Compare revisions

boklm · boklm · boklm · boklm · boklm · bb16c7d2
--- a/.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
+++ b/.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
@@ -173,7 +173,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    - `cd tor-browser-build/tools/signing/`
    - `./macos-signer-proxy`
 - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
 - [ ] run do-all-signing script:
    - `cd tor-browser-build/tools/signing/`
    - `./do-all-signing.torbrowser`

--- a/.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
+++ b/.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
@@ -178,7 +178,6 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    - `cd tor-browser-build/tools/signing/`
    - `./macos-signer-proxy`
 - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- [ ] apk signing : copy signed `*multi.apk` files to the unsigned build outputs directory
 - [ ] run do-all-signing script:
    - `cd tor-browser-build/tools/signing/`
    - `./do-all-signing.sh`

--- a/projects/android-toolchain/config
+++ b/projects/android-toolchain/config
@@ -95,9 +95,8 @@ steps:
      #!/bin/bash
      set -e
      mv -v [% c("input_files_by_name/build_tools") %] [% dest_dir _ '/' _ c('filename') %]
-    var:
-      container:
-        use_container: 0
+    container:
+      use_container: 0
    input_files:
      - URL: '[% c("var/google_repo") %]/[% c("var/build_tools_filename") %]'
        name: build_tools

