richard pushed to branch maint-12.0-mullvad at The Tor Project / Applications / tor-browser-build
Commits:
-
e36799bf
by Nicolas Vigier at 2023-06-12T20:19:16+00:00
-
f3e593e4
by Nicolas Vigier at 2023-06-12T20:19:16+00:00
-
f0ab4b7d
by Nicolas Vigier at 2023-06-12T20:19:16+00:00
-
8a7319b1
by Nicolas Vigier at 2023-06-12T20:19:16+00:00
-
bb16c7d2
by Nicolas Vigier at 2023-06-12T20:19:16+00:00
20 changed files:
- .gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
- .gitlab/issue_templates/Release Prep - Tor Browser Stable.md
- projects/android-toolchain/config
- − projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
- projects/osslsigncode/build
- projects/osslsigncode/config
- − projects/osslsigncode/timestamping.patch
- − tools/signing/android-signing.mullvadbrowser
- − tools/signing/android-signing.torbrowser
- tools/signing/authenticode-timestamping.sh
- tools/signing/do-all-signing
- tools/signing/linux-signer-gpg-sign
- + tools/signing/linux-signer-sign-android-apks
- + tools/signing/linux-signer-sign-android-apks.torbrowser
- tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/sudoers.d/sign-apk
- tools/signing/machines-setup/upload-tbb-to-signing-machine
- − tools/signing/set-config.android-signing
- tools/signing/android-signing → tools/signing/wrappers/sign-apk
- tools/signing/wrappers/sign-exe
Changes:
... | ... | @@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch |
173 | 173 | - `cd tor-browser-build/tools/signing/`
|
174 | 174 | - `./macos-signer-proxy`
|
175 | 175 | - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
176 | -- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
|
|
177 | 176 | - [ ] run do-all-signing script:
|
178 | 177 | - `cd tor-browser-build/tools/signing/`
|
179 | 178 | - `./do-all-signing.torbrowser`
|
... | ... | @@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE |
178 | 178 | - `cd tor-browser-build/tools/signing/`
|
179 | 179 | - `./macos-signer-proxy`
|
180 | 180 | - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
|
181 | -- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
|
|
182 | 181 | - [ ] run do-all-signing script:
|
183 | 182 | - `cd tor-browser-build/tools/signing/`
|
184 | 183 | - `./do-all-signing.sh`
|
... | ... | @@ -95,9 +95,8 @@ steps: |
95 | 95 | #!/bin/bash
|
96 | 96 | set -e
|
97 | 97 | mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
|
98 | - var:
|
|
99 | - container:
|
|
100 | - use_container: 0
|
|
98 | + container:
|
|
99 | + use_container: 0
|
|
101 | 100 | input_files:
|
102 | 101 | - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
|
103 | 102 | name: build_tools
|
1 | -From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001
|
|
2 | -From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@xxxxxx>
|
|
3 | -Date: Sun, 12 Mar 2017 23:00:12 +0100
|
|
4 | -Subject: [PATCH] Make code work with OpenSSL 1.1.
|
|
5 | - |
|
6 | -Changes in consist of:
|
|
7 | -- Use EVP_MD_CTX_new/free API instead of on-stack allocation
|
|
8 | -- Remove some M_ prefixes like for ASN1_IA5STRING_new
|
|
9 | -- Remove pagehash functionality because it is useless to me and
|
|
10 | - fixing it would be a pain. Would require declaring a few
|
|
11 | - ASN_SEQUENCES and use that to get the required i2d functions
|
|
12 | - from what I could find out.
|
|
13 | -- Remove OBJ_create calls that seem to serve no purpose,
|
|
14 | - now crash because NULL pointers are no longer handled
|
|
15 | - (who changes API that way?!) and even if that was fixed
|
|
16 | - lead to errors when these objects are later created
|
|
17 | - again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think,
|
|
18 | - did not investigate further).
