Bug 41089: Add tor-browser build scripts + Makefile to tor-browser

2405f12a · Richard Pospesel · Pier Angelo Vendrame · 3bcde33b · 2405f12a · 2405f12a
Verified Commit 2405f12a authored Aug 1, 2022 by Richard Pospesel Committed by Pier Angelo Vendrame Nov 16, 2023
--- a/.eslintignore
+++ b/.eslintignore
@@ -270,3 +270,4 @@ toolkit/components/uniffi-bindgen-gecko-js/src/templates/js/
 toolkit/components/uniffi-bindgen-gecko-js/components/generated/*

 browser/app/profile/001-base-profile.js
+tools/torbrowser/bridges.js
--- a/.gitignore
+++ b/.gitignore
@@ -212,3 +212,6 @@ tools/esmify/package-lock.json

 # Ignore automatically generated mots documentation
 docs/mots/index.rst
+
+# Ignore binary base of tor browser
+.binaries
--- a/tools/torbrowser/Makefile
+++ b/tools/torbrowser/Makefile
+.DEFAULT_GOAL := all
+
+# https://stackoverflow.com/questions/18136918/how-to-get-current-relative-directory-of-your-makefile
+mkfile_path := "$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))"
+
+DEV_ROOT = "$(mkfile_path)/../.."
+BINARIES = "$(DEV_ROOT)/.binaries"
+ARCHITECTURE = "$(shell uname -m)"
+
+# Correct the architecture naming for ARM to match what mozilla has
+ifeq ($(ARCHITECTURE), "arm64")
+  ARCHITECTURE = "aarch64"
+endif
+
+# Define build output path based on the platform.
+ifeq ("$(shell uname)", "Darwin")
+  BUILD_OUTPUT = "$(DEV_ROOT)/obj-$(ARCHITECTURE)-apple-darwin$(shell uname -r)"
+else
+  BUILD_OUTPUT = "$(DEV_ROOT)/obj-$(ARCHITECTURE)-pc-linux-gnu"
+endif
+
+# Define the run command based on the platform.
+ifeq ("$(shell uname)", "Darwin")
+  RUN_CMD := cd "$(BINARIES)/Tor Browser.app/Contents/MacOS/" && ./firefox
+else
+  RUN_CMD := "$(BINARIES)/dev/Browser/start-tor-browser" -v $(ARGS)
+endif
+
+config:
+	./config.sh $(DEV_ROOT)
+
+ide-vscode:
+	./ide.sh vscode $(DEV_ROOT)
+
+ide-eclipse:
+	./ide.sh eclipse $(DEV_ROOT)
+
+ide-visualstudio:
+	./ide.sh visualstudio $(DEV_ROOT)
+
+fetch:
+	./fetch.sh $(BINARIES)
+
+build:
+	./build.sh $(DEV_ROOT)
+
+deploy:
+	./deploy.sh $(BINARIES) $(BUILD_OUTPUT)
+
+fat-aar:
+	./fataar.py $(DEV_ROOT) $(ARCHS)
+
+all: build deploy
+
+run:
+	$(RUN_CMD)
+
+jslint:
+	./jslint.sh $(DEV_ROOT) $(JS)
+
+clobber:
+	./clobber.sh $(DEV_ROOT)
+
+clean:
+	rm -rf $(BUILD_OUTPUT)
+
--- a/tools/torbrowser/bridges.js
+++ b/tools/torbrowser/bridges.js
+pref("extensions.torlauncher.default_bridge_recommended_type", "obfs4");
+
+// Default bridges.
