tor-browser-build issueshttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues2024-03-26T20:08:31Zhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41097authenticode-timestamping.sh fails to run again because tmp-timestamp already...2024-03-26T20:08:31Zboklmauthenticode-timestamping.sh fails to run again because tmp-timestamp already existsIf running `authenticode-timestamping.sh` fails for some reason, running
it again will fail because directory `tmp-timestamp` already exists.
We should use a directory created with `mktemp` to avoid this.If running `authenticode-timestamping.sh` fails for some reason, running
it again will fail because directory `tmp-timestamp` already exists.
We should use a directory created with `mktemp` to avoid this.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41093Sign unsigned APKs instead of the QA-signed ones2024-02-28T15:29:59ZPier Angelo VendrameSign unsigned APKs instead of the QA-signed onesIf I understand correctly, we start from the QA-signed APKs.
Then we re-align them and apply the new signature.
However, this doesn't allow to use `apksigcopier` to copy our official signatures to APK independently built.
It would be v...If I understand correctly, we start from the QA-signed APKs.
Then we re-align them and apply the new signature.
However, this doesn't allow to use `apksigcopier` to copy our official signatures to APK independently built.
It would be very nice to be able to do so, as the final step of reproducing the builds.
`apksigcopier` complains about metadata being already in the APK, but it would work with unsigned APKs.
`apksigner` instead couldn't care less of a signature being already there.
Moreover, us running zipalign again makes everything more complicated.
I think the changes would to the signing script could be trivial, but it depends on the way we want to address this.
Exporting a signed APK for QA is very useful in my opinion, because it avoids testers the step to self-sign the APK, which requires some tools, a computer (whereas with an already signed APK you can even download it on the Android device) etc...
However, exporting both the signed and unsigned APKs (the easiest solution) would increase the size taken by each build by 400MB for minimal changes.
Stripping the signature seems to be very difficult.
So, as a solution, I think we could try to run `bsdiff`:
```
time bsdiff signed.apk aligned.apk unsign.bspatch
________________________________________________________
Executed in 14.29 secs fish external
usr time 14.24 secs 177.00 micros 14.24 secs
sys time 0.04 secs 153.00 micros 0.04 secs
ll unsign.bspatch
-rw-r--r-- 1 piero piero 282 27 feb 09.41 unsign.bspatch
time bspatch signed.apk unsigned.apk unsign.bspatch
________________________________________________________
Executed in 213.61 millis fish external
usr time 177.25 millis 145.00 micros 177.11 millis
sys time 36.37 millis 143.00 micros 36.23 millis
```
So, it adds 15 seconds to the build (which is more than I expected, but still extremely feasible), but with 282 bytes we'd be okay.
It will also require us to add the `bsdiff` package to the signing machines, but I guess it's fine.
I could do the build part, but maybe it's better if someone who can also sign does everything together.
/cc @Mynacolhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41059Update keyring/torbrowser.gpg with updated key2024-01-10T15:56:40ZboklmUpdate keyring/torbrowser.gpg with updated keyTor Browser gpg key has been updated with new expiration date, so we
should update `keyring/torbrowser.gpg`.Tor Browser gpg key has been updated with new expiration date, so we
should update `keyring/torbrowser.gpg`.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41039Update tools/signing/upload-update_responses-to-staticiforme to keep download...2023-12-12T09:55:30Zmeskiomeskio@torproject.orgUpdate tools/signing/upload-update_responses-to-staticiforme to keep download-*json files from previous release when new release does not include themhttps://aus1.torproject.org/torbrowser/update_3/release/ doesn't have android-aarch64 and android-armv7.https://aus1.torproject.org/torbrowser/update_3/release/ doesn't have android-aarch64 and android-armv7.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41037Set time on signing machine before starting signing2024-01-18T10:33:28ZboklmSet time on signing machine before starting signingIt seems our signing machine is not storing the current time before
rebooting, so after a reboot its time is wrong.
To avoid signing with an incorrect time, we can have a step in
`do-all-signing` to set the time on the signing machine.It seems our signing machine is not storing the current time before
rebooting, so after a reboot its time is wrong.
