[tbb-commits] [Git][tpo/applications/tor-browser-build][main] 2 commits: Bug 41030: Add script to download a torbrowser/mullvadbrowser release
richard (@richard)
git at gitlab.torproject.org
Thu Nov 30 12:46:29 UTC 2023
richard pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
07898fd4 by Nicolas Vigier at 2023-11-30T11:59:45+01:00
Bug 41030: Add script to download a torbrowser/mullvadbrowser release
- - - - -
93819f81 by Nicolas Vigier at 2023-11-30T11:59:49+01:00
Bug 41030: Add make targets to unsign and compare exe files
- - - - -
6 changed files:
- Makefile
- doc/MAKEFILE.txt
- + projects/release/compare_windows_signed_unsigned_exe
- projects/release/config
- + tools/download-mullvadbrowser
- + tools/download-torbrowser
Changes:
=====================================
Makefile
=====================================
@@ -229,6 +229,12 @@ torbrowser-dmg2mar-alpha: submodule-update
tools/update-responses/download_missing_versions alpha
CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
+torbrowser-compare-windows-signed-unsigned-release: submodule-update
+ $(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target torbrowser
+
+torbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+ $(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target torbrowser
+
########################
# Base Browser Targets #
@@ -557,6 +563,12 @@ mullvadbrowser-dmg2mar-alpha: submodule-update
tools/update-responses/download_missing_versions alpha
CHECK_CODESIGNATURE_EXISTS=1 MAR_SKIP_EXISTING=1 tools/update-responses/gen_incrementals alpha
+mullvadbrowser-compare-windows-signed-unsigned-release: submodule-update
+ $(rbm) build release --step compare_windows_signed_unsigned_exe --target release --target signed --target mullvadbrowser
+
+mullvadbrowser-compare-windows-signed-unsigned-alpha: submodule-update
+ $(rbm) build release --step compare_windows_signed_unsigned_exe --target alpha --target signed --target mullvadbrowser
+
############################
# Toolchain Update Targets #
=====================================
doc/MAKEFILE.txt
=====================================
@@ -136,3 +136,8 @@ Create update responses xml files for a signed build in the release or
alpha channel. The files can be found in a tar in the directory
torbrowser/{release,alpha}/update-responses.
+torbrowser-compare-windows-signed-unsigned-{release,alpha}
+----------------------------------------------------------
+Unsign exe files from directory torbrowser/{release,alpha}/signed/$version
+and compare them with the checksum from sha256sums-unsigned-build.txt.
+
=====================================
projects/release/compare_windows_signed_unsigned_exe
=====================================
@@ -0,0 +1,30 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+[% IF c("var/nightly") -%]
+ build_dir=[% shell_quote(path(dest_dir)) %]/[% c("version") %]
+[% ELSE -%]
+ build_dir=[% shell_quote(path(dest_dir)) %]/[% c("var/signed_status") %]/[% c("version") %]
+[% END -%]
+
+if ! test -d "$build_dir"
+then
+ echo "Error: Directory $build_dir does not exist" 1>&2
+ echo "You can download it with this command:" 1>&2
+ echo " ./tools/download-[% c("var/projectname") %] [% c("var/torbrowser_version") %]" 1>&2
+ exit 1
+fi
+
+cp -a "$build_dir"/*.exe "$build_dir"/sha256sums-unsigned-build.txt .
+
+tar -xf $rootdir/[% c('input_files_by_name/osslsigncode') %]
+
+for file in *.exe
+do
+ ./osslsigncode/bin/osslsigncode remove-signature -in "$file" -out "unsigned-$file" > /dev/null
+ mv -f "unsigned-$file" "$file"
+ echo "Unsigned $file"
+done
+
+grep '\.exe$' sha256sums-unsigned-build.txt | sha256sum -c
+
+echo "Unsigned exe files are matching with sha256sums-unsigned-build.txt"
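Review bot: The final `sha256sum -c` only checks the `.exe` names listed in sha256sums-unsigned-build.txt, so an `.exe` copied from `$build_dir` with no line in that file is unsigned by the loop but never compared, and the success message is still printed. A count check before the last `echo` would close that gap, for example `test "$(ls *.exe | wc -l)" -eq "$(grep -c '\.exe$' sha256sums-unsigned-build.txt)"`. The sums file is also used exactly as found in `$build_dir`, and this step does not check its signature. A comment such as `# sha256sums-unsigned-build.txt is trusted as found in $build_dir; tools/download-* verifies its GPG signature` would make that assumption explicit for directories populated some other way.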
=====================================
projects/release/config
=====================================
@@ -263,3 +263,11 @@ steps:
debug: 0
input_files: []
upload_sha256sums: '[% INCLUDE upload_sha256sums %]'
+ compare_windows_signed_unsigned_exe:
+ build_log: '-'
+ debug: 0
+ input_files:
+ - project: osslsigncode
+ name: osslsigncode
+ pkg_type: build
+ compare_windows_signed_unsigned_exe: '[% INCLUDE compare_windows_signed_unsigned_exe %]'
=====================================
tools/download-mullvadbrowser
=====================================
@@ -0,0 +1 @@
+download-torbrowser
\ No newline at end of file
=====================================
tools/download-torbrowser
=====================================
@@ -0,0 +1,100 @@
+#!/usr/bin/perl -w
+
+# This script downloads a torbrowser or mullvadbrowser release, checking
+# its signature
+
+use strict;
+use English;
+use LWP::Simple;
+use IO::CaptureOutput qw(capture_exec);
+use File::Temp;
+use File::Basename qw(fileparse);
+use FindBin;
+use File::Path qw(make_path);
+use File::Copy;
+use Path::Tiny;
+use Digest::SHA qw(sha256_hex);
+
+
+sub exit_error {
+ print STDERR "Error: ", $_[0], "\n";
+ chdir '/';
+ exit (exists $_[1] ? $_[1] : 1);
+}
+
+sub gpg_verify_file {
+ my ($file) = @_;
+ if (system('gpg', '--no-default-keyring', '--keyring',
+ "$FindBin::Bin/../keyring/torbrowser.gpg", '--verify',
+ "$file.asc",
+ $file)) {
+ exit_error "Error checking gpg signature for file $file";
+ }
+}
+
+my $progname = fileparse($PROGRAM_NAME);
+my ($projectname) = $progname =~ m/^download-(.+)$/;
+if (@ARGV != 1) {
+ print STDERR "usage: $progname <version>\n";
+ exit 1;
+}
+
+my $version = $ARGV[0];
+my $version_type = $version =~ m/a/ ? 'alpha' : 'release';
+my $destdir = "$FindBin::Bin/../$projectname/$version_type/signed/$version";
+my $urldir = "https://archive.torproject.org/tor-package-archive/$projectname/$version";
+
+make_path($destdir);
+my $tmpdir = File::Temp->newdir(DIR => "$FindBin::Bin/../tmp");
+
+foreach my $file (qw(sha256sums-signed-build.txt sha256sums-signed-build.txt.asc
+ sha256sums-unsigned-build.txt sha256sums-unsigned-build.txt.asc)) {
+ if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+ exit_error "Error downloading $urldir/$file";
+ }
+}
+gpg_verify_file("$tmpdir/sha256sums-signed-build.txt");
+move "$tmpdir/sha256sums-signed-build.txt.asc", "$destdir/sha256sums-signed-build.txt.asc";
+move "$tmpdir/sha256sums-signed-build.txt", "$destdir/sha256sums-signed-build.txt";
+gpg_verify_file("$tmpdir/sha256sums-unsigned-build.txt");
+move "$tmpdir/sha256sums-unsigned-build.txt.asc", "$destdir/sha256sums-unsigned-build.txt.asc";
+move "$tmpdir/sha256sums-unsigned-build.txt", "$destdir/sha256sums-unsigned-build.txt";
+
+foreach my $file (qw(sha256sums-signed-build.incrementals.txt
+ sha256sums-signed-build.incrementals.txt.asc
+ sha256sums-unsigned-build.incrementals.txt
+ sha256sums-unsigned-build.incrementals.txt.asc)) {
+ if (getstore("$urldir/$file", "$tmpdir/$file") != 200) {
+ last;
+ }
+}
+if (-f "$tmpdir/sha256sums-signed-build.incrementals.txt.asc") {
+ gpg_verify_file("$tmpdir/sha256sums-signed-build.incrementals.txt");
+ move "$tmpdir/sha256sums-signed-build.incrementals.txt.asc", "$destdir/sha256sums-signed-build.incrementals.txt.asc";
+ move "$tmpdir/sha256sums-signed-build.incrementals.txt", "$destdir/sha256sums-signed-build.incrementals.txt";
+}
+if (-f "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc") {
+ gpg_verify_file("$tmpdir/sha256sums-unsigned-build.incrementals.txt");
+ move "$tmpdir/sha256sums-unsigned-build.incrementals.txt.asc", "$destdir/sha256sums-unsigned-build.incrementals.txt.asc";
+ move "$tmpdir/sha256sums-unsigned-build.incrementals.txt", "$destdir/sha256sums-unsigned-build.incrementals.txt";
+}
+
+my @sha256_lines = path("$destdir/sha256sums-signed-build.txt")->lines;
+push @sha256_lines, path("$destdir/sha256sums-signed-build.incrementals.txt")->lines
+ if -f "$destdir/sha256sums-signed-build.incrementals.txt";
+my %sums = map { chomp; reverse split ' ', $_ } @sha256_lines;
+
+foreach my $file (sort keys %sums) {
+ if (-f "$destdir/$file") {
+ print "Not downloading $file (already there)\n";
+ next;
+ }
+ print "Downloading $file\n";
+ exit_error "Error downloading $urldir/$file\n"
+ unless getstore("$urldir/$file", "$tmpdir/$file") == 200;
+ exit_error "Wrong checksum for $file"
+ unless $sums{$file} eq sha256_hex(path("$tmpdir/$file")->slurp);
+ move "$tmpdir/$file", "$destdir/$file";
+}
+
+print "Finished downloading $projectname $version in $destdir\n";
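Review bot: Files already present in `$destdir` are skipped at `if (-f "$destdir/$file")` without being hashed, so a stale or modified file left there is still counted in the final "Finished downloading" message. Checking it against the signed list before `next` keeps the guarantee uniform: `exit_error "Wrong checksum for $file" unless $sums{$file} eq sha256_hex(path("$destdir/$file")->slurp);`. Separately, `$version` goes straight from `@ARGV` into `$destdir` and `$urldir`, and `$projectname` is undef when the script runs under a name that does not match `download-*`. An anchored check on both before `make_path` (for instance rejecting a version that contains `/`) would stop a directory from being created outside the intended tree. The return values of `move` are not checked either, so a failed move after a good signature only surfaces later, when the file is read from `$destdir`.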
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/95fcf1388a6e8f6d5ce8a9bacf854c1d5bd972d0...93819f811d7dc40fb08a6ada55754b1dfb0c89dc