|
|
19 | - |
|
20 | -diff --git a/osslsigncode.c b/osslsigncode.c
|
|
21 | -index 2978c02..3797458 100644
|
|
22 | ---- a/osslsigncode.c
|
|
23 | -+++ b/osslsigncode.c
|
|
24 | -@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
|
|
25 | - if (desc) {
|
|
26 | - info->programName = SpcString_new();
|
|
27 | - info->programName->type = 1;
|
|
28 | -- info->programName->value.ascii = M_ASN1_IA5STRING_new();
|
|
29 | -- ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
|
|
30 | -+ info->programName->value.ascii = ASN1_IA5STRING_new();
|
|
31 | -+ ASN1_STRING_set(info->programName->value.ascii,
|
|
32 | - (const unsigned char*)desc, strlen(desc));
|
|
33 | - }
|
|
34 | -
|
|
35 | - if (url) {
|
|
36 | - info->moreInfo = SpcLink_new();
|
|
37 | - info->moreInfo->type = 0;
|
|
38 | -- info->moreInfo->value.url = "">
|
|
39 | -- ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
|
|
40 | -+ info->moreInfo->value.url = "">
|
|
41 | -+ ASN1_STRING_set(info->moreInfo->value.url,
|
|
42 | - (const unsigned char*)url, strlen(url));
|
|
43 | - }
|
|
44 | -
|
|
45 | -@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
|
|
46 | -
|
|
47 | - if (rfc3161) {
|
|
48 | - unsigned char mdbuf[EVP_MAX_MD_SIZE];
|
|
49 | -- EVP_MD_CTX mdctx;
|
|
50 | -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
|
|
51 | -
|
|
52 | -- EVP_MD_CTX_init(&mdctx);
|
|
53 | -- EVP_DigestInit(&mdctx, md);
|
|
54 | -- EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
|
|
55 | -- EVP_DigestFinal(&mdctx, mdbuf, NULL);
|
|
56 | -+ EVP_DigestInit(mdctx, md);
|
|
57 | -+ EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
|
|
58 | -+ EVP_DigestFinal(mdctx, mdbuf, NULL);
|
|
59 | -+ EVP_MD_CTX_free(mdctx);
|
|
60 | -+ mdctx = NULL;
|
|
61 | -
|
|
62 | - TimeStampReq *req = TimeStampReq_new();
|
|
63 | - ASN1_INTEGER_set(req->version, 1);
|
|
64 | - req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
|
|
65 | - req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new();
|
|
66 | - req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL;
|
|
67 | -- M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
|
|
68 | -+ ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
|
|
69 | - req->certReq = (void*)0x1;
|
|
70 | -
|
|
71 | - len = i2d_TimeStampReq(req, NULL);
|
|
72 | -@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = {
|
|
73 | - 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
|
|
74 | - };
|
|
75 | -
|
|
76 | --static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus,
|
|
77 | -- unsigned int sigpos, int phtype, unsigned int *phlen);
|
|
78 | --
|
|
79 | --DECLARE_STACK_OF(ASN1_OCTET_STRING)
|
|
80 | --#ifndef sk_ASN1_OCTET_STRING_new_null
|
|
81 | --#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING)
|
|
82 | --#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st))
|
|
83 | --#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val))
|
|
84 | --#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \
|
|
85 | -- SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
|
|
86 | --#endif
|
|
87 | --
|
|
88 | --DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue)
|
|
89 | --#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null
|
|
90 | --#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue)
|
|
91 | --#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st))
|
|
92 | --#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val))
|
|
93 | --#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \
|
|
94 | -- SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
|
|
95 | --#endif
|
|
96 | --
|
|
97 | --static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos)
|
|
98 | --{
|
|
99 | -- unsigned int phlen;
|
|
100 | -- unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
|
|
101 | -- if (!ph) {
|
|
102 | -- fprintf(stderr, "Failed to calculate page hash\n");
|
|
103 | -- exit(-1);
|
|
104 | -- }
|
|
105 | --
|
|
106 | -- ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new();
|
|
107 | -- M_ASN1_OCTET_STRING_set(ostr, ph, phlen);
|
|
108 | -- free(ph);
|
|
109 | --
|
|
110 | -- STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null();
|
|
111 | -- sk_ASN1_OCTET_STRING_push(oset, ostr);
|
|
112 | -- unsigned char *p, *tmp;
|
|
113 | -- unsigned int l;
|
|
114 | -- l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING,
|
|
115 | -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
|
|
116 | -- tmp = p = OPENSSL_malloc(l);
|
|
117 | -- i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING,
|
|
118 | -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
|
|
119 | -- ASN1_OCTET_STRING_free(ostr);
|
|
120 | -- sk_ASN1_OCTET_STRING_free(oset);
|
|
121 | --
|
|
122 | -- SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new();
|
|
123 | -- aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1);
|
|
124 | -- aval->value = ASN1_TYPE_new();
|
|
125 | -- aval->value->type = V_ASN1_SET;
|
|
126 | -- aval->value->value.set = ASN1_STRING_new();
|
|
127 | -- ASN1_STRING_set(aval->value->value.set, p, l);
|
|
128 | -- OPENSSL_free(p);
|
|
129 | --
|
|
130 | -- STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null();
|
|
131 | -- sk_SpcAttributeTypeAndOptionalValue_push(aset, aval);
|
|
132 | -- l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue,
