Bug 40851: Integrate android apk signing in do-all-signing

e36799bf · boklm · Richard Pospesel · 747e1261 · e36799bf · e36799bf
Commit e36799bf authored Jun 5, 2023 by boklm Committed by Richard Pospesel Jun 12, 2023
--- a/.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
+++ b/.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
@@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    - `cd tor-browser-build/tools/signing/`
    - `./macos-signer-proxy`
 - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
 - [ ] run do-all-signing script:
    - `cd tor-browser-build/tools/signing/`
    - `./do-all-signing.torbrowser`

--- a/.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
+++ b/.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
@@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    - `cd tor-browser-build/tools/signing/`
    - `./macos-signer-proxy`
 - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
 - [ ] run do-all-signing script:
    - `cd tor-browser-build/tools/signing/`
    - `./do-all-signing.sh`

--- a/projects/android-toolchain/config
+++ b/projects/android-toolchain/config
@@ -95,7 +95,6 @@ steps:
      #!/bin/bash
      set -e
      mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
-    var:
    container:
      use_container: 0
    input_files:

--- a/tools/signing/android-signing.mullvadbrowser
+++ b/tools/signing/android-signing.mullvadbrowser
-android-signing
\ No newline at end of file
--- a/tools/signing/android-signing.torbrowser
+++ b/tools/signing/android-signing.torbrowser
-android-signing
\ No newline at end of file
--- a/tools/signing/do-all-signing
+++ b/tools/signing/do-all-signing
@@ -17,6 +17,9 @@ echo
 test -f "$steps_dir/linux-signer-signmars.done" ||
  read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
 echo
+test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
+  read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
+echo
 #test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
 #  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
 #echo
@@ -106,6 +109,18 @@ function sync-after-signmars {
  "$script_dir/sync-linux-signer-to-local"
 }

+function linux-signer-sign-android-apks {
+  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
+  export KSPASS=$KSPASS
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
+EOF
+  unset KSPASS
+}
+
+function sync-after-sign-android-apks {
+  "$script_dir/sync-linux-signer-to-local"
+}
+
 function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
  "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
 }
@@ -199,6 +214,10 @@ do_step sync-scripts-to-linux-signer
 do_step sync-before-linux-signer-signmars
 do_step linux-signer-signmars
 do_step sync-after-signmars
+is_project torbrowser && \
+  do_step linux-signer-sign-android-apks
+is_project torbrowser && \
+  do_step sync-after-sign-android-apks
 #do_step linux-signer-authenticode-signing
 #do_step sync-after-authenticode-signing
 #do_step authenticode-timestamping

--- a/tools/signing/linux-signer-sign-android-apks
+++ b/tools/signing/linux-signer-sign-android-apks
+#!/bin/bash
+
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.generated-config"
+
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
+projname=$(project-name)
+# tbb_version_type is used in wrappers/sign-apk, so we export it
+export tbb_version_type
+
+check_installed_packages() {
+  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+  for package in $packages
+  do
+    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+      exit_error "package $package is missing"
+  done
+}
+
+setup_build_tools() {
+  build_tools_dir=/signing/android-build-tools
+  test -f "$build_tools_dir"/android-12/apksigner || \
+    exit_error "$build_tools_dir/android-12/apksigner is missing"
+  export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+sign_apk() {
+  sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
+}
+
+verify_apk() {
+  verified=$(apksigner verify --print-certs --verbose "$1")
+  scheme_v1="Verified using v1 scheme (JAR signing): true"
+  scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
+
+  # Verify the expected signing key was used, Alpha verses Release based on the filename.
+  if test "$tbb_version_type" = "alpha"; then
+    cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
+    pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
+  else
+    cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
+    pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
+  fi
+  for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
+    if ! echo "${verified}" | grep -q "${digest}"; then
+      echo "Expected digest not found:"
+      echo ${digest}
+      echo "in:"
+      echo ${verified}
+      exit 1
+    fi
+  done
+}
+
+check_installed_packages
+
+if [ -z "$KSPASS" ]; then
+    echo "Enter keystore passphrase"
+    stty -echo; read KSPASS; stty echo
+    export KSPASS
+fi
+
+setup_build_tools
+
+mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+
+# Sign all packages
+for arch in ${ARCHS}; do
+  qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
+  signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
+  sign_apk "$qa_apk" "$signed_apk"
+  verify_apk "$signed_apk"
+  cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
+done
+
+rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
--- a/tools/signing/linux-signer-sign-android-apks.torbrowser
+++ b/tools/signing/linux-signer-sign-android-apks.torbrowser
+linux-signer-sign-android-apks
\ No newline at end of file
--- a/tools/signing/machines-setup/setup-signing-machine
+++ b/tools/signing/machines-setup/setup-signing-machine
@@ -83,11 +83,12 @@ create_group signing
 create_user signing-gpg
 create_user signing-mar
 create_user signing-win yubihsm
-
+create_user signing-apk signing