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.1",
+  "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.2",
+  "obfs4 37.218.245.14:38224 D9A82D2F9C2F65A18407B1D2B764F130847F8B5D cert=bjRaMrr1BRiAW8IE9U5z27fQaYgOhX1UCmOpg2pFpoMvo6ZgQMzLsaTzzQNTlm7hNcb+Sg iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.3",
+  "obfs4 85.31.186.98:443 011F2599C0E9B27EE74B353155E244813763C3E5 cert=ayq0XzCwhpdysn5o0EyDUbmSOx3X/oTEbzDMvczHOdBJKlvIdHHLJGkZARtT4dcBFArPPg iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.4",
+  "obfs4 85.31.186.26:443 91A6354697E6B02A386312F68D82CF86824D3606 cert=PBwr+S8JTVZo6MPdHnkTwXJPILWADLqfMGoVvhZClMq/Urndyd42BwX9YFJHZnBB3H0XCw iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.5",
+  "obfs4 193.11.166.194:27015 2D82C2E354D531A68469ADF7F878FA6060C6BACA cert=4TLQPJrTSaDffMK7Nbao6LC7G9OW/NHkUwIdjLSS3KYf0Nv4/nQiiI8dY2TcsQx01NniOg iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.6",
+  "obfs4 193.11.166.194:27020 86AC7B8D430DAC4117E9F42C9EAED18133863AAF cert=0LDeJH4JzMDtkJJrFphJCiPqKx7loozKN7VNfuukMGfHO0Z8OGdzHVkhVAOfo1mUdv9cMg iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.7",
+  "obfs4 193.11.166.194:27025 1AE2C08904527FEA90C4C4F8C1083EA59FBC6FAF cert=ItvYZzW5tn6v3G4UnQa6Qz04Npro6e81AP70YujmK/KXwDFPTs3aHXcHp4n8Vt6w/bv8cA iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.8",
+  "obfs4 209.148.46.65:443 74FAD13168806246602538555B5521A0383A1875 cert=ssH+9rP8dG2NLDN2XuFw63hIO/9MNNinLmxQDpVa+7kTOa9/m+tGWT1SmSYpQ9uTBGa6Hw iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.9",
+  "obfs4 146.57.248.225:22 10A6CD36A537FCE513A322361547444B393989F0 cert=K1gDtDAIcUfeLqbstggjIw2rtgIKqdIhUlHp82XRqNSq/mtAjp1BIC9vHKJ2FAEpGssTPw iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.10",
+  "obfs4 45.145.95.6:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0"
+);
+pref(
+  "extensions.torlauncher.default_bridge.obfs4.11",
+  "obfs4 51.222.13.177:80 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0"
+);
+
+pref(
+  "extensions.torlauncher.default_bridge.meek-azure.1",
+  "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com"
+);
+
+pref(
+  "extensions.torlauncher.default_bridge.snowflake.1",
+  "snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn"
+);
+
+pref(
+  "extensions.torlauncher.default_bridge.snowflake.2",
+  "snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=cdn.sstatic.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn"
+);
--- a/tools/torbrowser/browser-self-sign-macos.sh
+++ b/tools/torbrowser/browser-self-sign-macos.sh
+#!/bin/bash
+
+CERTNAME=my-codesign-cert-tor
+BROWSERPATH=.
+
+if [ $# -ge 1 ]
+then
+  BROWSERPATH=$1
+fi
+
+
+security find-certificate -c $CERTNAME > /dev/null
+
+if [ $? -ne 0 ]
+then
+  echo ""
+  echo "ERROR: Self Signing Certificate not found, please create:"
+  echo "  1. In the Keychain Access app on your Mac, choose Keychain Access > Certificate Assistant > Create a Certificate."
+  echo "  2. Enter the name '$CERTNAME' for the certificate"
+  echo "  3. Choose an identity type:  Self Signed Root"
+  echo "  4. Certificate Type > Code Signing"
+  echo "  5. Check 'Let me override defaults' & click Continue."
+  echo "  6. Enter a unique Serial Number. (123 is fine)"
+  echo "  7. Enter a big Validity Period (days), like 3560 & click Continue."
+  echo "  8. Fill in your personal information & click Continue."
+  echo "  9. Accept defaults for the rest of the dialog boxes. (Continue several times)"
+  echo "  10. Certificate Created! Click Done."