|
|
133 | -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
|
|
134 | -- tmp = p = OPENSSL_malloc(l);
|
|
135 | -- l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue,
|
|
136 | -- V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
|
|
137 | -- sk_SpcAttributeTypeAndOptionalValue_free(aset);
|
|
138 | -- SpcAttributeTypeAndOptionalValue_free(aval);
|
|
139 | --
|
|
140 | -- SpcSerializedObject *so = SpcSerializedObject_new();
|
|
141 | -- M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash));
|
|
142 | -- M_ASN1_OCTET_STRING_set(so->serializedData, p, l);
|
|
143 | -- OPENSSL_free(p);
|
|
144 | --
|
|
145 | -- SpcLink *link = SpcLink_new();
|
|
146 | -- link->type = 1;
|
|
147 | -- link->value.moniker = so;
|
|
148 | -- return link;
|
|
149 | --}
|
|
150 | --
|
|
151 | - static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type,
|
|
152 | -- int pagehash, char *indata, unsigned int peheader, int pe32plus,
|
|
153 | -+ char *indata, unsigned int peheader, int pe32plus,
|
|
154 | - unsigned int sigpos)
|
|
155 | - {
|
|
156 | - static const unsigned char msistr[] = {
|
|
157 | -@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
|
|
158 | - } else if (type == FILE_TYPE_PE) {
|
|
159 | - SpcPeImageData *pid = SpcPeImageData_new();
|
|
160 | - ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0);
|
|
161 | -- if (pagehash) {
|
|
162 | -- int phtype = NID_sha1;
|
|
163 | -- if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1()))
|
|
164 | -- phtype = NID_sha256;
|
|
165 | -- pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos);
|
|
166 | -- } else {
|
|
167 | -- pid->file = get_obsolete_link();
|
|
168 | -- }
|
|
169 | -+ pid->file = get_obsolete_link();
|
|
170 | - l = i2d_SpcPeImageData(pid, NULL);
|
|
171 | - p = OPENSSL_malloc(l);
|
|
172 | - i2d_SpcPeImageData(pid, &p);
|
|
173 | -@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
|
|
174 | - ASN1_INTEGER_set(si->d, 0);
|
|
175 | - ASN1_INTEGER_set(si->e, 0);
|
|
176 | - ASN1_INTEGER_set(si->f, 0);
|
|
177 | -- M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
|
|
178 | -+ ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
|
|
179 | - l = i2d_SpcSipInfo(si, NULL);
|
|
180 | - p = OPENSSL_malloc(l);
|
|
181 | - i2d_SpcSipInfo(si, &p);
|
|
182 | -@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
|
|
183 | - hashlen = EVP_MD_size(md);
|
|
184 | - hash = OPENSSL_malloc(hashlen);
|
|
185 | - memset(hash, 0, hashlen);
|
|
186 | -- M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
|
|
187 | -+ ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
|
|
188 | - OPENSSL_free(hash);
|
|
189 | -
|
|
190 | - *len = i2d_SpcIndirectDataContent(idc, NULL);
|
|
191 | -@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
|
|
192 | - unsigned int peheader, int pe32plus, unsigned int fileend)
|
|
193 | - {
|
|
194 | - static unsigned char bfb[16*1024*1024];
|
|
195 | -- EVP_MD_CTX mdctx;
|
|
196 | -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
|
|
197 | -
|
|
198 | -- EVP_MD_CTX_init(&mdctx);
|
|
199 | -- EVP_DigestInit(&mdctx, md);
|
|
200 | -+ EVP_DigestInit(mdctx, md);
|
|
201 | -
|
|
202 | - memset(mdbuf, 0, EVP_MAX_MD_SIZE);
|
|
203 | -
|
|
204 | - (void)BIO_seek(bio, 0);
|
|
205 | - BIO_read(bio, bfb, peheader + 88);
|
|
206 | -- EVP_DigestUpdate(&mdctx, bfb, peheader + 88);
|
|
207 | -+ EVP_DigestUpdate(mdctx, bfb, peheader + 88);
|
|
208 | - BIO_read(bio, bfb, 4);
|
|
209 | - BIO_read(bio, bfb, 60+pe32plus*16);
|
|
210 | -- EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16);
|
|
211 | -+ EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16);
|
|
212 | - BIO_read(bio, bfb, 8);
|
|
213 | -
|
|
214 | - unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8;
|
|
215 | -@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
|
|
216 | - int l = BIO_read(bio, bfb, want);
|
|
217 | - if (l <= 0)
|
|
218 | - break;
|
|
219 | -- EVP_DigestUpdate(&mdctx, bfb, l);
|
|
220 | -+ EVP_DigestUpdate(mdctx, bfb, l);
|
|
221 | - n += l;
|
|
222 | - }
|
|
223 | -
|
|
224 | -- EVP_DigestFinal(&mdctx, mdbuf, NULL);
|
|
225 | -+ EVP_DigestFinal(mdctx, mdbuf, NULL);
|
|
226 | -+ EVP_MD_CTX_free(mdctx);
|
|
227 | - }
|
|
228 | -
|
|
229 | -
|
|
230 | -@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
|
|
231 | - int phlen = pphlen * (3 + nsections + sigpos / pagesize);
|
|
232 | - unsigned char *res = malloc(phlen);
|
|
233 | - unsigned char *zeroes = calloc(pagesize, 1);
|
|
234 | -- EVP_MD_CTX mdctx;
|
|
235 | --
|
|
236 | -- EVP_MD_CTX_init(&mdctx);
|
|
237 | -- EVP_DigestInit(&mdctx, md);
|
|
238 | -- EVP_DigestUpdate(&mdctx, indata, peheader + 88);
|
|
239 | -- EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16);
|
|
240 | -- EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
|
|
241 | -- EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize);
|
|
242 | -+ EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
|
|
243 | -+
|
|
244 | -+ EVP_DigestInit(mdctx, md);
|
|
245 | -+ EVP_DigestUpdate(mdctx, indata, peheader + 88);
|
|
246 | -+ EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16);
|
|
247 | -+ EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
|
|
248 | -+ EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize);
|
|
249 | - memset(res, 0, 4);
