[tor-commits] [builders/tor-browser-build] branch main updated: Bug 40574: Improve tools/signing/android-signing

[gitolite role <git@xxxxxxxxxxxxxxxxxxxxx>]

This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch main
in repository builders/tor-browser-build.

The following commit(s) were added to refs/heads/main by this push:
     new 751756c  Bug 40574: Improve tools/signing/android-signing
751756c is described below

commit 751756c2e7d7239df0636bf5ac8cc22d4781cbc6
Author: Nicolas Vigier <boklm@xxxxxxxxxxxxxx>
AuthorDate: Tue Jul 12 16:48:51 2022 +0200

    Bug 40574: Improve tools/signing/android-signing
    
    * use projects/android-toolchain/config to download android build-tools
    * download unsigned apk files for pkgstage and upload them to pkgstage
      when signed
    * use set-config.android-signing
---
 projects/android-toolchain/config        | 21 +++++++-
 tools/signing/android-signing            | 93 +++++++++++++++++++++++---------
 tools/signing/set-config.android-signing |  7 +++
 3 files changed, 93 insertions(+), 28 deletions(-)

diff --git a/projects/android-toolchain/config b/projects/android-toolchain/config
index 57c38c1..a2f34ae 100644
--- a/projects/android-toolchain/config
+++ b/projects/android-toolchain/config
@@ -47,11 +47,13 @@ var:
   sdk_tools_version: 4333796
   commandlinetools_version: 7583922
   commandlinetools_version_string: 5.0
+  build_tools_filename: build-tools_r31-linux.zip
+  build_tools_sha256sum: f90c22f5562638a2e00762e1711eebd55e7f0a05232b65200d387307d057bfe8
 input_files:
   - project: container-image
-  - URL: '[% c("var/google_repo") %]/build-tools_r31-linux.zip'
+  - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
     name: build_tools
-    sha256sum: f90c22f5562638a2e00762e1711eebd55e7f0a05232b65200d387307d057bfe8
+    sha256sum: '[% c("var/build_tools_sha256sum") %]'
   - URL: '[% c("var/google_repo") %]/build-tools_r[% c("var/version_30") %]-linux.zip'
     name: build_tools_30
     sha256sum: 565af786dc0cc1941002174fb945122eabd080b222cd4c7c3d9a2ae0fabf5dc4
@@ -85,3 +87,18 @@ input_files:
   - URL: '[% c("var/google_repo") %]/android-ndk-r[% c("var/android_ndk_version") %][% c("var/android_ndk_revision") %]-linux-x86_64.zip'
     name: android_ndk_compiler
     sha256sum: dd6dc090b6e2580206c64bcee499bc16509a5d017c6952dcd2bed9072af67cbd
+steps:
+  # The get_build_tools step is used by tools/signing/android-signing
+  get_build_tools:
+    filename: 'android-[% c("var/build_tools_filename") %]'
+    get_build_tools: |
+      #!/bin/bash
+      set -e
+      mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
+    var:
+      container:
+        use_container: 0
+    input_files:
+      - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
+        name: build_tools
+        sha256sum: '[% c("var/build_tools_sha256sum") %]'
diff --git a/tools/signing/android-signing b/tools/signing/android-signing
index 7c2ee50..16610e7 100755
--- a/tools/signing/android-signing
+++ b/tools/signing/android-signing
@@ -1,23 +1,64 @@
 #!/bin/bash
 
 # Sign apk for each target architecture.
-# This script requires two command line arguments.
-# Usage: android-signing <version> <path/to/signing/key>
+# This script does not require command line argument, but it needs 
+# some configuration options to be set in set-config.android-signing:
+#  - ssh_host_pkgstage is the host which you use for staging packages
+#    during signing. The script will download the unsigned .apk files
+#    from this host, and upload the signed .apk there
+#  - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
+#    on pkgstage
+#  - android_signing_key_dir: the local path where the android signing
+#    keys are located. That directory should contains files tba_alpha.p12
+#    and tba_release.p12 for alpha and release signing keys.
+# The Tor Browser version is taken from set-config.tbb-version
 
-# In addition, hard-coding the path to an Android SDK build-tools version, as
-# BUILD_TOOLS, is required.
-
-set -x
 set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.android-signing"
 