--- a/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
+++ b/projects/osslsigncode/0001-Make-code-work-with-OpenSSL-1.1.patch
-From 86931f9d7c3d73b97010e598a5ad41ea4fab2b63 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@gmx.de>
-Date: Sun, 12 Mar 2017 23:00:12 +0100
-Subject: [PATCH] Make code work with OpenSSL 1.1.
-
-Changes in consist of:
- Use EVP_MD_CTX_new/free API instead of on-stack allocation
- Remove some M_ prefixes like for ASN1_IA5STRING_new
- Remove pagehash functionality because it is useless to me and
-  fixing it would be a pain. Would require declaring a few
-  ASN_SEQUENCES and use that to get the required i2d functions
-  from what I could find out.
- Remove OBJ_create calls that seem to serve no purpose,
-  now crash because NULL pointers are no longer handled
-  (who changes API that way?!) and even if that was fixed
-  lead to errors when these objects are later created
-  again/"for real" by OBJ_txt2nid or OBJ_txt2obj (I think,
-  did not investigate further).
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 2978c02..3797458 100644
--- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -450,16 +450,16 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
- 	if (desc) {
- 		info->programName = SpcString_new();
- 		info->programName->type = 1;
-		info->programName->value.ascii = M_ASN1_IA5STRING_new();
-		ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
-+		info->programName->value.ascii = ASN1_IA5STRING_new();
-+		ASN1_STRING_set(info->programName->value.ascii,
- 						(const unsigned char*)desc, strlen(desc));
- 	}
- 
- 	if (url) {
- 		info->moreInfo = SpcLink_new();
- 		info->moreInfo->type = 0;
-		info->moreInfo->value.url = M_ASN1_IA5STRING_new();
-		ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
-+		info->moreInfo->value.url = ASN1_IA5STRING_new();
-+		ASN1_STRING_set(info->moreInfo->value.url,
- 						(const unsigned char*)url, strlen(url));
- 	}
- 
-@@ -609,19 +609,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
- 
- 	if (rfc3161) {
- 		unsigned char mdbuf[EVP_MAX_MD_SIZE];
-		EVP_MD_CTX mdctx;
-+		EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
- 
-		EVP_MD_CTX_init(&mdctx);
-		EVP_DigestInit(&mdctx, md);
-		EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
-		EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+		EVP_DigestInit(mdctx, md);
-+		EVP_DigestUpdate(mdctx, si->enc_digest->data, si->enc_digest->length);
-+		EVP_DigestFinal(mdctx, mdbuf, NULL);
-+		EVP_MD_CTX_free(mdctx);
-+		mdctx = NULL;
- 
- 		TimeStampReq *req = TimeStampReq_new();
- 		ASN1_INTEGER_set(req->version, 1);
- 		req->messageImprint->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
- 		req->messageImprint->digestAlgorithm->parameters = ASN1_TYPE_new();
- 		req->messageImprint->digestAlgorithm->parameters->type = V_ASN1_NULL;
-		M_ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
-+		ASN1_OCTET_STRING_set(req->messageImprint->digest, mdbuf, EVP_MD_size(md));
- 		req->certReq = (void*)0x1;
- 
- 		len = i2d_TimeStampReq(req, NULL);
-@@ -921,83 +922,8 @@ static const unsigned char classid_page_hash[] = {
- 	0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
- };
- 
-static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus,
-									 unsigned int sigpos, int phtype, unsigned int *phlen);
-
-DECLARE_STACK_OF(ASN1_OCTET_STRING)
-#ifndef sk_ASN1_OCTET_STRING_new_null
-#define sk_ASN1_OCTET_STRING_new_null() SKM_sk_new_null(ASN1_OCTET_STRING)
-#define sk_ASN1_OCTET_STRING_free(st) SKM_sk_free(ASN1_OCTET_STRING, (st))
-#define sk_ASN1_OCTET_STRING_push(st, val) SKM_sk_push(ASN1_OCTET_STRING, (st), (val))
-#define i2d_ASN1_SET_OF_ASN1_OCTET_STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-	SKM_ASN1_SET_OF_i2d(ASN1_OCTET_STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
-#endif
-
-DECLARE_STACK_OF(SpcAttributeTypeAndOptionalValue)
-#ifndef sk_SpcAttributeTypeAndOptionalValue_new_null
-#define sk_SpcAttributeTypeAndOptionalValue_new_null() SKM_sk_new_null(SpcAttributeTypeAndOptionalValue)
-#define sk_SpcAttributeTypeAndOptionalValue_free(st) SKM_sk_free(SpcAttributeTypeAndOptionalValue, (st))
-#define sk_SpcAttributeTypeAndOptionalValue_push(st, val) SKM_sk_push(SpcAttributeTypeAndOptionalValue, (st), (val))
-#define i2d_SpcAttributeTypeAndOptionalValue(st, pp, i2d_func, ex_tag, ex_class, is_set) \
-	SKM_ASN1_SET_OF_i2d(SpcAttributeTypeAndOptionalValue, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
-#endif
-
-static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos)
-{
-	unsigned int phlen;
-	unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
-	if (!ph) {
-		fprintf(stderr, "Failed to calculate page hash\n");
-		exit(-1);
-	}
-
-	ASN1_OCTET_STRING *ostr = M_ASN1_OCTET_STRING_new();
-	M_ASN1_OCTET_STRING_set(ostr, ph, phlen);
-	free(ph);
-
-	STACK_OF(ASN1_OCTET_STRING) *oset = sk_ASN1_OCTET_STRING_new_null();
-	sk_ASN1_OCTET_STRING_push(oset, ostr);
-	unsigned char *p, *tmp;
-	unsigned int l;
-	l = i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, NULL, i2d_ASN1_OCTET_STRING,
-										  V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-	tmp = p = OPENSSL_malloc(l);
-	i2d_ASN1_SET_OF_ASN1_OCTET_STRING(oset, &tmp, i2d_ASN1_OCTET_STRING,
-									  V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-	ASN1_OCTET_STRING_free(ostr);
-	sk_ASN1_OCTET_STRING_free(oset);
-
-	SpcAttributeTypeAndOptionalValue *aval = SpcAttributeTypeAndOptionalValue_new();
-	aval->type = OBJ_txt2obj((phtype == NID_sha1) ? SPC_PE_IMAGE_PAGE_HASHES_V1 : SPC_PE_IMAGE_PAGE_HASHES_V2, 1);
-	aval->value = ASN1_TYPE_new();
-	aval->value->type = V_ASN1_SET;
-	aval->value->value.set = ASN1_STRING_new();
-	ASN1_STRING_set(aval->value->value.set, p, l);
-	OPENSSL_free(p);
-
-	STACK_OF(SpcAttributeTypeAndOptionalValue) *aset = sk_SpcAttributeTypeAndOptionalValue_new_null();
-	sk_SpcAttributeTypeAndOptionalValue_push(aset, aval);
-	l = i2d_SpcAttributeTypeAndOptionalValue(aset, NULL, i2d_SpcAttributeTypeAndOptionalValue,
-											 V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-	tmp = p = OPENSSL_malloc(l);
-	l = i2d_SpcAttributeTypeAndOptionalValue(aset, &tmp, i2d_SpcAttributeTypeAndOptionalValue,
-											 V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);
-	sk_SpcAttributeTypeAndOptionalValue_free(aset);
-	SpcAttributeTypeAndOptionalValue_free(aval);
-
-	SpcSerializedObject *so = SpcSerializedObject_new();
-	M_ASN1_OCTET_STRING_set(so->classId, classid_page_hash, sizeof(classid_page_hash));
-	M_ASN1_OCTET_STRING_set(so->serializedData, p, l);
-	OPENSSL_free(p);
-
-	SpcLink *link = SpcLink_new();
-	link->type = 1;
-	link->value.moniker = so;
-	return link;
-}
-
- static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type,