 sudoers_file sign-gpg
 sudoers_file sign-mar
 sudoers_file sign-exe
+sudoers_file sign-apk

 authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
 create_user richard signing
@@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl
 # Install deps for building yubihsm-shell
 install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec

+# Install deps for android/apk signing
+install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
+
 # Build and install yubihsm-pkcs11 package
 create_user build-pkgs
 if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
@@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then
  chmod go+rX "$tmpdir/mar-tools"/*
  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
 fi
+
+for rel in release alpha; do
+  keypath=/home/signing-apk/keys/tba_$rel.p12
+  if ! test -f "$keypath"; then
+    echo "$rel key for android should be put in $keypath"
+  else
+    chown signing-apk "$keypath"
+    chmod 700 "$keypath"
+  fi
+done
--- a/tools/signing/machines-setup/sudoers.d/sign-apk
+++ b/tools/signing/machines-setup/sudoers.d/sign-apk
+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk
--- a/tools/signing/machines-setup/upload-tbb-to-signing-machine
+++ b/tools/signing/machines-setup/upload-tbb-to-signing-machine
@@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
  echo "Fetched $yubihsm_filename"
 fi

+android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
+if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
+  ./rbm/rbm build --step get_build_tools android-toolchain
+  echo "Fetched $android_build_tools_filename"
+fi
+
 signing_machine='linux-signer'
 setup_user='setup'
 signing_dir='/signing'
@@ -43,14 +49,26 @@ signing_dir='/signing'
 echo "Uploading $osslsigncodefile to $signing_machine"
 chmod go+r "./out/osslsigncode/$osslsigncodefile"
 rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+
 echo "Uploading rbm.tar to $signing_machine"
 rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+
 echo "Uploading $martools_filename"
 chmod go+r "./out/mar-tools/$martools_filename"
 rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+
 echo "Uploading $yubihsm_filename"
 chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
 rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+
+echo "Uploading $android_build_tools_filename"
+chmod go+r "./out/android-toolchain/$android_build_tools_filename"
+rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
+echo "Extracting $android_build_tools_filename"
+ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
+ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
+ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
+
 echo "Uploading tor-browser-build.tar to $signing_machine"
 scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
 echo "Extracting tor-browser-build.tar on $signing_machine"

--- a/tools/signing/set-config.android-signing
+++ b/tools/signing/set-config.android-signing
-# The following line should be uncommented and updated:
-
-#ssh_host_pkgstage=tbbuild
-#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
-#android_signing_key_dir=/path/to/signing/key/dir
-
-var_is_defined ssh_host_pkgstage android_signing_key_dir
--- a/tools/signing/android-signing
+++ b/tools/signing/android-signing
 #!/bin/bash
-
-# Sign apk for each target architecture.
-# This script does not require command line argument, but it needs 
-# some configuration options to be set in set-config.android-signing:
-#  - ssh_host_pkgstage is the host which you use for staging packages
-#    during signing. The script will download the unsigned .apk files
-#    from this host, and upload the signed .apk there
-#  - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
-#    on pkgstage
-#  - android_signing_key_dir: the local path where the android signing
-#    keys are located. That directory should contains files tba_alpha.p12
-#    and tba_release.p12 for alpha and release signing keys.
-# The Tor Browser version is taken from set-config.tbb-version
-
 set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.android-signing"
-
-topdir="$script_dir/../.."
-ARCHS="armv7 aarch64 x86 x86_64"
-projname=$(project-name)