|
|
250 | -- EVP_DigestFinal(&mdctx, res + 4, NULL);
|
|
251 | -+ EVP_DigestFinal(mdctx, res + 4, NULL);
|
|
252 | -
|
|
253 | - unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20);
|
|
254 | - char *sections = indata + peheader + 24 + sizeofopthdr;
|
|
255 | -@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
|
|
256 | - unsigned int l;
|
|
257 | - for (l=0; l < rs; l+=pagesize, pi++) {
|
|
258 | - PUT_UINT32_LE(ro + l, res + pi*pphlen);
|
|
259 | -- EVP_DigestInit(&mdctx, md);
|
|
260 | -+ EVP_DigestInit(mdctx, md);
|
|
261 | - if (rs - l < pagesize) {
|
|
262 | -- EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l);
|
|
263 | -- EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l));
|
|
264 | -+ EVP_DigestUpdate(mdctx, indata + ro + l, rs - l);
|
|
265 | -+ EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l));
|
|
266 | - } else {
|
|
267 | -- EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize);
|
|
268 | -+ EVP_DigestUpdate(mdctx, indata + ro + l, pagesize);
|
|
269 | - }
|
|
270 | -- EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL);
|
|
271 | -+ EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL);
|
|
272 | - }
|
|
273 | - lastpos = ro + rs;
|
|
274 | - sections += 40;
|
|
275 | - }
|
|
276 | -+ EVP_MD_CTX_free(mdctx);
|
|
277 | -+ mdctx = NULL;
|
|
278 | - PUT_UINT32_LE(lastpos, res + pi*pphlen);
|
|
279 | - memset(res + pi*pphlen + 4, 0, EVP_MD_size(md));
|
|
280 | - pi++;
|
|
281 | -@@ -2413,7 +2333,7 @@ int main(int argc, char **argv)
|
|
282 | - int nturl = 0, ntsurl = 0;
|
|
283 | - int addBlob = 0;
|
|
284 | - u_char *p = NULL;
|
|
285 | -- int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
|
|
286 | -+ int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0;
|
|
287 | - unsigned int tmp, peheader = 0, padlen = 0;
|
|
288 | - off_t filesize, fileend, sigfilesize, sigfileend, outdatasize;
|
|
289 | - file_type_t type;
|
|
290 | -@@ -2448,13 +2368,6 @@ int main(int argc, char **argv)
|
|
291 | - ERR_load_crypto_strings();
|
|
292 | - OPENSSL_add_all_algorithms_conf();
|
|
293 | -
|
|
294 | -- /* create some MS Authenticode OIDS we need later on */
|
|
295 | -- if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
|
|
296 | -- !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
|
|
297 | -- !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) ||
|
|
298 | -- !OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL))
|
|
299 | -- DO_EXIT_0("Failed to add objects\n");
|
|
300 | --
|
|
301 | - md = EVP_sha1();
|
|
302 | -
|
|
303 | - if (argc > 1) {
|
|
304 | -@@ -2531,8 +2444,6 @@ int main(int argc, char **argv)
|
|
305 | - readpass = *(++argv);
|
|
306 | - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) {
|
|
307 | - comm = 1;
|
|
308 | -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) {
|
|
309 | -- pagehash = 1;
|
|
310 | - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
|
|
311 | - if (--argc < 1) usage(argv0);
|
|
312 | - desc = *(++argv);
|
|
313 | -@@ -3243,7 +3154,7 @@ int main(int argc, char **argv)
|
|
314 | - p7x = NULL;
|
|
315 | - }
|
|
316 | -
|
|
317 | -- get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend);
|
|
318 | -+ get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend);
|
|
319 | - len -= EVP_MD_size(md);
|
|
320 | - memcpy(buf, p, len);
|
|
321 | - OPENSSL_free(p);
|
|
322 | ---
|
|
323 | -2.34.1
|
|
324 | - |
... | ... | @@ -4,11 +4,10 @@ distdir=$(pwd)/dist |
4 | 4 | mkdir -p $distdir/[% project %]
|
5 | 5 | tar xf [% project %]-[% c('version') %].tar.gz
|
6 | 6 | cd [% project %]-[% c('version') %]
|
7 | -patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch
|
|
8 | -patch -p1 < ../timestamping.patch
|
|
9 | 7 | |
10 | -./autogen.sh
|
|
11 | -./configure --prefix=/[% project %]
|
|
8 | +mkdir build
|
|
9 | +cd build
|
|
10 | +cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S ..
|
|
12 | 11 | make
|
13 | 12 | make DESTDIR=$distdir install
|
14 | 13 |
1 | 1 | # vim: filetype=yaml sw=2
|
2 | 2 | version: '[% c("git_hash").substr(0, 12) %]'
|
3 | 3 | git_url: https://github.com/mtrojnar/osslsigncode
|
4 | -git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
|
|
4 | +git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed
|
|
5 | 5 | filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
|
6 | 6 | container:
|
7 | 7 | use_container: 0
|
8 | 8 | var:
|
9 | 9 | deps:
|
10 | - - autoconf
|
|
11 | - - libtool
|
|
12 | - - pkg-config
|
|
10 | + - cmake
|
|
13 | 11 | - libssl-dev
|
14 | 12 | - libcurl4-openssl-dev
|
15 | 13 | input_files:
|
16 | - - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
|
|
17 | - - filename: timestamping.patch
|
|
18 | 14 | - filename: '[% c("var/srcfile") %]'
|
19 | 15 | enable: '[% c("var/no-git") %]'
|
20 | 16 |
1 | -From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001
|
|
2 | -From: Georg Koppen <gk@xxxxxxxxxxxxxx>
|
|
3 | -Date: Fri, 5 Feb 2016 09:23:10 +0000
|
|
4 | -Subject: [PATCH] Allow timestamping with the 'add' command
|
|
5 | - |
|
6 | - |
|
7 | -diff --git a/osslsigncode.c b/osslsigncode.c
|
|
8 | -index 32e37c8..2978c02 100644
|
|
9 | ---- a/osslsigncode.c
|
|
10 | -+++ b/osslsigncode.c
|
|
11 | -@@ -2556,16 +2556,16 @@ int main(int argc, char **argv)
|
|
12 | - if (--argc < 1) usage(argv0);
|