-								   int pagehash, char *indata, unsigned int peheader, int pe32plus,
-+								   char *indata, unsigned int peheader, int pe32plus,
- 								   unsigned int sigpos)
- {
- 	static const unsigned char msistr[] = {
-@@ -1024,14 +950,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- 	} else if (type == FILE_TYPE_PE) {
- 		SpcPeImageData *pid = SpcPeImageData_new();
- 		ASN1_BIT_STRING_set(pid->flags, (unsigned char*)"0", 0);
-		if (pagehash) {
-			int phtype = NID_sha1;
-			if (EVP_MD_size(md) > EVP_MD_size(EVP_sha1()))
-				phtype = NID_sha256;
-			pid->file = get_page_hash_link(phtype, indata, peheader, pe32plus, sigpos);
-		} else {
-			pid->file = get_obsolete_link();
-		}
-+		pid->file = get_obsolete_link();
- 		l = i2d_SpcPeImageData(pid, NULL);
- 		p = OPENSSL_malloc(l);
- 		i2d_SpcPeImageData(pid, &p);
-@@ -1046,7 +965,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- 		ASN1_INTEGER_set(si->d, 0);
- 		ASN1_INTEGER_set(si->e, 0);
- 		ASN1_INTEGER_set(si->f, 0);
-		M_ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
-+		ASN1_OCTET_STRING_set(si->string, msistr, sizeof(msistr));
- 		l = i2d_SpcSipInfo(si, NULL);
- 		p = OPENSSL_malloc(l);
- 		i2d_SpcSipInfo(si, &p);
-@@ -1068,7 +987,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, fi
- 	hashlen = EVP_MD_size(md);
- 	hash = OPENSSL_malloc(hashlen);
- 	memset(hash, 0, hashlen);
-	M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
-+	ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
- 	OPENSSL_free(hash);
- 
- 	*len  = i2d_SpcIndirectDataContent(idc, NULL);
-@@ -1923,19 +1842,18 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- 						   unsigned int peheader, int pe32plus, unsigned int fileend)
- {
- 	static unsigned char bfb[16*1024*1024];
-	EVP_MD_CTX mdctx;
-+	EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
- 
-	EVP_MD_CTX_init(&mdctx);
-	EVP_DigestInit(&mdctx, md);
-+	EVP_DigestInit(mdctx, md);
- 
- 	memset(mdbuf, 0, EVP_MAX_MD_SIZE);
- 
- 	(void)BIO_seek(bio, 0);
- 	BIO_read(bio, bfb, peheader + 88);
-	EVP_DigestUpdate(&mdctx, bfb, peheader + 88);
-+	EVP_DigestUpdate(mdctx, bfb, peheader + 88);
- 	BIO_read(bio, bfb, 4);
- 	BIO_read(bio, bfb, 60+pe32plus*16);
-	EVP_DigestUpdate(&mdctx, bfb, 60+pe32plus*16);
-+	EVP_DigestUpdate(mdctx, bfb, 60+pe32plus*16);
- 	BIO_read(bio, bfb, 8);
- 
- 	unsigned int n = peheader + 88 + 4 + 60+pe32plus*16 + 8;
-@@ -1946,11 +1864,12 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
- 		int l = BIO_read(bio, bfb, want);
- 		if (l <= 0)
- 			break;
-		EVP_DigestUpdate(&mdctx, bfb, l);
-+		EVP_DigestUpdate(mdctx, bfb, l);
- 		n += l;
- 	}
- 
-	EVP_DigestFinal(&mdctx, mdbuf, NULL);
-+	EVP_DigestFinal(mdctx, mdbuf, NULL);
-+	EVP_MD_CTX_free(mdctx);
- }
- 
- 
-@@ -2019,16 +1938,15 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- 	int phlen = pphlen * (3 + nsections + sigpos / pagesize);
- 	unsigned char *res = malloc(phlen);
- 	unsigned char *zeroes = calloc(pagesize, 1);
-	EVP_MD_CTX mdctx;
-
-	EVP_MD_CTX_init(&mdctx);
-	EVP_DigestInit(&mdctx, md);
-	EVP_DigestUpdate(&mdctx, indata, peheader + 88);
-	EVP_DigestUpdate(&mdctx, indata + peheader + 92, 60 + pe32plus*16);
-	EVP_DigestUpdate(&mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-	EVP_DigestUpdate(&mdctx, zeroes, pagesize - hdrsize);
-+	EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
-+
-+	EVP_DigestInit(mdctx, md);
-+	EVP_DigestUpdate(mdctx, indata, peheader + 88);
-+	EVP_DigestUpdate(mdctx, indata + peheader + 92, 60 + pe32plus*16);
-+	EVP_DigestUpdate(mdctx, indata + peheader + 160 + pe32plus*16, hdrsize - (peheader + 160 + pe32plus*16));
-+	EVP_DigestUpdate(mdctx, zeroes, pagesize - hdrsize);
- 	memset(res, 0, 4);
-	EVP_DigestFinal(&mdctx, res + 4, NULL);
-+	EVP_DigestFinal(mdctx, res + 4, NULL);
- 
- 	unsigned short sizeofopthdr = GET_UINT16_LE(indata + peheader + 20);
- 	char *sections = indata + peheader + 24 + sizeofopthdr;
-@@ -2040,18 +1958,20 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
- 		unsigned int l;
- 		for (l=0; l < rs; l+=pagesize, pi++) {
- 			PUT_UINT32_LE(ro + l, res + pi*pphlen);
-			EVP_DigestInit(&mdctx, md);
-+			EVP_DigestInit(mdctx, md);
- 			if (rs - l < pagesize) {
-				EVP_DigestUpdate(&mdctx, indata + ro + l, rs - l);
-				EVP_DigestUpdate(&mdctx, zeroes, pagesize - (rs - l));
-+				EVP_DigestUpdate(mdctx, indata + ro + l, rs - l);
-+				EVP_DigestUpdate(mdctx, zeroes, pagesize - (rs - l));
- 			} else {
-				EVP_DigestUpdate(&mdctx, indata + ro + l, pagesize);
-+				EVP_DigestUpdate(mdctx, indata + ro + l, pagesize);
- 			}
-			EVP_DigestFinal(&mdctx, res + pi*pphlen + 4, NULL);
-+			EVP_DigestFinal(mdctx, res + pi*pphlen + 4, NULL);
- 		}
- 		lastpos = ro + rs;
- 		sections += 40;
- 	}
-+	EVP_MD_CTX_free(mdctx);
-+	mdctx = NULL;
- 	PUT_UINT32_LE(lastpos, res + pi*pphlen);
- 	memset(res + pi*pphlen + 4, 0, EVP_MD_size(md));
- 	pi++;
-@@ -2413,7 +2333,7 @@ int main(int argc, char **argv)
- 	int nturl = 0, ntsurl = 0;
- 	int addBlob = 0;
- 	u_char *p = NULL;
-	int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
-+	int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0;
- 	unsigned int tmp, peheader = 0, padlen = 0;
- 	off_t filesize, fileend, sigfilesize, sigfileend, outdatasize;
- 	file_type_t type;
-@@ -2448,13 +2368,6 @@ int main(int argc, char **argv)
- 	ERR_load_crypto_strings();
- 	OPENSSL_add_all_algorithms_conf();
- 
-	/* create some MS Authenticode OIDS we need later on */
-	if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
-		!OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
-		!OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL) ||
-		!OBJ_create(SPC_NESTED_SIGNATURE_OBJID, NULL, NULL))
-		DO_EXIT_0("Failed to add objects\n");
-
- 	md = EVP_sha1();
- 
- 	if (argc > 1) {
-@@ -2531,8 +2444,6 @@ int main(int argc, char **argv)
- 			readpass = *(++argv);
- 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-comm")) {
- 			comm = 1;
-		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ph")) {
-			pagehash = 1;
- 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- 			if (--argc < 1) usage(argv0);
- 			desc = *(++argv);
-@@ -3243,7 +3154,7 @@ int main(int argc, char **argv)
- 		p7x = NULL;
- 	}
- 
-	get_indirect_data_blob(&p, &len, md, type, pagehash, indata, peheader, pe32plus, fileend);
-+	get_indirect_data_blob(&p, &len, md, type, indata, peheader, pe32plus, fileend);
- 	len -= EVP_MD_size(md);
- 	memcpy(buf, p, len);
- 	OPENSSL_free(p);
-- 
-2.34.1
-
--- a/projects/osslsigncode/build
+++ b/projects/osslsigncode/build
@@ -4,11 +4,10 @@ distdir=$(pwd)/dist
 mkdir -p $distdir/[% project %]
 tar xf [% project %]-[% c('version') %].tar.gz
 cd [% project %]-[% c('version') %]
-patch -p1 < ../0001-Make-code-work-with-OpenSSL-1.1.patch
-patch -p1 < ../timestamping.patch

