[tor-bugs] #19001 [Obfuscation/Snowflake]: Tor Browser with Snowflake

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jul 1 00:15:12 UTC 2017


#19001: Tor Browser with Snowflake
-----------------------------------+------------------------------
 Reporter:  dcf                    |          Owner:
     Type:  project                |         Status:  needs_review
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:                         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------------
Changes (by dcf):

 * status:  new => needs_review


Comment:

 == mac reproducible build ==

 I've ported the mac build to the GN build system and solved some
 reproducibility problems. For the first time, I got two consecutive
 identical working mac builds. I would like someone to please try building
   https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/log/?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7
 and comparing the sha256sums to
   https://people.torproject.org/~dcf/pt-bundle/snowflake/20170630-7.5a1-e084e834184d/

 Here is the cumulative diff:
   https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/diff/?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7&id2=36808fe250f4c1de115fc200e1eb9294cbcdc2c0

 This is roughly the procedure to build. For more details, see
 [[doc/Snowflake#IntegrationwithTorBrowser]].
 {{{
 $ git clone https://git.torproject.org/builders/tor-browser-bundle.git
 $ cd tor-browser-bundle
 tor-browser-bundle$ git remote add dcf https://git.torproject.org/user/dcf/tor-browser-bundle.git
 tor-browser-bundle$ git fetch dcf
 tor-browser-bundle$ git checkout -b snowflake --track dcf/snowflake
 tor-browser-bundle$ git checkout e084e834184d5ff61aef4c7f172ec883e266bdf7
 tor-browser-bundle$ make clean
 tor-browser-bundle$ ./mkbundle-mac.sh versions.alpha
 }}}

 I'm also using two locally uncommitted patches, which you may or may not
 need. The first applies to gitian-builder and works around #22467. The
 second applies to tor-browser-bundle and works around #20757. These
 patches are not specific to snowflake at all; I need them whenever I build
 Tor Browser.
 {{{
 diff --git a/target-bin/upgrade-system.sh b/target-bin/upgrade-system.sh
 index 9384229..795c3b9 100644
 --- a/target-bin/upgrade-system.sh
 +++ b/target-bin/upgrade-system.sh
 @@ -6,6 +6,9 @@ set -e

  mkdir -p /var/cache/gitian

 +DEBIAN_FRONTEND=noninteractive apt-get -y install grub
 +DEBIAN_FRONTEND=noninteractive apt-get -y install linux-image-$(uname -r)
 +
  # remove obsolete grub, it causes package dependency issues
  apt-get -q -y purge grub > /dev/null 2>&1 || true

 }}}
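
 Review bot: The two added apt-get install lines have no comment, and they sit directly above the existing "remove obsolete grub" purge, so the script now installs grub and purges it again on the next command with nothing explaining why. Add a comment naming the bug being worked around, and quote the substitution as "linux-image-$(uname -r)". The script runs under set -e and these lines lack the `|| true` that the purge has, so a kernel package that cannot be installed aborts the whole upgrade; say in the comment whether that is intended.
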
 {{{
 diff --git a/gitian/git-gpg-wrapper b/gitian/git-gpg-wrapper
 index f137d6d4..d3dcdf2c 100755
 --- a/gitian/git-gpg-wrapper
 +++ b/gitian/git-gpg-wrapper
 @@ -3,10 +3,10 @@
  # an expired key.
  # https://bugs.torproject.org/19737
  set -e
 -if [ $# -eq 4 ] && [ "$1" = '--status-fd=1' ] \
 -        && [ "$2" = '--verify' ]
 +if [ $# -eq 5 ] && [ "$1" = '--status-fd=1' ] \
 +        && [ "$3" = '--verify' ]
  then
 -    gpgv "$1" "$3" "$4" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\]
 GOODSIG /'
 +    gpgv "$1" "$4" "$5" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\]
 GOODSIG /'
      exit ${PIPESTATUS[0]}
  else
      exec gpg "$@"
 }}}
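
 Review bot: The condition now matches only the five-argument form with --verify in "$3", so the four-argument call that the removed lines handled falls through to exec gpg "$@" and loses the expired-key handling, and "$2" is neither checked nor passed on to gpgv. Because this branch rewrites EXPKEYSIG to GOODSIG, match the expected value of "$2" explicitly, and either accept both argument shapes or state in the header comment which invocation the wrapper requires.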

 The hacks needed to get the mac version to cross-compile, and build
 reproducibly, are not terrible--definitely not as bad as they were back in
 comment:15. Building with Clang and GN helped a lot. Of the
 [https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/tree/gitian/patches/webrtc-mac.patch?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7 8 small patches]
 applied to the webrtc source code, 4 of them have to do with our
 use of the 10.7 macOS SDK (instead of a more recent SDK).

 The only potentially sketchy patch, which I invite comment on,
 [https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/tree/gitian/patches/webrtc-mac.patch?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7#n139 disables a call to a function that is not present in the 10.7 SDK]. The
 function is not called on non-mac platforms, so it seems safe, but I am
 not sure.

 tl;dr: please try building
 [https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/log/?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7 e084e834184d5ff61aef4c7f172ec883e266bdf7]
 and check it against
 [https://people.torproject.org/~dcf/pt-bundle/snowflake/20170630-7.5a1-e084e834184d/ these sha256sums].

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19001#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
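
One way to do the sha256sums comparison requested in the message above, as an added example that is not part of the original message or of the Tor Browser build scripts: it parses two manifests in `sha256sum` output format and classifies every file, so a non-reproducible artifact is named rather than just reported as a diff. The function names and both sample manifests are constructed for illustration; it assumes the local manifest was produced by running `sha256sum` over the local build outputs.

```python
import re

# One `sha256sum` output line: 64 hex digits, a space, a mode flag
# (' ' for text, '*' for binary), then the file name.
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_manifest(text):
    """Return {file name: lowercase digest}; reject malformed or conflicting lines."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        digest, name = m.group(1).lower(), m.group(2)
        if sums.setdefault(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name}")
    return sums

def compare_builds(local_text, published_text):
    """Classify every file named in either manifest."""
    local, published = parse_manifest(local_text), parse_manifest(published_text)
    report = {"match": [], "mismatch": [], "only_local": [], "only_published": []}
    for name in sorted(local.keys() | published.keys()):
        if name not in published:
            report["only_local"].append(name)
        elif name not in local:
            report["only_published"].append(name)
        elif local[name] == published[name]:
            report["match"].append(name)
        else:
            report["mismatch"].append(name)
    return report

def is_reproduced(report):
    """True only if every published file was built locally with the same digest."""
    return bool(report["match"]) and not (report["mismatch"] or report["only_published"])

# Constructed sample manifests: digests and file names are made up.
PUBLISHED = f"{'a' * 64}  example-bundle_en-US.dmg\n{'b' * 64}  example-bundle_de.dmg\n"
LOCAL = f"{'A' * 64} *example-bundle_en-US.dmg\n{'c' * 64}  example-bundle_de.dmg\n"

if __name__ == "__main__":
    result = compare_builds(LOCAL, PUBLISHED)
    for status, names in result.items():
        print(f"{status}: {', '.join(names) or '-'}")
    print("reproduced:", is_reproduced(result))
```

Files present only in the local manifest do not fail the check, since a local build may produce more outputs than were published.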

