[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [Git][tpo/applications/tor-browser-build][maint-12.0-mullvad] 5 commits: Bug 40851: Integrate android apk signing in do-all-signing



Title: GitLab

richard pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build

Commits:

  • e36799bf
    by Nicolas Vigier at 2023-06-12T20:19:16+00:00
    Bug 40851: Integrate android apk signing in do-all-signing
    
  • f3e593e4
    by Nicolas Vigier at 2023-06-12T20:19:16+00:00
    Bug 40875: Update Windows signing config
    
  • f0ab4b7d
    by Nicolas Vigier at 2023-06-12T20:19:16+00:00
    Bug 40875: Re-enable Windows code signing in do-all-signing
    
  • 8a7319b1
    by Nicolas Vigier at 2023-06-12T20:19:16+00:00
    Bug 40877: Update osslsigncode to more recent version
    
  • bb16c7d2
    by Nicolas Vigier at 2023-06-12T20:19:16+00:00
    Bug 40878: Fix default permission on gpg signature files
    

20 changed files:

Changes:

  • .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
    ... ... @@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    173 173
         - `cd tor-browser-build/tools/signing/`
    
    174 174
         - `./macos-signer-proxy`
    
    175 175
     - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
    
    176
    -- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
    
    177 176
     - [ ] run do-all-signing script:
    
    178 177
         - `cd tor-browser-build/tools/signing/`
    
    179 178
         - `./do-all-signing.torbrowser`
    

  • .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
    ... ... @@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    178 178
         - `cd tor-browser-build/tools/signing/`
    
    179 179
         - `./macos-signer-proxy`
    
    180 180
     - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
    
    181
    -- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
    
    182 181
     - [ ] run do-all-signing script:
    
    183 182
         - `cd tor-browser-build/tools/signing/`
    
    184 183
         - `./do-all-signing.sh`
    

  • projects/android-toolchain/config
    ... ... @@ -95,9 +95,8 @@ steps:
    95 95
           #!/bin/bash
    
    96 96
           set -e
    
    97 97
           mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
    
    98
    -    var:
    
    99
    -      container:
    
    100
    -        use_container: 0
    
    98
    +    container:
    
    99
    +      use_container: 0
    
    101 100
         input_files:
    
    102 101
           - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
    
    103 102
             name: build_tools
    

  • projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch deleted
    1
    -From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001
    
    2
    -From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@xxxxxx>
    
    3
    -Date: Sun, 12 Mar 2017 23:00:12 +0100
    
    4
    -Subject: [PATCH] Make code work with OpenSSL 1.1.
    
    5
    -
    
    6
    -Changes in consist of:
    
    7
    -- Use EVP_MD_CTX_new/free API instead of on-stack allocation
    
    8
    -- Remove some M_ prefixes like for ASN1_IA5STRING_new
    
    9
    -- Remove pagehash functionality because it is useless to me and
    
    10
    -  fixing it would be a pain. Would require declaring a few
    
    11
    -  ASN_SEQUENCES and use that to get the required i2d functions
    
    12
    -  from what I could find out.
    
    13
    -- Remove OBJ_create calls that seem to serve no purpose,
    
    14
    -  now crash because NULL pointers are no longer handled
    
    15
    -  (who changes API that way?!) and even if that was fixed
    
    16
    -  lead to errors when these objects are later created
    
    17
    -  again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think,
    
    18
    -  did not investigate further).
    
    19
    -
    
    20
    -diff --git a/osslsigncode.c b/osslsigncode.c
    
    21
    -index 2978c02..3797458 100644
    
    22
    ---- a/osslsigncode.c
    
    23
    -+++ b/osslsigncode.c
    
    24
    -@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
    
    25
    - 	if (desc) {
    
    26
    - 		info->programName = SpcString_new();
    
    27
    - 		info->programName->type = 1;
    
    28
    --		info->programName->value.ascii = M_ASN1_IA5STRING_new();
    
    29
    --		ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
    
    30
    -+		info->programName->value.ascii = ASN1_IA5STRING_new();
    
    31
    -+		ASN1_STRING_set(info->programName->value.ascii,
    
    32
    - 						(const unsigned char*)desc, strlen(desc));
    
    33
    - 	}
    
    34
    - 
    
    35
    - 	if (url) {
    
    36
    - 		info->moreInfo = SpcLink_new();
    
    37
    - 		info->moreInfo->type = 0;
    
    38
    --		info->moreInfo->value.url = "">
    
    39
    --		ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
    
    40
    -+		info->moreInfo->value.url = "">
    
    41
    -+		ASN1_STRING_set(info->moreInfo->value.url,
    
    42
    - 						(const unsigned char*)url, strlen(url));
    
    43
    - 	}
    
    44
    - 
    
    45
    -@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
    
    46
    - 
    
    47
    - 	if (rfc3161) {
    
    48
    - 		unsigned char mdbuf[EVP_MAX_MD_SIZE];
    
    49
    --		EVP_MD_CTX mdctx;
    
    50
    -+		EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
    
    51
    - 
    
    52
    --		EVP_MD_CTX_init(&mdctx);
    
    53
    --		EVP_DigestInit(&mdctx, md);
    
    54
    --		EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
    
    55
    --		EVP_DigestFinal(&mdctx, mdbuf, NULL);
    
    56
    -+		EVP_DigestInit(mdctx, md);
    
