[tor-commits] [Git][tpo/applications/tor-browser-build][main] 7 commits: Bug 41759: Remove var/torbrowser_legacy

boklm pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

f11c6a41

by Nicolas Vigier at 2026-04-02T16:02:11+02:00

Bug 41759: Remove var/torbrowser_legacy_version from rbm.conf

And var/torbrowser_legacy_platform_version.

8d52f71d

by Nicolas Vigier at 2026-04-02T16:02:11+02:00

Bug 41759: Remove legacy channel from gitlab templates

00735068

by Nicolas Vigier at 2026-04-02T16:02:11+02:00

Revert "Bug 41373: Add support for old from mar filenames (with `_ALL`)"

This reverts commit 98191f1547eff98955ea53a294e458e68033f72f.

f8e22809

by Nicolas Vigier at 2026-04-02T16:02:11+02:00

Bug 41759: Remove legacy channel support from tools/signing/do-all-signing

2b885eeb

by Nicolas Vigier at 2026-04-02T16:02:11+02:00

Bug 41759: Remove legacy channel support from tools/browser

3e7a89e1

by Nicolas Vigier at 2026-04-02T16:02:11+02:00

Bug 41759: Remove legacy channel support from projects/release/update_responses_config.yml

a9325827

by Nicolas Vigier at 2026-04-02T16:02:11+02:00

Bug 41476: Remove tools/signing/wrappers/sign-rcodesign

And related files.

This was used to sign 13.5 releases.

14 changed files:

.gitlab/issue_templates/010 Backport.md
.gitlab/issue_templates/041 Release Prep - Tor Browser Stable.md
.gitlab/merge_request_templates/relprep.md
projects/release/update_responses_config.yml
rbm.conf
tools/browser/README.md
tools/browser/sign-tag
− tools/signing/alpha.entitlements.xml
tools/signing/do-all-signing
tools/signing/machines-setup/setup-signing-machine
− tools/signing/machines-setup/sudoers.d/sign-rcodesign
− tools/signing/release.entitlements.xml
− tools/signing/wrappers/sign-rcodesign
tools/update-responses/update_responses

Changes:

.gitlab/issue_templates/010 Backport.md

@@ -20,7 +20,6 @@ This is an issue for tracking back-porting a patch-set (e.g. from main to maint-
  ### Target Channels
  - [ ] maint-15.0
 -- [ ] maint-13.5
  ## Notes

.gitlab/issue_templates/041 Release Prep - Tor Browser Stable.md

@@ -68,8 +68,6 @@ Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` b
      - [ ] ***(Desktop Only)*** `var/torbrowser_incremental_from`: updated to previous Desktop version
        - **NOTE**: We try to build incrementals for the previous 3 desktop versions
        - **⚠️ WARNING**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
 -    - [ ] `var/torbrowser_legacy_version`: updated to latest legacy Tor Browser version
 -    - [ ] `var/torbrowser_legacy_platform_version`: updated to latest legacy Tor Browser ESR version
    - [ ] `projects/firefox/config`
        - [ ] `var/browser_build`: updated to match `tor-browser` tag
        - [ ] ***(Optional)*** `var/firefox_platform_version`: updated to latest `${ESR_VERSION}` if rebased
@@ -211,9 +209,6 @@ Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` b
      Changelog:
      # paste changelog as quote here
      ```
 -- [ ] Verify the associated legacy `maint-13.5` release has been signed and deployed
 -  - **⚠️ WARNING**: Do not continue if the legacy channel has not been fully signed and published yet; it is needed for update-response generation!
 -  - **NOTE** Stable releases without a corresponding legacy release may ignore this
  - [ ] On `${STAGING_SERVER}`, ensure updated:
    - **NOTE** Having a local git branch with `maint-15.0` as the upstream branch with these values saved means you only need to periodically `git pull --rebase`
    - [ ] `tor-browser-build` is on the right commit: `git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}`

