Verified Commit ede46581 authored by Pier Angelo Vendrame 🎃

Bug 41093: Add a patch to unsign APKs.

Currently, we sign the APKs that were already signed with the QA key.
However, this makes it impossible to copy our signature on top of APKs
built independently, which would be the last step to reproduce our
builds.

With this commit, we provide a patch to go back to the unsigned (but
already aligned) APK, so that we can keep shipping QA-signed APKs for
testers, but we can go back to the unsigned APK for the final signing.

The changes to apply this patch in the signing scripts will be part of
another commit.
parent 5333cc52
+7 −6
@@ -54,7 +54,7 @@ If you are running Fedora, CentOS or RHEL, you can install them with:
              "perl(Template)" "perl(IO::Handle)" "perl(Capture::Tiny)" \
              "perl(JSON)" "perl(File::Temp)" "perl(Path::Tiny)" \
              "perl(File::Path)" "perl(File::Slurp)" \
              "perl(File::Copy::Recursive)" "perl(String::ShellQuote)"
              "perl(File::Copy::Recursive)" "perl(String::ShellQuote)" \
              "perl(Sort::Versions)" "perl(Digest::SHA)" "perl(Data::UUID)" \
              "perl(Data::Dump)" "perl(DateTime)" "perl(XML::Writer)" \
              "perl(Parallel::ForkManager)" perl-ph mercurial git zstd
@@ -237,11 +237,12 @@ builds, and will require that you run Debian Bullseye or Bookworm and
install build dependencies for all the components that are built. This can
be done with the following command:

  # apt-get install build-essential python3 automake libtool zip unzip \
            autoconf2.13 openjdk-11-jdk gettext-base autotools-dev \
            automake autoconf libtool autopoint libssl-dev pkg-config \
            zlib1g-dev libparallel-forkmanager-perl libfile-slurp-perl bzip2 \
            xz-utils apksigner yasm wget bison gyp tcl python3-venv 7zip jq
  # apt-get install 7zip apksigner autoconf autoconf2.13 automake autopoint \
                    autotools-dev bison bsdiff build-essential bzip2 \
                    gettext-base gyp jq libfile-slurp-perl \
                    libparallel-forkmanager-perl libssl-dev libtool libtool \
                    openjdk-11-jdk pkg-config python3 python3-venv tcl unzip \
                    wget xz-utils yasm zip zlib1g-dev

Note that Debian Bullseye requires the bullseye-backports repository to
get the 7zip package.
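Review bot: `libtool` is still listed twice in the re-sorted apt-get line (`libparallel-forkmanager-perl libssl-dev libtool libtool`). The old list's duplicate `automake` was collapsed, so this one looks like an oversight and can be dropped. Because the same hunk also re-sorts the whole list, the one functional change, the new `bsdiff` package, is hard to spot; doing the sort in a separate commit would make the dependency addition reviewable on its own.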
+3 −0
@@ -66,6 +66,9 @@ zipalign -vp 4 repacked.apk $aligned_apk
# flag in the manifest.
apksigner sign --verbose --min-sdk-version [% c("var/android_min_api") %] --ks $rootdir/android-qa.keystore --out $qa_apk --in $aligned_apk --ks-key-alias androidqakey --key-pass pass:android --ks-pass pass:android

unsign_patch="[% dest_dir %]/[% c('filename') %]/[% c('var/project-name') %]-qa-unsign-[% c('var/osname') %]-[% c('version') %].bspatch"
bsdiff $qa_apk $aligned_apk $unsign_patch

[%IF c("var/tor-browser") -%]
  tor_expert_bundle_src="[% c("input_files_by_name/tor-expert-bundle") %]"
  # strip off trailing "$buildid.tar.gz"
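Review bot: the `bsdiff $qa_apk $aligned_apk $unsign_patch` step never checks that the generated patch actually reproduces the aligned APK. Since the final signing will depend on recovering a byte-identical `$aligned_apk` from the QA-signed file, a round trip right after generation, e.g. `bspatch $qa_apk roundtrip.apk $unsign_patch` followed by `cmp roundtrip.apk $aligned_apk`, would catch a bad patch at build time instead of at signing time (`roundtrip.apk` is a placeholder name). A one-line comment above the new lines saying what the .bspatch is for would also help, as the neighbouring steps have one.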
+1 −0
@@ -48,6 +48,7 @@ targets:
      arch_deps:
        - 7zip
        - openjdk-17-jdk-headless
        - bsdiff
      container:
        # 7zip is in backports in bullseye, and we can already use Java 17 for
        # apksigner.
+1 −1
@@ -59,7 +59,7 @@ EOF
# empty any existing sh256sums file
echo -n > sha256sums-unsigned-build.txt
# concat sha256sum entry for each file in set
for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.json | grep -v '\.incremental\.mar$' | sort)
for i in $(ls -1 *.exe *.tar.xz *.dmg *.mar *.zip *.tar.gz *.apk *.bspatch *.json | grep -v '\.incremental\.mar$' | sort)
do
  sha256sum $i >> sha256sums-unsigned-build.txt
done
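Review bot: with `*.bspatch` added, the loop still iterates over parsed `ls -1` output and passes `$i` to `sha256sum` unquoted, so a file name containing whitespace would be split and hashed incorrectly or skipped. Since the line is being touched anyway, consider quoting `"$i"` and fixing the `sh256sums` typo in the comment above it. Listing the patch in sha256sums-unsigned-build.txt is the right call, since the .bspatch becomes an input to the final signing.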