From c1f52b2705509e0446a0be2ccdf068c35a58033a Mon Sep 17 00:00:00 2001 From: Alexis Hancock Date: Fri, 31 Jul 2020 16:55:02 -0700 Subject: [PATCH 1/3] Add CRX verification to the process - Adding Node utility to verify crx file - Add transparency for edge packaging process - Add node to dependencies list --- edge.sh | 22 ++++++++++++++++++++++ install-dev-dependencies.sh | 11 +++++++++++ make.sh | 15 ++++++++++----- 3 files changed, 43 insertions(+), 5 deletions(-) create mode 100755 edge.sh
diff --git a/edge.sh b/edge.sh new file mode 100755
index 000000000000..f0ad7e22f21e
--- /dev/null
+++ b/edge.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+#Verify CRX file
+VERSION=`python3.6 -c "import json ; print(json.loads(open('chromium/manifest.json').read())['version'])"`
+crx_cws="pkg/https-everywhere-$VERSION-cws.crx"
+crx_eff="pkg/https-everywhere-$VERSION-eff.crx"
+
+crx3-info rsa 0 < $crx_cws > public.pem
+crx3-verify rsa 0 public.pem < $crx_cws
+echo "CRX verified"
+
+#Build Edge Zip File
+echo "Building Edge Zip"
+crx3-info < $crx_eff | awk '/^header/ {print $2}' \
+ | xargs -I% dd if=$crx_eff iflag=skip_bytes skip=% > https-everywhere-$VERSION-edge.zip
+
+echo >&2 "Edge zip package has sha256sum: `openssl dgst -sha256 -binary "https-everywhere-$VERSION-edge.zip" | xxd -p`"
+
+mv https-everywhere-$VERSION-edge.zip pkg/https-everywhere-$VERSION-edge.zip
+
+echo "Created pkg/https-everywhere-$VERSION-edge.zip"
+rm public.pem
\ No newline at end of file
diff --git a/install-dev-dependencies.sh b/install-dev-dependencies.sh
index db3a50063790..112d82f13a72 100755
--- a/install-dev-dependencies.sh
+++ b/install-dev-dependencies.sh
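Review bot: The check in edge.sh verifies `$crx_cws` against a key that `crx3-info rsa 0` has just extracted from that same file, so it shows only that the package is internally consistent, not that it was signed with the project's key; the same two lines are added to make.sh in the `@@ -180,10 +181,18 @@` hunk. Comparing the extracted `public.pem` with a known-good copy of the expected public key before calling `crx3-verify` would give the check a trust anchor. The script sets no `set -e` and never tests the exit status of `crx3-verify`, so `echo "CRX verified"` prints even when verification fails; `crx3-verify rsa 0 public.pem < "$crx_cws" || exit 1` closes that gap. The Edge zip is then cut from `$crx_eff`, which this script never verifies at all.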
@@ -43,6 +43,7 @@ if type apt-get>/dev/null 2>&1; then fi $SUDO_SHIM apt-get install -y libxml2-dev libxml2-utils libxslt1-dev \ python3.6-dev $BROWSERS zip sqlite3 python3-pip libcurl4-openssl-dev xvfb \ + nodejs \ libssl-dev git curl $CHROMEDRIVER if ! type geckodriver >/dev/null 2>&1; then curl -LO "https://github.com/mozilla/geckodriver/releases/download/v0.24.0/geckodriver-v0.24.0-linux$ARCH.tar.gz" @@ -61,6 +62,7 @@ elif type brew >/dev/null 2>&1; then brew list python &>/dev/null || brew install python brew cask install chromedriver brew install libxml2 gnu-sed + brew install node if ! echo $PATH | grep -ql /usr/local/bin ; then echo '/usr/local/bin not found in $PATH, please add it.' fi @@ -86,12 +88,18 @@ elif type dnf >/dev/null 2>&1; then $SUDO_SHIM chown root /usr/bin/geckodriver $SUDO_SHIM chmod 755 /usr/bin/geckodriver fi + # This is needed for Firefox on some systems. See here for more information: # https://github.com/EFForg/https-everywhere/pull/5584#issuecomment-238655443 if [ ! -f /var/lib/dbus/machine-id ]; then $SUDO_SHIM sh -c 'dbus-uuidgen > /var/lib/dbus/machine-id' fi export PYCURL_SSL_LIBRARY=openssl + + #Node + $SUDO_SHIM curl -sL https://rpm.nodesource.com/setup_12.x | bash - + $SUDO_SHIM dnf install -y gcc-c++ make + $SUDO_SHIM dnf install -y nodejs else echo \ "Your distro isn't supported by this script yet!"\ @@ -112,5 +120,8 @@ cd test/chromium pip3 install --user -r requirements.txt cd - +# Install Node Package for CRX Verification +$SUDO_SHIM npm -g i crx3-utils + # Install git hook to run tests before pushing. ln -sf ../../test.sh .git/hooks/pre-push diff --git a/make.sh b/make.sh index 26fdc688c9c8..ae19cbd8715d 100755 --- a/make.sh +++ b/make.sh 
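Review bot: The Node setup added to the dnf branch in the `@@ -86,12 +88,18 @@` hunk downloads `https://rpm.nodesource.com/setup_12.x` and pipes it straight into `bash` with no integrity check, and `curl -sL` without `-f` will hand an HTTP error body to the shell as well. The 3/3 patch's `@@ -97,9 +98,9 @@` hunk keeps the pattern and moves `$SUDO_SHIM` onto `bash`, so the unverified script then presumably runs with elevated privileges. Installing `nodejs` from the distribution's own repositories, as the apt branch does, or saving the script to a file and checking it against a recorded checksum before running it, would avoid executing whatever the server returns. The enclosing `elif type dnf` branch starts outside the hunk.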
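Review bot: `$SUDO_SHIM npm -g i crx3-utils` in the `@@ -112,5 +120,8 @@` hunk installs whichever version is latest at run time, globally and presumably as root, and this package is the tool the build then relies on to check signatures. Pinning the version keeps the verifier itself reproducible and reviewable: `$SUDO_SHIM npm -g i crx3-utils@<pinned-version>`. The existing comment above the line could also record which scripts call `crx3-info` and `crx3-verify`, so a later version bump is checked against them.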
@@ -159,6 +159,7 @@ if [ -n "$BRANCH" ] ; then crx_eff="pkg/https-everywhere-$VERSION-eff.crx" xpi_amo="pkg/https-everywhere-$VERSION-amo.xpi" xpi_eff="pkg/https-everywhere-$VERSION-eff.xpi" + else crx_cws="pkg/https-everywhere-$VERSION~pre-cws.crx" crx_eff="pkg/https-everywhere-$VERSION~pre-eff.crx" @@ -180,10 +181,18 @@ $BROWSER --no-message-box --pack-extension="pkg/crx-cws" --pack-extension-key="$ $BROWSER --no-message-box --pack-extension="pkg/crx-eff" --pack-extension-key="$KEY" 2> /dev/null mv pkg/crx-cws.crx $crx_cws mv pkg/crx-eff.crx $crx_eff + +#Verify CRX file +crx3-info rsa 0 < $crx_cws > public.pem +crx3-verify rsa 0 public.pem < $crx_cws +echo "CRX verified" + +#Now remove unneeded pem file +rm public.pem + echo >&2 "CWS crx package has sha256sum: `openssl dgst -sha256 -binary "$crx_cws" | xxd -p`" echo >&2 "EFF crx package has sha256sum: `openssl dgst -sha256 -binary "$crx_eff" | xxd -p`" - # now zip up the xpi AMO dir name=pkg/xpi-amo dir=pkg/xpi-amo @@ -195,8 +204,6 @@ echo >&2 "AMO xpi package has sha256sum: `openssl dgst -sha256 -binary "$cwd/$zi cp $zip $xpi_amo - - # now zip up the xpi EFF dir name=pkg/xpi-eff dir=pkg/xpi-eff @@ -208,8 +215,6 @@ echo >&2 "EFF xpi package has sha256sum: `openssl dgst -sha256 -binary "$cwd/$zi cp $zip $xpi_eff - - bash utils/android-push.sh "$xpi_eff" echo >&2 "Total included rules: `find src/chrome/content/rules -name "*.xml" | wc -l`" From aac4341584b479a712f52fa6f8915a6a59bf255a Mon Sep 17 00:00:00 2001 From: Alexis Hancock Date: Mon, 10 Aug 2020 17:39:16 -0700 Subject: [PATCH 2/3] Update comments in edge script --- edge.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/edge.sh b/edge.sh index f0ad7e22f21e..60f79414b816 100755 --- a/edge.sh +++ b/edge.sh 
@@ -1,5 +1,5 @@ #!/bin/bash - +# Written for transparency and reproducibility on Edge upload #Verify CRX file VERSION=`python3.6 -c "import json ; print(json.loads(open('chromium/manifest.json').read())['version'])"` crx_cws="pkg/https-everywhere-$VERSION-cws.crx" From 2d88548b0fb7bd3663ca3f5d1a006c2ac1190e0a Mon Sep 17 00:00:00 2001 From: Alexis Hancock Date: Mon, 24 Aug 2020 16:48:25 -0700 Subject: [PATCH 3/3] Amend node install --- edge.sh | 14 ++++++++++++-- install-dev-dependencies.sh | 7 ++++--- make.sh | 8 -------- 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/edge.sh b/edge.sh index 60f79414b816..63b3f16abbec 100755 --- a/edge.sh +++ b/edge.sh @@ -1,12 +1,22 @@ #!/bin/bash # Written for transparency and reproducibility on Edge upload -#Verify CRX file + +# Install Node Package for CRX Verification via NPM +# [sudo] npm -g i crx3-utils + +# Verify CRX file +# crx3-info rsa 0 < $crx_cws > public.pem +# crx3-verify rsa 0 public.pem < $crx_cws +# echo "CRX verified" + +#Now remove unneeded pem file +rm public.pem VERSION=`python3.6 -c "import json ; print(json.loads(open('chromium/manifest.json').read())['version'])"` crx_cws="pkg/https-everywhere-$VERSION-cws.crx" crx_eff="pkg/https-everywhere-$VERSION-eff.crx" crx3-info rsa 0 < $crx_cws > public.pem -crx3-verify rsa 0 public.pem < $crx_cws + rsa 0 public.pem < $crx_cws echo "CRX verified" #Build Edge Zip File diff --git a/install-dev-dependencies.sh b/install-dev-dependencies.sh index 112d82f13a72..8a9023efb654 100755 --- a/install-dev-dependencies.sh +++ b/install-dev-dependencies.sh @@ -44,6 +44,7 @@ if type apt-get>/dev/null 2>&1; then $SUDO_SHIM apt-get install -y libxml2-dev libxml2-utils libxslt1-dev \ python3.6-dev $BROWSERS zip sqlite3 python3-pip libcurl4-openssl-dev xvfb \ nodejs \ + npm \ libssl-dev git curl $CHROMEDRIVER if ! type geckodriver >/dev/null 2>&1; then curl -LO "https://github.com/mozilla/geckodriver/releases/download/v0.24.0/geckodriver-v0.24.0-linux$ARCH.tar.gz" 
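Review bot: In the 3/3 edge.sh hunk (`@@ -1,12 +1,22 @@`) the replacement line ` rsa 0 public.pem < $crx_cws` has lost its command name, so as shown the shell would try to run `rsa` and `crx3-verify` is never invoked; since nothing tests the exit status, `echo "CRX verified"` still prints. Restore it as `crx3-verify rsa 0 public.pem < "$crx_cws" || exit 1`. The added `rm public.pem` near the top runs before `public.pem` has been created, and the commented-out copy of the verify steps above it duplicates the live ones further down. Dropping both would leave a single verification sequence, with the `rm public.pem` that the 1/3 patch put at the end of the script.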
@@ -97,9 +98,9 @@ elif type dnf >/dev/null 2>&1; then export PYCURL_SSL_LIBRARY=openssl #Node - $SUDO_SHIM curl -sL https://rpm.nodesource.com/setup_12.x | bash - - $SUDO_SHIM dnf install -y gcc-c++ make - $SUDO_SHIM dnf install -y nodejs + curl -sL https://rpm.nodesource.com/setup_12.x | $SUDO_SHIM bash - + $SUDO_SHIM yum install -y nodejs + $SUDO_SHIM yum install gcc-c++ make else echo \ "Your distro isn't supported by this script yet!"\ diff --git a/make.sh b/make.sh index ae19cbd8715d..18ee4a20a21e 100755 --- a/make.sh +++ b/make.sh @@ -182,14 +182,6 @@ $BROWSER --no-message-box --pack-extension="pkg/crx-eff" --pack-extension-key="$ mv pkg/crx-cws.crx $crx_cws mv pkg/crx-eff.crx $crx_eff -#Verify CRX file -crx3-info rsa 0 < $crx_cws > public.pem -crx3-verify rsa 0 public.pem < $crx_cws -echo "CRX verified" - -#Now remove unneeded pem file -rm public.pem - echo >&2 "CWS crx package has sha256sum: `openssl dgst -sha256 -binary "$crx_cws" | xxd -p`" echo >&2 "EFF crx package has sha256sum: `openssl dgst -sha256 -binary "$crx_eff" | xxd -p`"
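Review bot: `$SUDO_SHIM yum install gcc-c++ make` omits the `-y` that the neighbouring install lines pass, so an unattended run of the script will wait at the confirmation prompt. The two new lines also switch to `yum` inside the branch selected by `type dnf`; staying with the tool the guard tested for keeps the branch consistent: `$SUDO_SHIM dnf install -y nodejs gcc-c++ make`. The enclosing `elif type dnf` branch starts outside the hunk.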