Unverified Commit 24c07ab6 authored by boklm's avatar boklm

Bug 40841: Add signing machine setup scripts and adapt signing scripts

Use separate accounts to store the different keys.
parent 8c7da1d9
1 merge request!710Bug 40841: Add signing machine setup scripts and adapt signing scripts
Showing
with 337 additions and 50 deletions
# vim: filetype=yaml sw=2
#
# Used by tools/signing/machines-setup/upload-tbb-to-signing-machine
# to fetch mar-tools for signing machine setup
#
version: 12.0.4
filename: 'mar-tools-linux64.zip'
container:
use_container: 0
gpg_keyring: torbrowser.gpg
tag_gpg_id: 1
input_files:
- URL: 'https://archive.torproject.org/tor-package-archive/torbrowser/[% c("version") %]/mar-tools-linux64.zip'
sha256sum: 726ec4192de61a9342b3262c7ac722cbd59eaba07879be9589c65599d2d69584
steps:
fetch_martools:
fetch_martools: |
#!/bin/bash
echo ok
# vim: filetype=yaml sw=2
version: '[% c("abbrev") %]'
version: '[% c("git_hash").substr(0, 12) %]'
git_url: https://github.com/mtrojnar/osslsigncode
git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
......@@ -15,3 +15,12 @@ var:
input_files:
- filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
- filename: timestamping.patch
- filename: '[% c("var/srcfile") %]'
enable: '[% c("var/no-git") %]'
targets:
no-git:
git_url: ''
var:
no-git: 1
srcfile: '[% project %]-[% c("version") %].tar.gz'
#!/bin/bash
[% c("var/set_default_env") -%]
distdir=$(pwd)/dist
tar xf [% project %]-[% c('version') %].tar.gz
cd [% project %]-[% c('version') %]
dpkg-buildpackage -us -uc
mkdir -p "$distdir"
mv ../*.deb "$distdir"
dest=[% dest_dir _ '/' _ c('filename') %]
rm -Rf "$dest"
mv "$distdir" "$dest"
# vim: filetype=yaml sw=2
version: 2.4.0
filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %]'
container:
use_container: 0
var:
src_filename: 'yubihsm-shell-[% c("version") %].tar.gz'
input_files:
- URL: 'https://developers.yubico.com/yubihsm-shell/Releases/[% c("var/src_filename") %]'
sha256sum: 319bb2ff2a7af5ecb949a170b181a6ee7c0b44270e31cf10d0840360b1b3b5e0
steps:
fetch_src:
fetch_src: |
#!/bin/bash
echo ok
......@@ -84,7 +84,7 @@ var:
build_id: '[% sha256(c("var/build_id_txt", { num_procs => 4 })).substr(0, 6) %]'
build_id_txt: |
[% c("version") %]
[% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
[% IF c("git_url") || c("hg_url"); GET c("abbrev"); END; %]
[% IF c("container/use_container") && ! c("container/global_disable") -%]
[% c("var/container/suite") %]
[% c("var/container/arch") %]
......@@ -9,26 +9,14 @@ cd ~/"$tbb_version"
test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
echo
tmpdir=$(mktemp -d)
chgrp yubihsm "$tmpdir"
chmod g+rwx "$tmpdir"
cwd=$(pwd)
for i in `find . -name "*.exe" -print`
do
echo "Signing $i"
echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
/home/yubihsm/osslsigncode/osslsigncode \
-pkcs11engine /usr/lib/engines/engine_pkcs11.so \
-pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
-pass "'$YUBIPASS'" \
-h sha256 \
-certs /home/yubihsm/tpo-cert.crt \
-key 1c40 \
"$cwd/$i" "$tmpdir/$i" \
| sudo su - yubihsm
mv -vf "$tmpdir/$i" "$cwd/$i"
sudo -u signing-win -- "$wrappers_dir/sign-exe" \
"$YUBIPASS" \
"$cwd/$i"
cp /home/signing-win/last-signed-file.exe "$cwd/$i"
done
unset YUBIPASS
rmdir "$tmpdir"
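Review bot: The YubiHSM password is handed to the wrapper as a command-line argument (`"$YUBIPASS"` on the line after `sudo -u signing-win`), so it is visible to every local user in the process list and, because the call now goes through sudo, also lands in the sudo log entry for each invocation. The sibling sign-gpg and sign-mar callers in this commit pipe their secret on stdin instead; doing the same here keeps it out of argv, e.g. `echo "$YUBIPASS" | sudo -u signing-win -- "$wrappers_dir/sign-exe" "$cwd/$i"`, assuming the wrapper (not shown) is adjusted to read it from stdin. The handoff through the fixed path `/home/signing-win/last-signed-file.exe` (same pattern as `last-signed-mar.mar` in sign-mar) means two concurrent runs would silently overwrite each other's output; a per-invocation name, or a check that the copied file is the one just signed, would avoid that. The enclosing `for` loop starts inside this hunk, but the script's `set -e` state and `$wrappers_dir` are defined outside it.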
......@@ -7,6 +7,7 @@ source "$script_dir/functions"
cd ~/"$tbb_version"
test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
currentdir=$(pwd)
for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`
do
if test -f "$i.asc"
......@@ -15,5 +16,8 @@ do
rm -f "$i.asc"
fi
echo "Signing $i"
echo "$GPG_PASS" | gpg -absu 0xe53d989a9e2d47bf! --batch --no-tty --passphrase-fd 0 $i
i="$currentdir/$i"
tmpsig=$(mktemp)
echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
mv -f "$tmpsig" "${i}.asc"
done
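Review bot: `mktemp` creates `$tmpsig` with mode 0600 and `mv -f` keeps that mode, so every `${i}.asc` now ends up owner-readable only, whereas gpg previously wrote the `.asc` next to the file under the caller's umask; if a later publishing step reads these files as another user or relies on group/world read, they will be unreadable. A `chmod 644 "$tmpsig"` (or a mode copied from `$i`) before the `mv -f` restores the old permissions. On wrapper failure the partially written `$tmpsig` is either left behind in the temp directory (under `set -e`) or moved into place as an empty signature (without it); `echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig" || { rm -f "$tmpsig"; exit 1; }` covers both cases. The `for` loop's header is in the earlier hunk and the script's `set -e` state is outside this view.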
#!/bin/bash
#
#
# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script
# (if you don't want to use the default values).
set -e
set -u
......@@ -10,33 +6,15 @@ set -u
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
source "$script_dir/functions"
if [ -z "${NSS_DB_DIR+x}" ]; then
NSS_DB_DIR=/home/boklm/marsigning/nssdb7
fi
if [ -z "${NSS_CERTNAME+x}" ]; then
NSS_CERTNAME=marsigner
fi
export LC_ALL=C
# Check some prerequisites.
if [ ! -r "$NSS_DB_DIR/cert9.db" ]; then
>&2 echo "Please create and populate the $NSS_DB_DIR directory"
exit 2
fi
# Extract the MAR tools so we can use the signmar program.
MARTOOLS_TMP_DIR=$(mktemp -d)
trap "rm -rf $MARTOOLS_TMP_DIR" EXIT
MARTOOLS_ZIP=~/gitian-builder/inputs/mar-tools-new-linux32.zip
unzip -d "$MARTOOLS_TMP_DIR" -q "$MARTOOLS_ZIP"
export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH"
if [ -z "${LD_LIBRARY_PATH+x}" ]; then
export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools"
else
export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH"
martools_dir=/home/signing-mar/mar-tools
if ! test -d "$martools_dir"; then
>&2 echo "Please create $martools_dir"
exit 3
fi
export LD_LIBRARY_PATH="$martools_dir"
export PATH="$martools_dir:$PATH"
# Prompt for the NSS password.
# TODO: Test that the entered NSS password is correct. But how? Unfortunately,
......@@ -65,9 +43,8 @@ for marfile in *.mar; do
continue;
fi
echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \
"$marfile" tmp.mar
mv -f tmp.mar "$marfile"
echo "$NSSPASS" | sudo -u signing-mar -- "$wrappers_dir/sign-mar" "$marfile"
cp /home/signing-mar/last-signed-mar.mar "$marfile"
COUNT=$((COUNT + 1))
echo "Signed MAR file $COUNT ($marfile)"
done
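Review bot: `export LD_LIBRARY_PATH="$martools_dir"` replaces any LD_LIBRARY_PATH already in the environment, while the removed lines preserved it by appending; if dropping it is deliberate now that signmar runs inside the wrapper, a one-line comment would stop the next reader from restoring the old form, e.g. `# mar-tools is the only library dir this script needs; an inherited LD_LIBRARY_PATH is intentionally dropped`. The "Please create $martools_dir" message could point at `machines-setup/setup-signing-machine`, which is what populates that directory in this commit. The `for marfile in *.mar` loop starts outside the last hunk, so its `set -e` handling of a failed wrapper call cannot be checked from here.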
#!/bin/bash
set -e
if test $(whoami) != 'build-pkgs'; then
echo 'This script should be run as the build-pkgs user' >&2
exit 1
fi
destdir=/home/build-pkgs/packages/yubihsm-shell-pkgs
if test -d "$destdir"; then
echo "$destdir already exists. Doing nothing."
exit 0
fi
cd /home/build-pkgs
tar xf /signing/tor-browser-build.tar
cd tor-browser-build
tar xf /signing/rbm.tar
yubihsm_src_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
mkdir -p out/yubihsm-shell
cp "/signing/$yubihsm_src_filename" out/yubihsm-shell
./rbm/rbm build yubihsm-shell
yubihsm_out_filename=$(./rbm/rbm showconf yubihsm-shell filename)
rm -Rf "$destdir"
mkdir -p $(dirname $destdir)
mv -f "out/yubihsm-shell/$yubihsm_out_filename" "$destdir"
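Review bot: `mkdir -p $(dirname $destdir)` leaves both expansions unquoted, and `test $(whoami) != 'build-pkgs'` becomes a syntax error rather than a clean failure if `whoami` prints nothing; the quoted forms are `mkdir -p "$(dirname "$destdir")"` and `test "$(whoami)" != 'build-pkgs'`. The same unquoted `whoami` test appears in setup-osslsigncode. The `rm -Rf "$destdir"` near the end is dead in practice because the script exits earlier when `$destdir` exists; dropping it, or documenting it as a guard against a half-finished previous run, would make the intent clear.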
ACTION=="add|change", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", MODE="0660", GROUP="yubihsm"
connector = yhusb://
#debug
#dinout
#libdebug
#debug-file = /tmp/yubihsm_pkcs11_debug
#!/bin/bash
set -e
if test $(whoami) != 'signing-win'; then
echo 'This script should be run as the signing-win user' >&2
exit 1
fi
destdir=/home/signing-win/osslsigncode
if test -d "$destdir"; then
echo "$destdir already exists. Doing nothing."
exit 0
fi
cd /home/signing-win
tar xf /signing/tor-browser-build.tar
cd tor-browser-build
tar xf /signing/rbm.tar
osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
mkdir -p out/osslsigncode
cp "/signing/$osslsigncodefile" out/osslsigncode
./rbm/rbm build osslsigncode --target no-git
osslscbuild=$(./rbm/rbm showconf osslsigncode filename --target no-git)
cd /home/signing-win
tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"
chmod -R 755 /home/signing-win/osslsigncode
echo "Extracted osslsigncode to /home/signing-win/osslsigncode"
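Review bot: `tar xf "tor-browser-build/out/osslsigncode/$osslscbuild"` assumes the rbm output is an archive that unpacks to `osslsigncode/`, but the projects/osslsigncode/build script shown earlier in this commit moves a directory of `.deb` files to `$dest`; which side of that diff those lines belong to is not recoverable from this rendering, so confirm that the two agree and state in a comment what layout the archive is expected to have. `chmod -R 755` also marks every file executable, sources and patches included; `chmod -R u=rwX,go=rX` gives the same readability for other accounts without that.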
#!/bin/bash
set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
function create_user {
user="$1"
groups="$2"
id "$user" > /dev/null 2>&1 && return 0
test -n "$groups" && groups="--groups $groups"
useradd -s /bin/bash -m "$user" $groups
}
function create_group {
group="$1"
getent group "$group" > /dev/null 2>&1 && return 0
groupadd "$group"
}
function authorized_keys {
user="$1"
shift
tmpfile=$(mktemp)
for file in "$@"; do
cat "$script_dir/ssh-keys/$file" >> "$tmpfile"
done
sshdir="/home/$user/.ssh"
authkeysfile="$sshdir/authorized_keys"
if diff "$tmpfile" "$authkeysfile" > /dev/null 2>&1; then
rm "$tmpfile"
return 0
fi
echo "Update authorized_keys for user $user"
if ! test -d "$sshdir"; then
mkdir "$sshdir"
chmod 700 "$sshdir"
chown $user:$user "$sshdir"
fi
mv "$tmpfile" "$authkeysfile"
chown $user:$user "$authkeysfile"
chmod 600 "$authkeysfile"
}
function sudoers_file {
sfile="$1"
cp "$script_dir/sudoers.d/$sfile" "/etc/sudoers.d/$sfile"
chown root:root "/etc/sudoers.d/$sfile"
chmod 0440 "/etc/sudoers.d/$sfile"
}
function udev_rule {
udevrule="$1"
rulepath="/etc/udev/rules.d/$udevrule"
if ! diff "$script_dir$rulepath" "$rulepath" > /dev/null 2>&1; then
cp "$script_dir$rulepath" "$rulepath"
udevadm control --reload-rules
fi
}
function install_packages {
for pkg in "$@"
do
dpkg-query -s "$pkg" 2> /dev/null | grep -q '^Status: .* installed' && continue
apt-get install -y "$pkg"
done
}
install_packages build-essential rsync unzip
install_packages sudo vim tmux gnupg
create_user setup
authorized_keys setup boklm-yk1.pub
mkdir -p /signing
chmod 0755 /signing
chown setup /signing
create_user yubihsm
create_group yubihsm
udev_rule 70-yubikey.rules
create_user signing
create_group signing
create_user signing-gpg
create_user signing-mar
create_user signing-win yubihsm
sudoers_file sign-gpg
sudoers_file sign-mar
sudoers_file sign-exe
authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
create_user richard signing
authorized_keys richard richard.pub
# Install rbm deps
install_packages libyaml-libyaml-perl libtemplate-perl libdatetime-perl \
libio-handle-util-perl libio-all-perl \
libio-captureoutput-perl libjson-perl libpath-tiny-perl \
libstring-shellquote-perl libsort-versions-perl \
libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
libfile-copy-recursive-perl libfile-slurp-perl
# Install deps for building osslsigncode
install_packages autoconf libtool pkg-config libssl-dev libcurl4-openssl-dev
sudo -u signing-win /signing/tor-browser-build/tools/signing/machines-setup/setup-osslsigncode
# Packages needed for windows signing
install_packages opensc libengine-pkcs11-openssl
# Install deps for building yubihsm-shell
install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec
# Build and install yubihsm-pkcs11 package
create_user build-pkgs
if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
yubishm_version=2.4.0
sudo -u build-pkgs /signing/tor-browser-build/tools/signing/machines-setup/build-yubihsm-shell-pkg
pushd /home/build-pkgs/packages/yubihsm-shell-pkgs
apt-get install -y ./yubihsm-pkcs11_${yubishm_version}_amd64.deb \
./libyubihsm1_${yubishm_version}_amd64.deb \
./libyubihsm-http1_${yubishm_version}_amd64.deb \
./libyubihsm-usb1_${yubishm_version}_amd64.deb
popd
fi
# install mar-tools
if ! test -d /home/signing-mar/mar-tools; then
tmpdir=$(mktemp -d)
unzip -d "$tmpdir" /signing/mar-tools-linux64.zip
chown -R signing-mar:signing-mar "$tmpdir/mar-tools"
chmod go+rX "$tmpdir/mar-tools"/*
mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
fi
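Review bot: `sudoers_file` copies straight into /etc/sudoers.d without a syntax check; a malformed fragment there makes sudo refuse every command on the machine, which is painful to recover on a host that is administered through `sudo --` as the final message of upload-tbb-to-signing-machine suggests. Add `visudo -cf "$script_dir/sudoers.d/$sfile"` before the `cp` so the script aborts under `set -e` instead. `authorized_keys boklm …` is the only account handled here without a preceding `create_user`; if that user is expected to exist already, a comment saying so would help, otherwise `mkdir "$sshdir"` fails on a fresh machine. The `.deb` files installed by root at the `apt-get install -y ./yubihsm-pkcs11_…` step are built under the unprivileged build-pkgs account, so anything that can write `/home/build-pkgs/packages` becomes root; that is worth stating in a comment as an accepted trust assumption, or closing by checking the package hashes before installing.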
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwAicsGXrffx9W5vXDUmE/+JP8qvbXp1oCY6eO+vuSwZ5aF7U1jXoEUdhaeytacO9ibhsBsUcC2F9ulzhUk08AKC9ylKf8vfxFMIaTu0kSo983kr+KWpeUgJijY4uwPCyZgwMZi2imTBa/ilmTxzh3Bd1WL2F2BljntdT85sfUOfZT5IEbZs5/eD+aVEbJne9fVK5M3N4fBlRwUAiCpTPe5Eqo1ZxJc3RQB+0wy+VQBJEx0MXrF/WOoyhe8OKpBCg4hraRQVP/PvO5hpVMxgEuC/AWejKB71fwjEfdZlilGqhPVbCK7+uDGfwll2FoRbNTbQRPW6rNYSStpYmP2xVSzJrMVnmEqecltTOEHaNZtrz1N2H79RyRwdx0mdA4DraI4okjgxv/O5yM5uarmW3Nadyr5ddG/9kjmgRv4s4Y94OWzEPk4kS6XMGn5ALecr2NJzlR64QtG7NO8YCRVnseEeDS8nWvDQsdM4lFroko6iDb01HjvyVJJg4jsasw5g8= user@tb-release
ssh-rsa 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 boklm-yk1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo+S69a6A3fBaft5va/iZIjRjgn4xLMZ4wszr6HZImJWr7lvSUCOy+3wCp/ABRHuYfhMsrR+YwrW/Ixdu/MqkSOSzhVxVhwoAAgQjxHcOucGzanpdl2ezEPbYtXSnI5XOw/CdYqeDVdK9wZFbADpHxECHu45Knc1dQ9VTbQzA3b6CNZE4Otv1B1gwydfqPIAoM7R4g6HAHK8i50PWczgRqiPMNtoZUYAKDKhSXIaP3gdefKpePHf/KynXYTEwpdYBnxHcC0RbjzvfY5e0oO9Y9/QuXZmSGRTGf7FT8P03gItNKfaEeeSn219M0/xPypODogN9JCg1reTP1UqtOxYSJ YubiKey #18117406 PIV Slot 9a
Defaults>signing-win env_keep += SIGNING_PROJECTNAME
%signing ALL = (signing-win) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-exe
Defaults>signing-gpg env_keep += SIGNING_PROJECTNAME
%signing ALL = (signing-gpg) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-gpg
Defaults>signing-mar env_keep += SIGNING_PROJECTNAME
%signing ALL = (signing-mar) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-mar
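Review bot: The three NOPASSWD rules point at wrappers under /signing, a tree that setup-signing-machine chowns to the `setup` user and that upload-tbb-to-signing-machine extracts as `setup` over ssh, so whoever holds the `setup` key effectively decides what runs as signing-gpg, signing-mar and signing-win; sudo does not refuse a rule because its target script is writable by a non-root user. That is probably an accepted assumption given that root runs the same tree, but it deserves a comment at the top of each fragment, e.g. `# Wrapper lives under /signing (owned by setup); anyone who can write there can run as this account`. Making /signing root-owned after extraction, or having the setup script copy the wrappers into a root-owned directory, would narrow it.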
#!/bin/bash
# Upload tor-browser-build directory from current HEAD commit and other
# dependencies to signing machine
set -e
script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd "$script_dir/../../.."
tmpdir=$(mktemp -d)
tbbtar=$tmpdir/tor-browser-build.tar
git archive --prefix=tor-browser-build/ --output="$tbbtar" HEAD .
echo "Created $tbbtar"
make submodule-update
osslsigncodefile=$(./rbm/rbm showconf osslsigncode --target no-git var/srcfile)
if ! test -f "./out/osslsigncode/$osslsigncodefile"; then
./rbm/rbm tar osslsigncode
echo "Created $osslsigncodefile"
fi
cd rbm
git archive --prefix=rbm/ --output="$tmpdir/rbm.tar" HEAD .
echo "Created rbm.tar"
cd ..
martools_filename=mar-tools-linux64.zip
if ! test -f "./out/mar-tools/$martools_filename"; then
./rbm/rbm build --step fetch_martools mar-tools
echo "Downloaded $martools_filename"
fi
yubihsm_filename=$(./rbm/rbm showconf yubihsm-shell var/src_filename)
if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
./rbm/rbm build yubihsm-shell --step fetch_src
echo "Fetched $yubihsm_filename"
fi
signing_machine='linux-signer'
setup_user='setup'
signing_dir='/signing'
echo "Uploading $osslsigncodefile to $signing_machine"
chmod go+r "./out/osslsigncode/$osslsigncodefile"
rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
echo "Uploading rbm.tar to $signing_machine"
rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
echo "Uploading $martools_filename"
chmod go+r "./out/mar-tools/$martools_filename"
rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
echo "Uploading $yubihsm_filename"
chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
echo "Uploading tor-browser-build.tar to $signing_machine"
scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
echo "Extracting tor-browser-build.tar on $signing_machine"
ssh "$setup_user@$signing_machine" tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar
echo "You can now run this command on $signing_machine to update signing machine setup:"
echo " sudo -- $signing_dir/tor-browser-build/tools/signing/machines-setup/setup-signing-machine"
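Review bot: `tmpdir=$(mktemp -d)` holds a full `git archive` of the repository plus rbm.tar and is never removed, so each run leaves a copy of the tree in the temp directory; `trap 'rm -rf -- "$tmpdir"' EXIT` right after the `mktemp -d` line fixes that. The remote `tar -C $signing_dir -xf …` extracts over whatever is already in /signing/tor-browser-build, so files deleted from the repository (an old wrapper or sudoers fragment, say) survive on the signing machine; removing the old tree first, `ssh "$setup_user@$signing_machine" "rm -rf -- $signing_dir/tor-browser-build && tar -C $signing_dir -xf $signing_dir/tor-browser-build.tar"`, avoids running stale signing scripts. The two `$signing_dir` uses on that ssh line are also unquoted.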