Adapt our signing scripts to be able to sign the VPN app

I think we can adapt the signing script we have in tor-browser-build/tools/signing to support signing the VPN app.

Currently the signing scripts can be called with ./do-all-signing.torbrowser or ./do-all-signing.mullvadbrowser. I think we can add a ./do-all-signing.vpn which will re-use the following signing steps from Tor/Mullvad Browser signing:

  • set-time-on-signing-machine: preparing the signing machine
  • sync-builder-unsigned-to-local-signed: get the unsigned build from the build machine. This script might need to be adapted depending on where we get the build done.
  • sync-scripts-to-linux-signer: upload signing scripts to signing machine
  • sync-before-linux-signer-signmars: upload unsigned build to the signing machine
  • linux-signer-sign-android-apks: do the apk signing
  • sync-after-sign-android-apks: get the signed apk files from the signing machine
  • hash_signed_bundles: create sha256sums-signed-build.txt file
  • linux-signer-gpg-sign: sign the build with gpg
  • download-unsigned-sha256sums-gpg-signatures-from-people-tpo: get sha256sums-unsigned-build.txt.gpg file from multiple builders, for verifying that the build has been reproduced
  • sync-local-to-staticiforme: upload the signed build to staticiforme, to make it available in https://dist.torproject.org/vpn/.

And we need to add this new step:

  • linux-signer-sign-android-aar: for signing the .aar file that we will publish on Google Play

/cc @dan
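The reproducibility gate implied by the download-unsigned-sha256sums-gpg-signatures-from-people-tpo step, as an added example that is not part of this issue or of tor-browser-build: hash the unsigned build locally and refuse to continue to signing unless enough independent builders published the same hashes. The function names and file layout are assumptions, and the sketch assumes each builder's gpg signature has already been verified and its hash list is available as a plain text file.

```shell
#!/bin/sh
# Added example; hash_dir and check_reproduced are hypothetical helpers,
# not scripts from tools/signing.

# Print "<sha256>  <name>" for every regular file in directory $1,
# skipping sha256sums-* files that may already sit next to the artifacts.
hash_dir() {
  (
    cd "$1" || exit 1
    for f in *; do
      case "$f" in sha256sums-*) continue ;; esac
      if [ -f "$f" ]; then sha256sum "$f"; fi
    done
  )
}

# check_reproduced MIN LOCAL_SUMS BUILDER_SUMS...
# Succeeds only if at least MIN builder files contain exactly the same
# hash lines as LOCAL_SUMS (line order is ignored).
check_reproduced() {
  min=$1
  local_sums=$2
  shift 2
  # An empty local list would trivially "match" an empty builder file.
  [ -s "$local_sums" ] || { echo "empty hash list: $local_sums" >&2; return 1; }
  want=$(LC_ALL=C sort "$local_sums")
  matches=0
  for builder_sums in "$@"; do
    if [ "$(LC_ALL=C sort "$builder_sums")" = "$want" ]; then
      matches=$((matches + 1))
    else
      echo "MISMATCH: $builder_sums differs from $local_sums" >&2
    fi
  done
  [ "$matches" -ge "$min" ]
}
```

A signing wrapper would call `check_reproduced` before uploading anything to the signing machine and abort on a non-zero status.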