|
13 | - url = "">
|
|
14 | - #ifdef ENABLE_CURL
|
|
15 | -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) {
|
|
16 | -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) {
|
|
17 | - if (--argc < 1) usage(argv0);
|
|
18 | - turl[nturl++] = *(++argv);
|
|
19 | -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) {
|
|
20 | -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) {
|
|
21 | - if (--argc < 1) usage(argv0);
|
|
22 | - tsurl[ntsurl++] = *(++argv);
|
|
23 | -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) {
|
|
24 | -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
|
|
25 | - if (--argc < 1) usage(argv0);
|
|
26 | - proxy = *(++argv);
|
|
27 | -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) {
|
|
28 | -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) {
|
|
29 | - noverifypeer = 1;
|
|
30 | - #endif
|
|
31 | - } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
|
|
32 | ---
|
|
33 | -2.7.0
|
|
34 | - |
|
35 | - |
|
36 | -From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001
|
|
37 | -From: Georg Koppen <gk@xxxxxxxxxxxxxx>
|
|
38 | -Date: Sat, 11 Apr 2020 05:50:36 +0000
|
|
39 | -Subject: [PATCH] fixup! Allow timestamping with the 'add' command
|
|
40 | - |
|
41 | - |
|
42 | -diff --git a/osslsigncode.c b/osslsigncode.c
|
|
43 | -index 3797458..4f4b897 100644
|
|
44 | ---- a/osslsigncode.c
|
|
45 | -+++ b/osslsigncode.c
|
|
46 | -@@ -2447,7 +2447,7 @@ int main(int argc, char **argv)
|
|
47 | - } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
|
|
48 | - if (--argc < 1) usage(argv0);
|
|
49 | - desc = *(++argv);
|
|
50 | -- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) {
|
|
51 | -+ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) {
|
|
52 | - if (--argc < 1) usage(argv0);
|
|
53 | - ++argv;
|
|
54 | - if (!strcmp(*argv, "md5")) {
|
|
55 | ---
|
|
56 | -2.26.0 |
1 | -android-signing |
|
\ No newline at end of file |
1 | -android-signing |
|
\ No newline at end of file |
... | ... | @@ -35,7 +35,7 @@ set -e |
35 | 35 | script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
36 | 36 | source "$script_dir/functions"
|
37 | 37 | |
38 | -osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
|
|
38 | +osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"
|
|
39 | 39 | |
40 | 40 | test -f "$osslsigncode_file" ||
|
41 | 41 | exit_error "$osslsigncode_file is missing." \
|
... | ... | @@ -17,9 +17,12 @@ echo |
17 | 17 | test -f "$steps_dir/linux-signer-signmars.done" ||
|
18 | 18 | read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
|
19 | 19 | echo
|
20 | -#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
|
|
21 | -# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
|
|
22 | -#echo
|
|
20 | +test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
|
|
21 | + read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
|
|
22 | +echo
|
|
23 | +test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
|
|
24 | + read -sp "Enter windows authenticode passphrase: " YUBIPASS
|
|
25 | +echo
|
|
23 | 26 | test -f "$steps_dir/linux-signer-gpg-sign.done" ||
|
24 | 27 | read -sp "Enter gpg passphrase: " GPG_PASS
|
25 | 28 | echo
|
... | ... | @@ -106,6 +109,18 @@ function sync-after-signmars { |
106 | 109 | "$script_dir/sync-linux-signer-to-local"
|
107 | 110 | }
|
108 | 111 | |
112 | +function linux-signer-sign-android-apks {
|
|
113 | + ssh "$ssh_host_linux_signer" 'bash -s' << EOF
|
|
114 | + export KSPASS=$KSPASS
|
|
115 | + ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
|
|
116 | +EOF
|
|
117 | + unset KSPASS
|
|
118 | +}
|
|
119 | + |
|
120 | +function sync-after-sign-android-apks {
|
|
121 | + "$script_dir/sync-linux-signer-to-local"
|
|
122 | +}
|
|
123 | + |
|
109 | 124 | function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
|
110 | 125 | "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
|
111 | 126 | }
|
... | ... | @@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer |
199 | 214 | do_step sync-before-linux-signer-signmars
|
200 | 215 | do_step linux-signer-signmars
|
201 | 216 | do_step sync-after-signmars
|
202 | -#do_step linux-signer-authenticode-signing
|
|
203 | -#do_step sync-after-authenticode-signing
|
|
204 | -#do_step authenticode-timestamping
|
|
205 | -#do_step sync-after-authenticode-timestamping
|
|
217 | +is_project torbrowser && \
|
|
218 | + do_step linux-signer-sign-android-apks
|
|
219 | +is_project torbrowser && \
|
|
220 | + do_step sync-after-sign-android-apks
|
|
221 | +do_step linux-signer-authenticode-signing
|
|
222 | +do_step sync-after-authenticode-signing
|
|
223 | +do_step authenticode-timestamping
|
|
224 | +do_step sync-after-authenticode-timestamping
|
|
206 | 225 | do_step hash_signed_bundles
|
207 | 226 | do_step sync-after-hash
|
208 | 227 | do_step linux-signer-gpg-sign
|
... | ... | @@ -20,4 +20,5 @@ do |
20 | 20 | tmpsig=$(mktemp)
|
21 | 21 | echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
|
22 | 22 | mv -f "$tmpsig" "${i}.asc"
|
23 | + chmod 644 "${i}.asc"
|
|
23 | 24 | done |
1 | +#!/bin/bash
|
|
2 | + |
|
3 | +set -e
|
|
4 | +script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
|
5 | +source "$script_dir/functions"
|
|
6 | +source "$script_dir/set-config.generated-config"
|
|
7 | + |
|
8 | +topdir="$script_dir/../.."
