brave/tor_build_scripts

Build scripts for tor binary

GPG keys

GPG keyservers are known to be flaky, so we include the keys in the repo:

  1. Tor:

Generating tor.gpg:

$ rm -f gpg-keys/tor.gpg
$ touch gpg-keys/tor.gpg
$ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys 514102454D0A87DB0767A1EBBE6A0531C18A9179
$ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys B74417EDDF22AC9F9E90F49142E86A2A11F48D36
$ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys 2133BC600AB133E1D826D173FE43009C4607B1FB

The fingerprints should match those listed on https://support.torproject.org/little-t-tor/verify-little-t-tor/.

  2. Libevent:

Generating libevent.gpg:

$ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys 9E3AC83A27974B84D1B3401DB86086848EF8686D
$ gpg --output gpg-keys/libevent.gpg --export 9E3AC83A27974B84D1B3401DB86086848EF8686D
$ gpg --fingerprint 9E3AC83A27974B84D1B3401DB86086848EF8686D
pub   rsa2048 2010-06-10 [SC]
      9E3A C83A 2797 4B84 D1B3  401D B860 8684 8EF8 686D
uid           [ unknown] Azat Khuzhin <a3at.mail@gmail.com>
uid           [ unknown] Azat Khuzhin <bin@azat.sh>
uid           [ unknown] Azat Khuzhin <azat@libevent.org>
sub   rsa2048 2010-06-10 [E]

  3. OpenSSL:

Generating openssl.gpg:

$ gpg --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 8657ABB260F056B1E5190839D9C4D26D0E604491
$ gpg --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key B7C1C14360F353A36862E4D5231C84CDDCC69C45
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 5B2545DAB21995F4088CEFAA36CEE4DEB00CFE33
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key C1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key E5E52560DD91C556DDBDA5D02064C53641C25E5D
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key DC7032662AF885E2F47F243F527466A21CA79E6D
$ gpg --keyserver hkps://keys.openpgp.org --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5

The keys are listed on https://www.openssl.org/community/omc.html.
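The check the steps above call for (that the primary-key fingerprints in a keyring match the list published upstream), written out as an added example; this is not one of the repository's scripts. It parses gpg --fingerprint output in either the human-readable layout shown in the libevent step or the --with-colons layout, and reports fingerprints that are missing from or unexpected in the keyring. The sample listings are constructed: the human one reproduces the libevent output above, and the colon one abbreviates the field layout and uses a made-up subkey, since only the record type and the fpr value are read.

```python
import re

# Constructed sample: the human-readable `gpg --fingerprint` listing from the libevent step.
SAMPLE_HUMAN = """\
pub   rsa2048 2010-06-10 [SC]
      9E3A C83A 2797 4B84 D1B3  401D B860 8684 8EF8 686D
uid           [ unknown] Azat Khuzhin <a3at.mail@gmail.com>
uid           [ unknown] Azat Khuzhin <bin@azat.sh>
uid           [ unknown] Azat Khuzhin <azat@libevent.org>
sub   rsa2048 2010-06-10 [E]
"""

# Constructed sample of the same key in `--with-colons` form. The field layout is
# abbreviated and the subkey values are made up; only field 1 (record type) and
# field 10 of an fpr record (the fingerprint) are used below.
SAMPLE_COLONS = """\
pub:-:2048:1:B86086848EF8686D:1276128000:::-:::scESC:
fpr:::::::::9E3AC83A27974B84D1B3401DB86086848EF8686D:
uid:-::::::::Azat Khuzhin <azat@libevent.org>:
sub:-:2048:1:0123456789ABCDEF:1276128000::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""

LIBEVENT_FPR = "9E3AC83A27974B84D1B3401DB86086848EF8686D"

# Ten groups of four hex digits, indented, as gpg prints a fingerprint.
HUMAN_FPR = re.compile(r"^\s+((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})\s*$")
PRIMARY_RECORDS = ("pub", "sec")
SUBKEY_RECORDS = ("sub", "ssb")


def normalize_fingerprint(fpr):
    """Strip grouping whitespace and upper-case so both layouts compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_primary_fingerprints(output):
    """Collect primary-key fingerprints from gpg --fingerprint output.

    Subkey fingerprints (which --with-colons also emits) are skipped by tracking
    whether the most recent key record was a primary key or a subkey.
    """
    fingerprints = []
    in_primary = False
    for line in output.splitlines():
        if line.startswith(PRIMARY_RECORDS):
            in_primary = True
            continue
        if line.startswith(SUBKEY_RECORDS):
            in_primary = False
            continue
        if not in_primary:
            continue
        if line.startswith("fpr:"):
            fingerprints.append(normalize_fingerprint(line.split(":")[9]))
        else:
            m = HUMAN_FPR.match(line)
            if m:
                fingerprints.append(normalize_fingerprint(m.group(1)))
    return fingerprints


def check_keyring(output, expected):
    """Compare the keyring's primary fingerprints with the expected list.

    Extra keys are reported too: a keyring that silently grew a key the
    maintainers never listed is as much a finding as a missing one.
    """
    found = set(parse_primary_fingerprints(output))
    wanted = {normalize_fingerprint(f) for f in expected}
    return {
        "ok": found == wanted,
        "missing": sorted(wanted - found),
        "unexpected": sorted(found - wanted),
    }


if __name__ == "__main__":
    print(check_keyring(SAMPLE_HUMAN, [LIBEVENT_FPR]))
    print(check_keyring(SAMPLE_COLONS, [LIBEVENT_FPR]))
```

To run it against a real keyring, feed it the output of gpg --no-default-keyring --keyring gpg-keys/libevent.gpg --with-colons --fingerprint; the colon format is the one GnuPG documents as stable for scripts, while the human layout can change between releases.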

Generating binaries

  1. Increment the Brave version number for each published build.
  2. Run source env.sh to set the correct environment variables.
  3. Run build_<os>.sh to generate the binary.
  4. Confirm all signature and hash checks passed.

The generated binary is named tor-<tor-version>-<os>-brave-<brave-version>.

Updates

Follow these steps when one of tor, libevent, zlib or openssl needs updating.

This process is now almost fully automated in CI. Start with automation and switch to the manual process if automation fails for some reason.

Automated process

  1. Start a new Build with Parameters on https://ci.brave.com/job/brave-tor-client-release/ (branch = master), specifying the versions and hashes of the components to update; leave the others empty to keep the existing versions. To get the hash, download the tarball and run sha256sum on it.
  2. Look for a PR like #171, review and merge.
  3. Look for a PR like brave/brave-core-crx-packager#1192 and review, but do NOT merge.
  4. Look for a thread on #testers like https://bravesoftware.slack.com/archives/C0YL5KMA8/p1780427378323769 to know when the new tor daemon is available in dev.
  5. Check that the correct version of the tor daemon is downloaded when running brave-browser --use-dev-goupdater-url (check the terminal log messages, or check the Tor binary version under cldoidikboihgcjfkhdeidbpclkineef/ in your app data directory). Open https://brave.com and then its onion URL to check that the tor daemon is working.
  6. Wait for QA's verification to be complete before merging the brave/brave-core-crx-packager PR.
  7. Kick off a Build with Parameters on https://ci.brave.com/job/brave-core-ext-tor-client-update-publish/ (branch = master) to upload the new tor daemon to the prod server. Test it like in step 5 but using the prod URL for goupdater.
  8. Go back to the QA Slack thread and ask for a quick check on all platforms.

Manual process

  1. Increment the brave version number in env.sh if needed.
  2. Update the upstream distfile version in env.sh.
  3. Attempt a build. It should fail.
  4. Confirm that the signature passes and the hash fails.
  5. Confirm the upstream distribution is plausible.
    • Confirm a README or NEWS or ChangeLog says the right version. (Otherwise we are subject to version rollback attacks.)
  6. Update the hash in env.sh.
  7. Attempt a build. It should pass.
  8. Prepare a PR for your branch.
  9. To test building on other platforms, build the brave-tor-client-build project in Jenkins using your branch instead of master (the "Upload" build option must be ON). The build output will give you URLs on S3 of all of the generated binaries (one per platform).
  10. Download each binary and run sha512sum on them. Make sure you use the post-signing Windows binary since both signed and unsigned will be in the output.
  11. Merge your brave/tor_build_scripts PR once it's been reviewed.
  12. Prepare a PR for the brave/brave-core-crx-packager repo bumping the version numbers and hashes (e.g. brave/brave-core-crx-packager#390).
  13. Build a new version of the component on dev by building the brave-core-ext-tor-client-update-publish-dev project in Jenkins using your branch (in the brave/brave-core-crx-packager repo) instead of master.
  14. Once the build has finished, check that the correct version of the tor daemon is downloaded when running brave-browser --use-dev-goupdater-url (check the terminal log messages).
  15. Ask QA to create a milestone like https://github.com/brave/brave-browser/milestone/281 and do a manual test pass on each platform with the dev builds.
  16. Merge the brave/brave-core-crx-packager PR once it's been reviewed and QA has approved.
  17. Build a new version of the component on prod by building the brave-core-ext-tor-client-update-publish project in Jenkins using the master branch.
  18. Update to the latest version of the Brave Tor Client Updater component in your browser by triggering an update in brave://components and test that https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/index.html loads fine.
  19. Ask QA to repeat this test on all platforms.
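Steps 3 to 7 of the manual process, as an added example that is not part of the repository's build scripts: it reads version and hash values from an env.sh-style file, compares the distfile's SHA-256 against the recorded hash, and then performs the plausibility check from step 5 by confirming that the README/NEWS/ChangeLog inside the tarball name the expected version. The variable names TOR_VERSION and TOR_SHA256 are assumptions (the real env.sh is not shown on this page), SHA-256 is assumed to be the distfile hash, and the tarball is a constructed in-memory stand-in rather than a real upstream release.

```python
import hashlib
import io
import os
import re
import tarfile

# Hypothetical env.sh variable names; the real env.sh is not on this page.
SAMPLE_ENV = """\
BRAVE_VERSION=3
TOR_VERSION="0.4.8.10"
TOR_SHA256=PLACEHOLDER_STALE_HASH
"""

ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Za-z_]\w*)=(["\']?)(.*?)\2\s*(?:#.*)?$')
VERSION_TOKEN = re.compile(r"\d+\.\d+\.\d+(?:\.\d+)*")
METADATA_FILES = {"README", "NEWS", "ChangeLog"}


def parse_env(text):
    """Parse simple NAME=value / NAME="value" lines of a shell env file."""
    env = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = m.group(3)
    return env


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def first_version_in(text):
    """Return the first version-like token (e.g. 0.4.8.10) in a text, or None.

    The first token is used rather than a substring search so that a ChangeLog
    whose newest entry is an older release does not pass just because the
    expected version string appears somewhere further down.
    """
    m = VERSION_TOKEN.search(text)
    return m.group(0) if m else None


def metadata_versions(tar_bytes):
    """Map README/NEWS/ChangeLog members of a tarball to the first version each mentions."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and os.path.basename(member.name) in METADATA_FILES:
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                found[member.name] = first_version_in(text)
    return found


def check_distfile(tar_bytes, expected_version, expected_sha256):
    """Steps 4-6: does the hash match, and does the tarball say the right version?"""
    versions = metadata_versions(tar_bytes)
    return {
        "hash_ok": sha256_hex(tar_bytes) == expected_sha256.lower(),
        "version_ok": expected_version in versions.values(),
        "metadata_versions": versions,
    }


def make_sample_tarball(version):
    """Build a constructed stand-in for an upstream tarball, entirely in memory."""
    files = {
        "README": f"Constructed sample README standing in for tor {version}.\n",
        "ChangeLog": (
            f"Changes in version {version} - 2024-01-01\n  o Constructed entry.\n\n"
            "Changes in version 0.4.8.9 - 2023-12-01\n  o Older constructed entry.\n"
        ),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"tor-{version}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    tarball = make_sample_tarball("0.4.8.10")
    env = parse_env(SAMPLE_ENV)
    # Version bumped but hash still stale: the build should fail here (steps 3-4).
    print(check_distfile(tarball, env["TOR_VERSION"], env["TOR_SHA256"]))
    # Metadata confirmed and hash updated (step 6): the check passes.
    print(check_distfile(tarball, env["TOR_VERSION"], sha256_hex(tarball)))
    # Rollback: an older release offered under the new version's name fails step 5.
    print(check_distfile(make_sample_tarball("0.4.8.9"), "0.4.8.10", "")["version_ok"])
```

The hash comparison alone cannot catch a rollback, because whoever serves the older tarball can also serve its correct hash and a valid upstream signature; the version check inside the archive is what ties the downloaded bytes to the version recorded in env.sh.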
