tor-browser-build issues
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues
2024-03-26T20:08:31Z

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41097
authenticode-timestamping.sh fails to run again because tmp-timestamp already exists
2024-03-26T20:08:31Z
boklm

If running `authenticode-timestamping.sh` fails for some reason, running
it again will fail because directory `tmp-timestamp` already exists.
We should use a directory created with `mktemp` to avoid this.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40553
Move to different entitlements files for parent and child processes
2024-03-21T07:58:03Z
Georg Koppen

Mozilla started to provide/use different entitlements files for parent and child processes to be able to provide a finer-grained ruleset for the hardening depending on process type:
https://bugzilla.mozilla.org/show_bug.cgi?id=1593071
https://bugzilla.mozilla.org/show_bug.cgi?id=1593072
We should do the same for Tor Browser.

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40036
Make signed .mar files for nightly builds available (instead of unsigned ones)
2024-03-20T17:25:34Z
Georg Koppen

Our nightly download directories contain .mar files, too. But those are
the unsigned ones. Ideally, however, the signed ones would be available
instead (e.g. for applying a manual update in case of bugs like #40033).
@boklm: not sure if that's the right place to file this bug but I guess
`tor-browser-build` is the least wrong one. :)

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40496
linux-signer-signmars expects mar-tools in ~/gitian-builder/inputs/mar-tools-new-linux32.zip
2024-03-20T16:51:18Z
boklm

The `linux-signer-signmars` script that we run on the linux signing machine currently expects to find the mar tools in `~/gitian-builder/inputs/mar-tools-new-linux32.zip`.
We should probably change that path. Maybe move it to the `~/signing-release` (or `~/signing-alpha`) directory, and have `sync-scripts-to-linux-signer` downloading and verifying checksum of the mar-tools we want to use.

Sponsor 131 - Phase 5 - Ongoing Maintenance
boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40969
Improve authenticode-timestamping.sh for when timestamping fails
2024-03-20T16:47:09Z
boklm

When timestamping fails (for example because of temporary error connecting to http://timestamp.digicert.com), restarting this step fails because the tmp directory `"$signed_dir/$tbb_version/tmp-timestamp"` already exists.
We can replace this directory with some temporary directory created with `mktemp -d`.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41093
Sign unsigned APKs instead of the QA-signed ones
2024-02-28T15:29:59Z
Pier Angelo Vendrame

If I understand correctly, we start from the QA-signed APKs.
Then we re-align them and apply the new signature.
However, this doesn't allow us to use `apksigcopier` to copy our official signatures to independently built APKs.
It would be very nice to be able to do so, as the final step of reproducing the builds.
`apksigcopier` complains about metadata being already in the APK, but it would work with unsigned APKs.
`apksigner` instead couldn't care less about a signature being already there.
Moreover, us running zipalign again makes everything more complicated.
I think the changes to the signing script could be trivial, but it depends on the way we want to address this.
Exporting a signed APK for QA is very useful in my opinion, because it spares testers the step of self-signing the APK, which requires some tools, a computer (whereas with an already signed APK you can even download it on the Android device) etc...
However, exporting both the signed and unsigned APKs (the easiest solution) would increase the size taken by each build by 400MB for minimal changes.
Stripping the signature seems to be very difficult.
So, as a solution, I think we could try to run `bsdiff`:
```
time bsdiff signed.apk aligned.apk unsign.bspatch
________________________________________________________
Executed in   14.29 secs    fish           external
   usr time   14.24 secs  177.00 micros   14.24 secs
   sys time    0.04 secs  153.00 micros    0.04 secs

ll unsign.bspatch
-rw-r--r-- 1 piero piero 282 27 feb 09.41 unsign.bspatch

time bspatch signed.apk unsigned.apk unsign.bspatch
________________________________________________________
Executed in  213.61 millis    fish           external
   usr time  177.25 millis  145.00 micros  177.11 millis
   sys time   36.37 millis  143.00 micros   36.23 millis
```
So, it adds 15 seconds to the build (which is more than I expected, but still extremely feasible), but with 282 bytes we'd be okay.
It will also require us to add the `bsdiff` package to the signing machines, but I guess it's fine.
I could do the build part, but maybe it's better if someone who can also sign does everything together.
/cc @Mynacol