|
|
9 | +ARCHS="armv7 aarch64 x86 x86_64"
|
|
10 | +projname=$(project-name)
|
|
11 | +# tbb_version_type is used in wrappers/sign-apk, so we export it
|
|
12 | +export tbb_version_type
|
|
13 | + |
|
14 | +check_installed_packages() {
|
|
15 | + local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
|
|
16 | + for package in $packages
|
|
17 | + do
|
|
18 | + dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
|
|
19 | + exit_error "package $package is missing"
|
|
20 | + done
|
|
21 | +}
|
|
22 | + |
|
23 | +setup_build_tools() {
|
|
24 | + build_tools_dir=/signing/android-build-tools
|
|
25 | + test -f "$build_tools_dir"/android-12/apksigner || \
|
|
26 | + exit_error "$build_tools_dir/android-12/apksigner is missing"
|
|
27 | + export PATH="$build_tools_dir/android-12:${PATH}"
|
|
28 | +}
|
|
29 | + |
|
30 | +sign_apk() {
|
|
31 | + sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
|
|
32 | +}
|
|
33 | + |
|
34 | +verify_apk() {
|
|
35 | + verified=$(apksigner verify --print-certs --verbose "$1")
|
|
36 | + scheme_v1="Verified using v1 scheme (JAR signing): true"
|
|
37 | + scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
|
|
38 | + |
|
39 | + # Verify the expected signing key was used, Alpha verses Release based on the filename.
|
|
40 | + if test "$tbb_version_type" = "alpha"; then
|
|
41 | + cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
|
|
42 | + pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
|
|
43 | + else
|
|
44 | + cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
|
|
45 | + pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
|
|
46 | + fi
|
|
47 | + for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
|
|
48 | + if ! echo "${verified}" | grep -q "${digest}"; then
|
|
49 | + echo "Expected digest not found:"
|
|
50 | + echo ${digest}
|
|
51 | + echo "in:"
|
|
52 | + echo ${verified}
|
|
53 | + exit 1
|
|
54 | + fi
|
|
55 | + done
|
|
56 | +}
|
|
57 | + |
|
58 | +check_installed_packages
|
|
59 | + |
|
60 | +if [ -z "$KSPASS" ]; then
|
|
61 | + echo "Enter keystore passphrase"
|
|
62 | + stty -echo; read KSPASS; stty echo
|
|
63 | + export KSPASS
|
|
64 | +fi
|
|
65 | + |
|
66 | +setup_build_tools
|
|
67 | + |
|
68 | +mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
|
|
69 | +chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
|
|
70 | +chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
|
|
71 | +cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
|
|
72 | +cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
|
|
73 | + |
|
74 | +# Sign all packages
|
|
75 | +for arch in ${ARCHS}; do
|
|
76 | + qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
|
|
77 | + signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
|
|
78 | + sign_apk "$qa_apk" "$signed_apk"
|
|
79 | + verify_apk "$signed_apk"
|
|
80 | + cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
|
|
81 | +done
|
|
82 | + |
|
83 | +rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks" |
1 | +linux-signer-sign-android-apks |
|
\ No newline at end of file |
... | ... | @@ -83,11 +83,12 @@ create_group signing |
83 | 83 | create_user signing-gpg
|
84 | 84 | create_user signing-mar
|
85 | 85 | create_user signing-win yubihsm
|
86 | - |
|
86 | +create_user signing-apk signing
|
|
87 | 87 | |
88 | 88 | sudoers_file sign-gpg
|
89 | 89 | sudoers_file sign-mar
|
90 | 90 | sudoers_file sign-exe
|
91 | +sudoers_file sign-apk
|
|
91 | 92 | |
92 | 93 | authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
|
93 | 94 | create_user richard signing
|
... | ... | @@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl |
111 | 112 | # Install deps for building yubihsm-shell
|
112 | 113 | install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
|
113 | 114 | |
115 | +# Install deps for android/apk signing
|
|
116 | +install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
|
|
117 | + |
|
114 | 118 | # Build and install yubihsm-pkcs11 package
|
115 | 119 | create_user build-pkgs
|
116 | 120 | if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
|
... | ... | @@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then |
132 | 136 | chmod go+rX "$tmpdir/mar-tools"/*
|
133 | 137 | mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
|
134 | 138 | fi
|
139 | + |
|
140 | +for rel in release alpha; do
|
|
141 | + keypath=/home/signing-apk/keys/tba_$rel.p12
|
|
142 | + if ! test -f "$keypath"; then
|
|
143 | + echo "$rel key for android should be put in $keypath"
|
|
144 | + else
|
|
145 | + chown signing-apk "$keypath"
|
|
146 | + chmod 700 "$keypath"
|
|
147 | + fi
|
|
148 | +done |
1 | +Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
|
|
2 | +%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk |
... | ... | @@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then |
36 | 36 | echo "Fetched $yubihsm_filename"
|
37 | 37 | fi
|
38 | 38 | |
39 | +android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
|
|
40 | +if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
|
|
41 | + ./rbm/rbm build --step get_build_tools android-toolchain
|
|
42 | + echo "Fetched $android_build_tools_filename"
|
|
43 | +fi
|
|
44 | + |
|
39 | 45 | signing_machine='linux-signer'
|
40 | 46 | setup_user='setup'
|
41 | 47 | signing_dir='/signing'
|
... | ... | @@ -43,14 +49,26 @@ signing_dir='/signing' |
43 | 49 | echo "Uploading $osslsigncodefile to $signing_machine"
|
44 | 50 | chmod go+r "./out/osslsigncode/$osslsigncodefile"
|
45 | 51 | rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
|
52 | + |
|
46 | 53 | echo "Uploading rbm.tar to $signing_machine"
|
