[tbb-commits] [builders/tor-browser-build] 14/32: Bug 40414: Improve linux-signer-signmars

gitolite role git at cupani.torproject.org
Wed Apr 20 09:38:51 UTC 2022


This is an automated email from the git hooks/post-receive script.

boklm pushed a commit to branch master
in repository builders/tor-browser-build.

commit da9a132a75356b76954debbda095369e8490f027
Author: Nicolas Vigier <boklm at torproject.org>
AuthorDate: Mon Feb 14 20:01:38 2022 +0100

    Bug 40414: Improve linux-signer-signmars
    
    - automatically change to bundle directory
    - allow setting password with an environment variable (useful for
      tor-browser-build#40476)
    - some cleaning
---
 tools/signing/linux-signer-signmars | 90 +++++++------------------------------
 1 file changed, 16 insertions(+), 74 deletions(-)

diff --git a/tools/signing/linux-signer-signmars b/tools/signing/linux-signer-signmars
index 269610f..23b400d 100755
--- a/tools/signing/linux-signer-signmars
+++ b/tools/signing/linux-signer-signmars
@@ -1,37 +1,23 @@
 #!/bin/bash
 #
 #
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script.
+# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
+# (if you don't want to use the default values).
 
 set -e
 set -u
 
-WRAPPER_DIR=$(dirname "$0")
-WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR")
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
 
 if [ -z "${NSS_DB_DIR+x}" ]; then
-  NSS_DB_DIR=$WRAPPER_DIR/nssdb
+  NSS_DB_DIR=/home/gk/marsigning/nssdb7
 fi
 
 if [ -z "${NSS_CERTNAME+x}" ]; then
   NSS_CERTNAME=marsigner
 fi
 
-# Incorporate definitions from the versions file.
-if [ -z "$1" ]; then
-  VERSIONS_FILE=$WRAPPER_DIR/versions
-else
-  VERSIONS_FILE=$1
-fi
-
-if ! [ -e $VERSIONS_FILE ]; then
-  echo >&2 "Error: $VERSIONS_FILE file does not exist"
-  exit 1
-fi
-
-. $VERSIONS_FILE
-#eval $(./get-tb-version $TORBROWSER_VERSION_TYPE)
-
 export LC_ALL=C
 
 # Check some prerequisites.
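Review bot: The new default `NSS_DB_DIR=/home/gk/marsigning/nssdb7` hard-codes one account's home directory as the location of the MAR signing database, so the script only runs unmodified on a machine with that exact layout. Because this directory holds the signing key material, the location is better made explicit, for example by extending the header comment with `# The default NSS_DB_DIR is specific to the signing machine; set NSS_DB_DIR when running elsewhere.` or by defining it in the sourced `functions` file, if that is where machine-specific settings live (its contents are not visible here). The test `[ -z "${NSS_DB_DIR+x}" ]` also only detects an unset variable, so an exported but empty `NSS_DB_DIR` skips the default and the later prerequisite check looks at `/cert9.db`. Using `NSS_DB_DIR=${NSS_DB_DIR:-/home/gk/marsigning/nssdb7}` would cover both cases.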
@@ -40,27 +26,11 @@ if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
   exit 2
 fi
 
-OSNAME=""
-ARCH="$(uname -s)-$(uname -m)"
-case $ARCH in
-  Linux-x86_64)
-    OSNAME="linux64"
-    ;;
-  Linux-i*86)
-    OSNAME="linux32"
-    ;;
-  *)
-    >&2 echo "Unsupported architecture $ARCH"
-    exit 2
-esac
-
 # Extract the MAR tools so we can use the signmar program.
 MARTOOLS_TMP_DIR=$(mktemp -d)
 trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-new-${OSNAME}.zip"
-cd $MARTOOLS_TMP_DIR
-unzip -q "$MARTOOLS_ZIP"
-cd $WRAPPER_DIR
+MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
+unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
 export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
 if [ -z "${LD_LIBRARY_PATH+x}" ]; then
   export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
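Review bot: Nothing verifies `$MARTOOLS_ZIP` before its contents are put first on `PATH` and `LD_LIBRARY_PATH`, and the `signmar` taken from it is later given the NSS password and the signing database. A pinned digest check just before the `unzip` line would bind the signing step to a known build of the tools, e.g. `echo "<expected-sha256>  $MARTOOLS_ZIP" | sha256sum -c -` (the digest is a placeholder; the page gives no value). The archive name is now fixed to `linux32` with the `uname` detection removed, so a short comment stating that the signing host must be able to run 32-bit binaries would explain an otherwise confusing `signmar` failure. The `if` opened on the `LD_LIBRARY_PATH` test continues past the end of this hunk.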
@@ -72,25 +42,11 @@ fi
 # TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
 # both certutil and signmar keep trying to read a new password when they are
 # given an incorrect one.
-read -s -p "NSS password:" NSSPASS
+test -n "${NSSPASS:-}" || read -s -p "NSS password:" NSSPASS
 echo ""
 
-# Sign each MAR file.
-#
-# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION
-# directory into a TORBROWSER_VERSION-unsigned/ directory.  Details:
-#   If a file has not been signed, we move it to the -unsigned/ directory.
-#   If a file has already been signed and a file with the same name exists in
-#     the -unsigned/ directory, we just delete the signed file.
-#   If a file has already been signed but no corresponding file exists in
-#     the -unsigned/ directory, we report an error and exit.
-#
-# Once the above is done,  the -unsigned/ directory contains a set of .mar
-# files that need to be signed, so we go ahead and sign them one-by-one.
-SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION"
-UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned"
-mkdir -p "$UNSIGNED_DIR"
-cd "$SIGNED_DIR"
+COUNT=0
+cd ~/"$tbb_version"
 for marfile in *.mar; do
   if [ ! -f "$marfile" ]; then
     continue;
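Review bot: When `NSSPASS` arrives through the environment it is an exported variable, so every child the script starts afterwards (`sed`, `mv`, and the `signmar` extracted from the zip) inherits the NSS password, where the same user can read it through `/proc/<pid>/environ`. Adding `export -n NSSPASS` directly after the `test -n ... || read` line keeps the value usable in the script while dropping it from child environments; the password still reaches `signmar` on stdin. Separately, the interactive path calls `read` without `-r`, so a typed password containing a backslash is altered while the same password supplied by environment is not; `read -r -s -p "NSS password:" NSSPASS` makes the two paths agree. `cd ~/"$tbb_version"` depends on `tbb_version` being set by the sourced `functions` file, which is outside this page, and the `for` loop opened here continues in the next hunk.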
@@ -104,30 +60,16 @@ for marfile in *.mar; do
   if [ ! -z "$SIGINFO" ]; then
     SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/\([0-9]*\).*$/\1/')
   fi
-  if [ $SIGCOUNT -eq 0 ]; then
-    # No signature; move this .mar file to the -unsigned/ directory.
-    mv "$marfile" "$UNSIGNED_DIR/"
-  else
+  if [ $SIGCOUNT -ne 0 ]; then
     echo "Skipping $marfile (already signed)"
-  fi
-done
-
-# Use signmar to sign each .mar file that is now in the -unsigned directory.
-TMPMAR="$SIGNED_DIR/tmp.mar"
-trap "rm -f $TMPMAR" EXIT
-cd "$UNSIGNED_DIR"
-echo "Starting the signing..."
-COUNT=0
-for marfile in *.mar; do
-  if [ ! -f "$marfile" ]; then
     continue;
   fi
+
   echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
-      "$marfile" "$TMPMAR"
-  mv "$TMPMAR" "$SIGNED_DIR/$marfile"
+    "$marfile" tmp.mar
+  mv -f tmp.mar "$marfile"
   COUNT=$((COUNT + 1))
-  echo "Signed MAR file $COUNT"
-  rm "$marfile"
+  echo "Signed MAR file $COUNT ($marfile)"
 done
 
-echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed."
+echo "$COUNT MAR files have been signed."
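Review bot: The signed output is written to a fixed `tmp.mar` inside the bundle directory, a name that itself matches the loop's `*.mar` glob, and the commit drops the old `trap "rm -f $TMPMAR" EXIT` cleanup without a replacement. If a run stops between `signmar` and `mv -f`, the leftover `tmp.mar` stays among the release files and is iterated as an input on the next run. Writing to a name outside the glob but on the same filesystem avoids that and keeps the final rename atomic: `"$marfile" "$marfile.tmp"` on the `signmar` line, followed by `mv -f -- "$marfile.tmp" "$marfile"`. The enclosing `for` loop starts before this hunk.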