To avoid signing with an incorrect time, we can have a step in
`do-all-signing` to set the time on the signing machine.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41031Add command to unsign .mar files and compare with sha256sums-unsigned-build.txt2023-12-04T13:32:27ZboklmAdd command to unsign .mar files and compare with sha256sums-unsigned-build.txtSimilar to #41030, we should add some commands to remove signature from
mar files, and compare them with sha256sums-unsigned-build.txt.
Except for macos, until we find some solution to remove macos code signing.Similar to #41030, we should add some commands to remove signature from
mar files, and compare them with sha256sums-unsigned-build.txt.
Except for macos, until we find some solution to remove macos code signing.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41030Add command to unsign .exe files and compare with sha256sums-unsigned-build.txt2023-11-30T12:49:19ZboklmAdd command to unsign .exe files and compare with sha256sums-unsigned-build.txtTo make it easier to check that a signed `.exe` file contains the same
program as the unsigned one, we should add some commands like `make
torbrowser-compare-windows-signed-unsigned-release` that will unsign
tor-browser exe files (in a t...To make it easier to check that a signed `.exe` file contains the same
program as the unsigned one, we should add some commands like `make
torbrowser-compare-windows-signed-unsigned-release` that will unsign
tor-browser exe files (in a temporary directory) and check that they
match the ones from `sha256sums-unsigned-build.txt`.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41007gatekeeper-bundling.sh refers to old .tar.gz archive2023-11-06T20:55:15Zrichardgatekeeper-bundling.sh refers to old .tar.gz archiveNeed to update `hfstool_file` var to point to new .tar.zst fileNeed to update `hfstool_file` var to point to new .tar.zst filerichardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41006Fix typo in finished-signing-clean-linux signer2023-11-06T20:55:22ZrichardFix typo in finished-signing-clean-linux signerThis script is missing a `"` character which prevents it from completingThis script is missing a `"` character which prevents it from completingrichardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41005Unpack macOS bundle to /var/tmp instead of /tmp in rcodesign-notary-submit step2023-11-06T21:10:52ZrichardUnpack macOS bundle to /var/tmp instead of /tmp in rcodesign-notary-submit step/tmp doesn't have enough space on the machine I use to notarise, so locally I had to switch this directory to /var/tmp intead/tmp doesn't have enough space on the machine I use to notarise, so locally I had to switch this directory to /var/tmp inteadrichardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40995Use cdn.stagemole.eu instead of cdn.devmole.eu in download-unsigned-sha256sum...2023-11-28T09:35:40ZboklmUse cdn.stagemole.eu instead of cdn.devmole.eu in download-unsigned-sha256sums-gpg-signatures-from-people-tpoThe mullvad build hashes are now in
https://cdn.stagemole.eu/hashes/mullvadbrowser/The mullvad build hashes are now in
https://cdn.stagemole.eu/hashes/mullvadbrowser/boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40970Missing symlink create-blog-post.torbrowser -> create-blog-post symlink2023-11-22T19:22:52ZboklmMissing symlink create-blog-post.torbrowser -> create-blog-post symlinkIn directory `tools/signing` we are missing a symlink
`create-blog-post.torbrowser -> create-blog-post`.In directory `tools/signing` we are missing a symlink
`create-blog-post.torbrowser -> create-blog-post`.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40969Improve authenticode-timestamping.sh for when timestamping fails2024-03-20T16:47:09ZboklmImprove authenticode-timestamping.sh for when timestamping failsWhen timestamping fails (for example because of temporary error connecting to http://timestamp.digicert.com), restarting this step fails because the tmp directory `"$signed_dir/$tbb_version/tmp-timestamp"` already exists.
We can replace...When timestamping fails (for example because of temporary error connecting to http://timestamp.digicert.com), restarting this step fails because the tmp directory `"$signed_dir/$tbb_version/tmp-timestamp"` already exists.
