[tbb-commits] [Git][tpo/applications/tor-browser-build][maint-12.0] 3 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts
Richard Pospesel (@richard)
git at gitlab.torproject.org
Tue May 9 20:53:09 UTC 2023
Richard Pospesel pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build
Commits:
24c07ab6 by Nicolas Vigier at 2023-04-20T16:58:30+02:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts
Use separate accounts to store the different keys.
- - - - -
985f768a by Nicolas Vigier at 2023-04-20T16:58:32+02:00
Bug 40841: Set SIGNING_PROJECTNAME=torbrowser in signing scripts
For compatibility with signing scripts on the main branch.
- - - - -
43f474b4 by Nicolas Vigier at 2023-04-20T16:58:33+02:00
Bug 40846: Temporarily disable Windows signing
- - - - -
25 changed files:
- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar
Changes:
=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+ use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+ - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+ sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+ fetch_martools:
+ fetch_martools: |
+ #!/bin/bash
+ echo ok
=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
# vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
input_files:
- filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- filename: timestamping.patch
+ - filename: '[% c("var/srcfile") %]'
+ enable: '[% c("var/no-git") %]'
+
+targets:
+ no-git:
+ git_url: ''
+ var:
+ no-git: 1
+ srcfile: '[% project %]-[% c("version") %].tar.gz'
=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+ use_container: 0
+var:
+ src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+ - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+ sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+ fetch_src:
+ fetch_src: |
+ #!/bin/bash
+ echo ok
=====================================
rbm.conf
=====================================
@@ -84,7 +84,7 @@ var:
build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
build_id_txt: |
[% c("version") %]
- [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+ [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
[% IF c("container/use_container") && ! c("container/global_disable") -%]
[% c("var/container/suite") %]
[% c("var/container/arch") %]
=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
test -f "$steps_dir/linux-signer-signmars.done" ||
read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
- read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+# read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
test -f "$steps_dir/linux-signer-gpg-sign.done" ||
read -sp "Enter gpg passphrase: " GPG_PASS
echo
@@ -193,10 +193,10 @@ do_step dmg2mar
do_step sync-scripts-to-linux-signer
do_step linux-signer-signmars
do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
do_step hash_signed_bundles
do_step sync-after-hash
do_step linux-signer-gpg-sign
=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$tbb_version"
test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
echo
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
cwd=$(pwd)
for i in `find . -name "*.exe" -print`
do
echo "Signing $i"
- echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
- /home/yubihsm/osslsigncode/osslsigncode \
- -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
- -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
- -pass "'$YUBIPASS'" \
- -h sha256 \
- -certs /home/yubihsm/tpo-cert.crt \
- -key 1c40 \
- "$cwd/$i" "$tmpdir/$i" \
- | sudo su - yubihsm
- mv -vf "$tmpdir/$i" "$cwd/$i"
+ sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+ "$YUBIPASS" \
+ "$cwd/$i"
+ cp /home/signing-win/last-signed-file.exe "$cwd/$i"
done
unset YUBIPASS
-rmdir "$tmpdir"
=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
cd ~/"$tbb_version"
test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
do
if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
rm -f "$i.asc"
fi
echo "Signing $i"
- echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+ i="$currentdir/$i"
+ tmpsig=$(mktemp)
+ echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+ mv -f "$tmpsig" "${i}.asc"
done
=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
#!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
set -e
set -u
@@ -10,33 +6,15 @@ set -u
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
-if [ -z "${NSS_DB_DIR+x}" ]; then
- NSS_DB_DIR=/home/boklm/marsigning/nssdb7
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
- NSS_CERTNAME=marsigner
-fi
-
export LC_ALL=C
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
- >&2 echo "Please create and populate the $NSS_DB_DIR directory"
- exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
- export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 3
fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
# Prompt for the NSS password.
# TODO: Test that the entered NSS password is correct. But how? Unfortunately,
@@ -65,9 +43,8 @@ for marfile in *.mar; do
continue;
fi
- echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
- "$marfile" tmp.mar
- mv -f tmp.mar "$marfile"
+ echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+ cp /home/signing-mar/last-signed-mar.mar "$marfile"
COUNT=$((COUNT + 1))
echo "Signed MAR file $COUNT ($marfile)"
done
=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+ echo 'This script should be run as the build-pkgs user' >&2
+ exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug
=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+ echo "$destdir already exists. Doing nothing."
+ exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+ user="$1"
+ groups="$2"
+ id "$user" > /dev/null 2>&1 && return 0
+ test -n "$groups" && groups="--groups $groups"
+ useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+ group="$1"
+ getent group "$group" > /dev/null 2>&1 && return 0
+ groupadd "$group"
+}
+
+function authorized_keys {
+ user="$1"
+ shift
+ tmpfile=$(mktemp)
+ for file in "$@"; do
+ cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+ done
+ sshdir="/home/$user/.ssh"
+ authkeysfile="$sshdir/authorized_keys"
+ if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+ rm "$tmpfile"
+ return 0
+ fi
+ echo "Update authorized_keys for user $user"
+ if ! test -d "$sshdir"; then
+ mkdir "$sshdir"
+ chmod 700 "$sshdir"
+ chown $user:$user "$sshdir"
+ fi
+ mv "$tmpfile" "$authkeysfile"
+ chown $user:$user "$authkeysfile"
+ chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+ sfile="$1"
+ cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+ chown root:root "/etc/sudoers.d/$sfile"
+ chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+ udevrule="$1"
+ rulepath="/etc/udev/rules.d/$udevrule"
+ if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+ cp "$script_dir$rulepath" "$rulepath"
+ udevadm control --reload-rules
+ fi
+}
+
+function install_packages {
+ for pkg in "$@"
+ do
+ dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+ apt-get install -y "$pkg"
+ done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+ libio-handle-util-perl libio-all-perl \
+ libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+ libstring-shellquote-perl libsort-versions-perl \
+ libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+ libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+ yubishm_version=2.4.0
+ sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+ pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+ apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+ ./libyubihsm1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+ ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+ popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+ tmpdir=$(mktemp -d)
+ unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+ chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+ chmod go+rX "$tmpdir/mar-tools"/*
+ mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user at tb-release
=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7nEOKbxQX46guAanVHEfMZL/Udvd3g/HFQnJDDK0Nr+OPe2doGcUs2DD8xxADNihh59fsvVSeerHfe0Fuer039Y2PZNjg1zfm8Gk099zLIJWgZ23Lj59sLmrHQOSgE+VKaLq6OPre9wuhoe0XbiJOmoJRH78TF5GSOidPngLgthrm3rsCAofsJ26DzObVdbKKvR5XmvloBAIiNbvPnyq+0cn6LFSSueRG/v+A9ESl423b6n01msEm8yi5wqUE3ciskRF/IpP8HJV2C2naOgXVLmYw5Ft2NQzRSSgLy+l2mQxU4FTY2SaO7TVlo8aBjxLSHWakZMsnYyWOHrSnpx+l2g2wC2Bw5CwvS4z+n1/u568/UvRvAyZ/i6f7MO56MC9ipaQH165U+Lh4Ra6V82XvOvAtQwr/ts55/ypTzEerNXO5aoRQdnfU+funQEhT80Upqo3Cda+Eexn/thF3B+uCys7gszbWHa0L0WsLmH0vlHOIY/zS34pI2BChaKk237fOMILrY3AdWaK/ZNnkvTks262dMNJiv3WjxoMBvj3M/uOawT+ir2fWoASrcWbWOJcHNcigzWruZ0J4H0tzy7GMizYs2uV7fvTvCvgVyuPtTVb7S61k2PFDozzQaWUkJIs3/OTnfXdvB1d1p/7mK+BuSb8dnNhaklxZWAeMgbSjQw== boklm-yk1
=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+ ./rbm/rbm tar osslsigncode
+ echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+ ./rbm/rbm build --step fetch_martools mar-tools
+ echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+ ./rbm/rbm build yubihsm-shell --step fetch_src
+ echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
=====================================
tools/signing/set-config
=====================================
@@ -2,6 +2,7 @@
. "$script_dir/set-config.hosts"
bundle_locales="ALL"
+export SIGNING_PROJECTNAME=torbrowser
signed_dir="$script_dir/../../$tbb_version_type/signed"
signed_version_dir="$signed_dir/$tbb_version"
@@ -15,3 +16,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers
=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+ echo 'This script should be run as the signing-win user' >&2
+ exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+ echo "File $tpo_cert is missing" >&2
+ exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+ -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+ -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+ -pass "$yubipass" \
+ -h sha256 \
+ -certs "$tpo_cert" \
+ -key 1c40 \
+ "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"
=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+ echo 'This script should be run as the signing-gpg user' >&2
+ exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+ echo "Wrong number of arguments" >&2
+ exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+ echo 'This script should be run as the signing-mar user' >&2
+ exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+ NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+ echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+ exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+ echo "$NSS_DB_DIR is missing" >&2
+ exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+ >&2 echo "Please create $martools_dir"
+ exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/8c7da1d98c5ab30eb3788cea703b60adf0acf2e4...43f474b4a39a37d737659c99794e38d3e6e275b8
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/8c7da1d98c5ab30eb3788cea703b60adf0acf2e4...43f474b4a39a37d737659c99794e38d3e6e275b8
You're receiving this email because of your account on gitlab.torproject.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tbb-commits/attachments/20230509/99745983/attachment-0001.htm>
More information about the tbb-commits
mailing list