-./autogen.sh
-./configure --prefix=/[% project %]
+mkdir build
+cd build
+cmake -DCMAKE_INSTALL_PREFIX=/[% project %] -S ..
 make
 make DESTDIR=$distdir install


--- a/projects/osslsigncode/config
+++ b/projects/osslsigncode/config
 # vim: filetype=yaml sw=2
 version: '[% c("git_hash").substr(0, 12) %]'
 git_url: https://github.com/mtrojnar/osslsigncode
-git_hash: e72a1937d1a13e87074e4584f012f13e03fc1d64
+git_hash: d6f94d71f731868a3df86c6e0b8094da0c1412ed
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
 container:
  use_container: 0
 var:
  deps:
-    - autoconf
-    - libtool
-    - pkg-config
+    - cmake
    - libssl-dev
    - libcurl4-openssl-dev
 input_files:
-  - filename: 0001-Make-code-work-with-OpenSSL-1.1.patch
-  - filename: timestamping.patch
  - filename: '[% c("var/srcfile") %]'
    enable: '[% c("var/no-git") %]'


--- a/projects/osslsigncode/timestamping.patch
+++ b/projects/osslsigncode/timestamping.patch
-From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk@torproject.org>
-Date: Fri, 5 Feb 2016 09:23:10 +0000
-Subject: [PATCH] Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 32e37c8..2978c02 100644
--- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2556,16 +2556,16 @@ int main(int argc, char **argv)
- 			if (--argc < 1) usage(argv0);
- 			url = *(++argv);
- #ifdef ENABLE_CURL
-		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) {
-+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) {
- 			if (--argc < 1) usage(argv0);
- 			turl[nturl++] = *(++argv);
-		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) {
-+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) {
- 			if (--argc < 1) usage(argv0);
- 			tsurl[ntsurl++] = *(++argv);
-		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) {
-+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) {
- 			if (--argc < 1) usage(argv0);
- 			proxy = *(++argv);
-		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) {
-+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) {
- 			noverifypeer = 1;
- #endif
- 		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
--
-2.7.0
-
-
-From 8159546dfa270da0e3512dcba983ce15029111d0 Mon Sep 17 00:00:00 2001
-From: Georg Koppen <gk@torproject.org>
-Date: Sat, 11 Apr 2020 05:50:36 +0000
-Subject: [PATCH] fixup! Allow timestamping with the 'add' command
-
-
-diff --git a/osslsigncode.c b/osslsigncode.c
-index 3797458..4f4b897 100644
--- a/osslsigncode.c
-+++ b/osslsigncode.c
-@@ -2447,7 +2447,7 @@ int main(int argc, char **argv)
- 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-n")) {
- 			if (--argc < 1) usage(argv0);
- 			desc = *(++argv);
-		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-h")) {
-+		} else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-h")) {
- 			if (--argc < 1) usage(argv0);
- 			++argv;
- 			if (!strcmp(*argv, "md5")) {
--
-2.26.0
--- a/tools/signing/android-signing.mullvadbrowser
+++ b/tools/signing/android-signing.mullvadbrowser
-android-signing
\ No newline at end of file
--- a/tools/signing/android-signing.torbrowser
+++ b/tools/signing/android-signing.torbrowser
-android-signing
\ No newline at end of file
--- a/tools/signing/authenticode-timestamping.sh
+++ b/tools/signing/authenticode-timestamping.sh
@@ -35,7 +35,7 @@ set -e
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 source "$script_dir/functions"

-osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-e72a1937d1a1-25066d.tar.gz"
+osslsigncode_file="$script_dir/../../out/osslsigncode/osslsigncode-d6f94d71f731-3a61fb.tar.gz"

 test -f "$osslsigncode_file" ||
  exit_error "$osslsigncode_file is missing." \

--- a/tools/signing/do-all-signing
+++ b/tools/signing/do-all-signing
@@ -17,9 +17,12 @@ echo
 test -f "$steps_dir/linux-signer-signmars.done" ||
  read -sp "Enter nssdb7 (mar signing) passphrase: " NSSPASS
 echo
-#test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
-#  read -sp "Enter windows authenticode (yubihsm) passphrase: " YUBIPASS
-#echo
+test -f "$steps_dir/linux-signer-sign-android-apks.done" ||
+  read -sp "Enter android apk signing password ($tbb_version_type): " KSPASS
+echo
+test -f "$steps_dir/linux-signer-authenticode-signing.done" ||
+  read -sp "Enter windows authenticode passphrase: " YUBIPASS
+echo
 test -f "$steps_dir/linux-signer-gpg-sign.done" ||
  read -sp "Enter gpg passphrase: " GPG_PASS
 echo
@@ -106,6 +109,18 @@ function sync-after-signmars {
  "$script_dir/sync-linux-signer-to-local"
 }

+function linux-signer-sign-android-apks {
+  ssh "$ssh_host_linux_signer" 'bash -s' << EOF
+  export KSPASS=$KSPASS
+  ~/signing-$SIGNING_PROJECTNAME-$tbb_version_type/linux-signer-sign-android-apks.$SIGNING_PROJECTNAME
+EOF
+  unset KSPASS
+}
+
+function sync-after-sign-android-apks {
+  "$script_dir/sync-linux-signer-to-local"
+}
+
 function download-unsigned-sha256sums-gpg-signatures-from-people-tpo {
  "$script_dir/download-unsigned-sha256sums-gpg-signatures-from-people-tpo"
 }
@@ -199,10 +214,14 @@ do_step sync-scripts-to-linux-signer
 do_step sync-before-linux-signer-signmars
 do_step linux-signer-signmars
 do_step sync-after-signmars
-#do_step linux-signer-authenticode-signing
-#do_step sync-after-authenticode-signing
-#do_step authenticode-timestamping
-#do_step sync-after-authenticode-timestamping
+is_project torbrowser && \
+  do_step linux-signer-sign-android-apks
+is_project torbrowser && \
+  do_step sync-after-sign-android-apks
+do_step linux-signer-authenticode-signing
+do_step sync-after-authenticode-signing
+do_step authenticode-timestamping
+do_step sync-after-authenticode-timestamping
 do_step hash_signed_bundles
 do_step sync-after-hash
 do_step linux-signer-gpg-sign