    57
    -+		EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
    
    58
    -+		EVP_DigestFinal(mdctx, mdbuf, NULL);
    
    59
    -+		EVP_MD_CTX_free(mdctx);
    
    60
    -+		mdctx = NULL;
    
    61
    - 
    
    62
    - 		TimeStampReq *req = TimeStampReq_new();
    
    63
    - 		ASN1_INTEGER_set(req->version, 1);
    
    64
    - 		req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
    
    65
    - 		req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new();
    
    66
    - 		req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL;
    
    67
    --		M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
    
    68
    -+		ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
    
    69
    - 		req->certReq = (void*)0x1;
    
    70
    - 
    
    71
    - 		len = i2d_TimeStampReq(req, NULL);
    
    72
    -@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = {
    
    73
    - 	0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
    
    74
    - };
    
    75
    - 
    
    76
    --static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus,
    
    77
    --									 unsigned int sigpos, int phtype, unsigned int *phlen);
    
    78
    --
    
    79
    --DECLARE_STACK_OF(ASN1_OCTET_STRING)
    
    80
    --#ifndef sk_ASN1_OCTET_STRING_new_null
    
    81
    --#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING)
    
    82
    --#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st))
    
    83
    --#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val))
    
    84
    --#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \
    
    85
    --	SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
    
    86
    --#endif
    
    87
    --
    
    88
    --DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue)
    
    89
    --#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null
    
    90
    --#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue)
    
    91
    --#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st))
    
    92
    --#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val))
    
    93
    --#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \
    
    94
    --	SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
    
    95
    --#endif
    
    96
    --
    
    97
    --static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos)
    
    98
    --{
    
    99
    --	unsigned int phlen;
    
    100
    --	unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
    
    101
    --	if (!ph) {
    
    102
    --		fprintf(stderr, "Failed to calculate page hash\n");
    
    103
    --		exit(-1);
    
    104
    --	}
    
    105
    --
    
    106
    --	ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new();
    
    107
    --	M_ASN1_OCTET_STRING_set(ostr, ph, phlen);
    
    108
    --	free(ph);
    
    109
    --
    
    110
    --	STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null();
    
    111
    --	sk_ASN1_OCTET_STRING_push(oset, ostr);
    
    112
    --	unsigned char *p, *tmp;
    
    113
    --	unsigned int l;
    
    114
    --	l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING,
    
    115
    --										  V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
    
    116
    --	tmp = p = OPENSSL_malloc(l);
    
    117
    --	i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING,
    
    118
    --									  V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
    
    119
    --	ASN1_OCTET_STRING_free(ostr);
    
    120
    --	sk_ASN1_OCTET_STRING_free(oset);
    
    121
    --
    
    122
    --	SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new();
    
    123
    --	aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1);
    
    124
    --	aval->value = ASN1_TYPE_new();
    
    125
    --	aval->value->type = V_ASN1_SET;
    
    126
    --	aval->value->value.set = ASN1_STRING_new();
    
    127
    --	ASN1_STRING_set(aval->value->value.set, p, l);
    
    128
    --	OPENSSL_free(p);
    
    129
    --
    
    130
    --	STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null();
    
    131
    --	sk_SpcAttributeTypeAndOptionalValue_push(aset, aval);
    
    132
    --	l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue,
    
    133
    --											 V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
    
    134
    --	tmp = p = OPENSSL_malloc(l);
    
    135
    --	l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue,
    
    136
    --											 V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
    
    137
    --	sk_SpcAttributeTypeAndOptionalValue_free(aset);
    
    138
    --	SpcAttributeTypeAndOptionalValue_free(aval);
    
    139
    --
    
    140
    --	SpcSerializedObject *so = SpcSerializedObject_new();
    
    141
    --	M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash));
    
    142
    --	M_ASN1_OCTET_STRING_set(so->serializedData, p, l);
    
    143
    --	OPENSSL_free(p);
    
    144
    --
    
    145
    --	SpcLink *link = SpcLink_new();
    
    146
    --	link->type = 1;
    
    147
    --	link->value.moniker = so;
    
    148
    --	return link;
    
    149
    --}
    
    150
    --
    
    151
    - static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type,
    
    152
    --								   int pagehash, char *indata, unsigned int peheader, int pe32plus,
    
    153
    -+								   char *indata, unsigned int peheader, int pe32plus,
    
    154
    - 								   unsigned int sigpos)
    
    155
    - {
    
    156
    - 	static const unsigned char msistr[] = {
    
    157
    -@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
    
    158
    - 	} else if (type == FILE_TYPE_PE) {
    
    159
    - 		SpcPeImageData *pid = SpcPeImageData_new();
    
    160
    - 		ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0);
    
    161
    --		if (pagehash) {
    
    162
    --			int phtype = NID_sha1;
    
    163
    --			if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1()))
    
    164
    --				phtype = NID_sha256;
    
    165
    --			pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos);
    
    166
    --		} else {
    
    167
    --			pid->file = get_obsolete_link();
    
    168
    --		}
    
    169
    -+		pid->file = get_obsolete_link();
    
    170
    - 		l = i2d_SpcPeImageData(pid, NULL);
    
    171
    - 		p = OPENSSL_malloc(l);
    
    172
    - 		i2d_SpcPeImageData(pid, &p);
    
    173
    -@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
    
    174
    - 		ASN1_INTEGER_set(si->d, 0);
    
