[tor-bugs] #18925 [Webpages/Website]: Add instructions for removing the code signing parts of OS X bundles and MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 30 03:40:51 UTC 2018


#18925: Add instructions for removing the code signing parts of OS X bundles and
MAR files
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:
                                                 |  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Webpages/Website                     |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  website-content, GeorgKoppen201806,  |  Actual Points:
  TorBrowserTeam201806                           |
Parent ID:  #17413                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by traumschule):

 I cannot test it right now, but I used
 [http://blog.smalleycreative.com/administration/automating-osx-part-one/
 this guide] some time ago for testing an Ansible role with Travis. Here's
 my draft:
 {{{
 set -e
 # Tests the checksum of our generated mar files on macOS

 # settings
 tbbversion=8.0a10
 lang=en-US
 distdomain=https://dist.torproject.org
 #distdomain=http://rqef5a5mebgq46y5
 dmgurl="$distdomain/torbrowser/$tbbversion/TorBrowser-$tbbversion-osx64_$lang.dmg"
 martoolsurl="http://rqef5a5mebgq46y5.onion/torbrowser/$tbbversion/mar-tools-mac64.zip"
 sumsurl="$distdomain/torbrowser/$tbbversion/sha256sums-signed-build.txt"

 # Assuming this is run by a CI that supports it, the cache is mounted beforehand.
 cache="$(pwd)/cache"
 dmgfile="$cache/$(basename "$dmgurl")"
 mountpath="/Volumes/$dmgfile" # TODO may differ
 signedmarfile="signed-mar-file.mar"
 # Braces keep the shell from reading "$tbbversion_" as a variable name
 unsignedmarfile="tor-browser-osx64-${tbbversion}_$lang.mar"

 # preparation
 [ -n "$cache" ] && [ -d "$cache" ] || mkdir "$cache"
 cd "$cache"
 wget "$martoolsurl"
 wget "$dmgurl"
 wget "$sumsurl"
 wget "$sumsurl.asc"
 sumfile="$cache/$(basename "$sumsurl")"

 gpg --recv-keys 0x4E2C6E8793298290
 # gpg --verify reports on stderr, so test its exit status instead of
 # grepping stdout for "Good signature"
 if ! gpg --verify "$sumfile.asc" "$sumfile"
 then echo "Signature verification failed: $sumfile"; exit 1; fi

 martoolszip="$(basename "$martoolsurl")"
 [ -n "$martoolszip" ] || exit 1
 [ -f "$martoolszip" ] || exit 1
 unzip "$martoolszip" # should extract to mar-tools
 [ -f mar-tools/marsign ] || exit 1
 marpath="$cache/mar-tools"

 # dmgfile already contains the cache path
 hdiutil mount -nobrowse "$dmgfile"
 cd "$mountpath"
 export LD_LIBRARY_PATH=$marpath
 "$marpath/marsign" -r "$signedmarfile" "$unsignedmarfile"
 # String comparison (!=); -ne only compares integers
 if [ "$(sha256sum "$unsignedmarfile")" != "$(grep "$unsignedmarfile" "$sumfile")" ]
 then echo "sha256sum does not match: $unsignedmarfile"; exit 1; fi
 }}}
 Would that work?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18925#comment:60>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