--- a/tools/signing/linux-signer-gpg-sign
+++ b/tools/signing/linux-signer-gpg-sign
@@ -20,4 +20,5 @@ do
  tmpsig=$(mktemp)
  echo "$GPG_PASS" | sudo -u signing-gpg -- "$wrappers_dir/sign-gpg" "$i" > "$tmpsig"
  mv -f "$tmpsig" "${i}.asc"
+  chmod 644 "${i}.asc"
 done
--- a/tools/signing/linux-signer-sign-android-apks
+++ b/tools/signing/linux-signer-sign-android-apks
+#!/bin/bash
+
+set -e
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
+source "$script_dir/set-config.generated-config"
+
+topdir="$script_dir/../.."
+ARCHS="armv7 aarch64 x86 x86_64"
+projname=$(project-name)
+# tbb_version_type is used in wrappers/sign-apk, so we export it
+export tbb_version_type
+
+check_installed_packages() {
+  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
+  for package in $packages
+  do
+    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
+      exit_error "package $package is missing"
+  done
+}
+
+setup_build_tools() {
+  build_tools_dir=/signing/android-build-tools
+  test -f "$build_tools_dir"/android-12/apksigner || \
+    exit_error "$build_tools_dir/android-12/apksigner is missing"
+  export PATH="$build_tools_dir/android-12:${PATH}"
+}
+
+sign_apk() {
+  sudo -u signing-apk -- /signing/tor-browser-build/tools/signing/wrappers/sign-apk "$(pwd)/$1" "$(pwd)/$2"
+}
+
+verify_apk() {
+  verified=$(apksigner verify --print-certs --verbose "$1")
+  scheme_v1="Verified using v1 scheme (JAR signing): true"
+  scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
+
+  # Verify the expected signing key was used, Alpha verses Release based on the filename.
+  if test "$tbb_version_type" = "alpha"; then
+    cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
+    pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
+  else
+    cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
+    pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
+  fi
+  for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
+    if ! echo "${verified}" | grep -q "${digest}"; then
+      echo "Expected digest not found:"
+      echo ${digest}
+      echo "in:"
+      echo ${verified}
+      exit 1
+    fi
+  done
+}
+
+check_installed_packages
+
+if [ -z "$KSPASS" ]; then
+    echo "Enter keystore passphrase"
+    stty -echo; read KSPASS; stty echo
+    export KSPASS
+fi
+
+setup_build_tools
+
+mkdir -p ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chgrp signing ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+chmod g+w ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cp -af ~/"$SIGNING_PROJECTNAME-$tbb_version"/*.apk ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+cd ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
+
+# Sign all packages
+for arch in ${ARCHS}; do
+  qa_apk=${projname}-${tbb_version}-android-${arch}-multi-qa.apk
+  signed_apk=${projname}-${tbb_version}-android-${arch}-multi.apk
+  sign_apk "$qa_apk" "$signed_apk"
+  verify_apk "$signed_apk"
+  cp -f "$signed_apk" ~/"$SIGNING_PROJECTNAME-$tbb_version"
+done
+
+rm -Rf ~/"$SIGNING_PROJECTNAME-$tbb_version-apks"
--- a/tools/signing/linux-signer-sign-android-apks.torbrowser
+++ b/tools/signing/linux-signer-sign-android-apks.torbrowser
+linux-signer-sign-android-apks
\ No newline at end of file
--- a/tools/signing/machines-setup/setup-signing-machine
+++ b/tools/signing/machines-setup/setup-signing-machine
@@ -83,11 +83,12 @@ create_group signing
 create_user signing-gpg
 create_user signing-mar
 create_user signing-win yubihsm
-
+create_user signing-apk signing

 sudoers_file sign-gpg
 sudoers_file sign-mar
 sudoers_file sign-exe
+sudoers_file sign-apk

 authorized_keys boklm boklm-tb-release.pub boklm-yk1.pub
 create_user richard signing
@@ -111,6 +112,9 @@ install_packages opensc libengine-pkcs11-openssl
 # Install deps for building yubihsm-shell
 install_packages cmake libusb-1.0-0-dev libedit-dev gengetopt libpcsclite-dev help2man chrpath dh-exec

+# Install deps for android/apk signing
+install_packages unzip openjdk-11-jdk-headless openjdk-11-jre-headless
+
 # Build and install yubihsm-pkcs11 package
 create_user build-pkgs
 if ! dpkg-query -s yubihsm-pkcs11 2> /dev/null | grep -q '^Status: .* installed'; then
@@ -132,3 +136,13 @@ if ! test -d /home/signing-mar/mar-tools; then
  chmod go+rX "$tmpdir/mar-tools"/*
  mv "$tmpdir/mar-tools" /home/signing-mar/mar-tools
 fi
+
+for rel in release alpha; do
+  keypath=/home/signing-apk/keys/tba_$rel.p12
+  if ! test -f "$keypath"; then
+    echo "$rel key for android should be put in $keypath"
+  else
+    chown signing-apk "$keypath"
+    chmod 700 "$keypath"
+  fi
+done
--- a/tools/signing/machines-setup/sudoers.d/sign-apk
+++ b/tools/signing/machines-setup/sudoers.d/sign-apk
+Defaults>signing-apk env_keep += "SIGNING_PROJECTNAME tbb_version_type KSPASS"
+%signing ALL = (signing-apk) NOPASSWD: /signing/tor-browser-build/tools/signing/wrappers/sign-apk
--- a/tools/signing/machines-setup/upload-tbb-to-signing-machine
+++ b/tools/signing/machines-setup/upload-tbb-to-signing-machine
@@ -36,6 +36,12 @@ if ! test -f "./out/yubihsm-shell/$yubihsm_filename"; then
  echo "Fetched $yubihsm_filename"
 fi