    175
    - 		ASN1_INTEGER_set(si->e, 0);
    
    176
    - 		ASN1_INTEGER_set(si->f, 0);
    
    177
    --		M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
    
    178
    -+		ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
    
    179
    - 		l = i2d_SpcSipInfo(si, NULL);
    
    180
    - 		p = OPENSSL_malloc(l);
    
    181
    - 		i2d_SpcSipInfo(si, &p);
    
    182
    -@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
    
    183
    - 	hashlen = EVP_MD_size(md);
    
    184
    - 	hash = OPENSSL_malloc(hashlen);
    
    185
    - 	memset(hash, 0, hashlen);
    
    186
    --	M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
    
    187
    -+	ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
    
    188
    - 	OPENSSL_free(hash);
    
    189
    - 
    
    190
    - 	*len  = i2d_SpcIndirectDataContent(idc, NULL);
    
    191
    -@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
    
    192
    - 						   unsigned int peheader, int pe32plus, unsigned int fileend)
    
    193
    - {
    
    194
    - 	static unsigned char bfb[16*1024*1024];
    
    195
    --	EVP_MD_CTX mdctx;
    
    196
    -+	EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
    
    197
    - 
    
    198
    --	EVP_MD_CTX_init(&mdctx);
    
    199
    --	EVP_DigestInit(&mdctx, md);
    
    200
    -+	EVP_DigestInit(mdctx, md);
    
    201
    - 
    
    202
    - 	memset(mdbuf, 0, EVP_MAX_MD_SIZE);
    
    203
    - 
    
    204
    - 	(void)BIO_seek(bio, 0);
    
    205
    - 	BIO_read(bio, bfb, peheader + 88);
    
    206
    --	EVP_DigestUpdate(&mdctx, bfb, peheader + 88);
    
    207
    -+	EVP_DigestUpdate(mdctx, bfb, peheader + 88);
    
    208
    - 	BIO_read(bio, bfb, 4);
    
    209
    - 	BIO_read(bio, bfb, 60+pe32plus*16);
    
    210
    --	EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16);
    
    211
    -+	EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16);
    
    212
    - 	BIO_read(bio, bfb, 8);
    
    213
    - 
    
    214
    - 	unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8;
    
    215
    -@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
    
    216
    - 		int l = BIO_read(bio, bfb, want);
    
    217
    - 		if (l <= 0)
    
    218
    - 			break;
    
    219
    --		EVP_DigestUpdate(&mdctx, bfb, l);
    
    220
    -+		EVP_DigestUpdate(mdctx, bfb, l);
    
    221
    - 		n += l;
    
    222
    - 	}
    
    223
    - 
    
    224
    --	EVP_DigestFinal(&mdctx, mdbuf, NULL);
    
    225
    -+	EVP_DigestFinal(mdctx, mdbuf, NULL);
    
    226
    -+	EVP_MD_CTX_free(mdctx);
    
    227
    - }
    
    228
    - 
    
    229
    - 
    
    230
    -@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
    
    231
    - 	int phlen = pphlen * (3 + nsections + sigpos / pagesize);
    
    232
    - 	unsigned char *res = malloc(phlen);
    
    233
    - 	unsigned char *zeroes = calloc(pagesize, 1);
    
    234
    --	EVP_MD_CTX mdctx;
    
    235
    --
    
    236
    --	EVP_MD_CTX_init(&mdctx);
    
    237
    --	EVP_DigestInit(&mdctx, md);
    
    238
    --	EVP_DigestUpdate(&mdctx, indata, peheader + 88);
    
    239
    --	EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16);
    
    240
    --	EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
    
    241
    --	EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize);
    
    242
    -+	EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
    
    243
    -+
    
    244
    -+	EVP_DigestInit(mdctx, md);
    
    245
    -+	EVP_DigestUpdate(mdctx, indata, peheader + 88);
    
    246
    -+	EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16);
    
    247
    -+	EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
    
    248
    -+	EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize);
    
    249
    - 	memset(res, 0, 4);
    
    250
    --	EVP_DigestFinal(&mdctx, res + 4, NULL);
    
    251
    -+	EVP_DigestFinal(mdctx, res + 4, NULL);
    
    252
    - 
    
    253
    - 	unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20);
    
    254
    - 	char *sections = indata + peheader + 24 + sizeofopthdr;
    
    255
    -@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
    
    256
    - 		unsigned int l;
    
    257
    - 		for (l=0; l < rs; l+=pagesize, pi++) {
    
    258
    - 			PUT_UINT32_LE(ro + l, res + pi*pphlen);
    
    259
    --			EVP_DigestInit(&mdctx, md);
    
    260
    -+			EVP_DigestInit(mdctx, md);
    
    261
    - 			if (rs - l < pagesize) {
    
    262
    --				EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l);
    
    263
    --				EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l));
    
    264
    -+				EVP_DigestUpdate(mdctx, indata + ro + l, rs - l);
    
    265
    -+				EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l));
    
    266
    - 			} else {
    
    267
    --				EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize);
    
    268
    -+				EVP_DigestUpdate(mdctx, indata + ro + l, pagesize);
    
    269
    - 			}
    
    270
    --			EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL);
    
    271
    -+			EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL);
    
    272
    - 		}
    
    273
    - 		lastpos = ro + rs;
    
    274
    - 		sections += 40;
    
