eliott/desktop
1
0
Fork 0
mirror of https://github.com/zen-browser/desktop synced 2026-04-25 17:15:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
270db6d6713d2c6c14d9df0b4bc7662843d3d54e
desktop/.github/workflows/linux-release-build.yml
JDX50S 270db6d671 Merge commit from fork 
* security: enable MAR signature verification for updates

Remove `--enable-unverified-updates` from the common mozconfig. This flag
was disabling all MAR (Mozilla ARchive) signature verification in the
updater binary, meaning update packages were applied without any
cryptographic authenticity check.

With this flag removed, the Mozilla build system will:
- Link NSS and signmar into the updater binary
- Enable SecVerifyTransformCreate-based signature verification on macOS
- Require MAR files to contain valid signatures before applying

REQUIRED FOLLOW-UP (maintainer action):
1. Generate a Zen-specific MAR signing keypair (RSA-PKCS1-SHA384)
   See: https://firefox-source-docs.mozilla.org/build/buildsystem/mar.html
2. Place the public key DER file(s) in the source tree at
   toolkit/mozapps/update/updater/release_primary.der
3. Sign MAR files during the release build with the private key
4. Set ACCEPTED_MAR_CHANNEL_IDS in update-settings.ini to restrict
   which update channels the updater will accept

Ref: GHSA-qpj9-m8jc-mw6q

* no-bug: Added signature steps

* no-bug: Export browser/installer/package-manifest.in

---------

Co-authored-by: Maliq Barnard <maliqbarnard@Maliqs-MacBook-Air.local>
Co-authored-by: Mr. M <mr.m@tuta.com>
2026-04-09 19:28:31 +02:00

184 lines
5.6 KiB
YAML
Raw Blame History

name: Linux Release Build
on:
workflow_call:
inputs:
build-version:
description: "The version to build"
required: true
type: string
release-branch:
description: "The branch to build"
required: true
type: string
MOZ_BUILD_DATE:
type: string
required: true
default: ""
use-sccache:
description: "Use sccache"
required: true
type: boolean
default: false
jobs:
build-linux:
permissions:
contents: write
# aarch64 does not need full 16x
runs-on: ${{ (inputs.release-branch == 'release' && matrix.arch == 'x86_64') && 'self-hosted' || 'blacksmith-8vcpu-ubuntu-2404' }}
strategy:
fail-fast: false
matrix:
arch: [x86_64, aarch64]
env:
SCCACHE_GHA_ENABLED: ${{ inputs.use-sccache && 'true' || 'false' }}
CARGO_TERM_COLOR: always
RUSTC_WRAPPER: ${{ inputs.use-sccache && 'sccache' || '' }}
CARGO_INCREMENTAL: 0
name: Build Linux - ${{ matrix.arch }}
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
token: ${{ secrets.DEPLOY_KEY }}
- name: Setup Node.js
uses: useblacksmith/setup-node@v5
with:
node-version-file: ".nvmrc"
- name: Run sccache-cache
uses: mozilla-actions/sccache-action@main
if: ${{ inputs.use-sccache }}
with:
disable_annotations: true
- name: Expose actions cache variables
uses: actions/github-script@v6
with:
script: |
core.exportVariable('ACTIONS_CACHE_URL', process.env['ACTIONS_CACHE_URL'])
core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env['ACTIONS_RUNTIME_TOKEN'])
- name: Setup Git
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions[bot]@users.noreply.github.com"
- name: Install system dependencies
run: |
set -x
sudo apt-get update --fix-missing
sudo apt-get update
sudo apt-get install -y python3 python3-pip dos2unix yasm nasm build-essential libgtk2.0-dev libpython3-dev m4 uuid libasound2-dev libcurl4-openssl-dev libdbus-1-dev libdrm-dev libdbus-glib-1-dev libgtk-3-dev libpulse-dev libx11-xcb-dev libxt-dev xvfb lld llvm
- name: Install dependencies
run: |
npm ci
- name: Load Surfer CI setup
run: npm run surfer -- ci --brand ${{ inputs.release-branch }} --display-version ${{ inputs.build-version }}
- name: Download Firefox source and dependencies
run: npm run download
- name: Fix Rust version
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $(cat .rust-toolchain)
source $HOME/.cargo/env
if test "${{ matrix.arch }}" = "aarch64"; then
rustup target add aarch64-unknown-linux-gnu
else
rustup target add x86_64-unknown-linux-gnu
fi
- name: Import
env:
SURFER_COMPAT: ${{ matrix.arch }}
run: |
. "$HOME/.cargo/env"
npm run import
- name: Build language packs
run: sh scripts/download-language-packs.sh
- name: Bootstrap
run: |
cd engine
export SURFER_PLATFORM="linux"
./mach --no-interactive bootstrap --application-choice browser
cd ..
- name: Insert API Keys
run: |
mkdir -p ~/.zen-keys
echo "${{ secrets.ZEN_SAFEBROWSING_API_KEY }}" > ~/.zen-keys/safebrowsing.dat
- name: Build
env:
SURFER_COMPAT: ${{ matrix.arch }}
ZEN_RELEASE_BRANCH: ${{ inputs.release-branch }}
continue-on-error: true
run: |
export SURFER_PLATFORM="linux"
if [[ -n ${{ inputs.MOZ_BUILD_DATE }} ]];then
export MOZ_BUILD_DATE=${{ inputs.MOZ_BUILD_DATE }}
fi
bash .github/workflows/src/release-build.sh
- name: Package
env:
SURFER_COMPAT: ${{ matrix.arch }}
ZEN_GA_DISABLE_PGO: true
run: |
export SURFER_PLATFORM="linux"
export ZEN_RELEASE=1
npm run package
- name: Remove API Keys
run: |
rm -rf ~/.zen-keys
- name: Rename artifacts
run: |
mv dist/zen-*.tar.xz "zen.linux-${{ matrix.arch }}.tar.xz"
mv dist/output.mar linux${{ matrix.arch == 'aarch64' && '-aarch64' || '' }}.mar
- name: Upload build artifact (binary)
uses: actions/upload-artifact@v4
with:
retention-days: 5
name: zen.linux-${{ matrix.arch }}.tar.xz
path: ./zen.linux-${{ matrix.arch }}.tar.xz
- name: Upload build artifact (.mar)
uses: actions/upload-artifact@v4
with:
retention-days: 5
name: linux${{ matrix.arch == 'aarch64' && '-aarch64' || '' }}.mar
path: ./linux${{ matrix.arch == 'aarch64' && '-aarch64' || '' }}.mar
- name: Upload build artifact (update manifests)
uses: actions/upload-artifact@v4
with:
retention-days: 5
name: linux_update_manifest_${{ matrix.arch }}
path: ./dist/update
- name: Upload signmar
if: ${{ matrix.arch == 'x86_64' }}
uses: actions/upload-artifact@v4
with:
retention-days: 2
name: signmar-linux-x86_64
path: engine/obj-x86_64-pc-linux-gnu/dist/bin/signmar
Reference in New Issue View Git Blame Copy Permalink