+android_build_tools_filename=$(./rbm/rbm showconf --step get_build_tools android-toolchain filename)
+if ! test -f "./out/android-toolchain/$android_build_tools_filename"; then
+  ./rbm/rbm build --step get_build_tools android-toolchain
+  echo "Fetched $android_build_tools_filename"
+fi
+
 signing_machine='linux-signer'
 setup_user='setup'
 signing_dir='/signing'
@@ -43,14 +49,26 @@ signing_dir='/signing'
 echo "Uploading $osslsigncodefile to $signing_machine"
 chmod go+r "./out/osslsigncode/$osslsigncodefile"
 rsync -v "./out/osslsigncode/$osslsigncodefile" "$setup_user@$signing_machine:$signing_dir/$osslsigncodefile"
+
 echo "Uploading rbm.tar to $signing_machine"
 rsync -v "$tmpdir/rbm.tar" "$setup_user@$signing_machine:$signing_dir/rbm.tar"
+
 echo "Uploading $martools_filename"
 chmod go+r "./out/mar-tools/$martools_filename"
 rsync -v "./out/mar-tools/$martools_filename" "$setup_user@$signing_machine:$signing_dir/$martools_filename"
+
 echo "Uploading $yubihsm_filename"
 chmod go+r "./out/yubihsm-shell/$yubihsm_filename"
 rsync -v "./out/yubihsm-shell/$yubihsm_filename" "$setup_user@$signing_machine:$signing_dir/$yubihsm_filename"
+
+echo "Uploading $android_build_tools_filename"
+chmod go+r "./out/android-toolchain/$android_build_tools_filename"
+rsync -v "./out/android-toolchain/$android_build_tools_filename" "$setup_user@$signing_machine:$signing_dir/$android_build_tools_filename"
+echo "Extracting $android_build_tools_filename"
+ssh "$setup_user@$signing_machine" mkdir -p $signing_dir/android-build-tools
+ssh "$setup_user@$signing_machine" unzip -qo -d $signing_dir/android-build-tools "$signing_dir/$android_build_tools_filename"
+ssh "$setup_user@$signing_machine" chmod -R o+rX "$signing_dir/$android_build_tools_filename"
+
 echo "Uploading tor-browser-build.tar to $signing_machine"
 scp -p "$tbbtar" "$setup_user@$signing_machine:$signing_dir/"
 echo "Extracting tor-browser-build.tar on $signing_machine"

--- a/tools/signing/set-config.android-signing
+++ b/tools/signing/set-config.android-signing
-# The following line should be uncommented and updated:
-
-#ssh_host_pkgstage=tbbuild
-#pkgstage_tor_browser_build_dir=/home/user/tor-browser-build
-#android_signing_key_dir=/path/to/signing/key/dir
-
-var_is_defined ssh_host_pkgstage android_signing_key_dir
--- a/tools/signing/android-signing
+++ b/tools/signing/android-signing
 #!/bin/bash
-
-# Sign apk for each target architecture.
-# This script does not require command line argument, but it needs 
-# some configuration options to be set in set-config.android-signing:
-#  - ssh_host_pkgstage is the host which you use for staging packages
-#    during signing. The script will download the unsigned .apk files
-#    from this host, and upload the signed .apk there
-#  - pkgstage_tor_browser_build_dir: this is the path to tor-browser-build
-#    on pkgstage
-#  - android_signing_key_dir: the local path where the android signing
-#    keys are located. That directory should contains files tba_alpha.p12
-#    and tba_release.p12 for alpha and release signing keys.
-# The Tor Browser version is taken from set-config.tbb-version
-
 set -e
-script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "$script_dir/functions"
-source "$script_dir/set-config.android-signing"

-topdir="$script_dir/../.."
-ARCHS="armv7 aarch64 x86 x86_64"
-projname=$(project-name)
-
-android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
-test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
-
-check_installed_packages() {
-  local packages='unzip openjdk-11-jdk-headless openjdk-11-jre-headless'
-  for package in $packages
+function exit_error {
+  for msg in "$@"
  do
-    dpkg -s "$package" | grep -q '^Status: install ok installed$' || \
-      exit_error "package $package is missing"
+    echo "$msg" >&2
  done
+  exit 1
 }

+if test "$tbb_version_type" != 'release' \
+  && test "$tbb_version_type" != 'alpha'; then
+  exit_error "Unexpected value for tbb_version_type: $tbb_version_type"
+fi
+
+android_signing_key_dir=/home/signing-apk/keys
+android_signing_key_path="$android_signing_key_dir/tba_$tbb_version_type.p12"
+test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is missing"
+
 setup_build_tools() {
-  local rbm="$topdir/rbm/rbm"
-  local build_tools_zipfile="$topdir/out/android-toolchain/$("$rbm" showconf --step get_build_tools android-toolchain filename)"
-  if ! test -f "$build_tools_zipfile"; then
-    "$rbm" build --step get_build_tools android-toolchain
-    test -f "$build_tools_zipfile" || exit_error "$build_tools_zipfile is missing"
-  fi
-  local build_tools_dir=$(mktemp -d)
-  trap "rm -Rf $build_tools_dir" EXIT
-  unzip -d "$build_tools_dir" "$build_tools_zipfile"
+  build_tools_dir=/signing/android-build-tools
  test -f "$build_tools_dir"/android-12/apksigner || \
    exit_error "$build_tools_dir/android-12/apksigner is missing"
  export PATH="$build_tools_dir/android-12:${PATH}"
 }