    275
    - 	}
    
    276
    -+	EVP_MD_CTX_free(mdctx);
    
    277
    -+	mdctx = NULL;
    
    278
    - 	PUT_UINT32_LE(lastpos, res + pi*pphlen);
    
    279
    - 	memset(res + pi*pphlen + 4, 0, EVP_MD_size(md));
    
    280
    - 	pi++;
    
    281
    -@@ -2413,7 +2333,7 @@ int main(int argc, char **argv)
    
    282
    - 	int nturl = 0, ntsurl = 0;
    
    283
    - 	int addBlob = 0;
    
    284
    - 	u_char *p = NULL;
    
    285
    --	int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
    
    286
    -+	int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0;
    
    287
    - 	unsigned int tmp, peheader = 0, padlen = 0;
    
    288
    - 	off_t filesize, fileend, sigfilesize, sigfileend, outdatasize;
    
    289
    - 	file_type_t type;
    
    290
    -@@ -2448,13 +2368,6 @@ int main(int argc, char **argv)
    
    291
    - 	ERR_load_crypto_strings();
    
    292
    - 	OPENSSL_add_all_algorithms_conf();
    
    293
    - 
    
    294
    --	/* create some MS Authenticode OIDS we need later on */
    
    295
    --	if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
    
    296
    --		!OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
    
    297
    --		!OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) ||
    
    298
    --		!OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL))
    
    299
    --		DO_EXIT_0("Failed to add objects\n");
    
    300
    --
    
    301
    - 	md = EVP_sha1();
    
    302
    - 
    
    303
    - 	if (argc > 1) {
    
    304
    -@@ -2531,8 +2444,6 @@ int main(int argc, char **argv)
    
    305
    - 			readpass = *(++argv);
    
    306
    - 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) {
    
    307
    - 			comm = 1;
    
    308
    --		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) {
    
    309
    --			pagehash = 1;
    
    310
    - 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
    
    311
    - 			if (--argc < 1) usage(argv0);
    
    312
    - 			desc = *(++argv);
    
    313
    -@@ -3243,7 +3154,7 @@ int main(int argc, char **argv)
    
    314
    - 		p7x = NULL;
    
    315
    - 	}
    
    316
    - 
    
    317
    --	get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend);
    
    318
    -+	get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend);
    
    319
    - 	len -= EVP_MD_size(md);
    
    320
    - 	memcpy(buf, p, len);
    
    321
    - 	OPENSSL_free(p);
    
    322
    --- 
    
    323
    -2.34.1
    
    324
    -

  • projects/osslsigncode/build
    ... ... @@ -4,11 +4,10 @@ distdir=$(pwd)/dist
    4 4
     mkdir -p $distdir/[% project %]
    
    5 5
     tar xf [% project %]-[% c('version') %].tar.gz
    
    6 6
     cd [% project %]-[% c('version') %]
    
    7
    -patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch
    
    8
    -patch -p1 < ../timestamping.patch
    
    9 7
     
    
    10
    -./autogen.sh
    
    11
    -./configure --prefix=/[% project %]
    
    8
    +mkdir build
    
    9
    +cd build
    
    10
    +cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S ..
    
    12 11
     make
    
    13 12
     make DESTDIR=$distdir install
    
    14 13
     
    

  • projects/osslsigncode/config
    1 1
     # vim: filetype=yaml sw=2
    
    2 2
     version: '[% c("git_hash").substr(0, 12) %]'
    
    3 3
     git_url: https://github.com/mtrojnar/osslsigncode
    
    4
    -git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
    
    4
    +git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed
    
    5 5
     filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
    
    6 6
     container:
    
    7 7
       use_container: 0
    
    8 8
     var:
    
    9 9
       deps:
    
    10
    -    - autoconf
    
    11
    -    - libtool
    
    12
    -    - pkg-config
    
    10
    +    - cmake
    
    13 11
         - libssl-dev
    
    14 12
         - libcurl4-openssl-dev
    
    15 13
     input_files:
    
    16
    -  - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
    
    17
    -  - filename: timestamping.patch
    
    18 14
       - filename: '[% c("var/srcfile") %]'
    
    19 15
         enable: '[% c("var/no-git") %]'
    
    20 16
     
    

  • projects/osslsigncode/timestamping.patch deleted
    1
    -From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001
    
    2
    -From: Georg Koppen <gk@xxxxxxxxxxxxxx>
    
    3
    -Date: Fri, 5 Feb 2016 09:23:10 +0000
    
    4
    -Subject: [PATCH] Allow timestamping with the 'add' command
    
    5
    -
    
    6
    -
    
    7
    -diff --git a/osslsigncode.c b/osslsigncode.c
    
    8
    -index 32e37c8..2978c02 100644
    
    9
    ---- a/osslsigncode.c
    
    10
    -+++ b/osslsigncode.c
    
    11
    -@@ -2556,16 +2556,16 @@ int main(int argc, char **argv)
    
    12
    - 			if (--argc < 1) usage(argv0);
    
    13
    - 			url = "">
    
    14
    - #ifdef ENABLE_CURL
    
    15
    --		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) {
    
    16
    -+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) {
    
    17
    - 			if (--argc < 1) usage(argv0);
    
    18
    - 			turl[nturl++] = *(++argv);
    
    19
    --		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) {
    
    20
    -+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) {
    
    21
    - 			if (--argc < 1) usage(argv0);
    