+  echo ""
+  echo "For additional help see:"
+  echo "  https://support.apple.com/en-ca/guide/keychain-access/kyca8916/mac"
+  echo "  https://stackoverflow.com/questions/58356844/what-are-the-ways-or-technologies-to-sign-an-executable-application-file-in-mac"
+  
+  echo ""
+  read -n 1 -r -s -p $'Press enter to launch "Keychain Access"...\n'
+  open /System/Applications/Utilities/Keychain\ Access.app
+
+  exit -1
+fi
+
+echo "Found $CERTNAME, looking for browser to sign..."
+
+if [ ! -f "$BROWSERPATH/XUL" ]
+then
+  TESTPATH="$BROWSERPATH/Contents/MacOS"
+  if [ -f "$TESTPATH/XUL" ]
+  then
+      BROWSERPATH=$TESTPATH
+  else
+    echo "Error: browser files not detected in $BROWSERPATH!"
+    echo "  This script needs to be run in the 'Contents/MacOS' directory of a SomeBrowser.app directory"
+    exit -1
+  fi
+fi
+
+echo "Mozilla based browser found, signing..."
+echo '  Will be asked for password to certificate for all the things that need to be signed. Click "Always Allow" to automate'
+
+cd "$BROWSERPATH"
+
+codesign -s $CERTNAME *.dylib
+codesign -s $CERTNAME plugin-container.app
+
+if [ -d Tor ]
+then
+  codesign -s $CERTNAME Tor/PluggableTransports/*
+  codesign -s $CERTNAME Tor/libevent-2.1.7.dylib
+  if [ -f Tor/tor.real ]
+  then
+    codesign -s $CERTNAME Tor/tor.real
+  fi
+  if [ -f Tor/tor ]
+  then
+    codesign -s $CERTNAME Tor/tor
+  fi
+fi
+
+codesign -s $CERTNAME XUL
+
+if [ -d updater.app ]
+then
+  codesign -s $CERTNAME updater.app
+fi
+
+# mullvadbrowser
+if [ -f mullvadbrowser ]
+then
+  codesign -s $CERTNAME mullvadbrowser
+fi
+
+# BB or TB
+if [ -f firefox ]
+then
+  codesign -s $CERTNAME firefox
+fi
+
+echo ""
+echo "Browser signing step done!"
+echo ""
+
+echo "App still needs one more override to be easily opened with double click in Finder"
+echo "Alternatively you can right click it, select 'Open' and then select 'Open' from the override popup"
+echo "Or to enable it to be double clicked to open perform the following"
+echo ""
+echo "Double click the app and select either 'Ok' or 'Cancel' from the warning popup depending on which you get (Do Not 'Move to Trash')"
+echo 'Go to Preferences -> Security & Privacy and click on padlock to allow changes. '
+echo '  Then in "Allow appications downloaded from" select either:'
+echo '    - App Store and identified developers'
+echo '    - Anywhere'
+echo '  Below that may be a notice about your specific app saying it was blocked because it was not from an identified developer. Click "Open Anyways" and "Open"'
+
--- a/tools/torbrowser/build.sh
+++ b/tools/torbrowser/build.sh
+#!/bin/bash
+set -e
+DEV_ROOT=$1
+
+cd $DEV_ROOT
+./mach build
+
+if [ -z "$LOCALES" ]; then
+  ./mach build stage-package
+else
+  export MOZ_CHROME_MULTILOCALE=$LOCALES
+  # No quotes on purpose
+  ./mach package-multi-locale --locales en-US $MOZ_CHROME_MULTILOCALE