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41037
Set time on signing machine before starting signing
2024-01-18T10:33:28Z
boklm

It seems our signing machine is not storing the current time before
rebooting, so after a reboot its time is wrong.
To avoid signing with an incorrect time, we can have a step in
`do-all-signing` to set the time on the signing machine.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41059
Update keyring/torbrowser.gpg with updated key
2024-01-10T15:56:40Z
boklm

Tor Browser gpg key has been updated with new expiration date, so we
should update `keyring/torbrowser.gpg`.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41019
Sign dmg files
2024-01-09T14:56:01Z
boklm

We are currently signing the content of dmg files, but not the dmg file
itself.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41039
Update tools/signing/upload-update_responses-to-staticiforme to keep download-*json files from previous release when new release does not include them
2023-12-12T09:55:30Z
meskio (meskio@torproject.org)

https://aus1.torproject.org/torbrowser/update_3/release/ doesn't have android-aarch64 and android-armv7.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41031
Add command to unsign .mar files and compare with sha256sums-unsigned-build.txt
2023-12-04T13:32:27Z
boklm

Similar to #41030, we should add some commands to remove signature from
mar files, and compare them with sha256sums-unsigned-build.txt.
Except for macos, until we find some solution to remove macos code signing.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/29815
Sign our macOS bundles on Linux
2023-12-04T13:27:05Z
Georg Koppen

I've wanted that for a long time and did not find an already open ticket, but we should leverage our hardened Linux box to sign our .dmg files as well, like we do for our .exe files. One part that makes it harder is that the macOS signing is content signing while the authenticode signing is not. Another hard part is that there is no such thing as `osslsigncode` which we could use with (minimal) patching.
Or maybe there is? See: https://github.com/saucelabs/isign. However, there is still (much) work to do, see: https://github.com/saucelabs/isign/issues/88.

Sponsor 131 - Phase 4 - Browser Release Management
richard
2023-10-10

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41030
Add command to unsign .exe files and compare with sha256sums-unsigned-build.txt
2023-11-30T12:49:19Z
boklm

To make it easier to check that a signed `.exe` file contains the same
program as the unsigned one, we should add some commands like `make
torbrowser-compare-windows-signed-unsigned-release` that will unsign
tor-browser exe files (in a temporary directory) and check that they
match the ones from `sha256sums-unsigned-build.txt`.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40995
Use cdn.stagemole.eu instead of cdn.devmole.eu in download-unsigned-sha256sums-gpg-signatures-from-people-tpo
2023-11-28T09:35:40Z
boklm

The mullvad build hashes are now in
https://cdn.stagemole.eu/hashes/mullvadbrowser/

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40970
Missing symlink create-blog-post.torbrowser -> create-blog-post symlink
2023-11-22T19:22:52Z
boklm

In directory `tools/signing` we are missing a symlink
`create-blog-post.torbrowser -> create-blog-post`.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40934
Remove $bundle_locales from signing scripts now that we're on ALL for everything
2023-11-06T23:33:53Z
richard

We have a lot of loops over all of the locales, but the only locale is now 'ALL' so things can be simplified.

richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41005
Unpack macOS bundle to /var/tmp instead of /tmp in rcodesign-notary-submit step
2023-11-06T21:10:52Z
richard

/tmp doesn't have enough space on the machine I use to notarise, so locally I had to switch this directory to /var/tmp instead

richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41006
Fix typo in finished-signing-clean-linux signer
2023-11-06T20:55:22Z
richard

This script is missing a `"` character which prevents it from completing

richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41007
gatekeeper-bundling.sh refers to old .tar.gz archive
2023-11-06T20:55:15Z
richard

Need to update `hfstool_file` var to point to new .tar.zst file

richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40926
Make use of the Drone CI public GPG key for Mullvad Browser sha256sum verification
2023-11-02T10:47:48Z
jbjorkang

The GPG public key for Drone, [located here](https://se-got-releases-001.devmole.eu/hashes/public-keys/) should be used in place of any other public GPG keys for verification of the hashes uploaded.

boklm