[tbb-commits] [Git][tpo/applications/tor-browser-build][maint-12.0] 3 commits: Bug 40841: Add signing machine setup scripts and adapt signing scripts

Richard Pospesel (@richard) git at gitlab.torproject.org
Tue May 9 20:53:09 UTC 2023



Richard Pospesel pushed to branch maint-12.0 at The Tor Project / Applications / tor-browser-build


Commits:
24c07ab6 by Nicolas Vigier at 2023-04-20T16:58:30+02:00
Bug 40841: Add signing machine setup scripts and adapt signing scripts

Use separate accounts to store the different keys.

- - - - -
985f768a by Nicolas Vigier at 2023-04-20T16:58:32+02:00
Bug 40841: Set SIGNING_PROJECTNAME=torbrowser in signing scripts

For compatibility with signing scripts on the main branch.

- - - - -
43f474b4 by Nicolas Vigier at 2023-04-20T16:58:33+02:00
Bug 40846: Temporarily disable Windows signing

- - - - -


25 changed files:

- + projects/mar-tools/config
- projects/osslsigncode/config
- + projects/yubihsm-shell/build
- + projects/yubihsm-shell/config
- rbm.conf
- tools/signing/do-all-signing
- tools/signing/linux-signer-authenticode-signing
- tools/signing/linux-signer-gpg-sign
- tools/signing/linux-signer-signmars
- + tools/signing/machines-setup/build-yubihsm-shell-pkg
- + tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
- + tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
- + tools/signing/machines-setup/setup-osslsigncode
- + tools/signing/machines-setup/setup-signing-machine
- + tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
- + tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
- + tools/signing/machines-setup/ssh-keys/richard.pub
- + tools/signing/machines-setup/sudoers.d/sign-exe
- + tools/signing/machines-setup/sudoers.d/sign-gpg
- + tools/signing/machines-setup/sudoers.d/sign-mar
- + tools/signing/machines-setup/upload-tbb-to-signing-machine
- tools/signing/set-config
- + tools/signing/wrappers/sign-exe
- + tools/signing/wrappers/sign-gpg
- + tools/signing/wrappers/sign-mar


Changes:

=====================================
projects/mar-tools/config
=====================================
@@ -0,0 +1,20 @@
+# vim: filetype=yaml sw=2
+#
+# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
+# to fetch mar-tools for signing machine setup
+#
+version: 12.0.4
+filename: 'mar-tools-linux64.zip'
+container:
+  use_container: 0
+gpg_keyring: torbrowser.gpg
+tag_gpg_id: 1
+input_files:
+  - URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
+    sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
+
+steps:
+  fetch_martools:
+    fetch_martools: |
+      #!/bin/bash
+      echo ok
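Review bot: The `gpg_keyring: torbrowser.gpg` and `tag_gpg_id: 1` lines appear to be inert for this project, since there is no `git_url` and the only input is the zip fetched from archive.torproject.org and checked against the pinned `sha256sum`. If they were carried over from another config, either drop them or add a one-line comment saying why they stay, so nobody assumes a GPG check is happening here. I would also put a comment above `version:` reminding that a version bump must update the hash, e.g. `# Bump sha256sum together with version (take it from the release's published sha256sums file, not from the download)`.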


=====================================
projects/osslsigncode/config
=====================================
@@ -1,5 +1,5 @@
 # vim: filetype=yaml sw=2
-version: '[% c("abbrev") %]'
+version: '[% c("git_hash").substr(0, 12) %]'
 git_url: https://github.com/mtrojnar/osslsigncode
 git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
@@ -15,3 +15,12 @@ var:
 input_files:
   - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
   - filename: timestamping.patch
+  - filename: '[% c("var/srcfile") %]'
+    enable: '[% c("var/no-git") %]'
+
+targets:
+  no-git:
+    git_url: ''
+    var:
+      no-git: 1
+      srcfile: '[% project %]-[% c("version") %].tar.gz'
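Review bot: The new `no-git` target's `srcfile` input carries no `sha256sum`, unlike the mar-tools and yubihsm-shell inputs added in the same commit, so the osslsigncode build on the signing machine accepts whatever `osslsigncode-<hash>.tar.gz` happens to sit in `/signing`. Integrity of the tool that drives the HSM then rests entirely on the rsync channel and on `/signing` being writable only by the `setup` account. If `rbm tar` output for a pinned `git_hash` is reproducible, add a `sha256sum:` line under `filename:` in the target; if it is not, at least have `upload-tbb-to-signing-machine` print the tarball's hash so it can be compared on the signing side.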


=====================================
projects/yubihsm-shell/build
=====================================
@@ -0,0 +1,11 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+distdir=$(pwd)/dist
+tar xf [% project %]-[% c('version') %].tar.gz
+cd [% project %]-[% c('version') %]
+dpkg-buildpackage -us -uc
+mkdir -p "$distdir"
+mv ../*.deb "$distdir"
+dest=[% dest_dir _ '/' _ c('filename') %]
+rm -Rf "$dest"
+mv "$distdir" "$dest"
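Review bot: `mv ../*.deb "$distdir"` right after `dpkg-buildpackage` sweeps up every `.deb` in the parent directory, not only the ones this build produced, and if none match the literal `../*.deb` is passed to `mv` and the script fails with a confusing message. In a fresh rbm build directory that is probably harmless, but `shopt -s nullglob` plus a narrower pattern such as `mv ../yubihsm*.deb ../libyubihsm*.deb "$distdir"` makes the intent explicit. A comment that `-us -uc` deliberately skips signing the source and changes files because the packages are only consumed locally by `setup-signing-machine` would also help.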


=====================================
projects/yubihsm-shell/config
=====================================
@@ -0,0 +1,16 @@
+# vim: filetype=yaml sw=2
+version: 2.4.0
+filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
+container:
+  use_container: 0
+var:
+  src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
+input_files:
+  - URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
+    sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
+
+steps:
+  fetch_src:
+    fetch_src: |
+      #!/bin/bash
+      echo ok
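Review bot: The pinned `sha256sum` is the only integrity check on the Yubico tarball, and nothing records how that value was obtained. If Yubico publishes a detached signature for this release (its Releases directory normally carries `.sig` files next to the tarballs), verify the download against it once and record that in a comment above `input_files:`, e.g. `# sha256 taken after verifying the upstream signature for 2.4.0`, so the next version bump knows what to re-check rather than trusting whatever the download returns.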


=====================================
rbm.conf
=====================================
@@ -84,7 +84,7 @@ var:
   build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
   build_id_txt: |
     [% c("version") %]
-    [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
+    [% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
     [% IF c("container/use_container") && ! c("container/global_disable") -%]
     [% c("var/container/suite") %]
     [% c("var/container/arch") %]


=====================================
tools/signing/do-all-signing
=====================================
@@ -17,9 +17,9 @@ echo
 test -f "$steps_dir/linux-signer-signmars.done" ||
   read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
 echo
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-echo
+#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
+#echo
 test -f "$steps_dir/linux-signer-gpg-sign.done" ||
   read -sp "Enter gpg passphrase: " GPG_PASS
 echo
@@ -193,10 +193,10 @@ do_step dmg2mar
 do_step sync-scripts-to-linux-signer
 do_step linux-signer-signmars
 do_step sync-after-signmars
-do_step linux-signer-authenticode-signing
-do_step sync-after-authenticode-signing
-do_step authenticode-timestamping
-do_step sync-after-authenticode-timestamping
+#do_step linux-signer-authenticode-signing
+#do_step sync-after-authenticode-signing
+#do_step authenticode-timestamping
+#do_step sync-after-authenticode-timestamping
 do_step hash_signed_bundles
 do_step sync-after-hash
 do_step linux-signer-gpg-sign
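Review bot: With the four authenticode steps commented out, `hash_signed_bundles` and `linux-signer-gpg-sign` still run unchanged over `.exe` files that are no longer Authenticode-signed, so the pipeline will GPG-sign and hash unsigned Windows binaries without any warning. Since Bug 40846 calls this temporary, prefer a guarded skip over dead code, e.g. `test -n "${SKIP_AUTHENTICODE:-}" || do_step linux-signer-authenticode-signing` for each of the four steps, and print a loud warning when the skip is active so a release run cannot silently forget it. The commented `read -sp` block near the top should be gated by the same variable, so the two places cannot drift apart when signing is re-enabled.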


=====================================
tools/signing/linux-signer-authenticode-signing
=====================================
@@ -9,26 +9,14 @@ cd ~/"$tbb_version"
 test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
 echo
 
-tmpdir=$(mktemp -d)
-chgrp yubihsm "$tmpdir"
-chmod g+rwx "$tmpdir"
-
 cwd=$(pwd)
 for i in `find . -name "*.exe" -print`
 do
   echo "Signing $i"
-  echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
-       /home/yubihsm/osslsigncode/osslsigncode \
-                 -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
-                 -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
-                 -pass "'$YUBIPASS'" \
-                 -h sha256 \
-                 -certs /home/yubihsm/tpo-cert.crt \
-                 -key 1c40 \
-                 "$cwd/$i" "$tmpdir/$i" \
-                 | sudo su - yubihsm
-  mv -vf "$tmpdir/$i" "$cwd/$i"
+  sudo -u signing-win -- "$wrappers_dir/sign-exe" \
+                 "$YUBIPASS" \
+                 "$cwd/$i"
+  cp /home/signing-win/last-signed-file.exe "$cwd/$i"
 done
 
 unset YUBIPASS
-rmdir "$tmpdir"
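Review bot: Passing `"$YUBIPASS"` as a positional argument to `sudo -u signing-win -- "$wrappers_dir/sign-exe"` exposes the YubiHSM password in the process list of every account on the signing machine and, because sudo logs the full command line, in the auth log for every signed file. The gpg and mar wrappers introduced in this same commit take their secret on stdin; do the same here, `printf '%s\n' "$YUBIPASS" | sudo -u signing-win -- "$wrappers_dir/sign-exe" "$cwd/$i"`, with a matching `read` in the wrapper. The `` for i in `find . -name "*.exe" -print` `` loop also word-splits on whitespace; `find . -name '*.exe' -print0 | while IFS= read -r -d '' i` is the safe form. Whether this script has `set -e` is not visible in the hunk, so confirm that a failing wrapper cannot be followed by the `cp` of a stale `last-signed-file.exe` from a previous run.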


=====================================
tools/signing/linux-signer-gpg-sign
=====================================
@@ -7,6 +7,7 @@ source "$script_dir/functions"
 cd ~/"$tbb_version"
 
 test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
+currentdir=$(pwd)
 for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
 do
   if test -f "$i.asc"
@@ -15,5 +16,8 @@ do
     rm -f "$i.asc"
   fi
   echo "Signing $i"
-  echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
+  i="$currentdir/$i"
+  tmpsig=$(mktemp)
+  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
+  mv -f "$tmpsig" "${i}.asc"
 done
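Review bot: `tmpsig=$(mktemp)` creates the file with mode 0600 and `mv -f "$tmpsig" "${i}.asc"` preserves that, so the `.asc` files are now unreadable by other accounts whereas the previous `gpg -b` wrote them under the normal umask; add `chmod 644 "$tmpsig"` before the `mv`. The `mv` also runs whether or not the wrapper succeeded unless this script has `set -e` above the hunk (not visible here), which would leave an empty `.asc` next to the bundle; an explicit `|| { rm -f "$tmpsig"; exit 1; }` on the `sudo` line makes that independent of shell options. Note that `signing-gpg` must be able to read `$i` inside the signing user's home directory, so this now depends on that directory tree staying world-readable.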


=====================================
tools/signing/linux-signer-signmars
=====================================
@@ -1,8 +1,4 @@
 #!/bin/bash
-#
-#
-# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
-# (if you don't want to use the default values).
 
 set -e
 set -u
@@ -10,33 +6,15 @@ set -u
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
 
-if [ -z "${NSS_DB_DIR+x}" ]; then
-  NSS_DB_DIR=/home/boklm/marsigning/nssdb7
-fi
-
-if [ -z "${NSS_CERTNAME+x}" ]; then
-  NSS_CERTNAME=marsigner
-fi
-
 export LC_ALL=C
 
-# Check some prerequisites.
-if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
-  >&2 echo "Please create and populate the $NSS_DB_DIR directory"
-  exit 2
-fi
-
-# Extract the MAR tools so we can use the signmar program.
-MARTOOLS_TMP_DIR=$(mktemp -d)
-trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
-MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
-unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
-export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
-if [ -z "${LD_LIBRARY_PATH+x}" ]; then
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
-else
-  export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 3
 fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
 
 # Prompt for the NSS password.
 # TODO: Test that the entered NSS password is correct.  But how?  Unfortunately,
@@ -65,9 +43,8 @@ for marfile in *.mar; do
     continue;
   fi
 
-  echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
-    "$marfile" tmp.mar
-  mv -f tmp.mar "$marfile"
+  echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
+  cp /home/signing-mar/last-signed-mar.mar "$marfile"
   COUNT=$((COUNT + 1))
   echo "Signed MAR file $COUNT ($marfile)"
 done
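Review bot: The `martools_dir` check and the `LD_LIBRARY_PATH`/`PATH` exports that remain in this script are duplicated in `wrappers/sign-mar`, and they never reach it anyway because `sudo` runs with `env_reset` by default and strips `LD_LIBRARY_PATH`. If nothing else in this script calls the mar tools directly (the loop body that decides `continue` is cut off above this hunk), drop the block and let the wrapper be the single place that knows where `signmar` lives. The `cp /home/signing-mar/last-signed-mar.mar "$marfile"` line relies on `set -e` to avoid copying a stale output from an earlier run when the wrapper fails; a comment saying so, `# set -e above guarantees the wrapper succeeded before we copy its output`, would help the next reader.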


=====================================
tools/signing/machines-setup/build-yubihsm-shell-pkg
=====================================
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'build-pkgs'; then
+  echo 'This script should be run as the build-pkgs user' >&2
+  exit 1
+fi
+
+destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/build-pkgs
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+mkdir -p out/yubihsm-shell
+cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
+./rbm/rbm build yubihsm-shell
+yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
+rm -Rf "$destdir"
+mkdir -p $(dirname $destdir)
+mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
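Review bot: `mkdir -p $(dirname $destdir)` on the second-to-last line is unquoted; `mkdir -p "$(dirname "$destdir")"` is the safe spelling, and the `rm -Rf "$destdir"` two lines above is a no-op because the script already returned early when that directory exists. More importantly the build runs `debian/rules` from the Yubico tarball unsandboxed (`use_container: 0`) as `build-pkgs`, so the `sha256sum` pin in `projects/yubihsm-shell/config` is the only thing between that tarball and code execution under this account; a header comment stating that `build-pkgs` is a dedicated unprivileged account for exactly this reason would make the design intent explicit.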


=====================================
tools/signing/machines-setup/etc/udev/rules.d/70-yubikey.rules
=====================================
@@ -0,0 +1,2 @@
+ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
+ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
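Review bot: The product-ID list in both rules (0010, 0110, …, 0410) appears to cover YubiKey models, while the YubiHSM 2 that `yubihsm_pkcs11.conf` addresses through `yhusb://` is, per Yubico's own udev rules, `1050:0030`; I do not see that ID here, so `signing-win` (group `yubihsm`) may have no access to the HSM unless another rule on the machine supplies it. Check with `lsusb` on the signing machine and, if it is missing, add `ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0030", MODE="0660", GROUP="yubihsm"`. The file name `70-yubikey.rules` suggests the content was lifted from a YubiKey setup; a header comment naming the device each rule targets would prevent this from recurring.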


=====================================
tools/signing/machines-setup/etc/yubihsm_pkcs11.conf
=====================================
@@ -0,0 +1,5 @@
+connector = yhusb://
+#debug
+#dinout
+#libdebug
+#debug-file = /tmp/yubihsm_pkcs11_debug


=====================================
tools/signing/machines-setup/setup-osslsigncode
=====================================
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 1
+fi
+
+destdir=/home/signing-win/osslsigncode
+if test -d "$destdir"; then
+  echo "$destdir already exists. Doing nothing."
+  exit 0
+fi
+
+cd /home/signing-win
+tar xf /signing/tor-browser-build.tar
+cd tor-browser-build
+tar xf /signing/rbm.tar
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+mkdir -p out/osslsigncode
+cp "/signing/$osslsigncodefile" out/osslsigncode
+./rbm/rbm build osslsigncode --target no-git
+osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
+cd /home/signing-win
+tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
+chmod -R 755 /home/signing-win/osslsigncode
+echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
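Review bot: `./rbm/rbm build osslsigncode --target no-git` runs as `signing-win`, the account that is in group `yubihsm` and owns `tpo-cert.crt`, so autotools and make from the source tarball execute with access to the HSM device. The commit already introduces a dedicated `build-pkgs` account for yubihsm-shell; build osslsigncode there as well and have `setup-signing-machine` copy the resulting tree into `/home/signing-win/osslsigncode` as root, so the signing account never runs a build. `chmod -R 755` on the last lines is fine for the binaries but also marks every extracted file executable; `chmod -R a+rX` keeps directory traversal and existing execute bits without adding more.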


=====================================
tools/signing/machines-setup/setup-signing-machine
=====================================
@@ -0,0 +1,134 @@
+#!/bin/bash
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+function create_user {
+  user="$1"
+  groups="$2"
+  id "$user" > /dev/null 2>&1 && return 0
+  test -n "$groups" && groups="--groups $groups"
+  useradd -s /bin/bash -m "$user" $groups
+}
+
+function create_group {
+  group="$1"
+  getent group "$group" > /dev/null 2>&1 && return 0
+  groupadd "$group"
+}
+
+function authorized_keys {
+  user="$1"
+  shift
+  tmpfile=$(mktemp)
+  for file in "$@"; do
+    cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
+  done
+  sshdir="/home/$user/.ssh"
+  authkeysfile="$sshdir/authorized_keys"
+  if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
+    rm "$tmpfile"
+    return 0
+  fi
+  echo "Update authorized_keys for user $user"
+  if ! test -d "$sshdir"; then
+    mkdir "$sshdir"
+    chmod 700 "$sshdir"
+    chown $user:$user "$sshdir"
+  fi
+  mv "$tmpfile" "$authkeysfile"
+  chown $user:$user "$authkeysfile"
+  chmod 600 "$authkeysfile"
+}
+
+function sudoers_file {
+  sfile="$1"
+  cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
+  chown root:root "/etc/sudoers.d/$sfile"
+  chmod 0440 "/etc/sudoers.d/$sfile"
+}
+
+function udev_rule {
+  udevrule="$1"
+  rulepath="/etc/udev/rules.d/$udevrule"
+  if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
+    cp "$script_dir$rulepath" "$rulepath"
+    udevadm control --reload-rules
+  fi
+}
+
+function install_packages {
+  for pkg in "$@"
+  do
+    dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
+    apt-get install -y "$pkg"
+  done
+}
+
+install_packages build-essential rsync unzip
+install_packages sudo vim tmux gnupg
+
+create_user setup
+authorized_keys setup boklm-yk1.pub
+mkdir -p /signing
+chmod 0755 /signing
+chown setup /signing
+
+create_user yubihsm
+create_group yubihsm
+udev_rule 70-yubikey.rules
+
+create_user signing
+create_group signing
+create_user signing-gpg
+create_user signing-mar
+create_user signing-win yubihsm
+
+
+sudoers_file sign-gpg
+sudoers_file sign-mar
+sudoers_file sign-exe
+
+authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
+create_user richard signing
+authorized_keys richard richard.pub
+
+# Install rbm deps
+install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
+                 libio-handle-util-perl libio-all-perl \
+                 libio-captureoutput-perl libjson-perl libpath-tiny-perl \
+                 libstring-shellquote-perl libsort-versions-perl \
+                 libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
+                 libfile-copy-recursive-perl libfile-slurp-perl
+
+# Install deps for building osslsigncode
+install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
+sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
+
+# Packages needed for windows signing
+install_packages opensc libengine-pkcs11-openssl
+
+# Install deps for building yubihsm-shell
+install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
+
+# Build and install yubihsm-pkcs11 package
+create_user build-pkgs
+if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
+  yubishm_version=2.4.0
+  sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
+  pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
+  apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
+    ./libyubihsm1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-http1_${yubishm_version}_amd64.deb \
+    ./libyubihsm-usb1_${yubishm_version}_amd64.deb
+  popd
+fi
+
+# install mar-tools
+if ! test -d /home/signing-mar/mar-tools; then
+  tmpdir=$(mktemp -d)
+  unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
+  chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
+  chmod go+rX "$tmpdir/mar-tools"/*
+  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
+fi
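Review bot: The three `sudoers_file` rules grant `%signing` NOPASSWD execution of wrappers under `/signing/tor-browser-build/…`, but `/signing` is `chown setup` a few lines earlier and its contents are extracted by the `setup` account over ssh, so whoever holds that account (key `boklm-yk1.pub`) can rewrite `sign-gpg`/`sign-mar`/`sign-exe` and run arbitrary code as the three key-holding users; since root also runs this very script out of that tree, `setup` is root-equivalent in practice and a header comment should say so. Install the wrappers into a root-owned location at setup time and point the sudoers files (and `wrappers_dir` in `set-config`) there, so a later compromise of `setup` does not silently hand out the keys. Also add `test "$(id -u)" = 0 || { echo 'run as root' >&2; exit 1; }` at the top, since the sibling scripts check their user and this one does not, and fix the `yubishm_version` typo, ideally by reading `./rbm/rbm showconf yubihsm-shell version` instead of duplicating `2.4.0`.
```shell
# … unchanged: package installation, user and group creation …

# The sudoers rules run these NOPASSWD as the key-holding accounts, so they
# must live somewhere only root can write; /signing is writable by 'setup'.
wrappers_dst=/usr/local/lib/tbb-signing/wrappers
install -d -m 0755 -o root -g root "$wrappers_dst"
for w in sign-gpg sign-mar sign-exe; do
  install -m 0755 -o root -g root "$script_dir/../wrappers/$w" "$wrappers_dst/$w"
done

# … unchanged: sudoers_file sign-gpg / sign-mar / sign-exe (their command paths updated to $wrappers_dst) …
```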


=====================================
tools/signing/machines-setup/ssh-keys/boklm-tb-release.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user at tb-release


=====================================
tools/signing/machines-setup/ssh-keys/boklm-yk1.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa 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 boklm-yk1


=====================================
tools/signing/machines-setup/ssh-keys/richard.pub
=====================================
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a


=====================================
tools/signing/machines-setup/sudoers.d/sign-exe
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-win env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
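Review bot: The command path `/signing/tor-browser-build/tools/signing/wrappers/sign-exe` lies in a tree that `setup-signing-machine` hands to the unprivileged `setup` user (`chown setup /signing`), so this NOPASSWD rule lets anyone who can write that file run code as `signing-win`, the HSM-holding account. sudo does not refuse non-root-owned commands, so point the rule at a root-owned copy installed by the setup script, e.g. `%signing ALL = (signing-win) NOPASSWD: /usr/local/lib/tbb-signing/wrappers/sign-exe`. The same concern applies to the sign-gpg and sign-mar rules.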


=====================================
tools/signing/machines-setup/sudoers.d/sign-gpg
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
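Review bot: `Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME` keeps a variable that `wrappers/sign-gpg` on this branch never reads (the key `0xe53d989a9e2d47bf!` is hard-coded), so on maint-12.0 it is dead configuration; if it exists only for parity with main, say so in a comment, e.g. `# SIGNING_PROJECTNAME is consumed by the main-branch wrapper to select the key`. The command path has the same ownership problem as the other two rules: it sits under `/signing`, which is writable by the `setup` account rather than root, so the NOPASSWD grant is only as strong as that account.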


=====================================
tools/signing/machines-setup/sudoers.d/sign-mar
=====================================
@@ -0,0 +1,2 @@
+Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
+%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar


=====================================
tools/signing/machines-setup/upload-tbb-to-signing-machine
=====================================
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Upload tor-browser-build directory from current HEAD commit and other
+# dependencies to signing machine
+set -e
+
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+cd "$script_dir/../../.."
+tmpdir=$(mktemp -d)
+tbbtar=$tmpdir/tor-browser-build.tar
+git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
+
+echo "Created $tbbtar"
+
+make submodule-update
+osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
+if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
+  ./rbm/rbm tar osslsigncode
+  echo "Created $osslsigncodefile"
+fi
+
+cd rbm
+git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
+echo "Created rbm.tar"
+cd ..
+
+martools_filename=mar-tools-linux64.zip
+if ! test -f "./out/mar-tools/$martools_filename"; then
+  ./rbm/rbm build --step fetch_martools mar-tools
+  echo "Downloaded $martools_filename"
+fi
+
+yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
+if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
+  ./rbm/rbm build yubihsm-shell --step fetch_src
+  echo "Fetched $yubihsm_filename"
+fi
+
+signing_machine='linux-signer'
+setup_user='setup'
+signing_dir='/signing'
+
+echo "Uploading $osslsigncodefile to $signing_machine"
+chmod go+r "./out/osslsigncode/$osslsigncodefile"
+rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+echo "Uploading rbm.tar to $signing_machine"
+rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+echo "Uploading $martools_filename"
+chmod go+r "./out/mar-tools/$martools_filename"
+rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+echo "Uploading $yubihsm_filename"
+chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
+rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+echo "Uploading tor-browser-build.tar to $signing_machine"
+scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
+echo "Extracting tor-browser-build.tar on $signing_machine"
+ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
+echo "You can now run this command on $signing_machine to update signing machine setup:"
+echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
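Review bot: `tmpdir=$(mktemp -d)` near the top is never removed, so every upload leaves a full `tor-browser-build.tar` and `rbm.tar` behind in `/tmp`; add `trap 'rm -rf -- "$tmpdir"' EXIT` right after it. The script ships `git archive HEAD` without recording which commit that was, which matters because the extracted tree is what the sudoers rules execute; print `git rev-parse HEAD` and include it in the closing hint so the wrappers on the signing machine can be compared against the repository. On the remote side `tar -C $signing_dir -xf` overwrites files but never removes ones deleted upstream, so stale scripts survive in `/signing/tor-browser-build`; consider removing the old tree before extracting.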


=====================================
tools/signing/set-config
=====================================
@@ -2,6 +2,7 @@
 . "$script_dir/set-config.hosts"
 
 bundle_locales="ALL"
+export SIGNING_PROJECTNAME=torbrowser
 
 signed_dir="$script_dir/../../$tbb_version_type/signed"
 signed_version_dir="$signed_dir/$tbb_version"
@@ -15,3 +16,4 @@ test -z "${NON_INTERACTIVE:-}" || rsync_progress="--progress"
 rsync_options="-avH ${rsync_progress:-} ${DRY_RUN:-}"
 
 tb_builders='boklm dan henry ma1 pierov richard'
+wrappers_dir=/signing/tor-browser-build/tools/signing/wrappers


=====================================
tools/signing/wrappers/sign-exe
=====================================
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 2; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-win'; then
+  echo 'This script should be run as the signing-win user' >&2
+  exit 2
+fi
+
+yubipass="$1"
+to_sign_exe="$2"
+
+tpo_cert=/home/signing-win/tpo-cert.crt
+
+if ! test -f "$tpo_cert"; then
+  echo "File $tpo_cert is missing" >&2
+  exit 2
+fi
+
+output_signed_exe=/home/signing-win/last-signed-file.exe
+rm -f "$output_signed_exe"
+
+export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
+/home/signing-win/osslsigncode/bin/osslsigncode \
+  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
+  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
+  -pass "$yubipass" \
+  -h sha256 \
+  -certs "$tpo_cert" \
+  -key 1c40 \
+  "$to_sign_exe" "$output_signed_exe"
+
+chmod 644 "$output_signed_exe"


=====================================
tools/signing/wrappers/sign-gpg
=====================================
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 2
+fi
+
+if test $(whoami) != 'signing-gpg'; then
+  echo 'This script should be run as the signing-gpg user' >&2
+  exit 1
+fi
+
+exec gpg --homedir /home/signing-gpg/.gnupg -absu 0xe53d989a9e2d47bf! --batch --no-tty -o- --passphrase-fd 0 -- "$1"
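Review bot: `--passphrase-fd 0` with `--batch` needs `--pinentry-mode loopback` on GnuPG 2.1+ unless the agent is configured to allow loopback, and the new machine is built from scratch (`install_packages ... gnupg`), so verify these carried-over flags actually work with the target GnuPG before a release depends on them; if they do, a comment recording the tested gpg version will save the next debugging session. The wrapper also ignores `SIGNING_PROJECTNAME` even though the sudoers file goes out of its way to keep it; note in a comment that the key is intentionally fixed on this branch. Finally, check the argument before the `exec`, `test -f "$1" || { echo "$1: not a regular file" >&2; exit 3; }`, so misuse fails here rather than inside gpg.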


=====================================
tools/signing/wrappers/sign-mar
=====================================
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+if test "$#" -ne 1; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+if test $(whoami) != 'signing-mar'; then
+  echo 'This script should be run as the signing-mar user' >&2
+  exit 2
+fi
+
+output_signed_mar=/home/signing-mar/last-signed-mar.mar
+rm -f "$output_signed_mar"
+
+if test "$SIGNING_PROJECTNAME" = 'torbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/torbrowser-nssdb7
+elif test "$SIGNING_PROJECTNAME" = 'mullvadbrowser'; then
+  NSS_DB_DIR=/home/signing-mar/nssdb/mullvadbrowser-nssdb-1
+else
+  echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"
+  exit 3
+fi
+NSS_CERTNAME=marsigner
+
+if ! test -d "$NSS_DB_DIR"; then
+  echo "$NSS_DB_DIR is missing" >&2
+  exit 3
+fi
+
+martools_dir=/home/signing-mar/mar-tools
+if ! test -d "$martools_dir"; then
+  >&2 echo "Please create $martools_dir"
+  exit 4
+fi
+export LD_LIBRARY_PATH="$martools_dir"
+export PATH="$martools_dir:$PATH"
+
+"$martools_dir/signmar" -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s "$1" "$output_signed_mar"
+chmod 644 "$output_signed_mar"
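Review bot: `echo "Unknown SIGNING_PROJECTNAME: $SIGNING_PROJECTNAME"` goes to stdout while every other diagnostic in this script goes to stderr; add `>&2`, and since the script lacks `set -u` an unset variable silently takes the `else` branch with an empty name in the message, so `set -u` next to `set -e` is worth adding. The `martools_dir` check and `LD_LIBRARY_PATH`/`PATH` exports are duplicated in the caller `linux-signer-signmars`, but only this copy is effective under sudo's `env_reset`; a comment stating that this wrapper owns that setup would stop someone "fixing" it in the caller. Exit code 3 is reused for two different failures (unknown project, missing NSS db); distinct codes make a failed `do-all-signing` run easier to pinpoint.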