47 | 54 | rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
|
55 | + |
|
48 | 56 | echo "Uploading $martools_filename"
|
49 | 57 | chmod go+r "./out/mar-tools/$martools_filename"
|
50 | 58 | rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
|
59 | + |
|
51 | 60 | echo "Uploading $yubihsm_filename"
|
52 | 61 | chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
|
53 | 62 | rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
|
63 | + |
|
64 | +echo "Uploading $android_build_tools_filename"
|
|
65 | +chmod go+r "./out/android-toolchain/$android_build_tools_filename"
|
|
66 | +rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
|
|
67 | +echo "Extracting $android_build_tools_filename"
|
|
68 | +ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
|
|
69 | +ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
|
|
70 | +ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
|
|
71 | + |
|
54 | 72 | echo "Uploading tor-browser-build.tar to $signing_machine"
|
55 | 73 | scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
|
56 | 74 | echo "Extracting tor-browser-build.tar on $signing_machine"
|
1 | -# The following line should be uncommented and updated:
|
|
2 | - |
|
3 | -#ssh_host_pkgstage=tbbuild
|
|
4 | -#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
|
|
5 | -#android_signing_key_dir=/path/to/signing/key/dir
|
|
6 | - |
|
7 | -var_is_defined ssh_host_pkgstage android_signing_key_dir |
1 | 1 | #!/bin/bash
|
2 | - |
|
3 | -# Sign apk for each target architecture.
|
|
4 | -# This script does not require command line argument, but it needs
|
|
5 | -# some configuration options to be set in set-config.android-signing:
|
|
6 | -# - ssh_host_pkgstage is the host which you use for staging packages
|
|
7 | -# during signing. The script will download the unsigned .apk files
|
|
8 | -# from this host, and upload the signed .apk there
|
|
9 | -# - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
|
|
10 | -# on pkgstage
|
|
11 | -# - android_signing_key_dir: the local path where the android signing
|
|
12 | -# keys are located. That directory should contains files tba_alpha.p12
|
|
13 | -# and tba_release.p12 for alpha and release signing keys.
|
|
14 | -# The Tor Browser version is taken from set-config.tbb-version
|
|
15 | - |
|
16 | 2 | set -e
|
17 | -script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
|
18 | -source "$script_dir/functions"
|
|
19 | -source "$script_dir/set-config.android-signing"
|
|
20 | 3 | |
21 | -topdir="$script_dir/../.."
|
|
22 | -ARCHS="armv7 aarch64 x86 x86_64"
|
|
23 | -projname=$(project-name)
|
|
24 | - |
|
25 | -android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
|
|
26 | -test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
|
|
27 | - |
|
28 | -check_installed_packages() {
|
|
29 | - local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
|
|
30 | - for package in $packages
|
|
4 | +function exit_error {
|
|
5 | + for msg in "$@"
|
|
31 | 6 | do
|
32 | - dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
|
|
33 | - exit_error "package $package is missing"
|
|
7 | + echo "$msg" >&2
|
|
34 | 8 | done
|
9 | + exit 1
|
|
35 | 10 | }
|
36 | 11 | |
12 | +if test "$tbb_version_type" != 'release' \
|
|
13 | + && test "$tbb_version_type" != 'alpha'; then
|
|
14 | + exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
|
|
15 | +fi
|
|
16 | + |
|
17 | +android_signing_key_dir=/home/signing-apk/keys
|
|
18 | +android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
|
|
19 | +test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
|
|
20 | + |
|
37 | 21 | setup_build_tools() {
|
38 | - local rbm="$topdir/rbm/rbm"
|
|
39 | - local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
|
|
40 | - if ! test -f "$build_tools_zipfile"; then
|
|
41 | - "$rbm" build --step get_build_tools android-toolchain
|
|
42 | - test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
|
|
43 | - fi
|
|
44 | - local build_tools_dir=$(mktemp -d)
|
|
45 | - trap "rm -Rf $build_tools_dir" EXIT
|
|
46 | - unzip -d "$build_tools_dir" "$build_tools_zipfile"
|
|
22 | + build_tools_dir=/signing/android-build-tools
|
|
47 | 23 | test -f "$build_tools_dir"/android-12/apksigner || \
|
48 | 24 | exit_error "$build_tools_dir/android-12/apksigner is missing"
|
49 | 25 | export PATH="$build_tools_dir/android-12:${PATH}"
|
50 | 26 | }
|
51 | 27 | |
52 | -download_unsigned_apks() {
|
|
53 | - apks_dir=$(mktemp -d)
|
|
54 | - trap "rm -Rf $apks_dir" EXIT
|
|
55 | - rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
|
|
56 | -}
|
|
57 | - |
|
58 | -upload_signed_apks() {
|
|
59 | - rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
|
|
60 | - --exclude="*-unsigned.apk" "$apks_dir/" \
|
|
61 | - "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
|
|
62 | -}
|
|
63 | - |
|
64 | 28 | # Sign individual apk
|
65 | 29 | sign_apk() {
|
66 | 30 | INPUTAPK="$1"
|
31 | + OUTPUTAPK="$2"
|
|
67 | 32 | |
68 | 33 | # https://developer.android.com/studio/publish/app-signing#sign-manually
|
69 | 34 | # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
|
... | ... | @@ -75,10 +40,11 @@ sign_apk() { |
75 | 40 | echo Aligning and signing ${INPUTAPK}
|
76 | 41 | |
77 | 42 | # Append the different stages of signing
|
78 | - UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
|
|
43 | + UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
|
|
79 | 44 | UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
|
80 | 45 | SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
|
81 | 46 | |
47 | + # ${INPUTAPK} is full path. We copy to local tmp directory.
