
[tor-commits] [Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 40763: Add support for signing multiple browsers in tools/signing/nightly




boklm pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

  • 38099794
    by Nicolas Vigier at 2023-03-20T17:29:45+01:00
    Bug 40763: Add support for signing multiple browsers in tools/signing/nightly
    
  • 3f0b4c83
    by Nicolas Vigier at 2023-03-20T17:29:46+01:00
    Bug 40807: Add config for basebrowser nightly signing
    

3 changed files:

Changes:

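--- a/tools/signing/nightly/config.yml
+++ b/tools/signing/nightly/config.yml
@@ -3,15 +3,22 @@ martools_version: 9.0.2
 martools_url: https://archive.torproject.org/tor-package-archive/torbrowser/
 martools_gpg_keyring: keyring/torbrowser.gpg
 builds_url: /srv/tbb-nightlies-master.torproject.org/htdocs/nightly-builds/tor-browser-builds
-builds_url_auth_basic_username: tor-guest
-builds_url_auth_basic_password: tor-guest
-publish_dirs:
+torbrowser:
+  publish_dirs:
     - nightly-linux-x86_64
     - nightly-linux-i686
     - nightly-windows-x86_64
     - nightly-windows-i686
     - nightly-macos
-nss_db_dir: nssdb
+  nss_db_dir: nssdb
+basebrowser:
+  publish_dirs:
+    - basebrowser-nightly-linux-x86_64
+    - basebrowser-nightly-linux-i686
+    - basebrowser-nightly-windows-x86_64
+    - basebrowser-nightly-windows-i686
+    - basebrowser-nightly-macos
+  nss_db_dir: nssdb-basebrowser-1
 nss_certname: nightly-marsigner
 gpg_keyring: keyring/torbrowser-nightly.gpg
 rsync_dest: /srv/tbb-nightlies-master.torproject.org/htdocs/nightly-updates/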
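Review bot: The `nss_db_dir: nssdb-basebrowser-1` value has to name the directory that was passed to `create-nightly-mar-signing-key`, but nothing in the file says so, and the usage example in that script creates `nssdb-basebrowser` instead. A comment above the project sections would help, for example `# Section name = sign-nightly argument; keys set here override the top-level ones.` and `# nss_db_dir: directory created by create-nightly-mar-signing-key for this browser`. If the `-1` suffix is meant as a key generation counter, saying so in the comment would make rotation steps clearer.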
    

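--- a/tools/signing/nightly/create-nightly-mar-signing-key
+++ b/tools/signing/nightly/create-nightly-mar-signing-key
@@ -1,6 +1,13 @@
 #!/bin/bash
 set -e
-nssdb="$(dirname "$0")/nssdb"
+if test "$#" -ne 2; then
+  echo "Usage: $0 <nssdb-dir> <Browser Name>" >&2
+  echo >&2
+  echo "Example: $0 nssdb-basebrowser 'Base Browser'" >&2
+  exit 1
+fi
+nssdb="$(dirname "$0")/$1"
+BrowserName="$2"
 if test -d $nssdb
 then
     echo "Error: $nssdb already exists" >&2
@@ -9,5 +16,5 @@ fi
 mkdir -p $nssdb
 chmod 700 $nssdb
 certutil -d $nssdb -N --empty-password
-certutil -d $nssdb -S -x -g 4096 -Z SHA384 -n nightly-marsigner -s "CN=Tor Browser Nightly MAR signing key" -t,,
+certutil -d $nssdb -S -x -g 4096 -Z SHA384 -n nightly-marsigner -s "CN=$BrowserName Nightly MAR signing key" -t,,
 certutil -d $nssdb -L -r -n nightly-marsigner -o $nssdb/nightly-marsigner.der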
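Review bot: `$nssdb` is now built from the first argument but is still expanded unquoted in the `test -d`, `mkdir -p`, `chmod 700` and `certutil -d` lines, so a directory name containing spaces or glob characters would be split or expanded before the key database is created; quote it throughout, e.g. `mkdir -p "$nssdb"` and `certutil -d "$nssdb" -N --empty-password`. The second argument is placed directly into the `-s "CN=…"` subject, so a browser name containing a comma or `=` would presumably change the certificate's distinguished name; rejecting such names next to the usage check, e.g. `case "$2" in *[,=]*) echo "Invalid browser name" >&2; exit 1;; esac`, keeps the subject to a single CN. The lines between the two hunks are not shown, so the quoting should be checked there as well.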

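--- a/tools/signing/nightly/sign-nightly
+++ b/tools/signing/nightly/sign-nightly
@@ -33,13 +33,22 @@ exit_error "Missing config file: $FindBin::Bin/config.yml"
 my $config = LoadFile("$FindBin::Bin/config.yml");
 my $topdir = "$FindBin::Bin/../../..";
 
+exit_error "Usage: sign-nightly <project>" unless @ARGV == 1;
+my $project = $ARGV[0];
+
+sub get_config {
+  my ($name) = @_;
+  return $config->{$project}{$name} if defined $config->{$project}{$name};
+  return $config->{$name};
+}
+
 {
     no warnings 'redefine';
     sub LWP::UserAgent::get_basic_credentials {
-        if ($config->{builds_url_auth_basic_username}
-            && $config->{builds_url_auth_basic_password}) {
-            return ( $config->{builds_url_auth_basic_username},
-                     $config->{builds_url_auth_basic_password} );
+        if (get_config('builds_url_auth_basic_username')
+            && get_config('builds_url_auth_basic_password')) {
+            return ( get_config('builds_url_auth_basic_username'),
+                     get_config('builds_url_auth_basic_password') );
         }
         return ();
     }
@@ -51,7 +60,7 @@ sub print_time {
 }
 
 END {
-    print_time "Exiting sign-nightly (pid: $$)\n";
+    print_time "Exiting sign-nightly (pid: $$, project: $project)\n" if $project;
 }
 
 sub run_alone {
@@ -71,10 +80,8 @@ END {
 }
 
 sub get_tmpdir {
-    my ($config) = @_;
-    return File::Temp->newdir($config->{tmp_dir} ?
-                                (DIR => $config->{tmp_dir})
-                                : ());
+    my $tmp_dir = get_config('tmp_dir');
+    return File::Temp->newdir($tmp_dir ? (DIR => $tmp_dir) : ());
 }
 
 sub basedir_path {
@@ -83,15 +90,16 @@ sub basedir_path {
 }
 
 sub get_last_build_version {
-    my ($config, $publish_dir) = @_;
+    my ($publish_dir) = @_;
     my $today = 'tbb-nightly.' . DateTime->now->ymd('.');
     my @last_days;
     for my $i (1..5) {
       my $dt = DateTime->now - DateTime::Duration->new(days => $i);
       push @last_days, 'tbb-nightly.' . $dt->ymd('.');
     }
+    my $builds_url = get_config('builds_url');
     for my $version ($today, @last_days) {
-        my $url = "$config->{builds_url}/$version/$publish_dir/sha256sums-unsigned-build.incrementals.txt";
+        my $url = "$builds_url/$version/$publish_dir/sha256sums-unsigned-build.incrementals.txt";
         if ($url =~ m|^/|) {
             return $version if -f $url;
         } else {
@@ -115,10 +123,10 @@ sub set_current_version {
 }
 
 sub get_new_version {
-    my ($config, $publish_dir) = @_;
+    my ($publish_dir) = @_;
     my $today = 'tbb-nightly.' . DateTime->now->ymd('.');
     my $current_ver = get_current_version($publish_dir);
-    my $last_ver = get_last_build_version($config, $publish_dir);
+    my $last_ver = get_last_build_version($publish_dir);
     return $last_ver unless defined($current_ver);
     return undef if $current_ver eq $today;
     return undef unless defined($last_ver);
@@ -147,13 +155,13 @@ sub get_file_sha256sum {
 }
 
 sub fetch_version {
-    my ($config, $publish_dir, $version) = @_;
-    my $tmpdir = get_tmpdir($config);
-    my $urldir = "$config->{builds_url}/$version/$publish_dir";
+    my ($publish_dir, $version) = @_;
+    my $tmpdir = get_tmpdir();
+    my $urldir = get_config('builds_url') . "/$version/$publish_dir";
     my $destdir = "$topdir/nightly/$publish_dir/$version";
 
     return if -d $destdir;
-    my $gpg_keyring = basedir_path($config->{gpg_keyring}, $topdir);
+    my $gpg_keyring = basedir_path(get_config('gpg_keyring'), $topdir);
     for my $file (qw/sha256sums-unsigned-build.txt sha256sums-unsigned-build.incrementals.txt/) {
         my $url = "$urldir/$file";
         exit_error "Error getting $url"
@@ -184,17 +192,17 @@ sub fetch_version {
 }
 
 sub setup_martools {
-    my ($config) = @_;
-    my $martools_dir = "$FindBin::Bin/mar-tools-$config->{martools_version}";
+    my $martools_dir = "$FindBin::Bin/mar-tools-" . get_config('martools_version');
     if (! -d $martools_dir) {
         my $file = "mar-tools-linux64.zip";
-        my $url = "$config->{martools_url}/$config->{martools_version}/$file";
-        my $tmpdir = get_tmpdir($config);
+        my $url = join('/', get_config('martools_url'),
+                            get_config('martools_version'), $file);
+        my $tmpdir = get_tmpdir();
         exit_error "Error downloading $url"
                 unless getstore($url, "$tmpdir/$file") == 200;
         exit_error "Error downloading $url.asc"
                 unless getstore("$url.asc", "$tmpdir/$file.asc") == 200;
-        my $gpg_keyring = basedir_path($config->{martools_gpg_keyring}, $topdir);
+        my $gpg_keyring = basedir_path(get_config('martools_gpg_keyring'), $topdir);
         exit_error "Error checking gpg signature for $url"
                 if system('gpg', '--no-default-keyring', '--keyring', $gpg_keyring,
                           '--verify', "$tmpdir/$file.asc",
@@ -212,14 +220,14 @@ sub setup_martools {
 }
 
 sub sign_version {
-    my ($config, $publish_dir, $version) = @_;
-    setup_martools($config);
-    my $nss_db_dir = basedir_path($config->{nss_db_dir}, $FindBin::Bin);
+    my ($publish_dir, $version) = @_;
+    setup_martools();
+    my $nss_db_dir = basedir_path(get_config('nss_db_dir'), $FindBin::Bin);
     for my $marfile (path("$topdir/nightly/$publish_dir/$version")->children(qr/\.mar$/)) {
         print "Signing $marfile\n";
         exit_error "Error signing $marfile"
           unless system('signmar', '-d', $nss_db_dir, '-n',
-                        $config->{nss_certname}, '-s', $marfile,
+                        get_config('nss_certname'), '-s', $marfile,
                         "$marfile-signed") == 0;
         move("$marfile-signed", $marfile);
     }
@@ -232,7 +240,7 @@ sub get_buildinfos {
 }
 
 sub update_responses {
-    my ($config, $publish_dir, $version) = @_;
+    my ($publish_dir, $version) = @_;
     my $ur_config = LoadFile("$FindBin::Bin/update-responses-base-config.yml");
     $ur_config->{download}{mars_url} .= "/$publish_dir";
     $ur_config->{releases_dir} = "$topdir/nightly/$publish_dir";
@@ -253,7 +261,7 @@ sub update_responses {
 }
 
 sub remove_oldversions {
-    my ($config, $publish_dir, $version) = @_;
+    my ($publish_dir, $version) = @_;
     for my $dir (path("$topdir/nightly/$publish_dir")->children) {
         my ($filename) = fileparse($dir);
         next if $filename eq $version;
@@ -262,27 +270,27 @@ sub remove_oldversions {
 }
 
 sub sync_dest {
-    my ($config) = @_;
     exit_error "Error running rsync"
         if system('rsync', '-aH', '--delete-after',
-                  "$topdir/nightly/", "$config->{rsync_dest}/");
-    if ($config->{post_rsync_cmd}) {
-        exit_error "Error running $config->{post_rsync_cmd}"
-                if system($config->{post_rsync_cmd});
+                  "$topdir/nightly/", get_config('rsync_dest') . '/');
+    my $post_rsync_cmd = get_config('post_rsync_cmd');
+    if ($post_rsync_cmd) {
+        exit_error "Error running $post_rsync_cmd"
+                if system($post_rsync_cmd);
     }
 }
 
-print_time "Starting sign-nightly (pid: $$)\n";
+print_time "Starting sign-nightly (pid: $$, project: $project)\n";
 run_alone;
 my $some_updates = 0;
-foreach my $publish_dir (@{$config->{publish_dirs}}) {
-    my $new_version = get_new_version($config, $publish_dir);
+foreach my $publish_dir (@{get_config('publish_dirs')}) {
+    my $new_version = get_new_version($publish_dir);
     next unless $new_version;
-    fetch_version($config, $publish_dir, $new_version);
-    sign_version($config, $publish_dir, $new_version);
-    update_responses($config, $publish_dir, $new_version);
+    fetch_version($publish_dir, $new_version);
+    sign_version($publish_dir, $new_version);
+    update_responses($publish_dir, $new_version);
     set_current_version($publish_dir, $new_version);
-    remove_oldversions($config, $publish_dir, $new_version);
+    remove_oldversions($publish_dir, $new_version);
     $some_updates = 1;
 }
-sync_dest($config) if $some_updates;
+sync_dest() if $some_updates;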
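Review bot: `$project` is taken from `$ARGV[0]` and used as a hash key without checking that `config.yml` has such a section, so a mistyped project name is only caught later and indirectly: `get_config` falls back to the top-level keys for every lookup, and a name that matches a top-level scalar such as `nss_certname` would be dereferenced as a hash. Validating it right after the assignment, e.g. `exit_error "Unknown project: $project" unless ref $config->{$project} eq 'HASH';`, fails early with a clear message before `run_alone` or any download starts. Because the fallback in `get_config` is silent, it may also be worth requiring `nss_db_dir` and `publish_dirs` to come from the project section only, so one browser's updates can never be signed with a key database defined at top level; the `config.yml` in this commit already defines both per project.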