+  AB_CD=multi ./mach build stage-package
+fi
--- a/tools/torbrowser/clobber.sh
+++ b/tools/torbrowser/clobber.sh
+#!/bin/bash
+set -e
+DEV_ROOT=$1
+
+cd $DEV_ROOT
+./mach clobber
--- a/tools/torbrowser/config.sh
+++ b/tools/torbrowser/config.sh
+#!/bin/bash
+set -e
+DEV_ROOT=$1
+
+cd $DEV_ROOT
+./mach configure
--- a/tools/torbrowser/deploy.sh
+++ b/tools/torbrowser/deploy.sh
+#!/bin/bash
+set -e
+
+BINARIES="$1"
+BUILD_OUTPUT="$2"
+SCRIPT_DIR="$(realpath "$(dirname "$0")")"
+
+RESDIR="$BUILD_OUTPUT/dist/firefox"
+if [ "$(uname)" = "Darwin" ]; then 
+    RESDIR="$RESDIR/Tor Browser.app/Contents/Resources"
+fi
+
+# Add built-in bridges
+mkdir -p "$BUILD_OUTPUT/_omni/defaults/preferences"
+cat "$BUILD_OUTPUT/dist/bin/browser/defaults/preferences/000-tor-browser.js" "$SCRIPT_DIR/bridges.js" >> "$BUILD_OUTPUT/_omni/defaults/preferences/000-tor-browser.js"
+cd "$BUILD_OUTPUT/_omni"
+zip -Xmr "$RESDIR/browser/omni.ja" "defaults/preferences/000-tor-browser.js"
+rm -rf "$BUILD_OUTPUT/_omni"
+
+# Repackage the manual
+# rm -rf $BUILD_OUTPUT/_omni
+# mkdir $BUILD_OUTPUT/_omni
+# unzip $BINARIES/dev/Browser/browser/omni.ja -d $BUILD_OUTPUT/_omni
+# cd $BUILD_OUTPUT/_omni && zip -Xmr $RESDIR/browser/omni.ja chrome/browser/content/browser/manual
+# rm -rf $BUILD_OUTPUT/_omni
+
+if [ "$(uname)" = "Darwin" ]; then
+
+    # copy binaries
+    cp -r "$BUILD_OUTPUT/dist/firefox/Tor Browser.app/Contents/"* "$BINARIES/Tor Browser.app/Contents/"
+    rm -rf "$BINARIES/TorBrowser-Data/Browser/Caches/*.default/startupCache"
+
+    # Self sign the Binaries
+    cd "$BINARIES/Tor Browser.app/Contents/MacOS"
+    "$SCRIPT_DIR/browser-self-sign-macos.sh"
+
+  else
+
+    # backup the startup script
+    mv "$BINARIES/dev/Browser/firefox" "$BINARIES/dev/Browser/firefox.bak"
+    
+    # copy binaries 
+    cp -r "$RESDIR/"* "$BINARIES/dev/Browser"
+    rm -rf "$BINARIES/dev/Browser/TorBrowser/Data/Browser/profile.default/startupCache"
+
+    # shuffle firefox bin around and restore script to match a real deployment
+    mv "$BINARIES/dev/Browser/firefox" "$BINARIES/dev/Browser/firefox.real"
+    mv "$BINARIES/dev/Browser/firefox.bak" "$BINARIES/dev/Browser/firefox"
+
+fi
--- a/tools/torbrowser/fataar.py
+++ b/tools/torbrowser/fataar.py
+#!/usr/bin/env python3
+import os
+import re
+import subprocess
+import sys
+
+
+dev_root = sys.argv[1]
+archs_in = re.split("\s+|,", sys.argv[2]) if len(sys.argv) >= 3 else []
+archs_out = []
+env = dict(os.environ)
+
+env["MOZCONFIG"] = "mozconfig-android-all"
+if "armv7" in archs_in:
+    env["MOZ_ANDROID_FAT_AAR_ARMEABI_V7A"] = (
+        dev_root
+        + "/obj-arm-linux-androideabi/gradle/build/mobile/android/geckoview/outputs/aar/geckoview-withGeckoBinaries-debug.aar"
+    )
+    archs_out.append("armeabi-v7a")
+if "aarch64" in archs_in:
+    env["MOZ_ANDROID_FAT_AAR_ARM64_V8A"] = (
+        dev_root