    22
    - 			tsurl[ntsurl++] = *(++argv);
    
    23
    --		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) {
    
    24
    -+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
    
    25
    - 			if (--argc < 1) usage(argv0);
    
    26
    - 			proxy = *(++argv);
    
    27
    --		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) {
    
    28
    -+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) {
    
    29
    - 			noverifypeer = 1;
    
    30
    - #endif
    
    31
    - 		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
    
    32
    ---
    
    33
    -2.7.0
    
    34
    -
    
    35
    -
    
    36
    -From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001
    
    37
    -From: Georg Koppen <gk@xxxxxxxxxxxxxx>
    
    38
    -Date: Sat, 11 Apr 2020 05:50:36 +0000
    
    39
    -Subject: [PATCH] fixup! Allow timestamping with the 'add' command
    
    40
    -
    
    41
    -
    
    42
    -diff --git a/osslsigncode.c b/osslsigncode.c
    
    43
    -index 3797458..4f4b897 100644
    
    44
    ---- a/osslsigncode.c
    
    45
    -+++ b/osslsigncode.c
    
    46
    -@@ -2447,7 +2447,7 @@ int main(int argc, char **argv)
    
    47
    - 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
    
    48
    - 			if (--argc < 1) usage(argv0);
    
    49
    - 			desc = *(++argv);
    
    50
    --		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) {
    
    51
    -+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) {
    
    52
    - 			if (--argc < 1) usage(argv0);
    
    53
    - 			++argv;
    
    54
    - 			if (!strcmp(*argv, "md5")) {
    
    55
    ---
    
    56
    -2.26.0

  • tools/signing/android-signing.mullvadbrowser deleted
    1
    -android-signing
    \ No newline at end of file

  • tools/signing/android-signing.torbrowser deleted
    1
    -android-signing
    \ No newline at end of file

  • tools/signing/authenticode-timestamping.sh
    ... ... @@ -35,7 +35,7 @@ set -e
    35 35
     script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    36 36
     source "$script_dir/functions"
    
    37 37
     
    
    38
    -osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
    
    38
    +osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
    
    39 39
     
    
    40 40
     test -f "$osslsigncode_file" ||
    
    41 41
       exit_error "$osslsigncode_file is missing." \
    

  • tools/signing/do-all-signing
    ... ... @@ -17,9 +17,12 @@ echo
    17 17
     test -f "$steps_dir/linux-signer-signmars.done" ||
    
    18 18
       read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
    
    19 19
     echo
    
    20
    -#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
    
    21
    -#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
    
    22
    -#echo
    
    20
    +test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
    
    21
    +  read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
    
    22
    +echo
    
    23
    +test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
    
    24
    +  read -sp "Enter windows authenticode passphrase: " YUBIPASS
    
    25
    +echo
    
    23 26
     test -f "$steps_dir/linux-signer-gpg-sign.done" ||
    
    24 27
       read -sp "Enter gpg passphrase: " GPG_PASS
    
    25 28
     echo
    
    ... ... @@ -106,6 +109,18 @@ function sync-after-signmars {
    106 109
       "$script_dir/sync-linux-signer-to-local"
    
    107 110
     }
    
    108 111
     
    
    112
    +function linux-signer-sign-android-apks {
    
    113
    +  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
    
    114
    +  export KSPASS=$KSPASS
    
    115
    +  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
    
    116
    +EOF
    
    117
    +  unset KSPASS
    
    118
    +}
    
    119
    +
    
    120
    +function sync-after-sign-android-apks {
    
    121
    +  "$script_dir/sync-linux-signer-to-local"
    
    122
    +}
    
    123
    +
    
    109 124
     function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
    
    110 125
       "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
    
    111 126
     }
    
    ... ... @@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer
    199 214
     do_step sync-before-linux-signer-signmars
    
    200 215
     do_step linux-signer-signmars
    
    201 216
     do_step sync-after-signmars
    
    202
    -#do_step linux-signer-authenticode-signing
    
    203
    -#do_step sync-after-authenticode-signing
    
    204
    -#do_step authenticode-timestamping
    
    205
    -#do_step sync-after-authenticode-timestamping
    
    217
    +is_project torbrowser && \
    
    218
    +  do_step linux-signer-sign-android-apks
    
    219
    +is_project torbrowser && \
    
    220
    +  do_step sync-after-sign-android-apks
    
    221
    +do_step linux-signer-authenticode-signing
    
    222
    +do_step sync-after-authenticode-signing
    
    223
    +do_step authenticode-timestamping
    
    224
    +do_step sync-after-authenticode-timestamping
    
    206 225
     do_step hash_signed_bundles
    
    207 226
     do_step sync-after-hash
    
    208 227
     do_step linux-signer-gpg-sign
    

  • tools/signing/linux-signer-gpg-sign
    ... ... @@ -20,4 +20,5 @@ do
    20 20
       tmpsig=$(mktemp)
    
    21 21
       echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
    
    22 22
       mv -f "$tmpsig" "${i}.asc"
    
    23
    +  chmod 644 "${i}.asc"
    
    23 24
     done

  • tools/signing/linux-signer-sign-android-apks
    1
    +#!/bin/bash
    
    2
    +
    
    3
    +set -e
    
    4
    +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    5
    +source "$script_dir/functions"
    
    6
    +source "$script_dir/set-config.generated-config"
    
    7
    +
    
    8
    +topdir="$script_dir/../.."
    
