Loading rbm.conf +33 −2 Original line number Diff line number Diff line Loading @@ -81,8 +81,6 @@ var: browser_release_date_timestamp: '[% USE date; date.format(c("var/browser_release_date"), "%s") %]' browser_default_channel: alpha browser_platforms: is_android_release: '[% c("var/tor-browser") %]' is_desktop_release: '1' android-armv7: '[% c("var/browser_platforms/is_android_release") %]' android-x86: '[% c("var/browser_platforms/is_android_release") %]' android-x86_64: '[% c("var/browser_platforms/is_android_release") %]' Loading 
@@ -93,6 +91,39 @@ var: windows-i686: '[% c("var/browser_platforms/is_desktop_release") && c("var/tor-browser") %]' windows-x86_64: '[% c("var/browser_platforms/is_desktop_release") %]' macos: '[% c("var/browser_platforms/is_desktop_release") %]' # is_android_release and is_desktop_release are used to quickly # enable/disable all android or desktop platforms. If you want to # check whether a release includes some android or desktop platforms # see signing_android and signing_desktop below. is_android_release: '[% c("var/tor-browser") %]' is_desktop_release: '1' # signing_android is used in signing scripts to check if at least # one android platform is being signed/published signing_android: | [%- c("var/browser_platforms/android-armv7") || c("var/browser_platforms/android-x86") || c("var/browser_platforms/android-x86_64") || c("var/browser_platforms/android-aarch64") -%] # signing_desktop is used in signing scripts to check if at least # one desktop platform is being signed/published signing_desktop: | [%- c("var/browser_platforms/linux-x86_64") || c("var/browser_platforms/linux-i686") || c("var/browser_platforms/linux-aarch64") || c("var/browser_platforms/windows-i686") || c("var/browser_platforms/windows-x86_64") || c("var/browser_platforms/macos") -%] signing_windows: | [%- c("var/browser_platforms/windows-i686") || c("var/browser_platforms/windows-x86_64") -%] updater_enabled: 1 build_mar: 1 torbrowser_incremental_from: Loading tools/signing/do-all-signing +66 −31 Original line number Diff line number Diff line Loading 
@@ -19,38 +19,66 @@ if [[ $1 = "-p" ]]; then shift fi function is_legacy { [[ "$tbb_version" = 13.* ]] } if is_legacy; then platform_android= platform_desktop=1 platform_macos=1 platform_windows=1 else platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) platform_desktop=$(rbm_showconf_boolean var/browser_platforms/signing_desktop) platform_macos=$(rbm_showconf_boolean var/browser_platforms/macos) platform_windows=$(rbm_showconf_boolean var/browser_platforms/signing_windows) fi is_project torbrowser && nssdb=torbrowser-nssdb7 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1 if [ -f "$passwords_gpg_file" ]; then echo "Reading passwords from $passwords_gpg_file" SEKRITS=$(gpg --decrypt "$passwords_gpg_file") [ -n "$platform_macos" ] && \ RCODESIGN_PW=$(get_sekrit 'rcodesign') [ -n "$platform_desktop" ] && \ NSSPASS=$(get_sekrit "$nssdb (mar signing)") [ -n "$platform_android" ] && \ KSPASS=$(get_sekrit "android apk ($tbb_version_type)") [ -n "$platform_windows" ] && \ YUBIPASS=$(get_sekrit "windows authenticode") GPG_PASS=$(get_sekrit "gpg") else echo "Rather than entering all the password manually, you may want to provide a gpg-encrypted file either on the command line (-p <filepath>) or in set-config.passwords." 
fi test -f "$steps_dir/linux-signer-rcodesign-sign.done" || [ -n "$RCODESIGN_PW" ] || [ -z "$platform_macos" ] || \ [ -f "$steps_dir/linux-signer-rcodesign-sign.done" ] || \ [ -n "$RCODESIGN_PW" ] || \ read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW echo test -f "$steps_dir/linux-signer-signmars.done" || [ -n "$NSSPASS" ] || [ -z "$platform_desktop" ] || \ [ -f "$steps_dir/linux-signer-signmars.done" ] || \ [ -n "$NSSPASS" ] || \ read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS echo if is_project torbrowser; then test -f "$steps_dir/linux-signer-sign-android-apks.done" || [ -n "$KSPASS" ] || [ -z "$platform_android" ] || \ [ -f "$steps_dir/linux-signer-sign-android-apks.done" ] || \ [ -n "$KSPASS" ] || \ read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS echo fi test -f "$steps_dir/linux-signer-authenticode-signing.done" || [ -n "$YUBIPASS" ] || [ -z "$platform_windows" ] || \ [ -f "$steps_dir/linux-signer-authenticode-signing.done" ] || \ [ -n "$YUBIPASS" ] || \ read -sp "Enter windows authenticode passphrase: " YUBIPASS echo test -f "$steps_dir/linux-signer-gpg-sign.done" || [ -n "$GPG_PASS" ] || [ -f "$steps_dir/linux-signer-gpg-sign.done" ] || [ -n "$GPG_PASS" ] || \ read -sp "Enter gpg passphrase: " GPG_PASS echo Loading Loading @@ -203,10 +231,6 @@ function do_step { echo "$(date -Iseconds) - Finished step: $1" } function is_legacy { [[ "$tbb_version" = 13.* ]] } export SIGNING_PROJECTNAME do_step set-time-on-signing-machine Loading 
@@ -215,22 +239,33 @@ do_step sync-builder-unsigned-to-local-signed do_step clean-build-artifacts do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-rcodesign-sign [ -n "$platform_macos" ] && \ do_step linux-signer-rcodesign-sign [ -n "$platform_macos" ] && \ do_step sync-linux-signer-macos-signed-tar-to-local [ -n "$platform_macos" ] && \ do_step rcodesign-notary-submit [ -n "$platform_macos" ] && \ do_step gatekeeper-bundling [ -n "$platform_macos" ] && \ do_step dmg2mar do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-signmars [ -n "$platform_desktop" ] && \ do_step linux-signer-signmars [ -n "$platform_desktop" ] && \ do_step sync-after-signmars is_project torbrowser && ! is_legacy && \ [ -n "$platform_android" ] && \ do_step linux-signer-sign-android-apks is_project torbrowser && ! is_legacy && \ [ -n "$platform_android" ] && \ do_step sync-after-sign-android-apks [ -n "$platform_windows" ] && \ do_step linux-signer-authenticode-signing [ -n "$platform_windows" ] && \ do_step sync-after-authenticode-signing [ -n "$platform_windows" ] && \ do_step authenticode-timestamping [ -n "$platform_windows" ] && \ do_step sync-after-authenticode-timestamping do_step hash_signed_bundles do_step sync-after-hash Loading @@ -240,6 +275,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo do_step sync-local-to-staticiforme do_step sync-scripts-to-staticiforme do_step staticiforme-prepare-cdn-dist-upload ! is_legacy && ! is_legacy && [ -n "$platform_desktop" ] && \ do_step upload-update_responses-to-staticiforme do_step finished-signing-clean-linux-signer tools/signing/functions +12 −0 Original line number Diff line number Diff line Loading 
@@ -69,5 +69,17 @@ function display_name { echo "${SIGNING_PROJECTNAMES[3]}" } function rbm_showconf { "$rbm" showconf release "$1" --target "$SIGNING_PROJECTNAME" \ --target "$tbb_version_type" } function rbm_showconf_boolean { local res=$(rbm_showconf "$1") if [ -z "$res" ] || [ "a$res" = "a0" ]; then return fi echo '1' } . "$script_dir/set-config" tools/signing/upload-update_responses-to-staticiforme +2 −1 Original line number Diff line number Diff line Loading @@ -56,7 +56,8 @@ do git commit -m "$tbb_version_type: new version, $tbb_version ($file)" done if is_project torbrowser; then platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) if [ -n "$platform_android" ]; then git add "$tbb_version_type"/download-android-*.json git diff --quiet --cached --exit-code || \ git commit -m "$tbb_version_type: new version, $tbb_version (android)" Loading Loading
rbm.conf +33 −2 Original line number Diff line number Diff line Loading @@ -81,8 +81,6 @@ var: browser_release_date_timestamp: '[% USE date; date.format(c("var/browser_release_date"), "%s") %]' browser_default_channel: alpha browser_platforms: is_android_release: '[% c("var/tor-browser") %]' is_desktop_release: '1' android-armv7: '[% c("var/browser_platforms/is_android_release") %]' android-x86: '[% c("var/browser_platforms/is_android_release") %]' android-x86_64: '[% c("var/browser_platforms/is_android_release") %]' Loading @@ -93,6 +91,39 @@ var: windows-i686: '[% c("var/browser_platforms/is_desktop_release") && c("var/tor-browser") %]' windows-x86_64: '[% c("var/browser_platforms/is_desktop_release") %]' macos: '[% c("var/browser_platforms/is_desktop_release") %]' # is_android_release and is_desktop_release are used to quickly # enable/disable all android or desktop platforms. If you want to # check whether a release includes some android or desktop platforms # see signing_android and signing_desktop below. is_android_release: '[% c("var/tor-browser") %]' is_desktop_release: '1' # signing_android is used in signing scripts to check if at least # one android platform is being signed/published signing_android: | [%- c("var/browser_platforms/android-armv7") || c("var/browser_platforms/android-x86") || c("var/browser_platforms/android-x86_64") || c("var/browser_platforms/android-aarch64") -%] # signing_desktop is used in signing scripts to check if at least # one desktop platform is being signed/published signing_desktop: | [%- c("var/browser_platforms/linux-x86_64") || c("var/browser_platforms/linux-i686") || c("var/browser_platforms/linux-aarch64") || c("var/browser_platforms/windows-i686") || c("var/browser_platforms/windows-x86_64") || c("var/browser_platforms/macos") -%] signing_windows: | [%- c("var/browser_platforms/windows-i686") || c("var/browser_platforms/windows-x86_64") -%] updater_enabled: 1 build_mar: 1 torbrowser_incremental_from: Loading
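Review bot: `signing_windows` is the only new key under `browser_platforms` without a comment, although do-all-signing reads it to decide whether the authenticode passphrase is requested and the authenticode steps run. A comment matching its siblings would help, for example `# signing_windows is used in signing scripts to check if at least one windows platform is being signed (authenticode)`. It would also be worth stating in the `signing_desktop` comment that this value gates MAR signing and the update_responses upload, since an all-false expression there turns those steps off.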
tools/signing/do-all-signing +66 −31 Original line number Diff line number Diff line Loading 
@@ -19,38 +19,66 @@ if [[ $1 = "-p" ]]; then shift fi function is_legacy { [[ "$tbb_version" = 13.* ]] } if is_legacy; then platform_android= platform_desktop=1 platform_macos=1 platform_windows=1 else platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) platform_desktop=$(rbm_showconf_boolean var/browser_platforms/signing_desktop) platform_macos=$(rbm_showconf_boolean var/browser_platforms/macos) platform_windows=$(rbm_showconf_boolean var/browser_platforms/signing_windows) fi is_project torbrowser && nssdb=torbrowser-nssdb7 is_project mullvadbrowser && nssdb=mullvadbrowser-nssdb1 if [ -f "$passwords_gpg_file" ]; then echo "Reading passwords from $passwords_gpg_file" SEKRITS=$(gpg --decrypt "$passwords_gpg_file") [ -n "$platform_macos" ] && \ RCODESIGN_PW=$(get_sekrit 'rcodesign') [ -n "$platform_desktop" ] && \ NSSPASS=$(get_sekrit "$nssdb (mar signing)") [ -n "$platform_android" ] && \ KSPASS=$(get_sekrit "android apk ($tbb_version_type)") [ -n "$platform_windows" ] && \ YUBIPASS=$(get_sekrit "windows authenticode") GPG_PASS=$(get_sekrit "gpg") else echo "Rather than entering all the password manually, you may want to provide a gpg-encrypted file either on the command line (-p <filepath>) or in set-config.passwords." 
fi test -f "$steps_dir/linux-signer-rcodesign-sign.done" || [ -n "$RCODESIGN_PW" ] || [ -z "$platform_macos" ] || \ [ -f "$steps_dir/linux-signer-rcodesign-sign.done" ] || \ [ -n "$RCODESIGN_PW" ] || \ read -sp "Enter rcodesign passphrase for key-1: " RCODESIGN_PW echo test -f "$steps_dir/linux-signer-signmars.done" || [ -n "$NSSPASS" ] || [ -z "$platform_desktop" ] || \ [ -f "$steps_dir/linux-signer-signmars.done" ] || \ [ -n "$NSSPASS" ] || \ read -sp "Enter $nssdb (mar signing) passphrase: " NSSPASS echo if is_project torbrowser; then test -f "$steps_dir/linux-signer-sign-android-apks.done" || [ -n "$KSPASS" ] || [ -z "$platform_android" ] || \ [ -f "$steps_dir/linux-signer-sign-android-apks.done" ] || \ [ -n "$KSPASS" ] || \ read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS echo fi test -f "$steps_dir/linux-signer-authenticode-signing.done" || [ -n "$YUBIPASS" ] || [ -z "$platform_windows" ] || \ [ -f "$steps_dir/linux-signer-authenticode-signing.done" ] || \ [ -n "$YUBIPASS" ] || \ read -sp "Enter windows authenticode passphrase: " YUBIPASS echo test -f "$steps_dir/linux-signer-gpg-sign.done" || [ -n "$GPG_PASS" ] || [ -f "$steps_dir/linux-signer-gpg-sign.done" ] || [ -n "$GPG_PASS" ] || \ read -sp "Enter gpg passphrase: " GPG_PASS echo Loading Loading @@ -203,10 +231,6 @@ function do_step { echo "$(date -Iseconds) - Finished step: $1" } function is_legacy { [[ "$tbb_version" = 13.* ]] } export SIGNING_PROJECTNAME do_step set-time-on-signing-machine Loading 
@@ -215,22 +239,33 @@ do_step sync-builder-unsigned-to-local-signed do_step clean-build-artifacts do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-rcodesign-sign [ -n "$platform_macos" ] && \ do_step linux-signer-rcodesign-sign [ -n "$platform_macos" ] && \ do_step sync-linux-signer-macos-signed-tar-to-local [ -n "$platform_macos" ] && \ do_step rcodesign-notary-submit [ -n "$platform_macos" ] && \ do_step gatekeeper-bundling [ -n "$platform_macos" ] && \ do_step dmg2mar do_step sync-scripts-to-linux-signer do_step sync-before-linux-signer-signmars [ -n "$platform_desktop" ] && \ do_step linux-signer-signmars [ -n "$platform_desktop" ] && \ do_step sync-after-signmars is_project torbrowser && ! is_legacy && \ [ -n "$platform_android" ] && \ do_step linux-signer-sign-android-apks is_project torbrowser && ! is_legacy && \ [ -n "$platform_android" ] && \ do_step sync-after-sign-android-apks [ -n "$platform_windows" ] && \ do_step linux-signer-authenticode-signing [ -n "$platform_windows" ] && \ do_step sync-after-authenticode-signing [ -n "$platform_windows" ] && \ do_step authenticode-timestamping [ -n "$platform_windows" ] && \ do_step sync-after-authenticode-timestamping do_step hash_signed_bundles do_step sync-after-hash Loading @@ -240,6 +275,6 @@ do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo do_step sync-local-to-staticiforme do_step sync-scripts-to-staticiforme do_step staticiforme-prepare-cdn-dist-upload ! is_legacy && ! is_legacy && [ -n "$platform_desktop" ] && \ do_step upload-update_responses-to-staticiforme do_step finished-signing-clean-linux-signer
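Review bot: The four `platform_*` flags are neither logged nor sanity-checked after the `if is_legacy … fi` block. A flag that resolves to empty silently drops its passphrase prompt and every `[ -n "$platform_…" ] && do_step …` line, while unconditional steps such as `hash_signed_bundles` and the sync steps still run. Printing the resolved values before any secret is read gives the operator a chance to spot an unexpected skip, e.g. `echo "Signing: android=${platform_android:-0} desktop=${platform_desktop:-0} macos=${platform_macos:-0} windows=${platform_windows:-0}"`. A run with nothing enabled should stop: `[ -n "$platform_android$platform_desktop$platform_macos$platform_windows" ] || { echo "No signing platform enabled" >&2; exit 1; }`. Parts of the script between the hunks are collapsed on this page, so steps not shown here may need the same treatment.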
tools/signing/functions +12 −0 Original line number Diff line number Diff line Loading @@ -69,5 +69,17 @@ function display_name { echo "${SIGNING_PROJECTNAMES[3]}" } function rbm_showconf { "$rbm" showconf release "$1" --target "$SIGNING_PROJECTNAME" \ --target "$tbb_version_type" } function rbm_showconf_boolean { local res=$(rbm_showconf "$1") if [ -z "$res" ] || [ "a$res" = "a0" ]; then return fi echo '1' } . "$script_dir/set-config"
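Review bot: In `rbm_showconf_boolean`, `local res=$(rbm_showconf "$1")` throws away the exit status of `rbm showconf`, because `local` returns its own status. A failed lookup (missing `$rbm`, broken config, wrong target) therefore produces an empty string and is reported as "platform disabled". The callers in do-all-signing and upload-update_responses-to-staticiforme then skip the matching signing or publishing steps with no error, which is the unsafe direction to fail for a release-signing flow. Splitting the declaration from the assignment and propagating the failure fixes this: `local res; res=$(rbm_showconf "$1") || return 1`. Callers must abort on a non-zero status; whether these scripts run under `set -e` is not visible on this page.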
tools/signing/upload-update_responses-to-staticiforme +2 −1 Original line number Diff line number Diff line Loading @@ -56,7 +56,8 @@ do git commit -m "$tbb_version_type: new version, $tbb_version ($file)" done if is_project torbrowser; then platform_android=$(rbm_showconf_boolean var/browser_platforms/signing_android) if [ -n "$platform_android" ]; then git add "$tbb_version_type"/download-android-*.json git diff --quiet --cached --exit-code || \ git commit -m "$tbb_version_type: new version, $tbb_version (android)" Loading