mirror of
https://github.com/zen-browser/desktop
synced 2026-04-25 17:15:00 +02:00
270db6d671
* security: enable MAR signature verification for updates Remove `--enable-unverified-updates` from the common mozconfig. This flag was disabling all MAR (Mozilla ARchive) signature verification in the updater binary, meaning update packages were applied without any cryptographic authenticity check. With this flag removed, the Mozilla build system will: - Link NSS and signmar into the updater binary - Enable SecVerifyTransformCreate-based signature verification on macOS - Require MAR files to contain valid signatures before applying REQUIRED FOLLOW-UP (maintainer action): 1. Generate a Zen-specific MAR signing keypair (RSA-PKCS1-SHA384) See: https://firefox-source-docs.mozilla.org/build/buildsystem/mar.html 2. Place the public key DER file(s) in the source tree at toolkit/mozapps/update/updater/release_primary.der 3. Sign MAR files during the release build with the private key 4. Set ACCEPTED_MAR_CHANNEL_IDS in update-settings.ini to restrict which update channels the updater will accept Ref: GHSA-qpj9-m8jc-mw6q * no-bug: Added signature steps * no-bug: Export browser/installer/package-manifest.in --------- Co-authored-by: Maliq Barnard <maliqbarnard@Maliqs-MacBook-Air.local> Co-authored-by: Mr. M <mr.m@tuta.com>
108 lines
3.1 KiB
Plaintext
108 lines
3.1 KiB
Plaintext
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
# Browser branding
|
|
ac_add_options --with-app-name=${binName}
|
|
ac_add_options --with-app-basename=Zen
|
|
|
|
# Localization (Must be an absolute path)
|
|
ac_add_options --with-l10n-base="${topsrcdir}/browser/locales"
|
|
|
|
export MOZ_APP_BASENAME=Zen
|
|
export MOZ_BRANDING_DIRECTORY=${brandingDir}
|
|
export MOZ_OFFICIAL_BRANDING_DIRECTORY=${brandingDir}
|
|
|
|
ac_add_options --with-distribution-id=app.zen-browser
|
|
|
|
# Uncomment if builds are too resource hungry
|
|
# mk_add_options MOZ_MAKE_FLAGS="-j4"
|
|
# ac_add_options --enable-linker=gold
|
|
|
|
# Misc
|
|
export MOZ_SOURCE_REPO=https://github.com/zen-browser/desktop
|
|
export MOZ_SOURCE_CHANGESET=${changeset}
|
|
export MOZ_INCLUDE_SOURCE_INFO=1
|
|
|
|
ac_add_options --enable-application=browser
|
|
|
|
# Anything except 'SCCACHE_GHA_ENABLED == false'
|
|
if ! test "$SCCACHE_GHA_ENABLED" = "false"; then
|
|
if test -x "$(command -v sccache)"; then
|
|
ac_add_options --with-ccache=sccache
|
|
elif test -f "$HOME/.mozbuild/sccache/sccache"; then
|
|
ac_add_options --with-ccache="$HOME"/.mozbuild/sccache/sccache
|
|
fi
|
|
fi
|
|
|
|
# add safe browsing key if it exists on a file
|
|
if test -f "$HOME/.zen-keys/safebrowsing.dat"; then
|
|
ac_add_options --with-google-safebrowsing-api-keyfile="$HOME/.zen-keys/safebrowsing.dat"
|
|
fi
|
|
|
|
if test "$ZEN_RELEASE"; then
|
|
|
|
# TODO: Make this successful in builds
|
|
# ac_add_options --enable-clang-plugin
|
|
ac_add_options --enable-bootstrap=-sccache
|
|
|
|
ac_add_options --enable-optimize
|
|
|
|
ac_add_options --enable-verify-mar
|
|
|
|
ac_add_options --enable-release
|
|
ac_add_options --disable-debug
|
|
ac_add_options --disable-debug-symbols
|
|
ac_add_options --disable-debug-js-modules
|
|
ac_add_options --disable-tests
|
|
|
|
ac_add_options --enable-rust-simd
|
|
ac_add_options --enable-wasm-simd
|
|
|
|
ac_add_options --disable-geckodriver
|
|
ac_add_options --disable-rust-tests
|
|
|
|
if ! test "$ZEN_DISABLE_LTO"; then
|
|
# only enable full LTO when ZEN_RELEASE_BRANCH is 'release'
|
|
if test "$ZEN_RELEASE_BRANCH" = "release"; then
|
|
# TODO: make it "full" once we have the resources to build it
|
|
export MOZ_LTO=cross,full
|
|
ac_add_options --enable-lto=cross,full
|
|
else
|
|
export MOZ_LTO=cross,thin
|
|
ac_add_options --enable-lto=cross,thin
|
|
fi
|
|
fi
|
|
|
|
mk_add_options MOZILLA_OFFICIAL=1
|
|
MOZILLA_OFFICIAL=1
|
|
export MOZILLA_OFFICIAL=1
|
|
|
|
mk_add_options AUTOCLOBBER=1
|
|
export AUTOCLOBBER=1
|
|
|
|
export MOZ_PACKAGE_JSSHELL=1
|
|
|
|
ac_add_options --disable-crashreporter
|
|
|
|
# Experimental flag, enabled only on nightly for Firefox.
|
|
# Should bring in some nice performance improvements,
|
|
# but may cause stability issues.
|
|
ac_add_options --enable-replace-malloc
|
|
fi
|
|
|
|
ac_add_options --enable-jxl
|
|
|
|
ac_add_options --with-unsigned-addon-scopes=app,system
|
|
|
|
mk_add_options MOZ_DATA_REPORTING=
|
|
mk_add_options MOZ_SERVICES_HEALTHREPORT=
|
|
mk_add_options MOZ_TELEMETRY_REPORTING=
|
|
|
|
ac_add_options MOZ_DATA_REPORTING=
|
|
ac_add_options MOZ_TELEMETRY_REPORTING=
|
|
|
|
# Allow loading unsigned extensions
|
|
export MOZ_REQUIRE_SIGNING=
|
|
mk_add_options MOZ_REQUIRE_SIGNING=
|