GPG keyservers are known to be flaky so we include the keys in the repo:
- Tor:
Generating `tor.gpg`:
$ rm -f gpg-keys/tor.gpg
$ touch gpg-keys/tor.gpg
$ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys 514102454D0A87DB0767A1EBBE6A0531C18A9179
$ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys B74417EDDF22AC9F9E90F49142E86A2A11F48D36
$ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys 2133BC600AB133E1D826D173FE43009C4607B1FB
The fingerprints should match those listed on https://support.torproject.org/little-t-tor/verify-little-t-tor/.
- Libevent:
Generating `libevent.gpg`:
$ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys 9E3AC83A27974B84D1B3401DB86086848EF8686D
$ gpg --output gpg-keys/libevent.gpg --export 9E3AC83A27974B84D1B3401DB86086848EF8686D
$ gpg --fingerprint 9E3AC83A27974B84D1B3401DB86086848EF8686D
pub rsa2048 2010-06-10 [SC]
9E3A C83A 2797 4B84 D1B3 401D B860 8684 8EF8 686D
uid [ unknown] Azat Khuzhin <a3at.mail@gmail.com>
uid [ unknown] Azat Khuzhin <bin@azat.sh>
uid [ unknown] Azat Khuzhin <azat@libevent.org>
sub rsa2048 2010-06-10 [E]
- OpenSSL:
Generating `openssl.gpg`:
$ gpg --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 8657ABB260F056B1E5190839D9C4D26D0E604491
$ gpg --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key B7C1C14360F353A36862E4D5231C84CDDCC69C45
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 5B2545DAB21995F4088CEFAA36CEE4DEB00CFE33
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key C1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key E5E52560DD91C556DDBDA5D02064C53641C25E5D
$ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key DC7032662AF885E2F47F243F527466A21CA79E6D
The keys are listed on https://www.openssl.org/community/omc.html.
- Increment the Brave version number for each published build.
- Run `source env.sh` to set the correct environment variables.
- Run `build_<os>.sh` to generate the binary.
- Confirm all signature and hash checks passed.

The generated binary is of the form `tor-<tor-version>-<os>-brave-<brave-version>`.
In case of updates for tor | libevent | zlib | openssl
- Increment the Brave version number in `env.sh`.
- Update the upstream distfile version in env.sh.
- Attempt a build. It should fail.
- Confirm that the signature passes and the hash fails.
- Confirm the upstream distribution is plausible.
- Confirm a README or NEWS or ChangeLog says the right version. (Otherwise we are subject to version rollback attacks.)
- Update the hash in env.sh.
- Attempt a build. It should pass.
- Prepare a PR for your branch.
- To test building on other platforms, build the brave-tor-client-build project in Jenkins using your branch instead of `master`. The build output will give you URLs on S3 of all of the generated binaries (one per platform).
- Download each binary and run `sha512sum` on them. Make sure you use the post-signing Windows binary since both signed and unsigned will be in the output.
- Merge your `brave/tor_build_scripts` PR once it's been reviewed.
- Prepare a PR for the `brave/brave-core-crx-packager` repo bumping the version numbers and hashes (e.g. brave/brave-core-crx-packager#390).
- Build a new version of the component on dev by building the brave-core-ext-tor-client-update-publish-dev project in Jenkins using your branch (in the `brave/brave-core-crx-packager` repo) instead of `master`.
- Once the build has finished, check that the correct version of the tor daemon is downloaded when running `brave-browser --use-dev-goupdater-url` (check the terminal log messages).
- Ask QA to create a milestone like https://github.com/brave/brave-browser/milestone/281 and do a manual test pass on each platform with the dev builds.
- Merge the `brave/brave-core-crx-packager` PR once it's been reviewed and QA has approved.
- Build a new version of the component on prod by building the brave-core-ext-tor-client-update-publish project in Jenkins using the `master` branch.
- Update to the latest version of the Brave Tor Client Updater component in your browser by triggering an update in `brave://components` and test that https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/index.html loads fine.
- Ask QA to repeat this test on all platforms.
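
The distfile checks from the update steps above (signature against the in-repo keyring, pinned hash, version named in a README, NEWS or ChangeLog) written as shell functions. This is an added example, not code from the repository; the function names, the constructed `example-1.2.30` tarball and the gzip-tarball assumption are illustrative.

```shell
#!/bin/sh
# Added example, not part of the repo's build scripts. Function names are
# illustrative; assumes gzip tarballs and sha512sum, tar, grep, gpgv on PATH.

# check_sig KEYRING SIGFILE DATAFILE: verify with the in-repo keyring only.
# gpgv does no trust-database lookups; KEYRING must contain a slash
# (e.g. gpg-keys/tor.gpg) or gpgv looks for it in its home directory.
check_sig() {
    gpgv --keyring "$1" "$2" "$3"
}

# check_hash FILE EXPECTED_SHA512: succeeds only if the pinned hash matches.
check_hash() {
    actual=$(sha512sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# check_version TARBALL VERSION: rollback check. Succeeds if a README, NEWS
# or ChangeLog in the tarball names VERSION as a whole word, so 1.2.3 does
# not match 1.2.30.
check_version() {
    tar -tzf "$1" | grep -E '(^|/)(README|NEWS|ChangeLog)(\.md)?$' |
    while IFS= read -r member; do
        tar -xzOf "$1" "$member"
    done | grep -wF -- "$2" >/dev/null
}

# make_sample DIR: constructed stand-in for an upstream release (not real data).
make_sample() {
    mkdir -p "$1/example-1.2.30"
    printf 'Changes in version 1.2.30\n  - constructed entry\n' \
        > "$1/example-1.2.30/ChangeLog"
    tar -czf "$1/example-1.2.30.tar.gz" -C "$1" example-1.2.30
}

# review_update TARBALL OLD_HASH VERSION: state expected after the version bump
# in env.sh and before the hash update. Prints the new hash only when safe to pin.
review_update() {
    if check_hash "$1" "$2"; then
        echo "hash-unchanged"; return 1    # old hash still matches: distfile not updated
    fi
    if ! check_version "$1" "$3"; then
        echo "version-mismatch"; return 1  # possible rollback: do not pin
    fi
    echo "ok-to-pin $(sha512sum "$1" | cut -d' ' -f1)"
}
```

`review_update` is meant to run only after `check_sig` has passed for the same distfile.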