|
|
82 | 48 | cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
|
83 | 49 | |
84 | 50 | # Step 1: Align
|
... | ... | @@ -117,67 +83,16 @@ sign_apk() { |
117 | 83 | exit 1
|
118 | 84 | fi
|
119 | 85 | |
86 | + mv -f "${SIGNED_APK}" "$OUTPUTAPK"
|
|
120 | 87 | echo apksigner verify succeeded
|
121 | 88 | }
|
122 | 89 | |
123 | -# Rename and verify signing certificate
|
|
124 | -finalize() {
|
|
125 | - for arch in ${ARCHS}; do
|
|
126 | - mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
|
|
127 | - done
|
|
128 | - |
|
129 | - for arch in ${ARCHS}; do
|
|
130 | - verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
|
|
131 | - scheme_v1=
|
|
132 | - scheme_v2=
|
|
133 | - cert_digest=
|
|
134 | - pubkey_digest=
|
|
135 | - |
|
136 | - # Verify the expected signing key was used, Alpha verses Release based on the filename.
|
|
137 | - if test "$tbb_version_type" = "alpha"; then
|
|
138 | - scheme_v1="Verified using v1 scheme (JAR signing): true"
|
|
139 | - scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
|
|
140 | - cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
|
|
141 | - pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
|
|
142 | - else
|
|
143 | - scheme_v1="Verified using v1 scheme (JAR signing): true"
|
|
144 | - scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
|
|
145 | - cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
|
|
146 | - pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
|
|
147 | - fi
|
|
148 | - for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
|
|
149 | - if ! `echo "${verified}" | grep -q "${digest}"`; then
|
|
150 | - echo "Expected digest not found:"
|
|
151 | - echo ${digest}
|
|
152 | - echo "in:"
|
|
153 | - echo ${verified}
|
|
154 | - exit 1
|
|
155 | - fi
|
|
156 | - done
|
|
157 | - done
|
|
158 | - |
|
159 | - echo Done.
|
|
160 | -}
|
|
161 | - |
|
162 | -check_installed_packages
|
|
163 | - |
|
164 | -if [ -z "$KSPASS" ]; then
|
|
165 | - echo "Enter keystore passphrase"
|
|
166 | - stty -echo; read KSPASS; stty echo
|
|
167 | - export KSPASS
|
|
168 | -fi
|
|
169 | - |
|
170 | 90 | setup_build_tools
|
171 | 91 | |
172 | -download_unsigned_apks
|
|
173 | - |
|
174 | -cd $apks_dir
|
|
175 | - |
|
176 | -# Sign all packages
|
|
177 | -for arch in ${ARCHS}; do
|
|
178 | - sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
|
|
179 | -done
|
|
92 | +tmpdir=$(mktemp -d)
|
|
93 | +cd "$tmpdir"
|
|
180 | 94 | |
181 | -finalize
|
|
95 | +sign_apk "$1" "$2"
|
|
182 | 96 | |
183 | -upload_signed_apks |
|
97 | +cd -
|
|
98 | +rm -Rf "$tmpdir" |
... | ... | @@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then |
11 | 11 | exit 2
|
12 | 12 | fi
|
13 | 13 | |
14 | -yubipass="$1"
|
|
14 | +pass="$1"
|
|
15 | 15 | to_sign_exe="$2"
|
16 | 16 | |
17 | -tpo_cert=/home/signing-win/tpo-cert.crt
|
|
17 | +key_dir=/home/signing-win/keys/key-1
|
|
18 | +tpo_cert=$key_dir/the_tor_project_inc.crt
|
|
19 | +tpo_key=$key_dir/private.pem
|
|
18 | 20 | |
19 | 21 | if ! test -f "$tpo_cert"; then
|
20 | 22 | echo "File $tpo_cert is missing" >&2
|
... | ... | @@ -26,12 +28,10 @@ rm -f "$output_signed_exe" |
26 | 28 | |
27 | 29 | export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
|
28 | 30 | /home/signing-win/osslsigncode/bin/osslsigncode \
|
29 | - -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
|
|
30 | - -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
|
|
31 | - -pass "$yubipass" \
|
|
31 | + -pass "$pass" \
|
|
32 | 32 | -h sha256 \
|
33 | 33 | -certs "$tpo_cert" \
|
34 | - -key 1c40 \
|
|
34 | + -key "$tpo_key" \
|
|
35 | 35 | "$to_sign_exe" "$output_signed_exe"
|
36 | 36 | |
37 | 37 | chmod 644 "$output_signed_exe" |