.gitlab/merge_request_templates/relprep.md

@@ -20,8 +20,6 @@
    - [ ] `var/torbrowser_build`: should be `build1`, unless bumping a previous release preparation
    - [ ] `var/browser_release_date`: must not be in the future when we start building
    - [ ] `var/torbrowser_incremental_from` (not needed for Android-only releases)
 -  - [ ] `var/torbrowser_legacy_version` (For Tor Browser 14.0.x stable releases only)
 -  - [ ] `var/torbrowser_legacy_platform_version` (For Tor Browser 14.0.x stable releases only)
  - [ ] Tag updates:
    - [ ] [Firefox](https://gitlab.torproject.org/tpo/applications/tor-browser/-/tags)
    - [ ] Geckoview - should match Firefox

projects/release/update_responses_config.yml

@@ -32,9 +32,6 @@ build_targets:
  channels:
      [% c('var/channel') %]:
        - [% c("var/torbrowser_version") %]
 -[% IF c("var/tor-browser") && c("var/torbrowser_legacy_version") -%]
 -      - [% c("var/torbrowser_legacy_version") %]
 -[% END -%]
  versions:
      [% c("var/torbrowser_version") %]:
  [% IF c("var/create_unsigned_incrementals") -%]
@@ -70,25 +67,6 @@ versions:
              minSupportedOSVersion: 10.0
          linux-x86_64:
              minSupportedInstructionSet: SSE2
 -[% IF c("var/tor-browser") && c("var/torbrowser_legacy_version") -%]
 -    [% c("var/torbrowser_legacy_version") %]:
 -        mar_channel_id: [% c('var/mar_channel_id') %]
 -        platformVersion: [% c('var/torbrowser_legacy_platform_version') %]
 -        detailsURL: https://blog.torproject.org/new[% IF c("var/alpha") %]-alpha[% END %]-release-tor-browser-[% c("var/torbrowser_legacy_version") FILTER remove('\.') %]
 -        # minSupportedOsVersion on macOS corresponds to the Darwin version ( https://en.wikipedia.org/wiki/Darwin_(operating_system) )
 -        macos:
 -            # macOS v10.12.0
 -            minSupportedOSVersion: 16.0.0
 -        # minSupportedOsVersion on Windows corresponds to the operating system version ( https://docs.microsoft.com/en-us/windows/win32/sysinfo/operating-system-version )
 -        windows-i686:
 -            # Windows 7
 -            minSupportedOSVersion: 6.1
 -            minSupportedInstructionSet: SSE2
 -        windows-x86_64:
 -            # Windows 7
 -            minSupportedOSVersion: 6.1
 -            minSupportedInstructionSet: SSE2
 -[% END -%]
  mar_compression: xz
  [% IF c("var/tor-browser") -%]
  tag: 'tbb-[% c("var/torbrowser_version") %]-[% c("var/torbrowser_build") %]'

rbm.conf

@@ -136,9 +136,6 @@ var:
      - 16.0a2
    mar_channel_id: '[% c("var/projectname") %]-torproject-[% c("var/channel") %]'
 -#  torbrowser_legacy_version: 13.5.22
 -#  torbrowser_legacy_platform_version: 115.28.0
+-
    # By default, we sort the list of installed packages. This allows sharing
    # containers with identical list of packages, even if they are not listed
    # in the same order. In the cases where the installation order is

