[tbb-commits] [tor-browser-spec/master] Bug 40009: Update signing process documentation
boklm at torproject.org
boklm at torproject.org
Fri Jan 14 17:03:35 UTC 2022
commit 4663f9bfc956e43ff2153e69a7b4996f9e53b5dc
Author: Matthew Finkel <sysrqb at torproject.org>
Date: Tue Nov 17 03:24:20 2020 +0000
Bug 40009: Update signing process documentation
---
processes/ReleaseProcess | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/processes/ReleaseProcess b/processes/ReleaseProcess
index 563f263..3dee1e9 100644
--- a/processes/ReleaseProcess
+++ b/processes/ReleaseProcess
@@ -50,28 +50,41 @@
# For stable releases put tails-dev at boum.org into Cc.
#. Codesign the macOS dmg files.
- # XXX: Update with Notarization bits once they are included in our signing
# setup
torsocks ssh mac-signer "mkdir $TORBROWSER_VERSION"
torsocks rsync -avP $TORBROWSER_BUILDDIR/*.dmg mac-signer:$TORBROWSER_VERSION/
torsocks ssh mac-signer
# Unlock the keychain and then...
cd $TORBROWSER_VERSION
+ # Enable networking
+ networksetup -setsecurewebproxystate Ethernet on
# Sign the bundles.
../gatekeeper-signing.sh $TORBROWSER_VERSION
+ # notarize and staple
+ ../notarization.sh $TORBROWSER_VERSION
+ ../stapler.sh $TORBROWSER_VERSION
# Check that it worked.
- tar xf torbrowser-$TORBROWSER_VERSION-osx_zh-CN-signed.tar.bz2
- spctl -a -t exec -vv TorBrowser.app/
- rm -rf TorBrowser.app
+ unzip -d test tb-$TORBROWSER_VERSION-osx_zh-CN-stapled.zip
+ pushd test
+ # Both should be "Tor Browser.app: Accepted" with "source=Notarized Developer ID"
+ spctl -vvvv --assess --type=exec --context context:primary-signature Tor\ Browser.app/
+ spctl -vvvv --assess --type=open --context context:primary-signature Tor\ Browser.app/
+ popd
+ rm -rf test
+ # Disable networking
+ networksetup -setsocksfirewallproxystate Ethernet off
exit
- torsocks rsync -avP mac-signer:$TORBROWSER_VERSION/*.bz2 .
+ torsocks rsync -avP mac-signer:$TORBROWSER_VERSION/tb-*-stapled.zip /path/to/builddir/$TORBROWSER_VERSION/
+
+ cp -rT tor-browser-build/projects/tor-browser/Bundle-Data/mac-applications.dmg dmg
#. Regenerate macOS MAR files from code signed dmg files.
# XXX Go to your directory prepared for recreating the .dmg files and containing
- # the uploaded .bz2 files.
+ # the uploaded .zip files.
./gatekeeper-bundling.sh $TORBROWSER_VERSION
- rsync -avP *.dmg $TORBROWSER_BUILDDIR/
+ rsync -avP ../$TORBROWSER_VERSION-signed/*.dmg $TORBROWSER_BUILDDIR/
cd tor-browser-build
+ mv $TORBROWSER_BUILDDIR/ release/signed/ (or alpha)
# The code signed dmg files should be in the $TORBROWSER_VERSION directory
# Install a recent p7zip version (see ../tools/dmg2mar for instructions)
make dmg2mar-release # or `make dmg2mar-alpha`
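Review bot: The networking toggle around the signing step is asymmetric: the "Enable networking" line runs `networksetup -setsecurewebproxystate Ethernet on`, but the "Disable networking" line runs `networksetup -setsocksfirewallproxystate Ethernet off`, which is a different proxy setting, so the secure-web (HTTPS) proxy turned on for notarization is never turned back off before `exit` and the signer stays reachable after the step. If the intent is to mirror the enable line, the disable line should be `networksetup -setsecurewebproxystate Ethernet off` (and, if the SOCKS proxy is also meant to be off, keep the existing line as a second command). It would also help to note next to the two `spctl` lines that the verdict must be read by the operator, since neither command's exit status is checked and a `rejected` result would otherwise scroll past; a one-line comment such as `# Stop here if either line prints anything other than "accepted" / "source=Notarized Developer ID"` makes that explicit.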
@@ -107,13 +120,14 @@
export OSSLSIGNCODE=/path/to/osslsigncode
/path/to/authenticode-timestamping.sh
# Hashes of the signed bundles
- ../tools/hash_signed_bundles.sh
+ ../../../tools/hash_signed_bundles.sh
# All the GPG signatures at last
torsocks rsync -avP $TORBROWSER_BUILDDIR/* signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/
cd tor-browser-bundle/gitian/$TORBROWSER_VERSION
/path/to/tbb-signing.sh
exit
torsocks rsync -avP signing-machine:tor-browser-bundle/gitian/$TORBROWSER_VERSION/ $TORBROWSER_BUILDDIR
+ # Fetch signatures on unsigned sha256sums from other builds
#. Sync to people.torproject.org
torsocks rsync -avP $TORBROWSER_BUILDDIR/ people.torproject.org:public_html/builds/$TORBROWSER_BUILDDIR
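Review bot: The added line `# Fetch signatures on unsigned sha256sums from other builds` is the only step in this section that is a bare comment with no command, no file name and no location, and it sits immediately before the sync to people.torproject.org, so it reads as optional. Presumably these are the reproducibility signatures that should be checked before publication; the comment should at least say which file they cover, where they are placed, and that each one is verified (e.g. with `gpg --verify`) before the rsync below runs, or point to the script that does it. This is the last line of the hunk, so any actual verification command that exists further down is outside this view.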