-VERSION=$1
-SIGNING_KEY_PATH=$2
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
 
-# TODO set correctly.
-BUILD_TOOLS=/path/to/build-tools/version
-export PATH="${BUILD_TOOLS}:${PATH}"
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
 
-ARCHS="armv7 aarch64 x86 x86_64"
+check_installed_packages() {
+  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+  for package in $packages
+  do
+    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+      exit_error "package $package is missing"
+  done
+}
+
+setup_build_tools() {
+  local rbm="$topdir/rbm/rbm"
+  local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
+  if ! test -f "$build_tools_zipfile"; then
+    "$rbm" build --step get_build_tools android-toolchain
+    test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
+  fi
+  local build_tools_dir=$(mktemp -d)
+  trap "rm -Rf $build_tools_dir" EXIT
+  unzip -d "$build_tools_dir" "$build_tools_zipfile"
+  test -f "$build_tools_dir"/android-12/apksigner || \
+    exit_error "$build_tools_dir/android-12/apksigner is missing"
+  export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+download_unsigned_apks() {
+  apks_dir=$(mktemp -d)
+  trap "rm -Rf $apks_dir" EXIT
+  rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
+}
+
+upload_signed_apks() {
+  rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
+    --exclude="*-unsigned.apk" "$apks_dir/" \
+    "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$tbb_version_type/signed/$tbb_version/"
+}
 
 # Sign individual apk
 sign_apk() {
@@ -57,7 +98,7 @@ sign_apk() {
 
     # Step 3: Sign
     # Use this command if reading key from file
-    apksigner sign --verbose -ks ${SIGNING_KEY_PATH} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
+    apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
 
     # Or, use below command if using a hardware token
     # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
@@ -81,18 +122,18 @@ sign_apk() {
 # Rename and verify signing certificate
 finalize() {
   for arch in ${ARCHS}; do
-      mv tor-browser-${VERSION}-android-${arch}-multi{-qa,}.apk
+      mv tor-browser-${tbb_version}-android-${arch}-multi{-qa,}.apk
   done
 
   for arch in ${ARCHS}; do
-      verified=`apksigner verify --print-certs --verbose tor-browser-${VERSION}-android-${arch}-multi.apk`
+      verified=`apksigner verify --print-certs --verbose tor-browser-${tbb_version}-android-${arch}-multi.apk`
       scheme_v1=
       scheme_v2=
       cert_digest=
       pubkey_digest=
 
       # Verify the expected signing key was used, Alpha verses Release based on the filename.
-      if `echo ${VERSION} | grep -q a`; then
+      if test "$tbb_version_type" = "alpha"; then
           scheme_v1="Verified using v1 scheme (JAR signing): true"
           scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
           cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
@@ -117,15 +158,7 @@ finalize() {
   echo Done.
 }
 
-if [ -z "$VERSION" ]; then
-    echo Provide version number
-    exit
-fi
-
-if [ -z "${SIGNING_KEY_PATH}" ]; then
-    echo Provide the path to the signing key: release or alpha
-    exit
-fi
+check_installed_packages
 
 if [ -z "$KSPASS" ]; then
     echo "Enter keystore passphrase"
@@ -133,9 +166,17 @@ if [ -z "$KSPASS" ]; then
     export KSPASS
 fi
 
+setup_build_tools
+
+download_unsigned_apks
+
+cd $apks_dir
+
 # Sign all packages
 for arch in ${ARCHS}; do
-    sign_apk tor-browser-${VERSION}-android-${arch}-multi-qa.apk
+    sign_apk tor-browser-${tbb_version}-android-${arch}-multi-qa.apk
 done
 
 finalize
+
+upload_signed_apks
diff --git a/tools/signing/set-config.android-signing b/tools/signing/set-config.android-signing
new file mode 100644
index 0000000..1731efc
--- /dev/null
+++ b/tools/signing/set-config.android-signing
@@ -0,0 +1,7 @@
+# The following line should be uncommented and updated:
+
+#ssh_host_pkgstage=tbbuild
+#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
+#android_signing_key_dir=/path/to/signing/key/dir
+
+var_is_defined ssh_host_pkgstage android_signing_key_dir

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits