Bug 40736: Update signing scripts to support other browser names

.gitlab/issue_templates/Release Prep - Alpha.md

@@ -232,7 +232,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch, while Stable lives in
 - [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
 - [ ] run do-all-signing script:
     - `cd tor-browser-build/tools/signing/`
-    - `./do-all-signing.sh`
+    - `./do-all-signing.torbrowser`
 - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
 - [ ] Update `staticiforme.torproject.org`:
   - From `screen` session on `staticiforme.torproject.org`:

tools/signing/.gitignore

+set-config.generated-config

tools/signing/android-signing

@@ -20,6 +20,7 @@ source "$script_dir/set-config.android-signing"
 
 topdir="$script_dir/../.."
 ARCHS="armv7 aarch64 x86 x86_64"
+projname=$(project-name)
 
 android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
 test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
@@ -51,13 +52,13 @@ setup_build_tools() {
 download_unsigned_apks() {
   apks_dir=$(mktemp -d)
   trap "rm -Rf $apks_dir" EXIT
-  rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$projectname/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
+  rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
 }
 
 upload_signed_apks() {
   rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
     --exclude="*-unsigned.apk" "$apks_dir/" \
-    "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$projectname/$tbb_version_type/signed/$tbb_version/"
+    "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
 }
 
 # Sign individual apk
@@ -122,11 +123,11 @@ sign_apk() {
 # Rename and verify signing certificate
 finalize() {
   for arch in ${ARCHS}; do
-      mv tor-browser-${tbb_version}-android-${arch}-multi{-qa,}.apk
+      mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
   done
 
   for arch in ${ARCHS}; do
-      verified=`apksigner verify --print-certs --verbose tor-browser-${tbb_version}-android-${arch}-multi.apk`
+      verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
       scheme_v1=
       scheme_v2=
       cert_digest=
@@ -174,7 +175,7 @@ cd $apks_dir
 
 # Sign all packages
 for arch in ${ARCHS}; do
-    sign_apk tor-browser-${tbb_version}-android-${arch}-multi-qa.apk
+    sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
 done
 
 finalize

tools/signing/android-signing.torbrowser

+android-signing
\ No newline at end of file

tools/signing/ddmg.sh

@@ -4,7 +4,7 @@
 # file from a directory
 #
 # Usage:
-#   ddmg.sh <dmg-file> <src-directory>
+#   ddmg.sh <dmg-file> <src-directory> <Volume Label>
 
 set -e
 
@@ -13,6 +13,7 @@ source "$script_dir/functions"
 
 dest_file="$1"
 src_dir="$2"
+volume_label="$3"
 
 set +e
 find $src_dir -executable -exec chmod 0755 {} \; 2> /dev/null
@@ -21,8 +22,6 @@ find $src_dir ! -executable -exec chmod 0644 {} \; 2> /dev/null
 find $src_dir -exec touch -m -t 200001010101 {} \; 2> /dev/null
 set -e
 
-VOLUME_LABEL="${VOLUME_LABEL:-Tor Browser}"
-
 dmg_tmpdir=$(mktemp -d)
 hfsfile="$dmg_tmpdir/tbb-uncompressed.dmg"
 
@@ -34,7 +33,7 @@ echo "Starting: " $(basename $dest_file)
 # Use a similar strategy to Mozilla (they have 1.02, we have 1.1)
 size=$(du -ms "$src_dir" | awk '{ print int( $1 * 1.1 ) }')
 dd if=/dev/zero of="$hfsfile" bs=1M count=$size
-newfs_hfs -v "$VOLUME_LABEL" "$hfsfile"
+newfs_hfs -v "$volume_label" "$hfsfile"
 
 cd $src_dir
 

tools/signing/dmg2mar

@@ -19,11 +19,12 @@ test "$version" = "$tbb_version" || \
 test -d "$macos_signed_dir" || \
   exit_error "$macos_signed_dir does not exist"
 
+ProjName=$(ProjectName)
 nb_locales=$(echo $bundle_locales | wc -w)
-nb_bundles=$(ls -1 "$macos_signed_dir"/TorBrowser-*.dmg | wc -l)
+nb_bundles=$(ls -1 "$macos_signed_dir/$ProjName"-*.dmg | wc -l)
 test "$nb_locales" -eq "$nb_bundles" || \
   exit_error "Wrong number of bundles: $nb_locales != $nb_bundles"
 
-mv -vf "$macos_signed_dir"/TorBrowser-*.dmg "$signed_version_dir"/
+mv -vf "$macos_signed_dir"/"$ProjName"-*.dmg "$signed_version_dir"/
 
 make dmg2mar-$tbb_version_type

tools/signing/do-all-signing

@@ -56,7 +56,7 @@ function macos-signer-gatekeeper-signing {
   "$script_dir/sync-macos-local-to-macos-signer"
   ssh "$ssh_host_macos_signer" 'bash -s' << EOF
   export KEYCHAIN_PW=$KEYCHAIN_PW
-  ~/signing-$tbb_version_type/macos-signer-gatekeeper-signing
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-gatekeeper-signing.$SIGNING_PROJECTNAME
 EOF
   unset KEYCHAIN_PW
 }
@@ -64,13 +64,13 @@ EOF
 function macos-signer-notarization {
   ssh "$ssh_host_macos_signer" 'bash -s' << EOF
   export PW=$NOTARIZATION_PW
-  ~/signing-$tbb_version_type/macos-signer-notarization
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-notarization.$SIGNING_PROJECTNAME
 EOF
   unset NOTARIZATION_PW
 }
 
 function macos-signer-stapler {
-  ssh "$ssh_host_macos_signer" "~/signing-$tbb_version_type/macos-signer-stapler"
+  ssh "$ssh_host_macos_signer" "~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/macos-signer-stapler.$SIGNING_PROJECTNAME"
   "$script_dir/sync-macos-signer-stapled-to-macos-local-stapled"
 }
 
@@ -94,7 +94,7 @@ function linux-signer-signmars {
   "$script_dir/sync-local-to-linux-signer"
   ssh "$ssh_host_linux_signer" 'bash -s' << EOF
   export NSSPASS=$NSSPASS
-  ~/signing-$tbb_version_type/linux-signer-signmars
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-signmars.$SIGNING_PROJECTNAME
 EOF
   unset NSSPASS
 }
@@ -110,7 +110,7 @@ function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
 function linux-signer-authenticode-signing {
   ssh "$ssh_host_linux_signer" 'bash -s' << EOF
   export YUBIPASS='$YUBIPASS'
-  ~/signing-$tbb_version_type/linux-signer-authenticode-signing
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-authenticode-signing.$SIGNING_PROJECTNAME
 EOF
   unset YUBIPASS
 }
@@ -138,7 +138,7 @@ function sync-after-hash {
 function linux-signer-gpg-sign {
   ssh "$ssh_host_linux_signer" 'bash -s' << EOF
   export GPG_PASS=$GPG_PASS
-  ~/signing-$tbb_version_type/linux-signer-gpg-sign
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-gpg-sign.$SIGNING_PROJECTNAME
 EOF
 }
 
@@ -155,7 +155,7 @@ function sync-scripts-to-staticiforme {
 }
 
 function staticiforme-prepare-cdn-dist-upload {
-  ssh "$ssh_host_staticiforme" "signing-$tbb_version_type/staticiforme-prepare-cdn-dist-upload"
+  ssh "$ssh_host_staticiforme" "signing-$SIGNING_PROJECTNAME-$tbb_version_type/staticiforme-prepare-cdn-dist-upload.$SIGNING_PROJECTNAME"
 }
 
 function upload-update_responses-to-staticiforme {
@@ -179,6 +179,8 @@ function do_step {
   echo "$(date -Iseconds) - Finished step: $1"
 }
 
+export SIGNING_PROJECTNAME
+
 do_step wait-for-finished-build
 do_step sync-builder-unsigned-to-local-signed
 do_step macos-signer-directory-not-present
@@ -189,9 +191,12 @@ do_step macos-signer-notarization
 do_step macos-signer-stapler
 do_step macos-signer-disable-network-proxy-settings
 do_step gatekeeper-bundling
+is_project torbrowser && \
   do_step dmg2mar
 do_step sync-scripts-to-linux-signer
+is_project torbrowser && \
   do_step linux-signer-signmars
+is_project torbrowser && \
   do_step sync-after-signmars
 do_step linux-signer-authenticode-signing
 do_step sync-after-authenticode-signing
@@ -202,9 +207,13 @@ do_step sync-after-hash
 do_step linux-signer-gpg-sign
 do_step sync-after-gpg-sign
 do_step download-unsigned-sha256sums-gpg-signatures-from-people-tpo
+is_project torbrowser && \
   do_step sync-local-to-staticiforme
+is_project torbrowser && \
   do_step sync-scripts-to-staticiforme
+is_project torbrowser && \
   do_step staticiforme-prepare-cdn-dist-upload
+is_project torbrowser && \
   do_step upload-update_responses-to-staticiforme
 do_step finished-signing-clean-macos-signer
 do_step finished-signing-clean-linux-signer

tools/signing/do-all-signing.torbrowser

+do-all-signing
\ No newline at end of file

tools/signing/finished-signing-clean-linux-signer

@@ -10,5 +10,5 @@ source "$script_dir/functions"
 var_is_defined ssh_host_linux_signer tbb_version
 
 ssh "$ssh_host_linux_signer" 'bash -s' << EOF
-  test -n "$tbb_version" && rm -Rfv ~/"$tbb_version"
+  test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version"
 EOF

tools/signing/finished-signing-clean-macos-signer

@@ -10,5 +10,5 @@ source "$script_dir/functions"
 var_is_defined ssh_host_macos_signer tbb_version
 
 ssh "$ssh_host_macos_signer" 'bash -s' << EOF
-  test -n "$tbb_version" && rm -Rfv ~/"$tbb_version"
+  test -n "$tbb_version" && rm -Rfv ~/"$SIGNING_PROJECTNAME-$tbb_version"
 EOF

tools/signing/functions

@@ -31,4 +31,40 @@ EOF
   fi
 }
 
+function is_project {
+  test "$1" = "$SIGNING_PROJECTNAME"
+}
+
+function generate_config {
+  p1=$("$rbm" showconf browser var/project-name --target "$SIGNING_PROJECTNAME")
+  p2=$("$rbm" showconf browser var/Project_Name --target "$SIGNING_PROJECTNAME")
+  p3=$("$rbm" showconf browser var/ProjectName --target "$SIGNING_PROJECTNAME")
+  echo 'rbm_not_available=1' > "$script_dir/set-config.generated-config"
+  echo "SIGNING_PROJECTNAMES=(\"$p1\" \"$p2\" \"$p3\")" >> "$script_dir/set-config.generated-config"
+}
+
+function project-name {
+   if test -n "${rbm_not_available+x}"; then
+     echo "${SIGNING_PROJECTNAMES[0]}"
+   else
+     "$rbm" showconf browser var/project-name --target "$SIGNING_PROJECTNAME"
+   fi
+}
+
+function Project_Name {
+   if test -n "${rbm_not_available+x}"; then
+     echo "${SIGNING_PROJECTNAMES[1]}"
+   else
+     "$rbm" showconf browser var/Project_Name --target "$SIGNING_PROJECTNAME"
+   fi
+}
+
+function ProjectName {
+   if test -n "${rbm_not_available+x}"; then
+     echo "${SIGNING_PROJECTNAMES[2]}"
+   else
+     "$rbm" showconf browser var/ProjectName --target "$SIGNING_PROJECTNAME"
+   fi
+}
+
 . "$script_dir/set-config"

tools/signing/gatekeeper-bundling.sh

@@ -62,13 +62,15 @@ tar -C "$tmpdir" -xf "$libdmg_file"
 tar -C "$tmpdir" -xf "$hfstools_file"
 export PATH="$PATH:$tmpdir/libdmg-hfsplus:$tmpdir/hfsplus-tools"
 
+ProjName=$(ProjectName)
+Proj_Name=$(Project_Name)
 for lang in $bundle_locales
 do
   cd $tmpdir/dmg
   unzip -q $macos_stapled_dir/tb-${tbb_version}_$lang-stapled.zip
   cd ..
-  $script_dir/ddmg.sh $macos_signed_dir/TorBrowser-${tbb_version}-macos_$lang.dmg $tmpdir/dmg/
-  rm -rf 'dmg/Tor Browser.app'
+  $script_dir/ddmg.sh $macos_signed_dir/$ProjName-${tbb_version}-macos_$lang.dmg $tmpdir/dmg/ "$Proj_Name"
+  rm -rf "dmg/$Proj_Name.app"
 done
 
 rm -Rf "$tmpdir"

tools/signing/linux-signer-authenticode-signing

@@ -4,7 +4,7 @@ set -e
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
 
-cd ~/"$tbb_version"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
 
 test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
 echo

tools/signing/linux-signer-authenticode-signing.torbrowser

+linux-signer-authenticode-signing
\ No newline at end of file

tools/signing/linux-signer-gpg-sign

@@ -4,7 +4,7 @@ set -e
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
 
-cd ~/"$tbb_version"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
 
 test -n "$GPG_PASS" || read -sp "Enter gpg passphrase: " GPG_PASS
 for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk" | sort`

tools/signing/linux-signer-gpg-sign.torbrowser

+linux-signer-gpg-sign
\ No newline at end of file

tools/signing/linux-signer-signmars

@@ -46,7 +46,7 @@ test -n "${NSSPASS:-}" || read -s -p "NSS password:" NSSPASS
 echo ""
 
