Bug 41324: Improve build signing ergonomics

3af0e5b3 · ma1 · 4e8172c9 · 3af0e5b3 · 3af0e5b3 · 3af0e5b3
Verified Commit 3af0e5b3 authored 8 months ago by ma1
--- a/.gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
+++ b/.gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
@@ -208,7 +208,7 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch
    ```
  - **Subject**
    ```
-    New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)
+    New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed)
    ```
  - **Body**
    ```
@@ -219,6 +219,8 @@ Mullvad Browser Alpha (and Nightly) are on the `main` branch
    - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}
    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}

+    * https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-responses
+
    changelog:
    # paste changelog as quote here
    ...

--- a/.gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
+++ b/.gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
@@ -208,7 +208,7 @@ Mullvad Browser Stable is on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWS
    ```
  - **Subject**
    ```
-    New build: Mullvad Browser ${MULLVAD_BROWSER_VERION} (signed)
+    New build: Mullvad Browser ${MULLVAD_BROWSER_VERSION} (signed)
    ```
  - **Body**
    ```
@@ -217,7 +217,9 @@ Mullvad Browser Stable is on the `maint-${MULLVAD_BROWSER_MAJOR}.${MULLVAD_BROWS
    Branch+Tags have been pushed to Mullvad's GitHub repo.

    - signed builds: https://dist.torproject.org/mullvadbrowser/${MULLVAD_BROWSER_VERSION}
-    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}
+    - update_response hashes: ${MULLVAD_UPDATE_RESPONSES_HASH}*
+
+    * https://gitlab.torproject.org/tpo/applications/mullvad-browser-update-responses

    changelog:
    # paste changelog as quote here

--- a/.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
+++ b/.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
@@ -223,9 +223,9 @@ Tor Browser Alpha (and Nightly) are on the `main` branch

 ```bash
 # Point OSSLSIGNCODE to your osslsigncode binary
-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION
 OSSLSIGNCODE=/path/to/osslsigncode
-../../../tools/authenticode_check.sh
+../../../../tools/authenticode_check.sh
 popd
 ```

@@ -234,14 +234,15 @@ popd
    <summary>Check whether the MAR files got properly signed</summary>

 ```bash
-# Point NSSDB to your nssdb containing the mar signing certificate
+# Point NSS_DB_DIR to your nssdb dir containing the mar signing certificate
+# (check tools/marsigning_check.sh source code for details)
 # Point SIGNMAR to your signmar binary
 # Point LD_LIBRARY_PATH to your mar-tools directory
-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION
 NSSDB=/path/to/nssdb
 SIGNMAR=/path/to/mar-tools/signmar
 LD_LIBRARY_PATH=/path/to/mar-tools/
-../../../tools/marsigning_check.sh
+../../../../tools/marsigning_check.sh
 popd
 ```


--- a/.gitlab/issue_templates/Release Prep - Tor Browser Legacy.md
+++ b/.gitlab/issue_templates/Release Prep - Tor Browser Legacy.md
@@ -203,9 +203,9 @@ Tor Browser Legacy is on the `maint-13.5` branch

 ```bash
 # Point OSSLSIGNCODE to your osslsigncode binary
-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION
 OSSLSIGNCODE=/path/to/osslsigncode
-../../../tools/authenticode_check.sh
+../../../../tools/authenticode_check.sh
 popd
 ```

@@ -217,11 +217,11 @@ popd
 # Point NSSDB to your nssdb containing the mar signing certificate
 # Point SIGNMAR to your signmar binary
 # Point LD_LIBRARY_PATH to your mar-tools directory
-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION
 NSSDB=/path/to/nssdb
 SIGNMAR=/path/to/mar-tools/signmar
 LD_LIBRARY_PATH=/path/to/mar-tools/
-../../../tools/marsigning_check.sh
+../../../../tools/marsigning_check.sh
 popd
 ```


--- a/.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
+++ b/.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
@@ -228,9 +228,9 @@ Tor Browser Stable is on the `maint-${TOR_BROWSER_MAJOR}.${TOR_BROWSER_MINOR}` b

 ```bash
 # Point OSSLSIGNCODE to your osslsigncode binary
-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION
 OSSLSIGNCODE=/path/to/osslsigncode
-../../../tools/authenticode_check.sh
+../../../../tools/authenticode_check.sh
 popd
 ```

@@ -242,11 +242,11 @@ popd
 # Point NSSDB to your nssdb containing the mar signing certificate
 # Point SIGNMAR to your signmar binary
 # Point LD_LIBRARY_PATH to your mar-tools directory
-pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
+pushd tor-browser-build/torbrowser/${channel}/signed/$TORBROWSER_VERSION
 NSSDB=/path/to/nssdb
 SIGNMAR=/path/to/mar-tools/signmar
 LD_LIBRARY_PATH=/path/to/mar-tools/
-../../../tools/marsigning_check.sh
+../../../../tools/marsigning_check.sh
 popd
 ```


--- a/tools/signing/do-all-signing
+++ b/tools/signing/do-all-signing
@@ -3,34 +3,59 @@ set -e
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
 source "$script_dir/set-config.update-responses"
-
 NON_INTERACTIVE=1
 steps_dir="$signed_version_dir.steps"
 test -d "$steps_dir" || mkdir -p "$steps_dir"

-test -f "$steps_dir/linux-signer-rcodesign-sign.done" ||
+function get_sekrit {
+  echo "$SEKRITS" | grep -A1 "$1:" | tail -n1
+}
+
+[ -f "$script_dir/set-config.passwords" ] && . "$script_dir/set-config.passwords" 2>/dev/null
+
+if [[ $1 = "-p" ]]; then
+  shift
+  passwords_gpg_file="$1"
+  shift
+fi
+
+is_project torbrowser && nssdb=torbrowser-nssdb7
+is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1
+
+if [ -f "$passwords_gpg_file" ]; then
+  echo "Reading passwords from $passwords_gpg_file"
+  SEKRITS=$(gpg --decrypt "$passwords_gpg_file")
+  RCODESIGN_PW=$(get_sekrit 'rcodesign')
+  NSSPASS=$(get_sekrit "$nssdb (mar signing)")
+  KSPASS=$(get_sekrit "android apk ($tbb_version_type)")
+  YUBIPASS=$(get_sekrit "windows authenticode")
+  GPG_PASS=$(get_sekrit "gpg")
+else
+  echo "Rather than entering all the password manually, you may want to provide a gpg-encrypted file either on the command line (-p <filepath>) or in set-config.passwords."
+fi
+
+test -f "$steps_dir/linux-signer-rcodesign-sign.done" || [ -n "$RCODESIGN_PW" ] ||
  read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW
 echo
-is_project torbrowser && nssdb=torbrowser-nssdb7
-is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb-1
-test -f "$steps_dir/linux-signer-signmars.done" ||
+
+test -f "$steps_dir/linux-signer-signmars.done" || [ -n "$NSSPASS" ] ||
  read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS
 echo

 if is_project torbrowser; then
-  test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
+  test -f "$steps_dir/linux-signer-sign-android-apks.done" || [ -n "$KSPASS" ] ||
    read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
  echo
 fi
-test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+test -f "$steps_dir/linux-signer-authenticode-signing.done" || [ -n "$YUBIPASS" ] ||
  read -sp "Enter windows authenticode passphrase: " YUBIPASS
 echo
-test -f "$steps_dir/linux-signer-gpg-sign.done" ||
+test -f "$steps_dir/linux-signer-gpg-sign.done" || [ -n "$GPG_PASS" ] ||
  read -sp "Enter gpg passphrase: " GPG_PASS
 echo

 function set-time-on-signing-machine {
-  local current_time=$(date -u)
+  local current_time=$(date -u -Iseconds)
  ssh "$ssh_host_linux_signer" sudo /usr/bin/date -s "'$current_time'"
 }

@@ -178,6 +203,10 @@ function do_step {
  echo "$(date -Iseconds) - Finished step: $1"
 }

+function is_legacy {
+  [[ "$tbb_version" = 13.* ]]
+}
+
 export SIGNING_PROJECTNAME

 do_step set-time-on-signing-machine
@@ -195,9 +224,9 @@ do_step sync-scripts-to-linux-signer
 do_step sync-before-linux-signer-signmars
 do_step linux-signer-signmars
 do_step sync-after-signmars
-is_project torbrowser && \
+is_project torbrowser && ! is_legacy && \
  do_step linux-signer-sign-android-apks
-is_project torbrowser && \
+is_project torbrowser && ! is_legacy && \
  do_step sync-after-sign-android-apks
 do_step linux-signer-authenticode-signing
 do_step sync-after-authenticode-signing
@@ -211,5 +240,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo
 do_step sync-local-to-staticiforme
 do_step sync-scripts-to-staticiforme
 do_step staticiforme-prepare-cdn-dist-upload
+! is_legacy &&
  do_step upload-update_responses-to-staticiforme
 do_step finished-signing-clean-linux-signer
--- a/tools/signing/set-config.passwords
+++ b/tools/signing/set-config.passwords
+# Path to a gpg-encrypted cache of passwords not to be asked on each run
+passwords_gpg_file=~/.tor-browser-signing/tor-browser-passwords.txt.gpg