Updating the make script to reflect changes in the CRX signing process

Hainish · Hainish · commit bd19c462a86c · 2018-09-18T19:12:55.000-07:00
diff --git a/.build_exclusions b/.build_exclusions
@@ -10,11 +10,7 @@ chrome/content/rules/validity-*
 chrome/content/rules/make-*
 *.xcf.gz
 .gitignore
-webextension/.gitignore
-chrome-resources/update-from-chrome-svn.sh
-webextension/chrome-resources/update-from-chrome-svn.sh
 .eslintrc.json
-webextension/.eslintrc.json
 .eslintignore
 node_modules
 package-lock.json
diff --git a/chromium/manifest.json b/chromium/manifest.json
@@ -55,4 +55,4 @@
     "web_accessible_resources": [
         "/pages/cancel/index.html"
     ]
-}
+}
diff --git a/chromium/updates-master.xml b/chromium/updates-master.xml
diff --git a/dummy-chromium.pem b/dummy-chromium.pem
@@ -1,27 +1,13 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAt4ew59KRXh6f9/sk4gbt5LqO5+yOGwEw6kwZxZl66BdZZyg5
-lFIt7je6s/OmEPpq4pHZ7cROfckYnOacFHYng68ZvYY2/0l7iBY1CjKMwe9TFoYv
-uqG6dCC2h4sbzikTO2dvarxptnSVm5Zbuw6mQTmCRKUzcey/njPq49nu0RcKvm+c
-NVRZCLofKHrioQcVt+9ig9I390Z9sF7l1uNy7IVdRw4B8KMJT22ghEGusYmFioHR
-jzVpTSetxcEfznJVzZWLfKqU45CY+ggDy2MhNVRFvTlFkENJoOtKRj/Xp6/0FqY4
-FqhglMdQI6cmhQibmQdzv9Q39P3lGRU3AEVJawIDAQABAoIBADEk75UUCIMIdlOD
-95tiuZ8O6adm66KFjiCfIiOMdqHhZro9xjVWUCBC4ga/zo8rTyW+YnnNoCsEh0e0
-ZMUB4pDbeWwLnXx8o8yMDcXeRVzFBh247tzt46ym+dmPwXFSBGlayDXvn+sQiuMv
-vv527MP4b06MYhs2hxUI1/QNbmqkaZNlJVaXlVjdNGjbdsEy8rVQIxdKkEG0qVKN
-4wH7aVmRTAYDJedDc+8eePviCYfthr1/1qX7Wj/sY+rKQFoxwTRhTs2hRwV0U0Wl
-1Gmk2Gz07l1M2mY+cImowOPYZT1jwiFSwoOczJNEmupH/F1VLomH12bkcb2l2lwi
-Ne1JubECgYEA5zYUfdm1/5SBnAmONcReos6w3CjzxlD7dcaFx1XIaGSfGU+H7MO7
-tdQfMVsAq+6SoO+DRBDS3Dn/2/imFxQ+2dYpuJvbQOzNKLqLU9M7LF8kBJFxP35C
-8GVhe6l+c8Csl4nK/bllzLsxtCatzL+cs7TNCvZUeQD6G86PoM1zH8MCgYEAyzTu
-y0UgG67a+MFcVdngRwcFIX06YeQSxAEkRFULaa/Yh6KEwaeYhTPv8rGIPJLAS8T7
-5UVJ4T3yVCPQBZ0Y11tLvh7onRTeEKevihBEDSSIsf020mYwgX5F3TD6JlwjVIpV
-k96AtDRcd27Y5eznCu94QyPbjUQbegWHNH9LfTkCgYBvIHwK3PfvpmYBJEqYpxBB
-OgyhVIGOQOALhGZKH33aRvp9BM+0yYLP6usvIqkY+eq5tUSnE1r1hF7oUAMsNova
-0WduFmL0OpyExdwvZuga9INwOqNuu/Xaay/GavmfEu0hTJYnCtPV6ecCylBgh3v+
-l5ixeyGwovqTIN3BkN2TVwKBgDighJcCqWLthDnj8G5AK/6/Fw/xDM7wtsYGJ2wf
-YvHNvgJ2KJaqtJcSFSDFlliC8LFssGGAwIjTMW9/F14pHB4PY/kUNfBoO0Xa5NEN
-nVkoQCuRi7BwJ74+SQvNtTfxXysU7aoqTCVrngTuT+Uq8muatiHHoUwpmZqUZcwc
-WRYJAoGACI3XKiDqhbVoDOvyTkDP1Fo651OH6z/6XTBEYB4ICoY7O2kL4BUwnUkh
-uzDVkAi5XrztUKZPE/HISTgq09umkrw4taFAXs3cBbLSns0C32SggNZGUCSfFScx
-hys49ypF5iddhaMBD5WtUMhrWTc1rUUQGaOlQ10xmAy1yCA2VK0=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEA3BZGOZsEWGEc82Yz
+Ddrey4Vp8dV4AQZPu2tM32Z6ZEx2538G3bWu5g0OPzX8Oqvzqr8ZRIvxcBbL3kgZ
+5wnhjVRTlWy0jxZDHCvVsATzhbhAt505zljHaRS1PrCYfV/nAgMBAAECYCQpRMCS
+R9R9oFQdpqXQIGswMIgbmuwQLWmN58ONAu8X4TGIHYiwIVyLKJwaMqcxOTn753Us
+7vFbGwoMnO3Krzh1Xn9z6uKnB7dDotgc9ZIQ5Ja8ExjJhl5iBMSWePYWAQIxAPRo
+yZ+JdWu+/y+/F6KsiCDx8EmdV8Dd09BogXH31S2VtSUEfZd/UDUPgbRgo+c9dwIx
+AOaGNJyJbHY4UCxC2hRBRZGNlic8SaFKEQAtN28gMWMDMgAh0ik8YtrPffBed+bN
+EQIxAOwTAx0MItTt6YLu6x9/0wUva89PIWHzYhKdvtqcbdbYEd4tljntCUYXMktO
+RUKoRQIxAL/3PHKqoc6kwGbLWO2LGVLHNCYCN1J/6j5aaRI6HcZVD9s6TteV+MA8
+D6UOFgz18QIxAJKXHDXXF+LXGsOwRMcp8nqg9Ri9daWW74JWyozFRqIsRhnhDhw9
+8f4cUAPw7BquBw==
+-----END PRIVATE KEY-----
diff --git a/make.sh b/make.sh
@@ -19,9 +19,63 @@
 # but these .crx files won't detect and upgrade to official HTTPS Everywhere
 # releases signed by EFF :/.  We should find a more elegant arrangement.
 
+! getopt --test > /dev/null
+if [[ ${PIPESTATUS[0]} -ne 4 ]]; then
+  echo 'I’m sorry, `getopt --test` failed in this environment.'
+  exit 1
+fi
+
+OPTIONS=eck:
+LONGOPTS=remove-extension-update,remove-update-channels,key:
+! PARSED=$(getopt --options=$OPTIONS --longoptions=$LONGOPTS --name "$0" -- "$@")
+if [[ ${PIPESTATUS[0]} -ne 0 ]]; then
+  # e.g. return value is 1
+  #  then getopt has complained about wrong arguments to stdout
+  exit 2
+fi
+
+# read getopt’s output this way to handle the quoting right:
+eval set -- "$PARSED"
+
+REMOVE_EXTENSION_UPDATE=false
+REMOVE_UPDATE_CHANNELS=false
+KEY=$(pwd)/dummy-chromium.pem
+while true; do
+  case "$1" in
+    -e|--remove-extension-update)
+      REMOVE_EXTENSION_UPDATE=true
+      shift
+      ;;
+    -c|--remove-update-channels)
+      REMOVE_UPDATE_CHANNELS=true
+      shift
+      ;;
+    -k|--key)
+      KEY="$2"
+      shift 2
+      ;;
+    --)
+      shift
+      break
+      ;;
+    *)
+      echo "Programming error"
+      exit 3
+      ;;
+  esac
+done
+
+if [ "${KEY:0:1}" != "/" ]; then
+  echo "Key must be specified as an absolute path."
+  exit 4
+fi
+
+
+
+
 cd $(dirname $0)
 
-if [ -n "$1" -a "$1" != "--remove-extension-update" -a "$1" != "--remove-update-channels" ]; then
+if [ -n "$1" ]; then
   BRANCH=`git branch | head -n 1 | cut -d \  -f 2-`
   SUBDIR=checkout
   [ -d $SUBDIR ] || mkdir $SUBDIR
@@ -36,17 +90,16 @@ VERSION=`python3.6 -c "import json ; print(json.loads(open('chromium/manifest.js
 echo "Building version" $VERSION
 
 [ -d pkg ] || mkdir -p pkg
-[ -e pkg/crx ] && rm -rf pkg/crx
+[ -e pkg/crx-cws ] && rm -rf pkg/crx-cws
+[ -e pkg/crx-eff ] && rm -rf pkg/crx-eff
 [ -e pkg/xpi-amo ] && rm -rf pkg/xpi-amo
 [ -e pkg/xpi-eff ] && rm -rf pkg/xpi-eff
 
 # Clean up obsolete ruleset databases, just in case they still exist.
 rm -f src/chrome/content/rules/default.rulesets src/defaults/rulesets.sqlite
 
-sed -e "s/VERSION/$VERSION/g" chromium/updates-master.xml > chromium/updates.xml
-
-mkdir -p pkg/crx/rules
-cd pkg/crx
+mkdir -p pkg/crx-cws/rules
+cd pkg/crx-cws
 cp -a ../../chromium/* ./
 # Turn the Firefox translations into the appropriate Chrome format:
 rm -rf _locales/
@@ -57,97 +110,73 @@ do_not_ship="*.py *.xml"
 rm -f $do_not_ship
 cd ../..
 
-python3.6 ./utils/merge-rulesets.py || exit 1
+python3.6 ./utils/merge-rulesets.py || exit 5
+
+cp src/chrome/content/rules/default.rulesets pkg/crx-cws/rules/default.rulesets
 
-cp src/chrome/content/rules/default.rulesets pkg/crx/rules/default.rulesets
+sed -i -e "s/VERSION/$VERSION/g" pkg/crx-cws/manifest.json
 
-sed -i -e "s/VERSION/$VERSION/g" pkg/crx/manifest.json
+for x in `cat .build_exclusions`; do
+  rm -rf pkg/crx-cws/$x
+done
 
-cp -a pkg/crx pkg/xpi-amo
-cp -a pkg/crx pkg/xpi-eff
+cp -a pkg/crx-cws pkg/crx-eff
+cp -a pkg/crx-cws pkg/xpi-amo
+cp -a pkg/crx-cws pkg/xpi-eff
 cp -a src/META-INF pkg/xpi-amo
 cp -a src/META-INF pkg/xpi-eff
 
 # Remove the 'applications' manifest key from the crx version of the extension, change the 'author' string to a hash, and add the "update_url" manifest key
 # "update_url" needs to be present to avoid problems reported in https://bugs.chromium.org/p/chromium/issues/detail?id=805755
-python3.6 -c "import json; m=json.loads(open('pkg/crx/manifest.json').read()); m['author']={'email': 'eff.software.projects@gmail.com'}; del m['applications']; m['update_url'] = 'https://clients2.google.com/service/update2/crx'; open('pkg/crx/manifest.json','w').write(json.dumps(m,indent=4,sort_keys=True))"
+python3.6 -c "import json; m=json.loads(open('pkg/crx-cws/manifest.json').read()); m['author']={'email': 'eff.software.projects@gmail.com'}; del m['applications']; m['update_url'] = 'https://clients2.google.com/service/update2/crx'; open('pkg/crx-cws/manifest.json','w').write(json.dumps(m,indent=4,sort_keys=True))"
+python3.6 -c "import json; m=json.loads(open('pkg/crx-eff/manifest.json').read()); m['author']={'email': 'eff.software.projects@gmail.com'}; del m['applications']; open('pkg/crx-eff/manifest.json','w').write(json.dumps(m,indent=4,sort_keys=True))"
 # Remove the 'update_url' manifest key from the xpi version of the extension delivered to AMO
 python3.6 -c "import json; m=json.loads(open('pkg/xpi-amo/manifest.json').read()); del m['applications']['gecko']['update_url']; m['applications']['gecko']['id'] = 'https-everywhere@eff.org'; open('pkg/xpi-amo/manifest.json','w').write(json.dumps(m,indent=4,sort_keys=True))"
 
 # If the --remove-extension-update flag is set, ensure the extension is unable to update
-if [ "$1" == "--remove-extension-update" -o "$2" == "--remove-extension-update" -o "$3" == "--remove-extension-update" ]; then
+if $REMOVE_EXTENSION_UPDATE; then
   echo "Flag --remove-extension-update specified.  Removing the XPI extensions' ability to update."
   python3.6 -c "import json; m=json.loads(open('pkg/xpi-amo/manifest.json').read()); m['applications']['gecko']['update_url'] = 'data:text/plain,'; open('pkg/xpi-amo/manifest.json','w').write(json.dumps(m,indent=4,sort_keys=True))"
   python3.6 -c "import json; m=json.loads(open('pkg/xpi-eff/manifest.json').read()); m['applications']['gecko']['update_url'] = 'data:text/plain,'; open('pkg/xpi-eff/manifest.json','w').write(json.dumps(m,indent=4,sort_keys=True))"
 fi
 
 # If the --remove-update-channels flag is set, remove all out-of-band update channels
-if [ "$1" == "--remove-update-channels" -o "$2" == "--remove-update-channels" -o "$3" == "--remove-update-channels" ]; then
+if $REMOVE_UPDATE_CHANNELS; then
   echo "Flag --remove-update-channels specified.  Removing all out-of-band update channels."
-  echo "require.scopes.update_channels.update_channels = [];" >> pkg/crx/background-scripts/update_channels.js
+  echo "require.scopes.update_channels.update_channels = [];" >> pkg/crx-cws/background-scripts/update_channels.js
+  echo "require.scopes.update_channels.update_channels = [];" >> pkg/crx-eff/background-scripts/update_channels.js
   echo "require.scopes.update_channels.update_channels = [];" >> pkg/xpi-amo/background-scripts/update_channels.js
   echo "require.scopes.update_channels.update_channels = [];" >> pkg/xpi-eff/background-scripts/update_channels.js
 fi
 
 if [ -n "$BRANCH" ] ; then
-  crx="pkg/https-everywhere-$VERSION.crx"
+  crx_cws="pkg/https-everywhere-$VERSION-cws.crx"
+  crx_eff="pkg/https-everywhere-$VERSION-eff.crx"
   xpi_amo="pkg/https-everywhere-$VERSION-amo.xpi"
   xpi_eff="pkg/https-everywhere-$VERSION-eff.xpi"
-  key=../dummy-chromium.pem
 else
-  crx="pkg/https-everywhere-$VERSION~pre.crx"
+  crx_cws="pkg/https-everywhere-$VERSION~pre-cws.crx"
+  crx_eff="pkg/https-everywhere-$VERSION~pre-eff.crx"
   xpi_amo="pkg/https-everywhere-$VERSION~pre-amo.xpi"
   xpi_eff="pkg/https-everywhere-$VERSION~pre-eff.xpi"
-  key=dummy-chromium.pem
 fi
-if ! [ -f "$key" ] ; then
+if ! [ -f "$KEY" ] ; then
   echo "Making a dummy signing key for local build purposes"
-  openssl genrsa 2048 > "$key"
+  openssl genrsa -out /tmp/dummy-chromium.pem 768
+  openssl pkcs8 -topk8 -nocrypt -in /tmp/dummy-chromium.pem -out $KEY
 fi
 
 
-## Based on https://code.google.com/chrome/extensions/crx.html
-
-dir=pkg/crx
-name=pkg/crx
-pub="$name.pub"
-sig="$name.sig"
-zip="$name.zip"
-trap 'rm -f "$pub" "$sig" "$zip"' EXIT
-
-# zip up the crx dir
-cwd=$(pwd -P)
-(cd "$dir" && ../../utils/create_zip.py -n "$cwd/$zip" -x "../../.build_exclusions" .)
-echo >&2 "CWS crx package has sha256sum: `openssl dgst -sha256 -binary "$cwd/$zip" | xxd -p`"
-
-# signature
-openssl sha1 -sha1 -binary -sign "$key" < "$zip" > "$sig"
-
-# public key
-openssl rsa -pubout -outform DER < "$key" > "$pub" 2>/dev/null
-
-byte_swap () {
-  # Take "abcdefgh" and return it as "ghefcdab"
-  echo "${1:6:2}${1:4:2}${1:2:2}${1:0:2}"
-}
-
-crmagic_hex="4372 3234" # Cr24
-version_hex="0200 0000" # 2
-pub_len_hex=$(byte_swap $(printf '%08x\n' $(ls -l "$pub" | awk '{print $5}')))
-sig_len_hex=$(byte_swap $(printf '%08x\n' $(ls -l "$sig" | awk '{print $5}')))
-
-# Case-insensitive matching is a GNU extension unavailable when using BSD sed.
-if [[ "$(sed --version 2>&1)" =~ "GNU" ]]; then
-  sed="sed"
-elif [[ "$(gsed --version 2>&1)" =~ "GNU" ]]; then
-  sed="gsed"
-fi
-
-(
-  echo "$crmagic_hex $version_hex $pub_len_hex $sig_len_hex" | $sed -e 's/\s//g' -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf
-  cat "$pub" "$sig" "$zip"
-) > "$crx"
+# now pack the crx'es
+BROWSER="chromium-browser"
+which $BROWSER || BROWSER="chromium"
 
+$BROWSER --no-message-box --pack-extension="pkg/crx-cws" --pack-extension-key="$KEY" 2> /dev/null
+$BROWSER --no-message-box --pack-extension="pkg/crx-eff" --pack-extension-key="$KEY" 2> /dev/null
+mv pkg/crx-cws.crx $crx_cws
+mv pkg/crx-eff.crx $crx_eff
+echo >&2 "CWS crx package has sha256sum: `openssl dgst -sha256 -binary "$crx_cws" | xxd -p`"
+echo >&2 "EFF crx package has sha256sum: `openssl dgst -sha256 -binary "$crx_eff" | xxd -p`"
 
 
 # now zip up the xpi AMO dir
@@ -185,11 +214,13 @@ echo >&2 "Rules disabled by default: `find src/chrome/content/rules -name "*.xml
 # see test/selenium/shim.py
 echo "Created $xpi_amo"
 echo "Created $xpi_eff"
-echo "Created $crx"
+echo "Created $crx_cws"
+echo "Created $crx_eff"
 
 if [ -n "$BRANCH" ]; then
   cd ..
-  cp $SUBDIR/$crx pkg
+  cp $SUBDIR/$crx_cws pkg
+  cp $SUBDIR/$crx_eff pkg
   cp $SUBDIR/$xpi_amo pkg
   cp $SUBDIR/$xpi_eff pkg
   rm -rf $SUBDIR
diff --git a/test/chromium.sh b/test/chromium.sh
@@ -31,7 +31,7 @@ if [ "$1" == "--justrun" ]; then
 	which $BROWSER || BROWSER="chromium"
 	$BROWSER \
 		--user-data-dir="$PROFILE_DIRECTORY" \
-		--load-extension=pkg/crx/ \
+		--load-extension=pkg/crx-cws/ \
 		"$@"
 else
 	./make.sh
diff --git a/test/selenium/shim.py b/test/selenium/shim.py
@@ -3,13 +3,14 @@
 from collections import namedtuple
 import subprocess
 import time
+import shutil
 
 from selenium import webdriver
 from selenium.webdriver import DesiredCapabilities
 from selenium.webdriver.chrome.options import Options
 
 firefox_info = {'extension_id': 'https-everywhere-eff@eff.org', 'uuid': 'd56a5b99-51b6-4e83-ab23-796216679614'}
-chrome_info = {'extension_id': 'nmleinhehnmmepmdbjddclicgpfhbdjo'}
+chrome_info = {'extension_id': 'kofalhllfompobhklifpbealgeckijek'}
 
 
 BROWSER_TYPES = ['chrome', 'firefox']
@@ -53,12 +54,21 @@ def get_browser_name(string):
 def build_crx():
     '''Builds the .crx file for Chrome and returns the path to it'''
     cmd = [os.path.join(get_git_root(), 'make.sh'), '--remove-update-channels']
-    return os.path.join(get_git_root(), run_shell_command(cmd).split()[-1])
+    run_shell_command(cmd)
+
+    # Since this is an unpacked extension we're loading, the extension ID is
+    # determined by the below `crx_dir` path alone. Don't alter it without
+    # changing the corresponding ID at the top of this file.
+
+    crx_dir = os.path.join(os.sep, 'tmp','https-everywhere-test')
+    shutil.rmtree(crx_dir, True)
+    shutil.copytree(os.path.join(get_git_root(), 'pkg', 'crx-cws'), crx_dir)
+    return crx_dir
 
 
 def build_xpi():
     cmd = [os.path.join(get_git_root(), 'make.sh'), '--remove-update-channels']
-    return os.path.join(get_git_root(), run_shell_command(cmd).split()[-3])
+    return os.path.join(get_git_root(), run_shell_command(cmd).split()[-5])
 
 
 def install_ext_on_ff(driver, extension_path):
@@ -149,7 +159,7 @@ def chrome_manager(self):
         opts = Options()
         if self.on_travis:  # github.com/travis-ci/travis-ci/issues/938
             opts.add_argument("--no-sandbox")
-        opts.add_extension(self.extension_path)
+        opts.add_argument("--load-extension=" + self.extension_path)
         opts.binary_location = self.browser_path
         opts.add_experimental_option("prefs", {"profile.block_third_party_cookies": False})
 

Original file line number	Diff line number	Diff line change
`@@ -55,4 +55,4 @@`
`55`	`55`	`"web_accessible_resources": [`
`56`	`56`	`"/pages/cancel/index.html"`
`57`	`57`	`]`
`58`		`-}`
	`58`	`+}`