 COUNT=0
-cd ~/"$tbb_version"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version"
 for marfile in *.mar; do
   if [ ! -f "$marfile" ]; then
     continue;

tools/signing/linux-signer-signmars.torbrowser

+linux-signer-signmars
\ No newline at end of file

tools/signing/macos-signer-gatekeeper-signing

@@ -3,8 +3,10 @@ set -e
 
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"
+source "$script_dir/set-config.generated-config"
 
 ENTITLEMENTS="$script_dir/$tbb_version_type.entitlements.xml"
+app_name=$(Project_Name)
 
 function check_signature() {
   LANG=$1
@@ -18,12 +20,12 @@ function check_signature() {
     pushd test_${LANG}
   fi
   echo "Checking $LANG..."
-  spctl -vvvv --assess --type open --context context:primary-signature 'Tor Browser.app/'
+  spctl -vvvv --assess --type open --context context:primary-signature "$app_name.app/"
   if [ $? -ne 3 ]; then
     echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed open.
     failed_open=1
   fi
-  spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/'
+  spctl -vvvv --assess --type exec --context context:primary-signature "$app_name.app/"
   if [ $? -ne 0 ]; then
     echo tb-${tbb_version}_$LANG.zip not signed correctly. Failed exec.
     failed_exec=1
@@ -39,7 +41,7 @@ function check_signature() {
   fi
 }
 
-cd ~/${tbb_version}
+cd ~/$SIGNING_PROJECTNAME-${tbb_version}
 
 if test -n "$KEYCHAIN_PW"
 then
@@ -58,40 +60,40 @@ do
     echo "Deleting tb-${tbb_version}_${LANG}.zip"
     rm tb-${tbb_version}_${LANG}.zip
   fi
-  if [ -d "Tor Browser.app" ]
+  if [ -d "$app_name.app" ]
   then
-    echo "Deleting Tor Browser.app"
-    rm -r "Tor Browser.app"
+    echo "Deleting $app_name.app"
+    rm -r "$app_name.app"
   fi
-  if [ -d '/Volumes/Tor Browser' ]; then
+  if [ -d "/Volumes/$app_name" ]; then
     echo "DMG already mounted. Please correct."
     exit 1
   fi
-  hdiutil attach TorBrowser-${tbb_version}-macos_$LANG.dmg
-  cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app"
-  echo "Signing Tor Browser_$LANG.app"
-  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "Tor Browser.app/"
+  hdiutil attach $(ProjectName)-${tbb_version}-macos_$LANG.dmg
+  cp -rf "/Volumes/$app_name/$app_name.app" "$app_name.app"
+  echo "Signing ${app_name}_${LANG}.app"
+  codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "Developer ID Application: The Tor Project, Inc (MADPSAYN6T)" "$app_name.app/"
   echo "codesign exit code: $?"
   set +e
   check_signature $LANG 0
   if [ $? -eq 1 ]
   then
     echo Signature verification failed.
-    rm -r "Tor Browser.app"
-    hdiutil detach "/Volumes/Tor Browser"
+    rm -r "$app_name.app"
+    hdiutil detach "/Volumes/$app_name"
     exit 1
   fi
   set -e
   echo "Zipping up tb-${tbb_version}_${LANG}.zip"
-  zip -qr tb-${tbb_version}_${LANG}.zip "Tor Browser.app"
-  rm -rf "Tor Browser.app"
-  hdiutil detach "/Volumes/Tor Browser"
+  zip -qr tb-${tbb_version}_${LANG}.zip "$app_name.app"
+  rm -rf "$app_name.app"
+  hdiutil detach "/Volumes/$app_name"
   set +e
   check_signature $LANG 1
   if [ $? -eq 1 ]
   then
     echo "Signature verification failed (${LANG})".
-    rm -r "Tor Browser.app"
+    rm -r "$app_name.app"
     exit 1
   fi
   set -e

tools/signing/macos-signer-gatekeeper-signing.torbrowser

+macos-signer-gatekeeper-signing
\ No newline at end of file