- contribute
- release process
- Releasing updates to the verification JavaScript
We run this release process before releasing a new version of Forge or a change in the verification JavaScript that is used on our download pages.
During the release process, you will download several pieces of software over TLS only which is not trustworthy enough to be compliant with the "third-party software" requirement of the security policy of some of our internal teams.
You should isolate these pieces of software, for example by only running them in a dedicated Tails.
Updating Forge
Website: https://github.com/digitalbazaar/forge/
Release feed: https://github.com/digitalbazaar/forge/releases.atom
Check which is the current version:
head -n 1 wiki/src/install/inc/js/forge.sha256.js
Check the upstream Changelog for new versions:
https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md
Clone the upstream repository:
git clone https://github.com/digitalbazaar/forge.git
Install the build dependencies:
apt install -t unstable npm webpack
Build Forge:
export FORGE_VERSION= wget -O forge/webpack.config.js https://tails.net/contribute/release_process/verification_javascript/forge.webpack.config.js cd forge git reset --hard $FORGE_VERSION rm dist/* torsocks npm install npm run build cd ..
Copy into our repo:
cp forge/dist/forge.sha256.js wiki/src/install/inc/js/forge.sha256.js
Add copyright information:
sed -i "1s/^/\/*! Forge v$FORGE_VERSION | (c) Digital Bazaar, Inc. *\/\n/" wiki/src/install/inc/js/forge.sha256.js
Which browsers to test
Perform the following steps for each of:
Tor Browser in the latest Tails, in a non-English locale of your choice:
LANG=pt_BR.UTF-8 tor-browser
The version of Firefox available in Debian stable:
sudo apt install firefox-esr firefox-esr
The version of Chromium available in Debian stable:
sudo apt install chromium chromium --no-sandbox
Steps
In Tails, configure a system proxy:
Settings → Network → Network proxy → Manual
Socks Host: 127.0.0.1 9050
Check that verifying the USB image of the last Tails version works in all browsers.
Check that verifying a truncated USB image fails in all browsers:
dd if=tails-amd64-3.14.img of=tails-amd64-3.14-truncated.img bs=1M count=100
Check that verifying a rogue USB image fails in all browser:
sed 's/\x54\x61\x69\x6c\x73/\x46\x61\x69\x6c\x73/' tails-amd64-3.14.img > tails-amd64-3.14-rogue.img
To detect backward incompatible changes, if any changes were made to the HTML or CSS, verify that the new download page works with the previous version of the
wiki/src/install/inc/js/download.js
.Otherwise, fix the incompatibility or rename the new JavaScript file as
wiki/src/install/inc/js/download-2.js
.See our discussion about deploying backward incompatible changes on GitLab.
Checklist
- [ ] Tor Browser
- [ ] Good
- [ ] Truncated
- [ ] Rogue
- [ ] Firefox ESR
- [ ] Good
- [ ] Truncated
- [ ] Rogue
- [ ] Chromium
- [ ] Good
- [ ] Truncated
- [ ] Rogue
- [ ] Backward incompatibility