Commit 896f33a9 authored by sajolida

Migrate release process to verification JavaScript

parent 4967e834
[[!meta title="Verification extension maintainers"]]
The maintenance of the [[verification
extension|design/verification_extension]] falls slightly outside of our
current skill set and it's hard to find a person who can take over all
its maintenance. So the work is split among different people according
to their skills and availability:
- The maintainer:
- Tracks the release of third-party libraries and updates them.
- Tests the extension on beta versions of Firefox and Chrome.
- Tests and releases new versions of the extension.
- Maintains the corresponding HTML and JavaScript on our website.
- Manages the yearly budget for the maintenance of the extension and
allocate the work to be done to other contributors.
- Other contributors:
- Ports the code of the extension to new versions of Firefox, Chrome,
and the third-party libraries.
- Our secret JavaScript expert when we have no other option or when we
require more security expertise.
[[!meta title="Verification JavaScript maintainers"]]
The maintenance of the [[verification
JavaScript|design/download_verification]] falls slightly outside of our
current skill set and it's hard to find a person who can take over all
its maintenance. So the work is split among different people according
to their skills and availability:
- The maintainer:
- Tracks the release of third-party libraries and updates them.
- Tests the extension on beta versions of Firefox and Chrome.
- Tests and releases new versions of the extension.
- Maintains the corresponding HTML and JavaScript on our website.
- Manages the yearly budget for the maintenance of the extension and
allocate the work to be done to other contributors.
- Other contributors:
- Ports the code of the extension to new versions of Firefox, Chrome,
and the third-party libraries.
- Our secret JavaScript expert when we have no other option or when we
require more security expertise.
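Review bot: The new title and link say "Verification JavaScript", but the list items under it still describe the extension ("Tests the extension on beta versions of Firefox and Chrome", "Tests and releases new versions of the extension", "Ports the code of the extension", "maintenance of the extension"). Either rename these to the verification JavaScript or drop the items that no longer apply after the migration, so the role description matches what the maintainer is actually responsible for. While editing the list, "allocate the work" should read "allocates the work" to agree with the other items.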
Release process
===============
We run this release process before releasing a new version of Forge or a change
in the verification extension.
<div class="caution">
<p>During the release process, you will download several pieces of software over
TLS only which is not trustworthy enough to be compliant with the "third-party
software" requirement of the security policy of some of our internal teams.</p>
<p>You should isolate these pieces of software, for example by only running them
in a dedicated Tails.</p>
</div>
Updating Forge
--------------
Website: <https://github.com/digitalbazaar/forge/>
Release feed: <https://github.com/digitalbazaar/forge/releases.atom>
1. Check which is the current version:
head -n 1 wiki/src/install/inc/js/forge.sha256.js
1. Check the upstream Changelog for new versions:
<https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md>
1. Clone the upstream repository:
git clone https://github.com/digitalbazaar/forge.git
1. Install the build dependencies:
apt install -t unstable npm webpack
1. Build Forge:
export FORGE_VERSION=
wget -O forge/webpack.config.js https://tails.boum.org/contribute/working_together/roles/verification_javascript/forge.webpack.config.js
cd forge
git reset --hard $FORGE_VERSION
torsocks npm install
npm run build
cd ..
1. Copy into our repo:
cp forge/dist/forge.sha256.js wiki/src/install/inc/js/forge.sha256.js
1. Add copyright information:
sed -i "1s/^/\/*! Forge v$FORGE_VERSION | (c) Digital Bazaar, Inc. *\/\n/" wiki/src/install/inc/js/forge.sha256.js
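Review bot: In the "Build Forge" step, `export FORGE_VERSION=` is left empty and nothing stops the following commands from running that way. `git reset --hard $FORGE_VERSION` then expands to a plain `git reset --hard`, which succeeds and builds whatever the fresh clone has checked out, and the sed in the last step writes a header reading "Forge v" with no version. Suggest a guard such as `: "${FORGE_VERSION:?}"` right after the export and quoting the variable in the reset. The caution box above says these downloads arrive over TLS only and are not trustworthy enough for the security policy, yet the build output is copied straight into wiki/src/install/inc/js/forge.sha256.js; the procedure should say how the resulting file is reviewed before it is committed. The introduction also still says "a change in the verification extension", which conflicts with the migration this commit makes.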
Which browsers to test
----------------------
Perform the following steps for each of:
- Tor Browser in the latest Tails, in a non-English locale of your choice:
LANG=pt_BR.UTF-8 tor-browser
- The version of Firefox available in Debian stable:
sudo apt install firefox-esr
firefox-esr
- The latest beta version of Firefox:
<https://www.mozilla.org/en-US/firefox/beta/all/>
wget -cO firefox.tar.bz2 "https://download.mozilla.org/?product=firefox-beta-latest-ssl&os=linux64&lang=en-US"
tar jxvf firefox.tar.bz2
firefox/firefox --new-instance
- The version of Chromium available in Debian stable:
sudo apt install chromium
chromium
- The latest beta version of Chrome:
<https://www.google.com/chrome/browser/beta.html>
wget -cO google-chrome-beta_current_amd64.deb https://dl.google.com/linux/direct/google-chrome-beta_current_amd64.deb
sudo dpkg -i google-chrome-beta_current_amd64.deb
sudo apt-get -f install
google-chrome-beta
Steps
-----
1. In Tails, configure a system proxy:
Settings → Network → Network proxy → Manual
Socks Host: 127.0.0.1 9050
1. Check that verifying the USB image of the last Tails version works in all browsers.
1. Check that verifying a truncated USB image fails in all browsers:
dd if=tails-amd64-3.14.img of=tails-amd64-3.14-truncated.img bs=1M count=100
1. Check that verifying a rogue USB image fails in all browser:
sed 's/\x54\x61\x69\x6c\x73/\x46\x61\x69\x6c\x73/' tails-amd64-3.14.img > tails-amd64-3.14-rogue.img
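Review bot: The rogue-image step has no check that the sed changed anything. If the pattern does not match, tails-amd64-3.14-rogue.img is byte-identical to the good image and verification succeeds, with no hint to the tester that the test image is the problem rather than the verification code. Suggest adding a `cmp` of the two files after the sed and stating that they must differ. The commands also hardcode 3.14 while the preceding step says "the last Tails version"; a placeholder or variable would keep them usable across releases. Typo in the same step: "all browser" should be "all browsers".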
Checklist
---------
- [ ] Tor Browser
- [ ] IMG
- [ ] Good
- [ ] Truncated
- [ ] Rogue
- [ ] Firefox ESR
- [ ] IMG
- [ ] Good
- [ ] Truncated
- [ ] Rogue
- [ ] Firefox Beta
- [ ] IMG
- [ ] Good
- [ ] Truncated
- [ ] Rogue
- [ ] Chromium
- [ ] IMG
- [ ] Good
- [ ] Truncated
- [ ] Rogue
- [ ] Chrome Beta
- [ ] IMG
- [ ] Good
- [ ] Truncated
- [ ] Rogue