-android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
-test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
-
-check_installed_packages() {
-  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
-  for package in $packages
+function exit_error {
+  for msg in "$@"
  do
-    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
-      exit_error "package $package is missing"
+    echo "$msg" >&2
  done
+  exit 1
 }

-setup_build_tools() {
-  local rbm="$topdir/rbm/rbm"
-  local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
-  if ! test -f "$build_tools_zipfile"; then
-    "$rbm" build --step get_build_tools android-toolchain
-    test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
+if test "$tbb_version_type" != 'release' \
+  && test "$tbb_version_type" != 'alpha'; then
+  exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
 fi
-  local build_tools_dir=$(mktemp -d)
-  trap "rm -Rf $build_tools_dir" EXIT
-  unzip -d "$build_tools_dir" "$build_tools_zipfile"
+
+android_signing_key_dir=/home/signing-apk/keys
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
+
+setup_build_tools() {
+  build_tools_dir=/signing/android-build-tools
  test -f "$build_tools_dir"/android-12/apksigner || \
    exit_error "$build_tools_dir/android-12/apksigner is missing"
  export PATH="$build_tools_dir/android-12:${PATH}"
 }

-download_unsigned_apks() {
-  apks_dir=$(mktemp -d)
-  trap "rm -Rf $apks_dir" EXIT
-  rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
-}
-
-upload_signed_apks() {
-  rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
-    --exclude="*-unsigned.apk" "$apks_dir/" \
-    "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
-}
-
 # Sign individual apk
 sign_apk() {
    INPUTAPK="$1"
+    OUTPUTAPK="$2"

    # https://developer.android.com/studio/publish/app-signing#sign-manually
    # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
@@ -75,10 +40,11 @@ sign_apk() {
    echo Aligning and signing ${INPUTAPK}

    # Append the different stages of signing
-    UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
+    UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
    UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
    SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`

+    # ${INPUTAPK} is full path. We copy to local tmp directory.
    cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"

    # Step 1: Align
@@ -117,67 +83,16 @@ sign_apk() {
        exit 1
    fi

+    mv -f "${SIGNED_APK}" "$OUTPUTAPK"
    echo apksigner verify succeeded
 }

-# Rename and verify signing certificate
-finalize() {
-  for arch in ${ARCHS}; do
-      mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
-  done
-
-  for arch in ${ARCHS}; do
-      verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
-      scheme_v1=
-      scheme_v2=
-      cert_digest=
-      pubkey_digest=
-
-      # Verify the expected signing key was used, Alpha verses Release based on the filename.
-      if test "$tbb_version_type" = "alpha"; then
-          scheme_v1="Verified using v1 scheme (JAR signing): true"
-          scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
-          cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
-          pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
-      else
-          scheme_v1="Verified using v1 scheme (JAR signing): true"
-          scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
-          cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
-          pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
-      fi
-      for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
-          if ! `echo "${verified}" | grep -q "${digest}"`; then
-              echo "Expected digest not found:"
-              echo ${digest}
-              echo "in:"
-              echo ${verified}
-              exit 1
-          fi
-      done
-  done
-
-  echo Done.
-}
-
-check_installed_packages
-
-if [ -z "$KSPASS" ]; then
-    echo "Enter keystore passphrase"
-    stty -echo; read KSPASS; stty echo
-    export KSPASS
-fi
-
 setup_build_tools

-download_unsigned_apks
-
-cd $apks_dir
-
-# Sign all packages
-for arch in ${ARCHS}; do
-    sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
-done
+tmpdir=$(mktemp -d)
+cd "$tmpdir"

-finalize
+sign_apk "$1" "$2"

-upload_signed_apks
+cd -
+rm -Rf "$tmpdir"