Prepare Tor Browser Legacy 13.5.9
Release Prep Tor Browser Legacy
- NOTE: It is assumed the tor-browser release rebase and security backport tasks have been completed
Explanation of variables
- ${BUILD_SERVER}: the server the main builder is using to build a browser release
- ${BUILDER}: whomever is building the release on the ${BUILD_SERVER}
  - example: pierov
- ${STAGING_SERVER}: the server the signer is using to run the signing process
- ${ESR_VERSION}: the Mozilla defined ESR version, used in various places for building browser tags, labels, etc
  - example: 91.6.0
- ${TOR_BROWSER_MAJOR}: the Tor Browser major version
  - example: 11
- ${TOR_BROWSER_MINOR}: the Tor Browser minor version
  - example: either 0 or 5; Alpha's is always (Stable + 5) % 10
- ${TOR_BROWSER_VERSION}: the Tor Browser version in the format
  - example: 12.5a3, 12.0.3
- ${BUILD_N}: a project's build revision within its branch; this is separate from the ${TOR_BROWSER_BUILD_N} value; many of the Firefox-related projects have a ${BUILD_N} suffix and may differ between projects even when they contribute to the same build.
  - example: build1
- ${TOR_BROWSER_BUILD_N}: the tor-browser build revision for a given Tor Browser release; used in tagging git commits
  - example: build2
  - ⚠️ WARNING: A project's ${BUILD_N} and ${TOR_BROWSER_BUILD_N} may be the same, but it is possible for them to diverge. For example:
    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the ${BUILD_N} value will increase, while the ${TOR_BROWSER_BUILD_N} value may stay at build1 (but the ${TOR_BROWSER_VERSION} will increase)
    - if we have build failures unrelated to tor-browser, the ${TOR_BROWSER_BUILD_N} value will increase while the ${BUILD_N} will stay the same.
- ${TOR_BROWSER_VERSION}: the published Tor Browser version
  - example: 11.5a6, 11.0.7
- ${TBB_BUILD_TAG}: the tor-browser-build build tag used to build a given Tor Browser version
  - example: tbb-12.5a7-build1
- ${RELEASE_DATE}: the intended release date of this browser release; for ESR schedule-driven releases, this should match the upstream Firefox release date
  - example: 2024-10-29
Build Configuration
tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
- Tag tor-browser in tor-browser.git
  - example: tor-browser-115.17.0esr-13.5-1-build1
tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
Tor Browser Legacy is on the maint-13.5 branch
- Changelog bookkeeping:
  - Ensure all commits to tor-browser and tor-browser-build for this release have an associated issue linked to this release preparation issue
  - Ensure each issue has a platform (Windows, MacOS, Desktop, All Platforms) and potentially Build System labels
- Create a release preparation branch from the maint-13.5 branch
- Run release preparation script:
  - ⚠️ WARNING: You may need to manually update the firefox/config file's browser_build field if tor-browser.git has not yet been tagged (e.g. if security backports have not yet been merged and tagged)
  ./tools/relprep.py --tor-browser --date ${RELEASE_DATE} ${TOR_BROWSER_VERSION}
- Review build configuration changes:
  - rbm.conf
    - var/torbrowser_version: updated to next browser version
    - var/torbrowser_build: updated to ${TOR_BROWSER_BUILD_N}
    - var/browser_release_date: updated to build date. For the build to be reproducible, the date should be in the past when building.
      - ⚠️ WARNING: If we have updated var/torbrowser_build without updating the firefox, then we can leave this unchanged to avoid forcing a firefox re-build (e.g. when bumping var/torbrowser_build to build2, build3, etc due to non-firefox related build issues)
    - (Desktop Only) var/torbrowser_incremental_from: updated to previous Desktop version
      - NOTE: We try to build incrementals for the previous 3 desktop versions
      - ⚠️ WARNING: Really actually make sure this is the previous Desktop version or else the make torbrowser-incrementals-* step will fail
  - projects/firefox/config
    - browser_build: updated to match tor-browser tag
    - (Optional) var/firefox_platform_version: updated to latest ${ESR_VERSION} if rebased
  - (Optional) projects/translation/config:
    - steps/base-browser/git_hash: updated with HEAD commit of project's base-browser branch
    - steps/tor-browser/git_hash: updated with HEAD commit of project's tor-browser branch
  - (Optional) projects/browser/config:
    - NoScript: https://addons.mozilla.org/en-US/firefox/addon/noscript
      - URL updated
        - ⚠️ WARNING: If preparing the release manually, updating the version number in the url is not sufficient, as each version has a random unique id in the download url
      - sha256sum updated
  - (Optional) projects/openssl/config: https://www.openssl.org/source/
    - NOTE: Only if new LTS version (3.0.X currently) available
    - version: updated to next LTS version
    - input_files/sha256sum: updated to sha256 sum of source tarball
  - (Optional) projects/zlib/config: https://github.com/madler/zlib/releases
    - NOTE: Only if new tag available
    - version: updated to next release tag
  - (Optional) projects/zstd/config: https://github.com/facebook/zstd/releases
    - NOTE: Only if new tag available
    - version: updated to next release tag
    - git_hash: updated to the commit corresponding to the tag (we don't check signatures for Zstandard)
  - (Optional) projects/tor/config https://gitlab.torproject.org/tpo/core/tor/-/tags
    - version: updated to latest non-alpha tag or release tag if newer (ping dgoulet or ahf if unsure)
  - (Optional) projects/go/config https://go.dev/dl
    - go_1_22: updated to latest 1.22 version
    - input_files/sha256sum for go: update sha256sum of archive (sha256 sums are displayed on the go download page)
  - (Optional) projects/manual/config
    - version: updated to latest pipeline id
    - input_files/shasum for manual: updated to manual hash
    - Upload the downloaded manual_${PIPELINEID}.zip file to tb-build-02.torproject.org
    - Deploy to tb-builder's public_html directory:
      - Run: sudo -u tb-builder cp manual_${PIPELINEID}.zip ~tb-builder/public_html/.
        - sudo documentation for TPO machines: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/doc/accounts#changingresetting-your-passwords
  - ChangeLog-TBB.txt: ensure correctness
    - Browser name correct
    - Release date correct
    - No Android updates
    - All issues added under correct platform
    - ESR updates correct
    - Component updates correct
- Open MR with above changes, using the template for release preparations
  - NOTE: target the maint-13.5 branch
- Merge
- Sign+Tag
  - NOTE this must be done by one of:
    - boklm
    - dan
    - ma1
    - morgan
    - pierov
  - Run: make torbrowser-signtag-release
  - Push tag to upstream
- Build the tag:
  - Run: make torbrowser-release && make torbrowser-incrementals-release
    - Tor Project build machine
    - Local developer machine
  - Submit build request to Mullvad infrastructure:
    - NOTE this requires a devmole authentication token
    - NOTE this also requires you be connected to a Swedish Mullvad VPN exit
    - Run: make torbrowser-kick-devmole-build
Website
downloads: https://gitlab.torproject.org/tpo/web/tpo.git
- databags/versions.ini: Update the downloads versions
  - torbrowser-stable/version: catch-all for latest stable version
  - torbrowser-alpha/version: catch-all for latest alpha version
  - torbrowser-legacy/version: catch-all for latest ESR-115 version
  - torbrowser-*-stable/version: platform-specific stable versions
  - torbrowser-*-alpha/version: platform-specific alpha versions
  - torbrowser-*-legacy/version: platform-specific legacy versions
  - tor-stable, tor-alpha: set by tor devs, do not touch
- Push to origin as new branch and create MR
- Review
- Merge
  - ⚠️ WARNING: Do not deploy yet!
Signing
release signing
- Assign this issue to the signer, one of:
  - boklm
  - ma1
  - morgan
  - pierov
- Ensure all builders have matching builds
- On ${STAGING_SERVER}, ensure updated:
  - NOTE Having a local git branch with maint-13.5 as the upstream branch with these values saved means you only need to periodically git pull --rebase and update the set-config.tbb-version file
  - tor-browser-build is on the right commit: git tag -v tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N} && git checkout tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}
  - tor-browser-build/tools/signing/set-config.hosts
    - ssh_host_builder: ssh hostname of machine with unsigned builds
    - ssh_host_linux_signer: ssh hostname of linux signing machine
    - builder_tor_browser_build_dir: path on ssh_host_builder to root of builder's tor-browser-build clone containing unsigned builds
  - tor-browser-build/tools/signing/set-config.rcodesign-appstoreconnect
    - appstoreconnect_api_key_path: path to json file containing appstoreconnect api key infos
  - tor-browser-build/tools/signing/set-config.tbb-version
    - tbb_version: tor browser version string, same as var/torbrowser_version in rbm.conf (examples: 11.5a12, 11.0.13)
    - tbb_version_build: the tor-browser-build build number (if var/torbrowser_build in rbm.conf is buildN then this value is N)
    - tbb_version_type: either alpha for alpha releases or release for stable releases
- On ${STAGING_SERVER} in a separate screen session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
- On ${STAGING_SERVER} in a separate screen session, run do-all-signing script:
  - Run: cd tor-browser-build/tools/signing/ && ./do-all-signing.torbrowser
  - NOTE: on successful execution, the signed binaries and mars should have been copied to staticiforme and update responses pushed
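A pre-signing sanity check for the set-config.tbb-version values described above, as an added example that is not part of tor-browser-build or of the original checklist. It assumes the file holds plain key=value shell assignments and that an alpha version is one with an "a" between digits, as in the examples on this page; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of tor-browser-build. Assumes set-config.tbb-version
# holds plain key=value shell assignments (constructed sample at the bottom).

# tbb-${TOR_BROWSER_VERSION}-${TOR_BROWSER_BUILD_N}: the tag given to git tag -v
expected_tag() { printf 'tbb-%s-%s\n' "$1" "$2"; }

# buildN -> N; rejects anything that is not "build" followed by digits only
expected_build_number() {
    case "$1" in build[0-9]*) n=${1#build} ;; *) return 1 ;; esac
    case "$n" in *[!0-9]*) return 1 ;; esac
    printf '%s\n' "$n"
}

# Versions such as 12.5a3 are alpha; everything else is treated as release
expected_type() {
    case "$1" in *[0-9]a[0-9]*) echo alpha ;; *) echo release ;; esac
}

# Value of KEY in FILE (last assignment wins), surrounding quotes removed
config_value() { sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"; }

# Returns 0 only if all three fields match the release about to be signed,
# 1 on any mismatch, 2 if the build label itself is malformed
check_signing_config() {
    file=$1; version=$2; build=$3; rc=0
    want_n=$(expected_build_number "$build") || { echo "bad build label: $build" >&2; return 2; }
    for pair in "tbb_version=$version" "tbb_version_build=$want_n" \
                "tbb_version_type=$(expected_type "$version")"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(config_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: have '$got', expected '$want'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a config still holding the values of an earlier release
write_stale_sample() {
    printf 'tbb_version=11.0.13\ntbb_version_build=1\ntbb_version_type=release\n' > "$1"
}
```

Running check_signing_config before do-all-signing catches a set-config.tbb-version left over from the previous release, which would otherwise point the signing scripts at the wrong version directory.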
Signature verification
Check whether the .exe files got properly signed and timestamped
# Point OSSLSIGNCODE to your osslsigncode binary
pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
OSSLSIGNCODE=/path/to/osslsigncode ../../../tools/authenticode_check.sh
popd
Check whether the MAR files got properly signed
# Point NSSDB to your nssdb containing the mar signing certificate
# Point SIGNMAR to your signmar binary
# Point LD_LIBRARY_PATH to your mar-tools directory
pushd tor-browser-build/${channel}/signed/$TORBROWSER_VERSION
NSSDB=/path/to/nssdb SIGNMAR=/path/to/mar-tools/signmar LD_LIBRARY_PATH=/path/to/mar-tools/ ../../../tools/marsigning_check.sh
popd
Publishing
website
- On staticiforme.torproject.org, static update components:
  - Run: static-update-component cdn.torproject.org && static-update-component dist.torproject.org
- Deploy tor-website MR
- On staticiforme.torproject.org, remove old release:
  - NOTE: Skip this step if we need to hold on to older versions for some reason (for example, this is an Android or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
  - /srv/cdn-master.torproject.org/htdocs/aus1/torbrowser
  - /srv/dist-master.torproject.org/htdocs/torbrowser
  - Run: static-update-component cdn.torproject.org && static-update-component dist.torproject.org
- (Optional) Generate and deploy new update responses
  - NOTE: This is only required if there will be no corresponding 14.0 release (i.e. this is an emergency legacy-only 13.5 release). Normally, legacy update responses are generated and deployed as part of the 14.0 release.
  - ⚠️ WARNING: This is a little bit off the beaten track, ping boklm or morgan if you have any doubts
  - From the maint-14.0 branch:
    - Update rbm.conf
      - var/torbrowser_legacy_version: update to ${TOR_BROWSER_VERSION}
        - NOTE this is the browser version for the legacy branch, not the 14.0 branch
      - var/torbrowser_legacy_platform_version: update to ${ESR_VERSION}
        - NOTE this is ESR version for the legacy branch, not the 14.0 branch
    - Generate update responses:
      - Run: make torbrowser-update_responses-release
  - On staticiforme.torproject.org, deploy new update responses:
    - NOTE: for now this is a bit janky, we should somehow update the workflow to be a bit less hacky
    - Edit an existing deploy_update_responses-release.sh script in your HOME directory with the newly pushed commit hash
      - example: (hash: d938943)
        #!/bin/bash
        set -e

        echo "Deploying version 14.0"
        echo "update_responses_commit: d938943"

        cd "/srv/aus1-master.torproject.org/htdocs/torbrowser"
        git fetch

        # Refuse to deploy if the new commit touches anything outside the release directory
        changed_files="$(git diff --name-only HEAD d938943)"
        if echo "$changed_files" | grep -qv "release"
        then
          echo >&2 "Error: checking out new update_response_commit will changes"
          echo >&2 "some files outside of the release directory:"
          echo "$changed_files" | grep -v "release" >&2
          echo >&2 "--"
          echo >&2 "If this is really what you want to do, edit this script to"
          echo >&2 "remove the line 'exit 1' and run it again."
          echo >&2 "See tor-browser-build#41168 for more details."
          exit 1
        fi
        git checkout "d938943"

        static-update-component aus1.torproject.org
    - Enable update responses: sudo -u tb-release ./deploy_update_responses-release.sh
Communications
tor-announce mailing list
- Email tor-announce mailing list
  - Recipients
    tor-announce@lists.torproject.org
  - Subject
    New Release: Tor Browser ${TOR_BROWSER_VERSION} (Windows, macOS)
  - Body
    Hi everyone,

    Tor Browser ${TOR_BROWSER_VERSION} has now been published for legacy Windows and macOS platforms.

    For details please see our blog post:
    - ${BLOG_POST_URL}

    Changelog:
    # paste changelog as quote here
Edited by morgan