+        + "/obj-aarch64-linux-android/gradle/build/mobile/android/geckoview/outputs/aar/geckoview-withGeckoBinaries-debug.aar"
+    )
+    archs_out.append("arm64-v8a")
+if "x86" in archs_in or "i686" in archs_in:
+    env["MOZ_ANDROID_FAT_AAR_X86"] = (
+        dev_root
+        + "/obj-i386-linux-android/gradle/build/mobile/android/geckoview/outputs/aar/geckoview-withGeckoBinaries-debug.aar"
+    )
+    archs_out.append("x86")
+if "x86_64" in archs_in or "x86-64" in archs_in:
+    env["MOZ_ANDROID_FAT_AAR_X86_64"] = (
+        dev_root
+        + "/obj-x86_64-linux-android/gradle/build/mobile/android/geckoview/outputs/aar/geckoview-withGeckoBinaries-debug.aar"
+    )
+    archs_out.append("x86_64")
+env["MOZ_ANDROID_FAT_AAR_ARCHITECTURES"] = ",".join(archs_out)
+
+if not archs_out:
+    print(
+        "The architectures have not specified or are not valid.",
+        file=sys.stderr,
+    )
+    print('Usage: make fat-aar ARCHS="$archs"', file=sys.stderr)
+    print(
+        "Valid architectures are armv7 aarch64 x86 x86_64, and must be separated with a space.",
+        file=sys.stderr,
+    )
+    sys.exit(1)
+
+subprocess.run(["./mach", "configure"], cwd=dev_root, env=env, check=True)
+subprocess.run(["./mach", "build"], cwd=dev_root, env=env, check=True)
--- a/tools/torbrowser/fetch.sh
+++ b/tools/torbrowser/fetch.sh
+#!/bin/sh
+set -e
+
+BINARIES_DIR="$1"
+
+# download the current downloads.json
+wget https://aus1.torproject.org/torbrowser/update_3/alpha/downloads.json
+# get url for latest alpha linux package
+TOR_BROWSER_VERSION=$(grep -Eo "\"version\":\"[0-9.a]+\"" downloads.json | grep -Eo "[0-9.a]+")
+if [ "$(uname)" = "Darwin" ]; then
+    TOR_BROWSER_PACKAGE="tor-browser-macos-${TOR_BROWSER_VERSION}.dmg"
+  else
+    TOR_BROWSER_PACKAGE="tor-browser-linux-x86_64-${TOR_BROWSER_VERSION}.tar.xz"
+fi
+TOR_BROWSER_PACKAGE_URL="https://dist.torproject.org/torbrowser/${TOR_BROWSER_VERSION}/${TOR_BROWSER_PACKAGE}"
+
+# remove download manifest
+rm downloads.json
+
+# clear out previous tor-browser and previous package
+rm -rf "${BINARIES_DIR}"
+rm -f "${TOR_BROWSER_PACKAGE}"
+
+# download
+wget "${TOR_BROWSER_PACKAGE_URL}"
+mkdir -p "${BINARIES_DIR}"
+
+# and extract
+if [ "$(uname)" = "Darwin" ]
+  then
+    hdiutil attach "${TOR_BROWSER_PACKAGE}"
+    cp -R "/Volumes/Tor Browser/Tor Browser.app" "${BINARIES_DIR}"
+    hdiutil detach "/Volumes/Tor Browser"
+  else
+    tar -xf "${TOR_BROWSER_PACKAGE}" -C "${BINARIES_DIR}"
+    mv "${BINARIES_DIR}/tor-browser" "${BINARIES_DIR}/dev"
+fi
+
+# Final cleanup
+rm -f "${TOR_BROWSER_PACKAGE}"
--- a/tools/torbrowser/ide.sh
+++ b/tools/torbrowser/ide.sh
+#!/bin/bash
+set -e
+IDE=$1
+DEV_ROOT=$2
+
+cd $DEV_ROOT
+./mach ide $IDE
--- a/tools/torbrowser/jslint.sh
+++ b/tools/torbrowser/jslint.sh
+#!/bin/bash
+set -e
+DEV_ROOT=$1
+JS_FILE=$2
+
+cd $DEV_ROOT
+./mach lint -l eslint --fix $JS_FILE