tools/browser/README.md

@@ -50,8 +50,7 @@ This script gpg signs a git tag associated with a particular browser commit in t
  usage: ./tools/browser/sign-tag.<browser> <channel> <build-number> [commit]
  browser         one of basebrowser, torbrowser, or mullvadbrowser
 -channel         the release channel of the commit to sign (e.g. alpha, stable,
 -                or legacy)
 +channel         the release channel of the commit to sign (e.g. alpha, or stable)
  build-number    the build number portion of a browser build tag (e.g. build2)
  commit          optional git commit, HEAD is used if argument not present
  ```
@@ -71,18 +70,6 @@ Invoke the relevant soft-link'd version of this script to sign a particular brow
       message: Tagging build1 for 128.4.0esr-based alpha
      ```
 -  - ##### `tor-browser-115.17.0esr-13.5-1-build2`
 -    After checking out `tor-browser-115.17.0esr-13.5-1` branch in linked tor-browser.git
 -    ```bash
 -    ./sign-tag.torbrowser legacy build2 8e9e58fe400291f20be5712d057ad0b5fc4d70c1
 -    ```
 -    **output**:
 -    ```
 -    Tag commit 8e9e58fe4002 in tor-browser-115.17.0esr-13.5-1
 -     tag:     tor-browser-115.17.0esr-13.5-1-build2
 -     message: Tagging build2 for 115.17.0esr-based legacy
 -    ```
+-
    - ##### `mullvad-browser-128.4.0esr-14.0-1-build2`
      After checking out `mullvad-browser-128.4.0esr-14.0-1` branch in linked mullvad-browser.git
      ```bash

tools/browser/sign-tag

@@ -80,11 +80,10 @@ commit=$(git rev-parse --short ${3:-HEAD})
  # channel validation
  if [[ "${project}" == "mullvad-browser" ]]; then
      repo="$project"
 -    valid_channels=("rapid" "alpha" "stable")
  else
      repo="tor-browser"
 -    valid_channels=("rapid" "alpha" "stable" "legacy")
  fi
 +valid_channels=("alpha" "stable")
  channel_valid=false
  for value in "${valid_channels[@]}"; do
      if [[ "${channel}" == "${value}" ]]; then

tools/signing/alpha.entitlements.xml deleted

 -<?xml version="1.0" encoding="UTF-8"?>
 -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 -<!--
 -     Entitlements to apply during codesigning of production builds.
 --->
 -<plist version="1.0">
 -  <dict>
 -    <!-- Firefox needs to create executable pages (without MAP_JIT) -->
 -    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+-
 -    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
 -    <key>com.apple.security.cs.disable-library-validation</key><true/>
+-
 -    <!-- Firefox needs to access the microphone on sites the user allows -->
 -    <key>com.apple.security.device.audio-input</key><true/>
+-
 -    <!-- Firefox needs to access the camera on sites the user allows -->
 -    <key>com.apple.security.device.camera</key><true/>
+-
 -    <!-- Firefox needs to access the location on sites the user allows -->
 -    <key>com.apple.security.personal-information.location</key><true/>
+-
 -    <!-- For SmartCardServices(7) -->
 -    <key>com.apple.security.smartcard</key><true/>
 -  </dict>
 -</plist>

tools/signing/do-all-signing

@@ -19,21 +19,10 @@ if [[ $1 = "-p" ]]; then
    shift
  fi
 -function is_legacy {
 -  [[ "$tbb_version" = 13.* ]]
 -}
+-
 -if is_legacy; then
 -  platform_android=
 -  platform_desktop=1
 -  platform_macos=1
 -  platform_windows=1
 -else
 -  platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android)
 -  platform_desktop=$(rbm_showconf_boolean var/browser_platforms/signing_desktop)
 -  platform_macos=$(rbm_showconf_boolean var/browser_platforms/macos)
 -  platform_windows=$(rbm_showconf_boolean var/browser_platforms/signing_windows)
 -fi
 +platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android)
 +platform_desktop=$(rbm_showconf_boolean var/browser_platforms/signing_desktop)
 +platform_macos=$(rbm_showconf_boolean var/browser_platforms/macos)
 +platform_windows=$(rbm_showconf_boolean var/browser_platforms/signing_windows)
  is_project torbrowser && nssdb=torbrowser-nssdb7
  is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1
@@ -293,6 +282,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo
  do_step sync-local-to-staticiforme
  do_step sync-scripts-to-staticiforme
  do_step staticiforme-prepare-cdn-dist-upload
 -[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && ! is_legacy && \
 +[ "$SIGNING_PROJECTNAME" != 'torvpn' ] && \
    do_step upload-update_responses-to-staticiforme
  do_step finished-signing-clean-linux-signer

tools/signing/machines-setup/setup-signing-machine

@@ -41,6 +41,12 @@ function authorized_keys {
    chmod 600 "$authkeysfile"
+ }
 +function remove_sudoers_file {
 +  # Remove a sudoers file that previously existed but is no longer used
 +  sfile="$1"
 +  rm -f "/etc/sudoers.d/$sfile"
 +}
++
  function sudoers_file {
    sfile="$1"
    cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
@@ -91,7 +97,8 @@ sudoers_file sign-mar
  sudoers_file sign-exe
  sudoers_file sign-apk
  sudoers_file sign-aab
 -sudoers_file sign-rcodesign
 +# sign-rcodesign is removed - tor-browser-build#41476
 +remove_sudoers_file sign-rcodesign
  sudoers_file sign-rcodesign-128
  sudoers_file sign-rcodesign-146
  sudoers_file set-date

tools/signing/machines-setup/sudoers.d/sign-rcodesign deleted

1		-Defaults>signing-macos env_keep += "SIGNING_PROJECTNAME tbb_version_type RCODESIGN_PW"
2		-%signing ALL = (signing-macos) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-rcodesign

tools/signing/release.entitlements.xml deleted

 -<?xml version="1.0" encoding="UTF-8"?>
 -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 -<!--
 -     Entitlements to apply during codesigning of production builds.
 --->
 -<plist version="1.0">
 -  <dict>
 -    <!-- Firefox needs to create executable pages (without MAP_JIT) -->
 -    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+-
 -    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
 -    <key>com.apple.security.cs.disable-library-validation</key><true/>
+-
 -    <!-- Firefox needs to access the microphone on sites the user allows -->
 -    <key>com.apple.security.device.audio-input</key><true/>
+-
 -    <!-- Firefox needs to access the camera on sites the user allows -->
 -    <key>com.apple.security.device.camera</key><true/>
+-
 -    <!-- Firefox needs to access the location on sites the user allows -->
 -    <key>com.apple.security.personal-information.location</key><true/>
+-
 -    <!-- For SmartCardServices(7) -->
 -    <key>com.apple.security.smartcard</key><true/>
 -  </dict>
 -</plist>

tools/signing/wrappers/sign-rcodesign deleted

 -#!/bin/bash
 -set -e
+-
 -function exit_error {
 -  for msg in "$@"
 -  do
 -    echo "$msg" >&2
 -  done
 -  exit 1
 -}
+-
 -test $# -eq 2 || exit_error "Wrong number of arguments"
 -dmg_file="$1"
 -display_name="$2"
+-
 -output_file="/home/signing-macos/last-signed-$display_name.tar.zst"
 -rm -f "$output_file"
+-
 -rcodesign_signing_p12_file=/home/signing-macos/keys/key-1.p12
 -test -f "$rcodesign_signing_p12_file" || exit_error "$rcodesign_signing_p12_file is missing"
+-
 -tmpdir=$(mktemp -d)
 -trap "rm -Rf $tmpdir" EXIT
 -cd "$tmpdir"
 -7z x "$dmg_file"
+-
 -# Fix permission on files:
 -# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2957050
 -# FIXME: Maybe we should extract the .mar file instead of the .dmg to
 -# preserve permissions
 -chmod ugo+x "$display_name/$display_name.app/Contents/MacOS"/* \
 -            "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/MacOS"/* \
 -            "$display_name/$display_name.app/Contents/MacOS/plugin-container.app/Contents/MacOS"/*
 -test -d "$display_name/$display_name.app/Contents/MacOS/Tor" && \
 -  chmod -R ugo+x "$display_name/$display_name.app/Contents/MacOS/Tor"
+-
 -pwdir=/run/lock/rcodesign-pw
 -trap "rm -Rf $pwdir" EXIT
 -rm -Rf "$pwdir"
 -mkdir "$pwdir"
 -chmod 700 "$pwdir"
 -cat > "$pwdir/rcodesign-pw-2" << EOF
 -$RCODESIGN_PW
 -EOF
 -tr -d '\n' < "$pwdir/rcodesign-pw-2" > "$pwdir/rcodesign-pw"
 -rm "$pwdir/rcodesign-pw-2"
+-
 -rcodesign_opts="
 -  --code-signature-flags runtime
 -  --timestamp-url http://timestamp.apple.com:8080/ts01
 -  --p12-file $rcodesign_signing_p12_file
 -  --p12-password-file $pwdir/rcodesign-pw
 -  "
+-
 -# sign updater.app and plugin-container.app separately
 -echo '**** Signing updater.app ****'
 -/signing/rcodesign/rcodesign sign \
 -  $rcodesign_opts \
 -  --info-plist-path "$display_name/$display_name.app/Contents/MacOS/updater.app/Contents/Info.plist" \
 -  -- \
 -  "$display_name/$display_name.app/Contents/MacOS/updater.app"
 -echo '**** Signing plugin-container.app ****'
 -/signing/rcodesign/rcodesign sign \
 -  $rcodesign_opts \
 -  --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
 -  -- \
 -  "$display_name/$display_name.app/Contents/MacOS/plugin-container.app"
+-
 -# Setting binary-identifier on some files, to avoid signature errors. See:
 -# https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815#note_2956149
 -pushd "$display_name/$display_name.app/Contents/MacOS/"
 -for lib in *.dylib
 -do
 -  binident=$(echo $lib | sed 's/\.dylib$//')
 -  binident="--binary-identifier Contents/MacOS/$lib:$binident"
 -  echo "Adding option $binident"