-download_unsigned_apks() {
-  apks_dir=$(mktemp -d)
-  trap "rm -Rf $apks_dir" EXIT
-  rsync -avH "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/*-qa.apk" "$apks_dir/"
-}
-
-upload_signed_apks() {
-  rsync -avH --exclude="*-qa.apk" --exclude="*-unaligned.apk" \
-    --exclude="*-unsigned.apk" "$apks_dir/" \
-    "$ssh_host_pkgstage:$pkgstage_tor_browser_build_dir/$SIGNING_PROJECTNAME/$tbb_version_type/signed/$tbb_version/"
-}
-
 # Sign individual apk
 sign_apk() {
    INPUTAPK="$1"
+    OUTPUTAPK="$2"

    # https://developer.android.com/studio/publish/app-signing#sign-manually
    # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
@@ -75,10 +40,11 @@ sign_apk() {
    echo Aligning and signing ${INPUTAPK}

    # Append the different stages of signing
-    UNSIGNED_UNALIGNED_APK=`echo "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
+    UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
    UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
    SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`

+    # ${INPUTAPK} is full path. We copy to local tmp directory.
    cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"

    # Step 1: Align
@@ -117,67 +83,16 @@ sign_apk() {
        exit 1
    fi

+    mv -f "${SIGNED_APK}" "$OUTPUTAPK"
    echo apksigner verify succeeded
 }

-# Rename and verify signing certificate
-finalize() {
-  for arch in ${ARCHS}; do
-      mv ${projname}-${tbb_version}-android-${arch}-multi{-qa,}.apk
-  done
-
-  for arch in ${ARCHS}; do
-      verified=`apksigner verify --print-certs --verbose ${projname}-${tbb_version}-android-${arch}-multi.apk`
-      scheme_v1=
-      scheme_v2=
-      cert_digest=
-      pubkey_digest=
-
-      # Verify the expected signing key was used, Alpha verses Release based on the filename.
-      if test "$tbb_version_type" = "alpha"; then
-          scheme_v1="Verified using v1 scheme (JAR signing): true"
-          scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
-          cert_digest="Signer #1 certificate SHA-256 digest: 15f760b41acbe4783e667102c9f67119be2af62fab07763f9d57f01e5e1074e1"
-          pubkey_digest="Signer #1 public key SHA-256 digest: 4e617e6516f81123ca58e718d617a704ac8365c575bd9e7a731ba5dd0476869d"
-      else
-          scheme_v1="Verified using v1 scheme (JAR signing): true"
-          scheme_v2="Verified using v2 scheme (APK Signature Scheme v2): true"
-          cert_digest="Signer #1 certificate SHA-256 digest: 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8"
-          pubkey_digest="Signer #1 public key SHA-256 digest: 343ca8a2e5452670bdc335a181a4baed909f868937d68c4653e44ef84de8dfc6"
-      fi
-      for digest in "${scheme_v1}" "${scheme_v2}" "${cert_digest}" "${pubkey_digest}"; do
-          if ! `echo "${verified}" | grep -q "${digest}"`; then
-              echo "Expected digest not found:"
-              echo ${digest}
-              echo "in:"
-              echo ${verified}
-              exit 1
-          fi
-      done
-  done
-
-  echo Done.
-}
-
-check_installed_packages
-
-if [ -z "$KSPASS" ]; then
-    echo "Enter keystore passphrase"
-    stty -echo; read KSPASS; stty echo
-    export KSPASS
-fi
-
 setup_build_tools

-download_unsigned_apks
-
-cd $apks_dir
-
-# Sign all packages
-for arch in ${ARCHS}; do
-    sign_apk ${projname}-${tbb_version}-android-${arch}-multi-qa.apk
-done
+tmpdir=$(mktemp -d)
+cd "$tmpdir"

-finalize
+sign_apk "$1" "$2"

-upload_signed_apks
+cd -
+rm -Rf "$tmpdir"
--- a/tools/signing/wrappers/sign-exe
+++ b/tools/signing/wrappers/sign-exe
@@ -11,10 +11,12 @@ if test $(whoami) != 'signing-win'; then
  exit 2
 fi

-yubipass="$1"
+pass="$1"
 to_sign_exe="$2"

-tpo_cert=/home/signing-win/tpo-cert.crt
+key_dir=/home/signing-win/keys/key-1
+tpo_cert=$key_dir/the_tor_project_inc.crt
+tpo_key=$key_dir/private.pem

 if ! test -f "$tpo_cert"; then
  echo "File $tpo_cert is missing" >&2
@@ -26,12 +28,10 @@ rm -f "$output_signed_exe"

 export 'YUBIHSM_PKCS11_CONF=/signing/tor-browser-build/tools/signing/machines-setup/etc/yubihsm_pkcs11.conf'
 /home/signing-win/osslsigncode/bin/osslsigncode \
-  -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
-  -pkcs11module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so \
-  -pass "$yubipass" \
+  -pass "$pass" \
  -h sha256 \
  -certs "$tpo_cert" \
-  -key 1c40 \
+  -key "$tpo_key" \
  "$to_sign_exe" "$output_signed_exe"

 chmod 644 "$output_signed_exe"
No results found