    9
    +ARCHS="armv7 aarch64 x86 x86_64"
    
    10
    +projname=$(project-name)
    
    11
    +# tbb_version_type is used in wrappers/sign-apk, so we export it
    
    12
    +export tbb_version_type
    
    13
    +
    
    14
    +check_installed_packages() {
    
    15
    +  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
    
    16
    +  for package in $packages
    
    17
    +  do
    
    18
    +    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
    
    19
    +      exit_error "package $package is missing"
    
    20
    +  done
    
    21
    +}
    
    22
    +
    
    23
    +setup_build_tools() {
    
    24
    +  build_tools_dir=/signing/android-build-tools
    
    25
    +  test -f "$build_tools_dir"/android-12/apksigner || \
    
    26
    +    exit_error "$build_tools_dir/android-12/apksigner is missing"
    
    27
    +  export PATH="$build_tools_dir/android-12:${PATH}"
    
    28
    +}
    
    29
    +
    
    30
    +sign_apk() {
    
    31
    +  sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
    
    32
    +}
    
    33
    +
    
    34
    +verify_apk() {
    
    35
    +  verified=$(apksigner verify --print-certs --verbose "$1")
    
    36
    +  scheme_v1="Verified using v1 scheme (JAR signing): true"
    
    37
    +  scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
    
    38
    +
    
    39
    +  # Verify the expected signing key was used, Alpha verses Release based on the filename.
    
    40
    +  if test "$tbb_version_type" = "alpha"; then
    
    41
    +    cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
    
    42
    +    pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
    
    43
    +  else
    
    44
    +    cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
    
    45
    +    pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
    
    46
    +  fi
    
    47
    +  for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
    
    48
    +    if ! echo "${verified}" | grep -q "${digest}"; then
    
    49
    +      echo "Expected digest not found:"
    
    50
    +      echo ${digest}
    
    51
    +      echo "in:"
    
    52
    +      echo ${verified}
    
    53
    +      exit 1
    
    54
    +    fi
    
    55
    +  done
    
    56
    +}
    
    57
    +
    
    58
    +check_installed_packages
    
    59
    +
    
    60
    +if [ -z "$KSPASS" ]; then
    
    61
    +    echo "Enter keystore passphrase"
    
    62
    +    stty -echo; read KSPASS; stty echo
    
    63
    +    export KSPASS
    
    64
    +fi
    
    65
    +
    
    66
    +setup_build_tools
    
    67
    +
    
    68
    +mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
    
    69
    +chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
    
    70
    +chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
    
    71
    +cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
    
    72
    +cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
    
    73
    +
    
    74
    +# Sign all packages
    
    75
    +for arch in ${ARCHS}; do
    
    76
    +  qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
    
    77
    +  signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
    
    78
    +  sign_apk "$qa_apk" "$signed_apk"
    
    79
    +  verify_apk "$signed_apk"
    
    80
    +  cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
    
    81
    +done
    
    82
    +
    
    83
    +rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"

  • tools/signing/linux-signer-sign-android-apks.torbrowser
    1
    +linux-signer-sign-android-apks
    \ No newline at end of file

  • tools/signing/machines-setup/setup-signing-machine
    ... ... @@ -83,11 +83,12 @@ create_group signing
    83 83
     create_user signing-gpg
    
    84 84
     create_user signing-mar
    
    85 85
     create_user signing-win yubihsm
    
    86
    -
    
    86
    +create_user signing-apk signing
    
    87 87
     
    
    88 88
     sudoers_file sign-gpg
    
    89 89
     sudoers_file sign-mar
    
    90 90
     sudoers_file sign-exe
    
    91
    +sudoers_file sign-apk
    
    91 92
     
    
    92 93
     authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
    
    93 94
     create_user richard signing
    
    ... ... @@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl
    111 112
     # Install deps for building yubihsm-shell
    
    112 113
     install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
    
    113 114
     
    
    115
    +# Install deps for android/apk signing
    
    116
    +install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
    
    117
    +
    
    114 118
     # Build and install yubihsm-pkcs11 package
    
    115 119
     create_user build-pkgs
    
    116 120
     if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
    
    ... ... @@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then
    132 136
       chmod go+rX "$tmpdir/mar-tools"/*
    
    133 137
       mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
    
    134 138
     fi
    
    139
    +
    
    140
    +for rel in release alpha; do
    
    141
    +  keypath=/home/signing-apk/keys/tba_$rel.p12
    
    142
    +  if ! test -f "$keypath"; then
    
    143
    +    echo "$rel key for android should be put in $keypath"
    
    144
    +  else
    
    145
    +    chown signing-apk "$keypath"
    
    146
    +    chmod 700 "$keypath"
    
    147
    +  fi
    
    148
    +done

  • tools/signing/machines-setup/sudoers.d/sign-apk
    1
    +Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
    
    2
    +%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk

  • tools/signing/machines-setup/upload-tbb-to-signing-machine
    ... ... @@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
    36 36
       echo "Fetched $yubihsm_filename"
    
    37 37
     fi
    
    38 38
     
    
    39
    +android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
    
    40
    +if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
    
    41
    +  ./rbm/rbm build --step get_build_tools android-toolchain
    
    42
    +  echo "Fetched $android_build_tools_filename"
    
    43
    +fi
    
    44
    +
    
    39 45
     signing_machine='linux-signer'
    