We can replace this directory with some temporary directory created with `mktemp -d`.boklmboklmhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40957Expired subkey warning on Tor Browser GPG verification2023-10-03T15:38:20Zma1Expired subkey warning on Tor Browser GPG verificationgpg verification on tor-browser warns about expired subkey:
```
gpg --verify tor-browser-linux64-12.5.4_ALL.tar.xz.asc
gpg: assuming signed data in 'tor-browser-linux64-12.5.4_ALL.tar.xz'
gpg: Signature made mer 13 set 2023, 20:27:50 CES...gpg verification on tor-browser warns about expired subkey:
```
gpg --verify tor-browser-linux64-12.5.4_ALL.tar.xz.asc
gpg: assuming signed data in 'tor-browser-linux64-12.5.4_ALL.tar.xz'
gpg: Signature made mer 13 set 2023, 20:27:50 CEST
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF
```richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40935Fix fallout from build target rename in signing scripts2023-10-03T15:38:09ZrichardFix fallout from build target rename in signing scriptsWe have various problem in the signing scripts I had to fix for the 13.0a3 release to be fixed in a subsequent MR.We have various problem in the signing scripts I had to fix for the 13.0a3 release to be fixed in a subsequent MR.richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40934Remove $bundle_locales from signing scripts now that we're on ALL for everything2023-11-06T23:33:53ZrichardRemove $bundle_locales from signing scripts now that we're on ALL for everythingWe have a lot of loops over all of the locales, but the only locale is now 'ALL' so thing can be simplified.We have a lot of loops over all of the locales, but the only locale is now 'ALL' so thing can be simplified.richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40921staticiforme-prepare-cdn-dist-upload uses hardcoded torbrowser path for .htac...2023-08-17T20:17:27Zrichardstaticiforme-prepare-cdn-dist-upload uses hardcoded torbrowser path for .htacess file generationThis script generates .htaccess file to redirect sha256sum.txt and sha256sum.incremental.txt to the sha256sum.unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt. However the files are currently being written to the `/srv/d...This script generates .htaccess file to redirect sha256sum.txt and sha256sum.incremental.txt to the sha256sum.unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt. However the files are currently being written to the `/srv/dist-master.torproject.org/htdocs/torbrowser/$tbb_version`
Historically, we have always signed Mullvad Browser *after* Tor Browser (which has the same vesion) so during Mullvad Browser signing we would re-write the Tor Browser htaccess rules rather then generate them for Mullvad Browser.richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40913add boklm back to list of taggers in relevant projects2023-08-03T16:52:44Zrichardadd boklm back to list of taggers in relevant projects@boklm used to be part of the old torbutton.gpg, but we switched over to separate key-rings per dev to make it a bit less opaque *who* was a valid signer. GPG keying files aren't necessarily the easiest thing to look at compared to a lis...@boklm used to be part of the old torbutton.gpg, but we switched over to separate key-rings per dev to make it a bit less opaque *who* was a valid signer. GPG keying files aren't necessarily the easiest thing to look at compared to a list in the build. We should add him to the list, even though he doesn't have any neeed commits tagged, which is the rubric I originally used when building that list.richardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40909Add dan_b and ma1 to list of taggers in relevant projects2023-07-31T20:17:23ZrichardAdd dan_b and ma1 to list of taggers in relevant projectsAdd to:
- geckoview
- firefox
- android-components
- fenixAdd to:
- geckoview
- firefox
- android-components
- fenixrichardrichardhttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40889Add mullvad sha256sums URL to tools/signing/download-unsigned-sha256sums-gpg-...2023-10-05T17:18:08ZboklmAdd mullvad sha256sums URL to tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpoPeople from Mullvad are publishing sha256sums of their builds on
https://cdn.devmole.eu/hashes/, although there is no gpg signatures yet.
When there are gpg signatures, we should add this location to
`download-unsigned-sha256sums-gpg-si...People from Mullvad are publishing sha256sums of their builds on
https://cdn.devmole.eu/hashes/, although there is no gpg signatures yet.
When there are gpg signatures, we should add this location to
`download-unsigned-sha256sums-gpg-signatures-from-people-tpo`, to
publish them with the releases.boklmboklm