR" "$SIGNED_DIR/$marfile"
+  COUNT=$((COUNT + 1))
+  echo "Signed MAR file $COUNT"
+  rm "$marfile"
+done
+
+echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed."

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

References:
- [tor-commits] [builders/tor-browser-build] branch master updated (e485133 -> da516e6)
  - From: gitolite role

Prev by Author: [tor-commits] [tor-browser] 33/68: Bug 21830: Copying large text from web console leaks to /tmp
Next by Author: [tor-commits] [tor-browser] annotated tag tor-browser-91.8.0esr-11.5-1-build2 created (now 9536e3aa62619)
Previous by thread: [tor-commits] [builders/tor-browser-build] 12/32: Bug 40414: Add download-unsigned-sha256sums-gpg-signatures-from-people-tpo script
Next by thread: [tor-commits] [builders/tor-browser-build] 14/32: Bug 40414: Improve linux-signer-signmars
Index(es):
- Author
- Thread