    40 46
     setup_user='setup'
    
    41 47
     signing_dir='/signing'
    
    ... ... @@ -43,14 +49,26 @@ signing_dir='/signing'
    43 49
     echo "Uploading $osslsigncodefile to $signing_machine"
    
    44 50
     chmod go+r "./out/osslsigncode/$osslsigncodefile"
    
    45 51
     rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
    
    52
    +
    
    46 53
     echo "Uploading rbm.tar to $signing_machine"
    
    47 54
     rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
    
    55
    +
    
    48 56
     echo "Uploading $martools_filename"
    
    49 57
     chmod go+r "./out/mar-tools/$martools_filename"
    
    50 58
     rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
    
    59
    +
    
    51 60
     echo "Uploading $yubihsm_filename"
    
    52 61
     chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
    
    53 62
     rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
    
    63
    +
    
    64
    +echo "Uploading $android_build_tools_filename"
    
    65
    +chmod go+r "./out/android-toolchain/$android_build_tools_filename"
    
    66
    +rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
    
    67
    +echo "Extracting $android_build_tools_filename"
    
    68
    +ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
    
    69
    +ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
    
    70
    +ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
    
    71
    +
    
    54 72
     echo "Uploading tor-browser-build.tar to $signing_machine"
    
    55 73
     scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
    
    56 74
     echo "Extracting tor-browser-build.tar on $signing_machine"
    

  • tools/signing/set-config.android-signing deleted
    1
    -# The following line should be uncommented and updated:
    
    2
    -
    
    3
    -#ssh_host_pkgstage=tbbuild
    
    4
    -#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
    
    5
    -#android_signing_key_dir=/path/to/signing/key/dir
    
    6
    -
    
    7
    -var_is_defined ssh_host_pkgstage android_signing_key_dir

  • tools/signing/android-signingtools/signing/wrappers/sign-apk
    1 1
     #!/bin/bash
    
    2
    -
    
    3
    -# Sign apk for each target architecture.
    
    4
    -# This script does not require command line argument, but it needs 
    
    5
    -# some configuration options to be set in set-config.android-signing:
    
    6
    -#  - ssh_host_pkgstage is the host which you use for staging packages
    
    7
    -#    during signing. The script will download the unsigned .apk files
    
    8
    -#    from this host, and upload the signed .apk there
    
    9
    -#  - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
    
    10
    -#    on pkgstage
    
    11
    -#  - android_signing_key_dir: the local path where the android signing
    
    12
    -#    keys are located. That directory should contains files tba_alpha.p12
    
    13
    -#    and tba_release.p12 for alpha and release signing keys.
    
    14
    -# The Tor Browser version is taken from set-config.tbb-version
    
    15
    -
    
    16 2
     set -e
    
    17
    -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
    
    18
    -source "$script_dir/functions"
    
    19
    -source "$script_dir/set-config.android-signing"
    
    20 3
     
    
    21
    -topdir="$script_dir/../.."
    
    22
    -ARCHS="armv7 aarch64 x86 x86_64"
    
    23
    -projname=$(project-name)
    
    24
    -
    
    25
    -android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
    
    26
    -test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
    
    27
    -
    
    28
    -check_installed_packages() {
    
    29
    -  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
    
    30
    -  for package in $packages
    
    4
    +function exit_error {
    
    5
    +  for msg in "$@"
    
    31 6
       do
    
    32
    -    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
    
    33
    -      exit_error "package $package is missing"
    
    7
    +    echo "$msg" >&2
    
    34 8
       done
    
    9
    +  exit 1
    
    35 10
     }
    
    36 11
     
    
    12
    +if test "$tbb_version_type" != 'release' \
    
    13
    +  && test "$tbb_version_type" != 'alpha'; then
    
    14
    +  exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
    
    15
    +fi
    
    16
    +
    
    17
    +android_signing_key_dir=/home/signing-apk/keys
    
    18
    +android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
    
    19
    +test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
    
    20
    +
    
    37 21
     setup_build_tools() {
    
    38
    -  local rbm="$topdir/rbm/rbm"
    
    39
    -  local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
    
    40
    -  if ! test -f "$build_tools_zipfile"; then
    
    41
    -    "$rbm" build --step get_build_tools android-toolchain
    
    42
    -    test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
    
    43
    -  fi
    
    44
    -  local build_tools_dir=$(mktemp -d)
    
    45
    -  trap "rm -Rf $build_tools_dir" EXIT
    
    46
    -  unzip -d "$build_tools_dir" "$build_tools_zipfile"
    
    22
    +  build_tools_dir=/signing/android-build-tools
    
    47 23
       test -f "$build_tools_dir"/android-12/apksigner || \
    
    48 24
         exit_error "$build_tools_dir/android-12/apksigner is missing"
    
    49 25
       export PATH="$build_tools_dir/android-12:${PATH}"
    
    50 26
     }
    
    51 27
     
    
    52
    -download_unsigned_apks() {
    
    53
    -  apks_dir=$(mktemp -d)
    
    54
    -  trap "rm -Rf $apks_dir" EXIT
    
    55
    -  rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
    
    56
    -}
    
    57
    -
    
    58
    -upload_signed_apks() {
    
    59
    -  rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
    
    60
    -    --exclude="*-unsigned.apk" "$apks_dir/" \
    
    61
    -    "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
    
    62
    -}
    
    63
    -
    
    64 28
     # Sign individual apk
    
    65 29
     sign_apk() {
    
    66 30
         INPUTAPK="$1"
    
    31
    +    OUTPUTAPK="$2"
    
    67 32
     
    
    68 33
         # https://developer.android.com/studio/publish/app-signing#sign-manually
    
    69 34
         # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
    
    ... ... @@ -75,10 +40,11 @@ sign_apk() {
    75 40
         echo Aligning and signing ${INPUTAPK}
    
    76 41
     
    
    77 42
         # Append the different stages of signing
    
    78
    -    UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
    
    43
    +    UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
    
    79 44
         UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
    
    80 45
         SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
    
    81 46
     
    
    47
    +    # ${INPUTAPK} is full path. We copy to local tmp directory.
    