 -  rcodesign_opts="$rcodesign_opts $binident"
 -done
 -popd
+-
 -if test -d "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
 -then
 -  pushd "$display_name/$display_name.app/Contents/MacOS/Tor/PluggableTransports/"
 -  for file in echo *
 -  do
 -    binident="--binary-identifier Contents/MacOS/Tor/PluggableTransports/$file:$file"
 -    echo "Adding option $binident"
 -    rcodesign_opts="$rcodesign_opts $binident"
 -  done
 -  popd
 -fi
+-
 -echo "**** Signing main bundle ($display_name.app) ****"
 -# We use `--exclude '**'` to avoid re-signing nested bundles
 -/signing/rcodesign/rcodesign sign \
 -  $rcodesign_opts \
 -  --entitlements-xml-path /signing/tor-browser-build/tools/signing/${tbb_version_type}.entitlements.xml \
 -  --exclude '**' \
 -  -- \
 -  "$display_name/$display_name.app"
+-
 -rm -f "$pwdir/rcodesign-pw"
 -rmdir "$pwdir"
 -tar -C "$display_name" -caf "$output_file" "$display_name.app"
 -cd -
 -rm -Rf "$tmpdir"

tools/update-responses/update_responses

@@ -87,33 +87,6 @@ sub get_sha512_hex_of_file {
      return $sha->hexdigest;
+ }
 -# With release 15.0 _ALL is being removed from mar file names.
 -# However we need to be able to generate incrementals from versions
 -# using the old filenames. As a workaround, if the old filename is
 -# found we create a symlink to the new file name.
 -# The symlinks are used in `create_incremental_mar` and `get_buildinfos`,
 -# where supporting both file names would complexify things. The symlinks
 -# are ignored in `get_version_files` where the regexp used support both
 -# old and new filenames.
 -# We can remove this once we don't need to generate incrementals from
 -# versions with the old file names.
 -sub symlink_ALL {
 -    my ($config, $version) = @_;
 -    my $vdir = version_dir($config, $version);
 -    opendir(my $d, $vdir) or exit_error "Error opening directory $vdir";
 -    foreach my $file (readdir $d) {
 -        next unless -f "$vdir/$file";
 -        if ($file =~ m/^(.+)_ALL\.mar$/) {
 -            next if -f "$vdir/$1.mar";
 -            symlink $file, "$vdir/$1.mar";
 -        }
 -        if ($file =~ m/^(.+)_ALL\.incremental\.mar$/) {
 -            next if -f "$vdir/$1.incremental.mar";
 -            symlink $file, "$vdir/$1.incremental.mar";
 -        }
 -    }
 -}
+-
  sub get_version_files {
      my ($config, $version) = @_;
      return if $config->{versions}{$version}{files};
@@ -124,13 +97,8 @@ sub get_version_files {
      opendir(my $d, $vdir) or exit_error "Error opening directory $vdir";
      foreach my $file (readdir $d) {
          next unless -f "$vdir/$file";
 -        # Ignore the symlinks created by `symlink_ALL` to avoid adding the files
 -        # twice.
 -        # We can remove this line once we don't need to support the legacy channel with
 -        # with the old file names.
 -        next if -l "$vdir/$file";
          if ($file !~ m/incremental\.mar$/ &&
 -            $file =~ m/^$appname-(.+)-${version}(_ALL)?\.mar$/) {
 +            $file =~ m/^$appname-(.+)-${version}\.mar$/) {
              my $os = $1;
              $files->{$os}{complete} = {
                  type => 'complete',
@@ -143,7 +111,7 @@ sub get_version_files {
              };
              next;
+         }
 -        if ($file =~ m/^$appname-(.+)--(.+)-${version}(_ALL)?\.incremental\.mar$/) {
 +        if ($file =~ m/^$appname-(.+)--(.+)-${version}\.incremental\.mar$/) {
              my ($os, $from_version) = ($1, $2);
              $files->{$os}{partial}{$from_version} = {
                  type => 'partial',
@@ -320,7 +288,6 @@ sub create_incremental_mars_for_version {
      my $v = $config->{versions}{$version};
      foreach my $from_version (@{$v->{incremental_from}}) {
          $config->{versions}{$from_version} //= {};
 -        symlink_ALL($config, $from_version);
          get_version_files($config, $from_version);
          my $from_v = $config->{versions}{$from_version};
          foreach my $os (keys %{$v->{files}}) {
@@ -430,7 +397,6 @@ sub write_responses {
      my (%oses, %from_versions);
      foreach my $version (@$versions) {
          get_version_files($config, $version);
 -        symlink_ALL($config, $version);
          get_buildinfos($config, $version);
          my $files = $config->{versions}{$version}{files};
          foreach my $os (keys %$files) {

[tor-commits] [Git][tpo/applications/tor-browser-build][main] 7 commits: Bug 41759: Remove var/torbrowser_legacy_version from rbm.conf

boklm pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

14 changed files:

Changes: