├── .gitignore ├── DEPS_MONITORING.md ├── Dockerfile-linux ├── Dockerfile-linux-arm64 ├── Dockerfile-mingw ├── Jenkinsfile ├── README.md ├── build_darwin.sh ├── build_darwin_arm64.sh ├── build_darwin_x86_64.sh ├── build_linux.sh ├── build_linux_arm64.sh ├── build_mingw.sh ├── darwin_deps.sh ├── env.sh ├── gpg-keys ├── libevent.gpg ├── openssl.gpg ├── tor.gpg └── zlib.gpg ├── patch ├── libevent │ ├── regress.c.patch │ └── regress_dns.c.patch └── tor │ └── test_slow.c.patch └── renovate.json /.gitignore: -------------------------------------------------------------------------------- 1 | /build/ 2 | /gpg-keys/*.gpg~ 3 | /gnupg-*/ 4 | /gnupg-*.tar.bz2 5 | -------------------------------------------------------------------------------- /DEPS_MONITORING.md: -------------------------------------------------------------------------------- 1 | Since we can't use Dependabot to monitor these C packages/libraries automatically, 2 | we rely on the following sources: 3 | 4 | - Libevent: [GitHub repo tags](https://github.com/libevent/libevent/tags.atom) 5 | - OpenSSL: [upstream changelog](https://www.openssl.org/news/cl111.txt) 6 | - Tor: [packager mailing list](https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-packagers) and [announcements forum topic](https://forum.torproject.org/c/news/tor-release-announcement/28) 7 | - Zlib: [upstream changelog](https://zlib.net/ChangeLog.txt) 8 | 9 | Libevent is monitored using an RSS reader.
10 | 11 | OpenSSL and Zlib are monitored using a local git repo which keeps a copy of the 12 | latest version of the changelog and a daily cronjob to update it: 13 | 14 | ``` 15 | #!/bin/bash 16 | 17 | pushd ~/openssl-changelog > /dev/null 18 | wget --quiet -O cl111.txt https://www.openssl.org/news/cl111.txt || exit 1 19 | git diff 20 | git commit -a -m "Updated changelog" > /dev/null 21 | popd > /dev/null 22 | ``` 23 | -------------------------------------------------------------------------------- /Dockerfile-linux: -------------------------------------------------------------------------------- 1 | FROM ubuntu:noble 2 | 3 | ARG zlib_version 4 | ARG zlib_hash 5 | 6 | ARG libevent_version 7 | ARG libevent_hash 8 | 9 | ARG openssl_version 10 | ARG openssl_hash 11 | 12 | ARG tor_version 13 | ARG tor_hash 14 | 15 | ARG jobs 16 | 17 | COPY gpg-keys/* / 18 | COPY patch /patch 19 | 20 | RUN \ 21 | DEBIAN_FRONTEND=noninteractive \ 22 | apt-get update -qq && apt-get install --no-install-recommends -qq \ 23 | automake \ 24 | autotools-dev \ 25 | build-essential \ 26 | curl \ 27 | ca-certificates \ 28 | file \ 29 | gnupg \ 30 | libcap-dev \ 31 | python-is-python3 \ 32 | ; # end of apt-get install 33 | 34 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 35 | 36 | # Download and verify all tarballs 37 | 38 | RUN \ 39 | curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz" -o "zlib-$zlib_version.tar.gz" && \ 40 | curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz.asc" -o "zlib-$zlib_version.tar.gz.asc" && \ 41 | gpg --keyring /zlib.gpg --verify "zlib-$zlib_version.tar.gz.asc" "zlib-$zlib_version.tar.gz" && \ 42 | echo "$zlib_hash zlib-$zlib_version.tar.gz" | shasum -a 256 -c - && \ 43 | tar -zxvf "zlib-$zlib_version.tar.gz" 44 | 45 | RUN \ 46 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz" -o 
"openssl-$openssl_version.tar.gz" && \ 47 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz.asc" -o "openssl-$openssl_version.tar.gz.asc" && \ 48 | gpg --keyring /openssl.gpg --verify "openssl-$openssl_version.tar.gz.asc" "openssl-$openssl_version.tar.gz" && \ 49 | echo "$openssl_hash openssl-$openssl_version.tar.gz" | shasum -a 256 -c - && \ 50 | tar -xvzf "openssl-$openssl_version.tar.gz" 51 | 52 | RUN \ 53 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz" -o "libevent-$libevent_version.tar.gz" && \ 54 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz.asc" -o "libevent-$libevent_version.tar.gz.asc" && \ 55 | gpg --keyring /libevent.gpg --verify "libevent-$libevent_version.tar.gz.asc" "libevent-$libevent_version.tar.gz" && \ 56 | echo "$libevent_hash libevent-$libevent_version.tar.gz" | shasum -a 256 -c - && \ 57 | tar -zxvf "libevent-$libevent_version.tar.gz" 58 | 59 | RUN \ 60 | curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz" -o "tor-$tor_version.tar.gz" && \ 61 | curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz.sha256sum.asc" -o "tor-$tor_version.tar.gz.sha256sum.asc" && \ 62 | echo "$tor_hash tor-$tor_version.tar.gz" > "tor-$tor_version.tar.gz.sha256sum" && \ 63 | gpg --keyring /tor.gpg --verify "tor-$tor_version.tar.gz.sha256sum.asc" "tor-$tor_version.tar.gz.sha256sum" && \ 64 | sha256sum -c "tor-$tor_version.tar.gz.sha256sum" && \ 65 | tar -xvzf "tor-$tor_version.tar.gz" 66 | 67 | # Configure and compile everything 68 | 69 | RUN \ 70 | cd "zlib-$zlib_version" && \ 71 | ./configure --prefix="$PWD/root" --static && \ 72 | make ${jobs:+-j${jobs}} && \ 73 | make 
${jobs:+-j${jobs}} check && \ 74 | make install 75 | 76 | RUN \ 77 | cd "openssl-$openssl_version" && \ 78 | ./config --prefix="$PWD/root" --libdir=lib \ 79 | no-apps \ 80 | no-cmp \ 81 | no-cms \ 82 | no-comp \ 83 | no-ct \ 84 | no-dgram \ 85 | no-docs \ 86 | no-dso \ 87 | no-ec2m \ 88 | no-engine \ 89 | no-http \ 90 | no-legacy \ 91 | no-module \ 92 | no-nextprotoneg \ 93 | no-ocsp \ 94 | no-padlockeng \ 95 | no-psk \ 96 | no-quic \ 97 | no-rfc3779 \ 98 | no-shared \ 99 | no-srp \ 100 | no-srtp \ 101 | no-ssl-trace \ 102 | no-static-engine \ 103 | no-ts \ 104 | no-ui-console \ 105 | no-uplink && \ 106 | make ${jobs:+-j${jobs}} && \ 107 | make test && \ 108 | make install 109 | 110 | RUN \ 111 | cd "libevent-$libevent_version" && \ 112 | patch -p0 < /patch/libevent/regress_dns.c.patch && \ 113 | ./configure \ 114 | --disable-openssl \ 115 | --prefix="$PWD/install" \ 116 | --disable-shared \ 117 | --enable-gcc-hardening \ 118 | --enable-static \ 119 | --with-pic && \ 120 | ulimit -n 65536 && \ 121 | make ${jobs:+-j${jobs}} && \ 122 | make ${jobs:+-j${jobs}} check && \ 123 | make install 124 | 125 | RUN \ 126 | cd "tor-$tor_version" && \ 127 | ./configure --prefix="$PWD/install" \ 128 | --enable-static-tor \ 129 | --with-libevent-dir="$PWD/../libevent-$libevent_version/install" \ 130 | --with-openssl-dir="$PWD/../openssl-$openssl_version/root" \ 131 | --with-zlib-dir="$PWD/../zlib-$zlib_version/root" \ 132 | --disable-asciidoc \ 133 | --disable-html-manual \ 134 | --disable-lzma \ 135 | --disable-manpage \ 136 | --disable-zstd \ 137 | --disable-module-relay \ 138 | --disable-module-dirauth \ 139 | && \ 140 | make ${jobs:+-j${jobs}} && \ 141 | make ${jobs:+-j${jobs}} check && \ 142 | make install 143 | 144 | ENTRYPOINT ["sh", "-c", "while true; do sleep 2; done"] 145 | -------------------------------------------------------------------------------- /Dockerfile-linux-arm64: -------------------------------------------------------------------------------- 1 | FROM 
ubuntu:noble 2 | 3 | ARG zlib_version 4 | ARG zlib_hash 5 | 6 | ARG libevent_version 7 | ARG libevent_hash 8 | 9 | ARG openssl_version 10 | ARG openssl_hash 11 | 12 | ARG tor_version 13 | ARG tor_hash 14 | 15 | ARG jobs 16 | 17 | COPY gpg-keys/* / 18 | COPY patch /patch 19 | 20 | RUN \ 21 | DEBIAN_FRONTEND=noninteractive \ 22 | apt-get update -qq && apt-get install --no-install-recommends -qq \ 23 | binutils-aarch64-linux-gnu \ 24 | build-essential \ 25 | curl \ 26 | ca-certificates \ 27 | file \ 28 | gcc-aarch64-linux-gnu \ 29 | gnupg \ 30 | libc6-dev-arm64-cross \ 31 | libcap-dev \ 32 | python-is-python3 \ 33 | ; # end of apt-get install 34 | 35 | SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"] 36 | 37 | # Download and verify all tarballs 38 | 39 | RUN \ 40 | curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz" -o "zlib-$zlib_version.tar.gz" && \ 41 | curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz.asc" -o "zlib-$zlib_version.tar.gz.asc" && \ 42 | gpg --keyring /zlib.gpg --verify "zlib-$zlib_version.tar.gz.asc" "zlib-$zlib_version.tar.gz" && \ 43 | echo "$zlib_hash zlib-$zlib_version.tar.gz" | shasum -a 256 -c - && \ 44 | tar -zxvf "zlib-$zlib_version.tar.gz" 45 | 46 | RUN \ 47 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz" -o "openssl-$openssl_version.tar.gz" && \ 48 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz.asc" -o "openssl-$openssl_version.tar.gz.asc" && \ 49 | gpg --keyring /openssl.gpg --verify "openssl-$openssl_version.tar.gz.asc" "openssl-$openssl_version.tar.gz" && \ 50 | echo "$openssl_hash openssl-$openssl_version.tar.gz" | shasum -a 256 -c - && \ 51 | tar -xvzf "openssl-$openssl_version.tar.gz" 52 | 53 | RUN \ 54 | curl --proto '=https' --tlsv1.3 -fsSL 
"https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz" -o "libevent-$libevent_version.tar.gz" && \ 55 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz.asc" -o "libevent-$libevent_version.tar.gz.asc" && \ 56 | gpg --keyring /libevent.gpg --verify "libevent-$libevent_version.tar.gz.asc" "libevent-$libevent_version.tar.gz" && \ 57 | echo "$libevent_hash libevent-$libevent_version.tar.gz" | shasum -a 256 -c - && \ 58 | tar -zxvf "libevent-$libevent_version.tar.gz" 59 | 60 | RUN \ 61 | curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz" -o "tor-$tor_version.tar.gz" && \ 62 | curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz.sha256sum.asc" -o "tor-$tor_version.tar.gz.sha256sum.asc" && \ 63 | echo "$tor_hash tor-$tor_version.tar.gz" > "tor-$tor_version.tar.gz.sha256sum" && \ 64 | gpg --keyring /tor.gpg --verify "tor-$tor_version.tar.gz.sha256sum.asc" "tor-$tor_version.tar.gz.sha256sum" && \ 65 | sha256sum -c "tor-$tor_version.tar.gz.sha256sum" && \ 66 | tar -xvzf "tor-$tor_version.tar.gz" 67 | 68 | # Configure and compile everything 69 | 70 | RUN \ 71 | cd "zlib-$zlib_version" && \ 72 | CC=aarch64-linux-gnu-gcc \ 73 | ./configure --prefix="$PWD/root" --static && \ 74 | make ${jobs:+-j${jobs}} && \ 75 | make install 76 | 77 | RUN \ 78 | cd "openssl-$openssl_version" && \ 79 | ./Configure --prefix="$PWD/root" \ 80 | --cross-compile-prefix=aarch64-linux-gnu- \ 81 | linux-aarch64 \ 82 | no-apps \ 83 | no-cmp \ 84 | no-cms \ 85 | no-comp \ 86 | no-ct \ 87 | no-dgram \ 88 | no-docs \ 89 | no-dso \ 90 | no-ec2m \ 91 | no-engine \ 92 | no-http \ 93 | no-legacy \ 94 | no-module \ 95 | no-nextprotoneg \ 96 | no-ocsp \ 97 | no-padlockeng \ 98 | no-psk \ 99 | no-quic \ 100 | no-rfc3779 \ 101 | no-shared \ 102 | no-srp \ 103 | no-srtp \ 
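104 | no-ssl-trace \ 105 | no-static-engine \ 106 | no-ts \ 107 | no-ui-console \ 108 | no-uplink && \ 109 | make ${jobs:+-j${jobs}} && \ 110 | make install_sw 111 | # Cross-compile libevent. CC/CXX are handed to ./configure as arguments, as the tor step below does; a bare assignment placed after configure is never exported, so neither configure nor make would see it. 112 | RUN \ 113 | cd "libevent-$libevent_version" && \ 114 | ./configure \ 115 | --host=aarch64-linux-gnu \ 116 | --disable-openssl \ 117 | --prefix="$PWD/install" \ 118 | --disable-shared \ 119 | --enable-gcc-hardening \ 120 | --enable-static \ 121 | --with-pic \ 122 | CC=aarch64-linux-gnu-gcc CXX=aarch64-linux-gnu-g++ && \ 123 | make ${jobs:+-j${jobs}} && \ 124 | make install 125 | 126 | RUN \ 127 | cd "tor-$tor_version" && \ 128 | ./configure --prefix="$PWD/install" \ 129 | --host=aarch64-linux-gnu \ 130 | --enable-static-tor \ 131 | --with-libevent-dir="$PWD/../libevent-$libevent_version/install" \ 132 | --with-openssl-dir="$PWD/../openssl-$openssl_version/root" \ 133 | --with-zlib-dir="$PWD/../zlib-$zlib_version/root" \ 134 | --disable-asciidoc \ 135 | --disable-html-manual \ 136 | --disable-lzma \ 137 | --disable-manpage \ 138 | --disable-zstd \ 139 | --disable-module-relay \ 140 | --disable-module-dirauth \ 141 | CC=aarch64-linux-gnu-gcc CXX=aarch64-linux-gnu-g++ && \ 142 | make ${jobs:+-j${jobs}} && \ 143 | make install 144 | 145 | ENTRYPOINT ["sh", "-c", "while true; do sleep 2; done"] 146 | -------------------------------------------------------------------------------- /Dockerfile-mingw: -------------------------------------------------------------------------------- 1 | FROM ubuntu:noble 2 | 3 | ARG zlib_version 4 | ARG zlib_hash 5 | 6 | ARG libevent_version 7 | ARG libevent_hash 8 | 9 | ARG openssl_version 10 | ARG openssl_hash 11 | 12 | ARG tor_version 13 | ARG tor_hash 14 | 15 | ARG jobs 16 | 17 | COPY gpg-keys/* / 18 | COPY patch /patch 19 | 20 | RUN \ 21 | DEBIAN_FRONTEND=noninteractive \ 22 | apt-get update -qq && apt-get install --no-install-recommends -qq \ 23 | build-essential \ 24 | curl \ 25 | ca-certificates \ 26 | file \ 27 | gnupg \ 28 | mingw-w64 \ 29 | python-is-python3 \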
30 | ; # end of apt-get install 31 | 32 | ENV PATH="/usr/i686-w64-mingw32/bin:$PATH" 33 | 34 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 35 | 36 | # Download and verify all tarballs 37 | 38 | RUN \ 39 | curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz" -o "zlib-$zlib_version.tar.gz" && \ 40 | curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz.asc" -o "zlib-$zlib_version.tar.gz.asc" && \ 41 | gpg --keyring /zlib.gpg --verify "zlib-$zlib_version.tar.gz.asc" "zlib-$zlib_version.tar.gz" && \ 42 | echo "$zlib_hash zlib-$zlib_version.tar.gz" | shasum -a 256 -c - && \ 43 | tar -zxvf "zlib-$zlib_version.tar.gz" 44 | 45 | RUN \ 46 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz" -o "openssl-$openssl_version.tar.gz" && \ 47 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz.asc" -o "openssl-$openssl_version.tar.gz.asc" && \ 48 | gpg --keyring /openssl.gpg --verify "openssl-$openssl_version.tar.gz.asc" "openssl-$openssl_version.tar.gz" && \ 49 | echo "$openssl_hash openssl-$openssl_version.tar.gz" | shasum -a 256 -c - && \ 50 | tar -xvzf "openssl-$openssl_version.tar.gz" 51 | 52 | RUN \ 53 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz" -o "libevent-$libevent_version.tar.gz" && \ 54 | curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz.asc" -o "libevent-$libevent_version.tar.gz.asc" && \ 55 | gpg --keyring /libevent.gpg --verify "libevent-$libevent_version.tar.gz.asc" "libevent-$libevent_version.tar.gz" && \ 56 | echo "$libevent_hash libevent-$libevent_version.tar.gz" | shasum -a 256 -c - && \ 57 | 
tar -zxvf "libevent-$libevent_version.tar.gz" 58 | 59 | RUN \ 60 | curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz" -o "tor-$tor_version.tar.gz" && \ 61 | curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz.sha256sum.asc" -o "tor-$tor_version.tar.gz.sha256sum.asc" && \ 62 | echo "$tor_hash tor-$tor_version.tar.gz" > "tor-$tor_version.tar.gz.sha256sum" && \ 63 | gpg --keyring /tor.gpg --verify "tor-$tor_version.tar.gz.sha256sum.asc" "tor-$tor_version.tar.gz.sha256sum" && \ 64 | sha256sum -c "tor-$tor_version.tar.gz.sha256sum" && \ 65 | tar -xvzf "tor-$tor_version.tar.gz" 66 | 67 | # Configure and compile everything 68 | 69 | RUN \ 70 | cd "zlib-$zlib_version" && \ 71 | make ${jobs:+-j${jobs}} -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- && \ 72 | make ${jobs:+-j${jobs}} -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- \ 73 | BINARY_PATH="$PWD/install/bin" \ 74 | INCLUDE_PATH="$PWD/install/include" \ 75 | LIBRARY_PATH="$PWD/install/lib" \ 76 | install 77 | 78 | RUN \ 79 | cd "openssl-$openssl_version" && \ 80 | ./Configure --prefix="$PWD/root" \ 81 | --cross-compile-prefix=i686-w64-mingw32- \ 82 | mingw \ 83 | no-apps \ 84 | no-cmp \ 85 | no-cms \ 86 | no-comp \ 87 | no-ct \ 88 | no-dgram \ 89 | no-docs \ 90 | no-dso \ 91 | no-ec2m \ 92 | no-engine \ 93 | no-http \ 94 | no-legacy \ 95 | no-module \ 96 | no-nextprotoneg \ 97 | no-ocsp \ 98 | no-padlockeng \ 99 | no-psk \ 100 | no-quic \ 101 | no-rfc3779 \ 102 | no-shared \ 103 | no-srp \ 104 | no-srtp \ 105 | no-ssl-trace \ 106 | no-static-engine \ 107 | no-ts \ 108 | no-ui-console \ 109 | no-uplink && \ 110 | make ${jobs:+-j${jobs}} && \ 111 | make install_sw 112 | 113 | RUN \ 114 | cd "libevent-$libevent_version" && \ 115 | ./configure \ 116 | --host=i686-w64-mingw32 \ 117 | --disable-openssl \ 118 | --prefix="$PWD/install" \ 119 | --disable-shared \ 120 | --enable-static \ 121 | --with-pic && \ 122 | make ${jobs:+-j${jobs}} && \ 123 | 
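make install 124 | 125 | RUN \ 126 | cd "tor-$tor_version" && \ 127 | ./configure --prefix="$PWD/install" \ 128 | --host=i686-w64-mingw32 \ 129 | --enable-static-tor \ 130 | --with-libevent-dir="$PWD/../libevent-$libevent_version/install" \ 131 | --with-openssl-dir="$PWD/../openssl-$openssl_version/root" \ 132 | --with-zlib-dir="$PWD/../zlib-$zlib_version/install" \ 133 | --disable-asciidoc \ 134 | --disable-html-manual \ 135 | --disable-lzma \ 136 | --disable-manpage \ 137 | --disable-zstd \ 138 | --disable-module-relay \ 139 | --disable-module-dirauth \ 140 | LIBS=-lcrypt32 && \ 141 | make ${jobs:+-j${jobs}} && \ 142 | make install 143 | 144 | ENTRYPOINT ["sh", "-c", "while true; do sleep 2; done"] 145 | -------------------------------------------------------------------------------- /Jenkinsfile: --------------------------------------------------------------------------------
// PR entry point: looks up the pull request for CHANGE_BRANCH on GitHub, honours the
// CI/skip label, stops older runs of this job, (re)generates a per-branch pipeline job
// through Job DSL and then runs it, copying its result onto this build.
pipeline {
    agent none
    options {
        ansiColor('xterm')
        timeout(time: 2, unit: 'HOURS')
        timestamps()
    }
    stages {
        stage('build') {
            agent { label 'master' }
            steps {
                script {
                    GITHUB_API = 'https://api.github.com/repos/brave'

                    // CHANGE_BRANCH is chosen by whoever opened the pull request and is pasted
                    // below into a URL and into Job DSL source text (inside single quotes).
                    // Accept only a conservative character set so the value cannot terminate
                    // the quoted literal or alter the request; widen the set deliberately if a
                    // legitimate branch naming scheme needs more.
                    if (!(CHANGE_BRANCH ==~ '[A-Za-z0-9_./-]+')) {
                        error('Refusing to build: branch name contains characters outside [A-Za-z0-9_./-]')
                    }

                    PIPELINE_NAME = 'pr-brave-tor-client-build-pr-test-' + CHANGE_BRANCH.replace('/', '-')

                    withCredentials([usernamePassword(credentialsId: 'brave-builds-github-token-for-pr-builder', usernameVariable: 'PR_BUILDER_USER', passwordVariable: 'PR_BUILDER_TOKEN')]) {
                        // NOTE(review): takes the first pull request returned for this head branch;
                        // this assumes the query returns at least one entry.
                        def prDetails = readJSON(text: httpRequest(url: GITHUB_API + '/tor_build_scripts/pulls?head=brave:' + CHANGE_BRANCH, customHeaders: [[name: 'Authorization', value: 'token ' + PR_BUILDER_TOKEN]]).content)[0]
                        // Only the CI/skip label is inspected here; draft state is not checked.
                        SKIP = prDetails.labels.count { label -> label.name.equalsIgnoreCase('CI/skip') }.equals(1)
                    }

                    if (SKIP) {
                        echo "Aborting build as PRs are either in draft or have a skip label (CI/skip)"
                        currentBuild.result = 'ABORTED'
                        return
                    }

                    // Stop earlier runs of this job that are still in progress. The loop variable
                    // is not called `build` so it does not shadow the build() step used further down.
                    for (olderBuild in Jenkins.instance.getItemByFullName(JOB_NAME).builds) {
                        if (olderBuild.isBuilding() && olderBuild.getNumber() < BUILD_NUMBER.toInteger()) {
                            echo 'Aborting older running build ' + olderBuild
                            olderBuild.doStop()
                        }
                    }

                    // PIPELINE_NAME and CHANGE_BRANCH are substituted into this script text before
                    // Job DSL evaluates it, which is why CHANGE_BRANCH is validated above.
                    jobDsl(scriptText: """
                        pipelineJob('${PIPELINE_NAME}') {
                            // this list has to match the parameters in the Jenkinsfile from devops repo
                            parameters {
                                stringParam('BRANCH', '${CHANGE_BRANCH}')
                            }
                            definition {
                                cpsScm {
                                    scm {
                                        git {
                                            remote {
                                                credentials('brave-builds-github-token-for-pr-builder')
                                                github('brave/devops', 'https')
                                            }
                                            branch('master')
                                        }
                                    }
                                    scriptPath("jenkins/jobs/extensions/dev/brave-tor-client-build-pr-test.Jenkinsfile")
                                }
                            }
                        }
                    """)

                    params = [
                        string(name: 'BRANCH', value: CHANGE_BRANCH)
                    ]

                    // propagate: false keeps a downstream failure from throwing here; the
                    // downstream result is copied onto this build instead.
                    currentBuild.result = build(job: PIPELINE_NAME, parameters: params, propagate: false).result
                }
            }
        }
    }
}
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Build scripts for tor binary 2 | 3 | ### GPG keys 4 | 5 | GPG keyservers are known to be flaky so we include the keys in the repo: 6 | 7 | 1. Tor: 8 | 9 | Generating `tor.gpg`: 10 | ``` 11 | $ rm -f gpg-keys/tor.gpg 12 | $ touch gpg-keys/tor.gpg 13 | $ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys 514102454D0A87DB0767A1EBBE6A0531C18A9179 14 | $ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys B74417EDDF22AC9F9E90F49142E86A2A11F48D36 15 | $ gpg --no-default-keyring --keyring gpg-keys/tor.gpg --keyserver hkps://keys.openpgp.org --recv-keys 2133BC600AB133E1D826D173FE43009C4607B1FB 16 | ``` 17 | 18 | The fingerprints should match those listed on https://support.torproject.org/little-t-tor/verify-little-t-tor/. 19 | 20 | 2.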
Libevent: 21 | 22 | Generating `libevent.gpg`: 23 | ``` 24 | $ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys 9E3AC83A27974B84D1B3401DB86086848EF8686D 25 | $ gpg --output gpg-keys/libevent.gpg --export 9E3AC83A27974B84D1B3401DB86086848EF8686D 26 | ``` 27 | 28 | ``` 29 | $ gpg --fingerprint 9E3AC83A27974B84D1B3401DB86086848EF8686D 30 | pub rsa2048 2010-06-10 [SC] 31 | 9E3A C83A 2797 4B84 D1B3 401D B860 8684 8EF8 686D 32 | uid [ unknown] Azat Khuzhin 33 | uid [ unknown] Azat Khuzhin 34 | uid [ unknown] Azat Khuzhin 35 | sub rsa2048 2010-06-10 [E] 36 | ``` 37 | 38 | 3. OpenSSL 39 | 40 | Generating `openssl.gpg`: 41 | ``` 42 | $ gpg --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 8657ABB260F056B1E5190839D9C4D26D0E604491 43 | $ gpg --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key B7C1C14360F353A36862E4D5231C84CDDCC69C45 44 | $ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 5B2545DAB21995F4088CEFAA36CEE4DEB00CFE33 45 | $ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key C1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 46 | $ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 47 | $ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key E5E52560DD91C556DDBDA5D02064C53641C25E5D 48 | $ gpg --keyserver hkps://keyserver.ubuntu.com --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key DC7032662AF885E2F47F243F527466A21CA79E6D 49 | $ gpg --keyserver hkps://keys.openpgp.org --no-default-keyring --keyring gpg-keys/openssl.gpg --recv-key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 50 | ``` 51 | 52 | The keys are listed on https://www.openssl.org/community/omc.html. 53 | 54 | ### Generating binaries 55 | 56 | 1. Increment the Brave version number for each published build. 57 | 2. 
Run `source env.sh` to set the correct environment variables. 58 | 3. Run `build_<platform>.sh` to generate the binary. 59 | 4. Confirm all signature and hash checks passed. 60 | 61 | The generated binary is of the form `tor-<tor version>-<platform>-brave-<brave version>` 62 | 63 | ### Updates: 64 | 65 | In case of updates for `tor` | `libevent` | `zlib` | `openssl` 66 | 67 | 1. Increment the Brave version number in env.sh if needed. 68 | 2. Update the upstream distfile version in env.sh. 69 | 3. Attempt a build. It should fail, because the hash pinned in env.sh still belongs to the previous version. 70 | 4. Confirm that the _signature_ passes and the _hash_ fails. 71 | 5. Confirm the upstream distribution is plausible. 72 | - Confirm a README or NEWS or ChangeLog says the right version. 73 | (Otherwise we are subject to version rollback attacks.) 74 | 6. Update the hash in env.sh. 75 | 7. Attempt a build. It should pass. 76 | 8. Prepare a PR for your branch. 77 | 9. To test building on other platforms, build the *brave-tor-client-build* project in Jenkins using your branch instead of `master` (the "Upload" build option must be ON). The build output will give you URLs on S3 of all of the generated binaries (one per platform). 78 | 10. Download each binary and run `sha512sum` on it. Make sure you use the **post-signing** Windows binary since both signed and unsigned will be in the output. 79 | 11. Merge your `brave/tor_build_scripts` PR once it's been reviewed. 80 | 12. Prepare a PR for the `brave/brave-core-crx-packager` repo bumping the version numbers and hashes (e.g. brave/brave-core-crx-packager#390). 81 | 13. Build a new version of the component on **dev** by building the *brave-core-ext-tor-client-update-publish-dev* project in Jenkins using your branch (in the `brave/brave-core-crx-packager` repo) instead of `master`. 82 | 14. Once the build has finished, check that the correct version of the tor daemon is downloaded when running `brave-browser --use-dev-goupdater-url` (check the terminal log messages). 83 | 15.
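Ask QA to create a milestone like https://github.com/brave/brave-browser/milestone/281 and do a manual test pass on each platform with the dev builds. 84 | 16. Merge the `brave/brave-core-crx-packager` PR once it's been reviewed and QA has approved. 85 | 17. Build a new version of the component on **prod** by building the *brave-core-ext-tor-client-update-publish* project in Jenkins using the `master` branch. 86 | 18. Update to the latest version of the *Brave Tor Client Updater* component in your browser by triggering an update in `brave://components` and test that https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/index.html loads fine. 87 | 19. Ask QA to repeat this test on all platforms. 88 | -------------------------------------------------------------------------------- /build_darwin.sh: --------------------------------------------------------------------------------
#!/bin/sh -eu
#
# Downloads the zlib, OpenSSL, libevent and tor source tarballs, checks each one
# against a keyring kept in gpg-keys/ and against a SHA-256 value taken from the
# environment (ZLIB_HASH, OPENSSL_HASH, LIBEVENT_HASH, TOR_HASH), then builds tor
# for arm64 and x86_64 and merges the two binaries with lipo.

# The options on the #! line only apply when the script is executed directly; they
# are ignored when it is started as `sh build_darwin.sh`. Set them explicitly so a
# failed signature or hash check always stops the run, however it was launched.
set -eu

# Download and verify dependencies
#
# NOTE(review): --tlsv1.2 sets the minimum accepted TLS version; the Dockerfile
# builds on this page pass --tlsv1.3 for the same downloads.
# GNUPGHOME="$PWD" makes gpg use the working directory as its home instead of the
# caller's ~/.gnupg - presumably so that only the keyring given with --keyring
# decides whether a signature verifies.
curl --proto '=https' --tlsv1.2 -fsSL "https://zlib.net/zlib-$ZLIB_VERSION.tar.gz" -o "zlib-$ZLIB_VERSION.tar.gz"
curl --proto '=https' --tlsv1.2 -fsSL "https://zlib.net/zlib-$ZLIB_VERSION.tar.gz.asc" -o "zlib-$ZLIB_VERSION.tar.gz.asc"
GNUPGHOME="$PWD" gpg --keyring gpg-keys/zlib.gpg --verify "zlib-$ZLIB_VERSION.tar.gz.asc" "zlib-$ZLIB_VERSION.tar.gz"
echo "$ZLIB_HASH  zlib-$ZLIB_VERSION.tar.gz" | shasum -a 256 -c -

curl --proto '=https' --tlsv1.2 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VERSION/openssl-$OPENSSL_VERSION.tar.gz" -o "openssl-$OPENSSL_VERSION.tar.gz"
curl --proto '=https' --tlsv1.2 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VERSION/openssl-$OPENSSL_VERSION.tar.gz.asc" -o "openssl-$OPENSSL_VERSION.tar.gz.asc"
GNUPGHOME="$PWD" gpg --keyring gpg-keys/openssl.gpg --verify "openssl-$OPENSSL_VERSION.tar.gz.asc" "openssl-$OPENSSL_VERSION.tar.gz"
echo "$OPENSSL_HASH  openssl-$OPENSSL_VERSION.tar.gz" | shasum -a 256 -c -

curl --proto '=https' --tlsv1.2 -fsSL "https://github.com/libevent/libevent/releases/download/release-$LIBEVENT_VERSION/libevent-$LIBEVENT_VERSION.tar.gz" -o "libevent-$LIBEVENT_VERSION.tar.gz"
curl --proto '=https' --tlsv1.2 -fsSL "https://github.com/libevent/libevent/releases/download/release-$LIBEVENT_VERSION/libevent-$LIBEVENT_VERSION.tar.gz.asc" -o "libevent-$LIBEVENT_VERSION.tar.gz.asc"
GNUPGHOME="$PWD" gpg --keyring gpg-keys/libevent.gpg --verify "libevent-$LIBEVENT_VERSION.tar.gz.asc" "libevent-$LIBEVENT_VERSION.tar.gz"
echo "$LIBEVENT_HASH  libevent-$LIBEVENT_VERSION.tar.gz" | shasum -a 256 -c -

# tor: the downloaded signature covers a sha256sum file rather than the tarball.
# That file is recreated locally from TOR_HASH, so the signature check passes only
# if the pinned hash line is byte-for-byte what was signed; the tarball is then
# checked against the same file.
curl --proto '=https' --tlsv1.2 -fsSL "https://dist.torproject.org/tor-$TOR_VERSION.tar.gz" -o "tor-$TOR_VERSION.tar.gz"
curl --proto '=https' --tlsv1.2 -fsSL "https://dist.torproject.org/tor-$TOR_VERSION.tar.gz.sha256sum.asc" -o "tor-$TOR_VERSION.tar.gz.sha256sum.asc"
echo "$TOR_HASH  tor-$TOR_VERSION.tar.gz" > "tor-$TOR_VERSION.tar.gz.sha256sum"
GNUPGHOME="$PWD" gpg --keyring gpg-keys/tor.gpg --verify "tor-$TOR_VERSION.tar.gz.sha256sum.asc" "tor-$TOR_VERSION.tar.gz.sha256sum"
shasum -a 256 -c "tor-$TOR_VERSION.tar.gz.sha256sum"

# This check sits after the downloads, so on Linux the signature and hash checks
# above still run before the script exits.
if [ "$(uname)" = 'Linux' ]
then
  echo "Cannot build the Mac binaries on Linux."
  exit 1
fi

# Build
# The per-architecture scripts are started through `sh`, which ignores their
# `#!/bin/sh -eu` line; pass -eu explicitly so a failing patch or configure step
# stops the build instead of being skipped over.
sh -eu build_darwin_arm64.sh
sh -eu build_darwin_x86_64.sh

# Merge both architectures into one universal binary.
lipo -create -output "tor-$TOR_VERSION-darwin-brave-$BRAVE_TOR_VERSION" "arm64/tor-$TOR_VERSION/root/bin/tor" "x86_64/tor-$TOR_VERSION/root/bin/tor"
-------------------------------------------------------------------------------- /build_darwin_arm64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -eu 2 | 3 | echo "running build_darwin_arm64.sh..."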
4 | # Xcode SDK library and include directories; passed to tor's ./configure as -L/-I further down. 5 | SDK_PATH=$(xcrun --show-sdk-path) 6 | XCODE_LIB="$SDK_PATH/usr/lib/" 7 | XCODE_INCLUDE="$SDK_PATH/usr/include/" 8 | # Optional first argument: number of parallel make jobs (digits only); otherwise hw.logicalcpu_max is used. 9 | if [ $# -eq 1 ]; then 10 | re='^[0-9]+$' 11 | if ! echo "$1" | grep -Eq "$re" ; then 12 | echo "Invalid number of cores" >&2; exit 1 13 | fi 14 | jobs=$1 15 | else 16 | jobs=$(sysctl -n hw.logicalcpu_max) 17 | fi 18 | # Start from an empty arm64/ tree on every run. 19 | rm -rf arm64 && mkdir arm64 20 | # The tarballs are read from the current directory; build_darwin.sh downloads and verifies them before calling this script. 21 | tar -xvzf "zlib-$ZLIB_VERSION.tar.gz" -C arm64 22 | cd "arm64/zlib-$ZLIB_VERSION" 23 | CFLAGS="-target arm64-apple-macos11" LDFLAGS="-target arm64-apple-macos11" ./configure --prefix="$PWD/root" 24 | make ${jobs:+-j${jobs}} && make install 25 | cd ../../ 26 | # OpenSSL: static only (no-shared), with the features listed below switched off. 27 | tar -xvzf "openssl-$OPENSSL_VERSION.tar.gz" -C arm64 28 | cd "arm64/openssl-$OPENSSL_VERSION" 29 | ./Configure --prefix="$PWD/root" \ 30 | darwin64-arm64-cc \ 31 | no-apps \ 32 | no-cmp \ 33 | no-cms \ 34 | no-comp \ 35 | no-ct \ 36 | no-dgram \ 37 | no-docs \ 38 | no-dso \ 39 | no-ec2m \ 40 | no-engine \ 41 | no-http \ 42 | no-legacy \ 43 | no-module \ 44 | no-nextprotoneg \ 45 | no-ocsp \ 46 | no-padlockeng \ 47 | no-psk \ 48 | no-quic \ 49 | no-rfc3779 \ 50 | no-shared \ 51 | no-srp \ 52 | no-srtp \ 53 | no-ssl-trace \ 54 | no-static-engine \ 55 | no-ts \ 56 | no-ui-console \ 57 | no-uplink 58 | # NOTE(review): no `make test` here and no `make check` for zlib above; build_darwin_x86_64.sh runs both. 59 | make ${jobs:+-j${jobs}} && make install 60 | cd ../../ 61 | 62 | #Apple messed up the getentropy and clock_gettime symbols when they added the two functions in Sierra: 63 | #they forgot to decorate them with appropriate AVAILABLE_MAC_OS_VERSION checks. 64 | #So we have to explicitly disable them for binaries to work on MacOS 10.11.
65 | 66 | tar -zxvf "libevent-$LIBEVENT_VERSION.tar.gz" -C arm64 67 | cd "arm64/libevent-$LIBEVENT_VERSION" 68 | patch -p0 < ../../patch/libevent/regress.c.patch 69 | ./configure \ 70 | LDFLAGS="-L$PWD/../openssl-$OPENSSL_VERSION/root/lib --target=arm64-apple-macos11" \ 71 | CPPFLAGS="-I$PWD/../openssl-$OPENSSL_VERSION/include --target=arm64-apple-macos11" \ 72 | --prefix="$PWD/install" \ 73 | --disable-openssl \ 74 | --disable-shared \ 75 | --enable-static \ 76 | --host=arm-apple-darwin \ 77 | --disable-clock-gettime \ 78 | --with-pic 79 | make ${jobs:+-j${jobs}} && make ${jobs:+-j${jobs}} check && make install 80 | cd ../../ 81 | 82 | tar -xvzf "tor-$TOR_VERSION.tar.gz" -C arm64 83 | cd "arm64/tor-$TOR_VERSION" 84 | patch -p0 < ../../patch/tor/test_slow.c.patch 85 | ./configure \ 86 | LDFLAGS="--target=arm64-apple-macos11 -L$XCODE_LIB" \ 87 | CPPFLAGS="--target=arm64-apple-macos11 -I$XCODE_INCLUDE" \ 88 | --prefix="$PWD/root" \ 89 | --enable-static-libevent \ 90 | --enable-static-openssl \ 91 | --enable-static-zlib \ 92 | --with-libevent-dir="$PWD/../libevent-$LIBEVENT_VERSION/install" \ 93 | --with-openssl-dir="$PWD/../openssl-$OPENSSL_VERSION/root" \ 94 | --with-zlib-dir="$PWD/../zlib-$ZLIB_VERSION/root" \ 95 | --disable-asciidoc \ 96 | --disable-html-manual \ 97 | --disable-lzma \ 98 | --disable-manpage \ 99 | --disable-zstd \ 100 | --disable-module-relay \ 101 | --disable-module-dirauth \ 102 | --host=arm-apple-darwin \ 103 | --disable-tool-name-check \ 104 | ac_cv_func_getentropy=no \ 105 | ac_cv_func_clock_gettime=no 106 | make ${jobs:+-j${jobs}} && make install 107 | cd ../../ 108 | -------------------------------------------------------------------------------- /build_darwin_x86_64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -eu 2 | 3 | echo "running build_darwin_x86_64.sh..." 
4 | 5 | SDK_PATH=$(xcrun --show-sdk-path) 6 | XCODE_LIB="$SDK_PATH/usr/lib/" 7 | XCODE_INCLUDE="$SDK_PATH/usr/include/" 8 | 9 | if [ $# -eq 1 ]; then 10 | re='^[0-9]+$' 11 | if ! echo "$1" | grep -Eq "$re" ; then 12 | echo "Invalid number of cores" >&2; exit 1 13 | fi 14 | jobs=$1 15 | else 16 | jobs=$(sysctl -n hw.logicalcpu_max) 17 | fi 18 | 19 | rm -rf x86_64 && mkdir x86_64 20 | 21 | tar -xvzf "zlib-$ZLIB_VERSION.tar.gz" -C x86_64 22 | cd "x86_64/zlib-$ZLIB_VERSION" 23 | ./configure --prefix="$PWD/root" 24 | make ${jobs:+-j${jobs}} && make ${jobs:+-j$jobs} check && make install 25 | cd ../../ 26 | 27 | tar -xvzf "openssl-$OPENSSL_VERSION.tar.gz" -C x86_64 28 | cd "x86_64/openssl-$OPENSSL_VERSION" 29 | ./Configure --prefix="$PWD/root" \ 30 | darwin64-x86_64-cc \ 31 | no-apps \ 32 | no-cmp \ 33 | no-cms \ 34 | no-comp \ 35 | no-ct \ 36 | no-dgram \ 37 | no-docs \ 38 | no-dso \ 39 | no-ec2m \ 40 | no-engine \ 41 | no-http \ 42 | no-legacy \ 43 | no-module \ 44 | no-nextprotoneg \ 45 | no-ocsp \ 46 | no-padlockeng \ 47 | no-psk \ 48 | no-quic \ 49 | no-rfc3779 \ 50 | no-shared \ 51 | no-srp \ 52 | no-srtp \ 53 | no-ssl-trace \ 54 | no-static-engine \ 55 | no-ts \ 56 | no-ui-console \ 57 | no-uplink 58 | make ${jobs:+-j${jobs}} && make test && make install 59 | cd ../../ 60 | 61 | #Apple messed up getentropy and clock_gettimesymbols when they added two functions in Sierra: 62 | #they forgot to decorate them with appropriate AVAILABLE_MAC_OS_VERSION checks. 63 | #So we have to explicitly disable them for binaries to work on MacOS 10.11. 
64 | 65 | tar -zxvf "libevent-$LIBEVENT_VERSION.tar.gz" -C x86_64 66 | cd "x86_64/libevent-$LIBEVENT_VERSION" 67 | patch -p0 < ../../patch/libevent/regress.c.patch 68 | ./configure \ 69 | LDFLAGS="-L$PWD/../openssl-$OPENSSL_VERSION/root/lib" \ 70 | CPPFLAGS="-I$PWD/../openssl-$OPENSSL_VERSION/include" \ 71 | --prefix="$PWD/install" \ 72 | --disable-openssl \ 73 | --disable-shared \ 74 | --enable-static \ 75 | --disable-clock-gettime \ 76 | --with-pic 77 | make ${jobs:+-j${jobs}} && make ${jobs:+-j${jobs}} check && make install 78 | cd ../../ 79 | 80 | tar -xvzf "tor-$TOR_VERSION.tar.gz" -C x86_64 81 | cd "x86_64/tor-$TOR_VERSION" 82 | patch -p0 < ../../patch/tor/test_slow.c.patch 83 | ./configure \ 84 | LDFLAGS="-L$XCODE_LIB" \ 85 | CPPFLAGS="-I$XCODE_INCLUDE" \ 86 | --prefix="$PWD/root" \ 87 | --enable-static-libevent \ 88 | --enable-static-openssl \ 89 | --enable-static-zlib \ 90 | --with-libevent-dir="$PWD/../libevent-$LIBEVENT_VERSION/install" \ 91 | --with-openssl-dir="$PWD/../openssl-$OPENSSL_VERSION/root" \ 92 | --with-zlib-dir="$PWD/../zlib-$ZLIB_VERSION/root" \ 93 | --disable-asciidoc \ 94 | --disable-html-manual \ 95 | --disable-lzma \ 96 | --disable-manpage \ 97 | --disable-zstd \ 98 | --disable-module-relay \ 99 | --disable-module-dirauth \ 100 | ac_cv_func_getentropy=no \ 101 | ac_cv_func_clock_gettime=no 102 | make ${jobs:+-j${jobs}} && make ${jobs:+-j${jobs}} check && make install 103 | cd ../../ 104 | -------------------------------------------------------------------------------- /build_linux.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -eu 2 | 3 | IMAGE_NAME="tor-brave" 4 | DOCKERFILE="Dockerfile-linux" 5 | 6 | cleanup () { 7 | echo "cleaning up docker containers/images" 8 | "$DOCKER" rm -f "$IMAGE_NAME" || true 9 | "$DOCKER" rmi -f "$IMAGE_NAME" || true 10 | } 11 | 12 | cleanup 13 | "$DOCKER" build --no-cache -t "$IMAGE_NAME" -f "$DOCKERFILE" \ 14 | --build-arg "tor_version=$TOR_VERSION" \ 15 
| --build-arg "zlib_version=$ZLIB_VERSION" \ 16 | --build-arg "libevent_version=$LIBEVENT_VERSION" \ 17 | --build-arg "openssl_version=$OPENSSL_VERSION" \ 18 | --build-arg "zlib_hash=$ZLIB_HASH" \ 19 | --build-arg "libevent_hash=$LIBEVENT_HASH" \ 20 | --build-arg "openssl_hash=$OPENSSL_HASH" \ 21 | --build-arg "tor_hash=$TOR_HASH" \ 22 | ${1+"$@"} . 23 | "$DOCKER" run --init --rm --name "$IMAGE_NAME" -d "$IMAGE_NAME" 24 | "$DOCKER" cp "$IMAGE_NAME:/tor-$TOR_VERSION/install/bin/tor" "tor-$TOR_VERSION-linux-brave-$BRAVE_TOR_VERSION" 25 | 26 | if ! ldd "tor-$TOR_VERSION-linux-brave-$BRAVE_TOR_VERSION" 2>&1 \ 27 | | grep -F -q 'not a dynamic executable'; then 28 | printf >&2 'failed to make a statically linked tor executable' 29 | exit 1 30 | fi 31 | -------------------------------------------------------------------------------- /build_linux_arm64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -eu 2 | 3 | IMAGE_NAME="tor-brave-arm64" 4 | DOCKERFILE="Dockerfile-linux-arm64" 5 | 6 | cleanup () { 7 | echo "cleaning up docker containers/images" 8 | "$DOCKER" rm -f "$IMAGE_NAME" || true 9 | "$DOCKER" rmi -f "$IMAGE_NAME" || true 10 | } 11 | 12 | cleanup 13 | "$DOCKER" build --no-cache -t "$IMAGE_NAME" -f "$DOCKERFILE" \ 14 | --build-arg "tor_version=$TOR_VERSION" \ 15 | --build-arg "zlib_version=$ZLIB_VERSION" \ 16 | --build-arg "libevent_version=$LIBEVENT_VERSION" \ 17 | --build-arg "openssl_version=$OPENSSL_VERSION" \ 18 | --build-arg "zlib_hash=$ZLIB_HASH" \ 19 | --build-arg "libevent_hash=$LIBEVENT_HASH" \ 20 | --build-arg "openssl_hash=$OPENSSL_HASH" \ 21 | --build-arg "tor_hash=$TOR_HASH" \ 22 | ${1+"$@"} . 23 | "$DOCKER" run --init --rm --name "$IMAGE_NAME" -d "$IMAGE_NAME" 24 | "$DOCKER" cp "$IMAGE_NAME:/tor-$TOR_VERSION/install/bin/tor" "tor-$TOR_VERSION-linux-arm64-brave-$BRAVE_TOR_VERSION" 25 | 26 | if ! 
ldd "tor-$TOR_VERSION-linux-arm64-brave-$BRAVE_TOR_VERSION" 2>&1 \ 27 | | grep -F -q 'not a dynamic executable'; then 28 | printf >&2 'failed to make a statically linked tor executable' 29 | exit 1 30 | fi 31 | -------------------------------------------------------------------------------- /build_mingw.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -eu 2 | 3 | IMAGE_NAME="tor-brave-mingw" 4 | DOCKERFILE="Dockerfile-mingw" 5 | 6 | cleanup () { 7 | echo "cleaning up docker containers/images" 8 | "$DOCKER" rm -f "$IMAGE_NAME" || true 9 | "$DOCKER" rmi -f "$IMAGE_NAME" || true 10 | } 11 | 12 | cleanup 13 | "$DOCKER" build --no-cache -t "$IMAGE_NAME" -f "$DOCKERFILE" \ 14 | --build-arg "tor_version=$TOR_VERSION" \ 15 | --build-arg "zlib_version=$ZLIB_VERSION" \ 16 | --build-arg "libevent_version=$LIBEVENT_VERSION" \ 17 | --build-arg "openssl_version=$OPENSSL_VERSION" \ 18 | --build-arg "zlib_hash=$ZLIB_HASH" \ 19 | --build-arg "libevent_hash=$LIBEVENT_HASH" \ 20 | --build-arg "openssl_hash=$OPENSSL_HASH" \ 21 | --build-arg "tor_hash=$TOR_HASH" \ 22 | ${1+"$@"} . 
23 | "$DOCKER" run --init --rm --name "$IMAGE_NAME" -d "$IMAGE_NAME" 24 | "$DOCKER" cp "$IMAGE_NAME:/tor-$TOR_VERSION/install/bin/tor.exe" "tor-$TOR_VERSION-win32-brave-$BRAVE_TOR_VERSION.exe" 25 | -------------------------------------------------------------------------------- /darwin_deps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh -eu 2 | 3 | GPG_VERSION=2.4.7 4 | GPG_HASH=7b24706e4da7e0e3b06ca068231027401f238102c41c909631349dcc3b85eb46 5 | 6 | curl --proto '=https' --tlsv1.2 -fsSL -o "gnupg-$GPG_VERSION.tar.bz2" "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-$GPG_VERSION.tar.bz2" 7 | echo "$GPG_HASH gnupg-$GPG_VERSION.tar.bz2" | shasum -a 256 -c - 8 | tar -xjf "gnupg-$GPG_VERSION.tar.bz2" 9 | cd "gnupg-$GPG_VERSION/" 10 | ./configure 11 | make && make check && sudo make install 12 | -------------------------------------------------------------------------------- /env.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # shellcheck disable=SC2155 3 | 4 | export MACOSX_DEPLOYMENT_TARGET=10.15 5 | 6 | # Reset version number to zero everytime TOR_VERSION changes. 
7 | export BRAVE_TOR_VERSION="0" 8 | 9 | export TOR_VERSION="0.4.8.14" 10 | 11 | export ZLIB_VERSION="1.3.1" 12 | export LIBEVENT_VERSION="2.1.12-stable" 13 | export OPENSSL_VERSION="3.4.1" 14 | 15 | export ZLIB_HASH="9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23" 16 | export LIBEVENT_HASH=92e6de1be9ec176428fd2367677e61ceffc2ee1cb119035037a27d346b0403bb 17 | export OPENSSL_HASH="002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3" 18 | export TOR_HASH="5047e1ded12d9aac4eb858f7634a627714dd58ce99053d517691a4b304a66d10" 19 | 20 | export DOCKER="$(command -v docker || command -v podman)" 21 | -------------------------------------------------------------------------------- /gpg-keys/libevent.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brave/tor_build_scripts/354a978394b2e0aea412cf49938c14cedcc7b3cb/gpg-keys/libevent.gpg -------------------------------------------------------------------------------- /gpg-keys/openssl.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brave/tor_build_scripts/354a978394b2e0aea412cf49938c14cedcc7b3cb/gpg-keys/openssl.gpg -------------------------------------------------------------------------------- /gpg-keys/tor.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brave/tor_build_scripts/354a978394b2e0aea412cf49938c14cedcc7b3cb/gpg-keys/tor.gpg -------------------------------------------------------------------------------- /gpg-keys/zlib.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brave/tor_build_scripts/354a978394b2e0aea412cf49938c14cedcc7b3cb/gpg-keys/zlib.gpg -------------------------------------------------------------------------------- /patch/libevent/regress.c.patch: 
-------------------------------------------------------------------------------- 1 | Bug-Brave: https://github.com/brave/tor_build_scripts/issues/86 2 | Description: Disable failing tests on Mac 3 | Last-Update: 2022-04-12 4 | 5 | --- test/regress.c 2022-04-12 21:44:28.490865843 -0700 6 | +++ test/regress.c.brave 2022-04-12 21:48:20.619344651 -0700 7 | @@ -3598,7 +3598,7 @@ 8 | }; 9 | 10 | struct testcase_t signal_testcases[] = { 11 | -#ifndef _WIN32 12 | +#if !defined(_WIN32) && !defined(__APPLE__) 13 | LEGACY(simplestsignal, TT_ISOLATED), 14 | LEGACY(simplesignal, TT_ISOLATED), 15 | LEGACY(multiplesignal, TT_ISOLATED), 16 | -------------------------------------------------------------------------------- /patch/libevent/regress_dns.c.patch: -------------------------------------------------------------------------------- 1 | Description: Disable test failing in CI on Linux 2 | Last-Update: 2022-08-02 3 | 4 | --- test/regress_dns.c.orig 2022-08-02 16:31:35.821067863 -0700 5 | +++ test/regress_dns.c 2022-08-02 16:32:46.128182960 -0700 6 | @@ -2479,8 +2479,6 @@ 7 | 8 | { "getaddrinfo_async", test_getaddrinfo_async, 9 | TT_FORK|TT_NEED_BASE, &basic_setup, (char*)"" }, 10 | - { "getaddrinfo_cancel_stress", test_getaddrinfo_async_cancel_stress, 11 | - TT_FORK, NULL, NULL }, 12 | 13 | #ifdef EVENT_SET_MEM_FUNCTIONS_IMPLEMENTED 14 | { "leak_shutdown", test_dbg_leak_shutdown, TT_FORK, &testleak_funcs, NULL }, 15 | -------------------------------------------------------------------------------- /patch/tor/test_slow.c.patch: -------------------------------------------------------------------------------- 1 | Description: Disable failing tests on Mac 2 | Last-Update: 2025-01-15 3 | 4 | --- src/test/test_slow.c 2024-10-24 07:38:41.000000000 -0700 5 | +++ src/test/test_slow.c.brave 2025-01-15 21:02:34.931958360 -0800 6 | 
@@ -19,11 +19,13 @@ 7 | #include "test/test.h" 8 | 9 | struct testgroup_t testgroups[] = { 10 | +#ifndef __APPLE__ 11 | { "slow/crypto/", slow_crypto_tests }, 12 | { "slow/process/", slow_process_tests }, 13 | { "slow/hs_pow/", slow_hs_pow_tests }, 14 | { "slow/prob_distr/", slow_stochastic_prob_distr_tests }, 15 | { "slow/ptr/", slow_ptr_tests }, 16 | END_OF_GROUPS 17 | +#endif 18 | }; 19 | 20 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "local>brave/renovate-config" 5 | ], 6 | "addLabels": ["CI/skip", "dependencies", "renovate"] 7 | } 8 | --------------------------------------------------------------------------------
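Review bot: In patch/tor/test_slow.c.patch the added `#ifndef __APPLE__` also compiles out `END_OF_GROUPS`, so on macOS `testgroups[]` is left with an empty initializer and no terminating entry. An empty `{}` initializer is not valid C before C23, and a harness that walks the array until the terminator (as the sentinel suggests; that loop is outside the hunk) would read past the end of the array. Moving the `#endif` up one line, so that `END_OF_GROUPS` stays outside the conditional, keeps the array well-formed on every platform. The patch header also lacks the `Bug-Brave:` reference that regress.c.patch carries; since this switches off the whole slow crypto group on macOS, it should record which tests fail and where that is tracked.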