    82 48
         cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
    
    83 49
     
    
    84 50
         # Step 1: Align
    
    ... ... @@ -117,67 +83,16 @@ sign_apk() {
    117 83
             exit 1
    
    118 84
         fi
    
    119 85
     
    
    86
    +    mv -f "${SIGNED_APK}" "$OUTPUTAPK"
    
    120 87
         echo apksigner verify succeeded
    
    121 88
     }
    
    122 89
     
    
    123
    -# Rename and verify signing certificate
    
    124
    -finalize() {
    
    125
    -  for arch in ${ARCHS}; do
    
    126
    -      mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
    
    127
    -  done
    
    128
    -
    
    129
    -  for arch in ${ARCHS}; do
    
    130
    -      verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
    
    131
    -      scheme_v1=
    
    132
    -      scheme_v2=
    
    133
    -      cert_digest=
    
    134
    -      pubkey_digest=
    
    135
    -
    
    136
    -      # Verify the expected signing key was used, Alpha verses Release based on the filename.
    
    137
    -      if test "$tbb_version_type" = "alpha"; then
    
    138
    -          scheme_v1="Verified using v1 scheme (JAR signing): true"
    
    139
    -          scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
    
    140
    -          cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
    
    141
    -          pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
    
    142
    -      else
    
    143
    -          scheme_v1="Verified using v1 scheme (JAR signing): true"
    
    144
    -          scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
    
    145
    -          cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
    
    146
    -          pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
    
    147
    -      fi
    
    148
    -      for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
    
    149
    -          if ! `echo "${verified}" | grep -q "${digest}"`; then
    
    150
    -              echo "Expected digest not found:"
    
    151
    -              echo ${digest}
    
    152
    -              echo "in:"
    
    153
    -              echo ${verified}
    
    154
    -              exit 1
    
    155
    -          fi
    
    156
    -      done
    
    157
    -  done
    
    158
    -
    
    159
    -  echo Done.
    
    160
    -}
    
    161
    -
    
    162
    -check_installed_packages
    
    163
    -
    
    164
    -if [ -z "$KSPASS" ]; then
    
    165
    -    echo "Enter keystore passphrase"
    
    166
    -    stty -echo; read KSPASS; stty echo
    
    167
    -    export KSPASS
    
    168
    -fi
    
    169
    -
    
    170 90
     setup_build_tools
    
    171 91
     
    
    172
    -download_unsigned_apks
    
    173
    -
    
    174
    -cd $apks_dir
    
    175
    -
    
    176
    -# Sign all packages
    
    177
    -for arch in ${ARCHS}; do
    
    178
    -    sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
    
    179
    -done
    
    92
    +tmpdir=$(mktemp -d)
    
    93
    +cd "$tmpdir"
    
    180 94
     
    
    181
    -finalize
    
    95
    +sign_apk "$1" "$2"
    
    182 96
     
    
    183
    -upload_signed_apks
    97
    +cd -
    
    98
    +rm -Rf "$tmpdir"

  • tools/signing/wrappers/sign-exe
    ... ... @@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then
    11 11
       exit 2
    
    12 12
     fi
    
    13 13
     
    
    14
    -yubipass="$1"
    
    14
    +pass="$1"
    
    15 15
     to_sign_exe="$2"
    
    16 16
     
    
    17
    -tpo_cert=/home/signing-win/tpo-cert.crt
    
    17
    +key_dir=/home/signing-win/keys/key-1
    
    18
    +tpo_cert=$key_dir/the_tor_project_inc.crt
    
    19
    +tpo_key=$key_dir/private.pem
    
    18 20
     
    
    19 21
     if ! test -f "$tpo_cert"; then
    
    20 22
       echo "File $tpo_cert is missing" >&2
    
    ... ... @@ -26,12 +28,10 @@ rm -f "$output_signed_exe"
    26 28
     
    
    27 29
     export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
    
    28 30
     /home/signing-win/osslsigncode/bin/osslsigncode \
    
    29
    -  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
    
    30
    -  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
    
    31
    -  -pass "$yubipass" \
    
    31
    +  -pass "$pass" \
    
    32 32
       -h sha256 \
    
    33 33
       -certs "$tpo_cert" \
    
    34
    -  -key 1c40 \
    
    34
    +  -key "$tpo_key" \
    
    35 35
       "$to_sign_exe" "$output_signed_exe"
    
    36 36
     
    
    37 37
     chmod 644 "$output_signed_exe"

  • _______________________________________________
    tor-commits mailing list
    tor-commits@xxxxxxxxxxxxxxxxxxxx
    https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits