The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2022-12-09T13:20:14Zhttps://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/18820Integrate code signing into the release process2022-12-09T13:20:14ZGeorg KoppenIntegrate code signing into the release processWe should integrate the OS X code signing as good as we can into our release process. We have the following pieces at the moment
1) We create a .dmg file as the result of our build process
2) We have a signing machine where these files ...We should integrate the OS X code signing as good as we can into our release process. We have the following pieces at the moment
1) We create a .dmg file as the result of our build process
2) We have a signing machine where these files need to get transferred to
3) We need to sign the TorBrowser.app inside the .dmg file
4) We need to ship the .dmg file with the signed app
Taking these into account it seems quite cumbersome to automate this even a bit. But maybe there is something I am missing.
This ticket is not about signing/removing the signature in a reproducible fashion. Getting this going is very likely a separate fun task.https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/16820Torbutton design page outdated for 4 years2021-06-14T13:57:18ZcypherpunksTorbutton design page outdated for 4 yearshttps://www.torproject.org/docs/torbutton/en/design/
This page has not been updated in over 4 years....really needs one.https://www.torproject.org/docs/torbutton/en/design/
This page has not been updated in over 4 years....really needs one.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40000Gitlab Migration Milestone2020-06-16T01:26:47ZTracGitlab Migration MilestoneWe're creating this ticket as a part of the Trac-to-Gitlab migration, so that each project's numbering for new tickets will start with 40001.We're creating this ticket as a part of the Trac-to-Gitlab migration, so that each project's numbering for new tickets will start with 40001.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34451Include Tor Browser Manual in packages during build2022-12-08T15:15:25ZMatthew FinkelInclude Tor Browser Manual in packages during buildIn tor-browser#11698 we are discussing of what we need to bundle an offline manual.
My proposal is to limit the changes on tor-browser, and inject the "compiled" manual during the build.
The rationale behind this is it's a simple solut...In tor-browser#11698 we are discussing of what we need to bundle an offline manual.
My proposal is to limit the changes on tor-browser, and inject the "compiled" manual during the build.
The rationale behind this is it's a simple solution, Tor Browser has its own pace for changes, and the manual has another one, they have different requirements, not doubling the efforts is always good, especially with localization, etc...
The main disadvantage I see is that injecting contents into `omni.ja` is a bit hackish.
(It also make creating dev builds outside tor-browser-build more difficult, but contrarily to NoScript/HTTPS-E, the manual isn't a funding TBB part).
So, for this issue, first we need to setup a new project to build the manual in all languages.
We discussed about using the same tools used for the website (e.g., lektor), but with a slightly different configuration.
In particular, since the URLs of `omni.ja` contents are quite ugly/really not meaningful to the users, we'd like to serve the manual through an `about:` page.
However, I _think_ that associating multiple HTML files with a single about page could be involved (I'm not sure how slashes are handled by `nsAboutRedirector`).
So, since lektor can create single page sites, we should investigate about such configuration.
Stylesheets, images and any scripts will need to have the correct `chrome://` URL.
The second part of this issue is modifying the `tor-browser` project to inject the manual in the `omni.ja`.Pier Angelo VendramePier Angelo Vendramehttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34399Electrum-NMC can't make outgoing connections on Python 3.8+2020-06-27T14:43:22ZJeremyRandElectrum-NMC can't make outgoing connections on Python 3.8+The Electrum-NMC version in Tor Browser is affected by this bug: https://github.com/kyuupichan/aiorpcX/pull/32 . The gist is that Electrum-NMC fails to properly initialize random SOCKS authentication when on Python 3.8+, which causes al...The Electrum-NMC version in Tor Browser is affected by this bug: https://github.com/kyuupichan/aiorpcX/pull/32 . The gist is that Electrum-NMC fails to properly initialize random SOCKS authentication when on Python 3.8+, which causes all outgoing connections to ElectrumX servers to fail with a Python exception. Thus, no Namecoin resolution is possible with those Python versions.
The `master-3.3.11` branch of Electrum-NMC contains a backported fix, which should be usable for Tor Browser. I'll submit a patch for `tor-browser-build` that bumps the Electrum-NMC dependency shortly.
Thanks to yanmaani for reporting the bug.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34398Harden our code signing on macOS2023-11-02T07:25:49ZGeorg KoppenHarden our code signing on macOSWhile legacy/trac#32506 might be not doable during our transition to ESR 78 we might be able to pick up some improvements nevertheless, see:
https://hg.mozilla.org/releases/mozilla-beta/rev/497690887467ccf0709d71fdb1b20d0647388df9While legacy/trac#32506 might be not doable during our transition to ESR 78 we might be able to pick up some improvements nevertheless, see:
https://hg.mozilla.org/releases/mozilla-beta/rev/497690887467ccf0709d71fdb1b20d0647388df9https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34368Improve authenticode-signing script to better check for a signature2023-11-01T19:18:57ZGeorg KoppenImprove authenticode-signing script to better check for a signatureOur current `authenticode-signing.sh` script checks two things at the moment:
1) Whether a .exe is still unsigned
2) Whether removing a signature (using `osslsigncode remove-signature`) is producing the same SHA-256 sum as outlined in t...Our current `authenticode-signing.sh` script checks two things at the moment:
1) Whether a .exe is still unsigned
2) Whether removing a signature (using `osslsigncode remove-signature`) is producing the same SHA-256 sum as outlined in the SHA-256 sums file.
If both conditions hold it concludes that the bundles are properly signed.
There are ways for improvement here. While I think it's important to check that removing the signature provides the expected unsigned SHA-256 we could try to check the signature directly.
`osslsigncode verify -require-leaf-hash` comes to mind. We should investigate, though, how that behaves in case of truncated/broken signatures or no signatures at all.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34367Use ossligncode's -readpass option2022-12-08T15:15:29ZGeorg KoppenUse ossligncode's -readpass optionI think we should switch to `osslsigncode`'s `-readpass` option to have a better setup when dealing with our passphrase for access to our signing key.I think we should switch to `osslsigncode`'s `-readpass` option to have a better setup when dealing with our passphrase for access to our signing key.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34356Consider bundling Python binary on GNU/Linux2023-01-05T15:02:07ZJeremyRandConsider bundling Python binary on GNU/LinuxNamecoin (specifically Electrum-NMC) currently requires Python 3.6+, which is not yet universally available. To avoid incompatibility issues on older GNU/Linux distros, it may be worth considering bundling a Python 3.6+ binary with Tor ...Namecoin (specifically Electrum-NMC) currently requires Python 3.6+, which is not yet universally available. To avoid incompatibility issues on older GNU/Linux distros, it may be worth considering bundling a Python 3.6+ binary with Tor Browser when building with Namecoin is enabled.
(This would have also avoided legacy/trac#33749.)https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34355Update entitlement files and other signing related pieces for 9.5 changes and...2023-01-05T15:05:37ZGeorg KoppenUpdate entitlement files and other signing related pieces for 9.5 changes and include fixupsWe have a bunch of scripts in our `tor-browser-build` repo (in `tools/signing`) which show how we do currently a bunch of signing related jobs.
We should update the things that need update for 9.5/10.0a1 (probably both on `master` and, ...We have a bunch of scripts in our `tor-browser-build` repo (in `tools/signing`) which show how we do currently a bunch of signing related jobs.
We should update the things that need update for 9.5/10.0a1 (probably both on `master` and, where applicable, on `maint-9.5` for stable) and go over the `README` again (typo fixing).https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34353Create a new subkey for our Tor Browser GPG key2022-12-08T15:15:27ZGeorg KoppenCreate a new subkey for our Tor Browser GPG keyThe currently used GPG subkey for signing our packages is expiring in a couple of weeks. We should create and deploy a new one.The currently used GPG subkey for signing our packages is expiring in a couple of weeks. We should create and deploy a new one.Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34301Fix shellcheck issues in our tor-browser-build scripts2023-01-05T15:03:10ZGeorg KoppenFix shellcheck issues in our tor-browser-build scriptsWe add more and more shell scripts for different tasks into our `tor-browser-build` repo, which is great. We should go over the already existing ones and fix `shellcheck` issues.
This is the parent ticket for that effort.We add more and more shell scripts for different tasks into our `tor-browser-build` repo, which is great. We should go over the already existing ones and fix `shellcheck` issues.
This is the parent ticket for that effort.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34203Some of the static libraries we build are not reproducible2023-01-05T14:34:24ZGeorg KoppenSome of the static libraries we build are not reproducibleI just realized that the `.a` archives we create (e.g.) for `libevent` on android are not reproducible while their contents are. We should fix that as it makes it easier to compare results and spot problems.
While we are at it we should...I just realized that the `.a` archives we create (e.g.) for `libevent` on android are not reproducible while their contents are. We should fix that as it makes it easier to compare results and spot problems.
While we are at it we should check other outputs as well as I bet not only `lilbevent` is affected.
FWIW: In the `libevent` case it seems timestamps play a role when creating the `.a` files.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34187Update zlib build script to pick up new android toolchain2020-07-18T00:04:04ZGeorg KoppenUpdate zlib build script to pick up new android toolchainIt seems in order to pick up the new android toolchain we need to update our `zlib` project as well.It seems in order to pick up the new android toolchain we need to update our `zlib` project as well.Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34110Investigate `./mach android gradle-dependencies` for our use cases2022-08-03T12:18:56ZGeorg KoppenInvestigate `./mach android gradle-dependencies` for our use casesMozilla has a neat way of automating the gradle dependencies it needs during build time and making them available: https://firefox-source-docs.mozilla.org/build/buildsystem/toolchains.html#firefox-for-android-with-gradle
We should think...Mozilla has a neat way of automating the gradle dependencies it needs during build time and making them available: https://firefox-source-docs.mozilla.org/build/buildsystem/toolchains.html#firefox-for-android-with-gradle
We should think about how we could use that either just for Fenix or in general for our mobile related projects.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34052Create a fonts tarball during tor browser build process2023-01-05T15:05:49ZboklmCreate a fonts tarball during tor browser build processTor Browser for Linux/Windows/macOS includes a specific list of fonts, which we get using `projects/fonts/`.
To make packaging for other OSs such as OpenBSD and NetBSD easier, we can create and distribute a tarball containing the fonts ...Tor Browser for Linux/Windows/macOS includes a specific list of fonts, which we get using `projects/fonts/`.
To make packaging for other OSs such as OpenBSD and NetBSD easier, we can create and distribute a tarball containing the fonts from the linux build.
An other file we might want to include in/with this tarball is `projects/tor-browser/Bundle-Data/linux/Data/fontconfig/fonts.conf`.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34051Generate list of all dependencies and additional files2023-11-07T12:36:49ZMatthew FinkelGenerate list of all dependencies and additional filesExternal Tor Browser packages (for other platforms) would find it helpful if we produce a list of all dependencies used for building Tor Browser for a platform and if those dependencies were built using custom patches. This list should i...External Tor Browser packages (for other platforms) would find it helpful if we produce a list of all dependencies used for building Tor Browser for a platform and if those dependencies were built using custom patches. This list should include any additional files we inject into the final packages (such as licenses, start script, fonts, etc.).https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34046Sign commits with gpg2023-01-05T15:06:47ZboklmSign commits with gpgAs discussed in ticket:25102#comment:20, we should sign all top commits from branches that are used in nightly builds.As discussed in ticket:25102#comment:20, we should sign all top commits from branches that are used in nightly builds.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34014Support sqlite3 in our python project2020-07-18T00:04:07ZGeorg KoppenSupport sqlite3 in our python projectPython3 we use needs sqlite3 support now.Python3 we use needs sqlite3 support now.Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34013Bump node version to v10.21.02020-07-18T00:04:08ZGeorg KoppenBump node version to v10.21.0Update our node version to what is used in mozilla-central.Update our node version to what is used in mozilla-central.Georg KoppenGeorg Koppen