[tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 27 19:15:10 UTC 2019
#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, TorBrowserTeam201908 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by mcs):
Replying to [comment:34 gk]:
> mcs/brade: could you assemble a list of minimal requirements we have to
> have to get the notarization going, with the focus on what we'd need for
> our signing machine (plus a script or something you used).

The only scripts we used were very simple ones that only saved us typing
the commands I mentioned in comment:11 and comment:20 (`codesign`, `xcrun
altool`, and `xcrun stapler` commands). I don't know exactly how the
notarization steps will fit into the overall Tor Browser build process,
but ideally someone would write a script to automate things and especially
to allow the submission/wait for a reply from Apple part to be done in
parallel for our .dmg files. Maybe that is something boklm could do?

Now that we have solved (most of) the build-related requirements, here are
the remaining things we need:
* An Apple Developer ID key and certificate (I think we already have this
for the existing Gatekeeper signing).
* An entitlements file. So far we have always used the one from Firefox,
e.g., https://searchfox.org/mozilla-esr68/source/security/mac/hardenedruntime/production.entitlements.xml
* A macOS computer running 10.13.6 or later (required for the `xcrun`
notarization commands that are part of Xcode 10.1 and later). I do not
know enough about the Tor Browser signing and release process to know what
kind of computer to recommend. If we plan to buy a new computer and
portability is needed, maybe a MacBook Air. If portability is less of a
concern, maybe a Mac Mini (still somewhat portable but you need to add a
keyboard, mouse, and display).
* A copy of Xcode 10.1 or later (note that 10.3 is the highest stable
release, but 10.2 and up require macOS 10.14.3 or later).
* Connectivity to the Internet (at least to reach Apple's timestamping and
notarization servers).
* A script or set of scripts to automate things some, especially for the
part where we have to wait for Apple to respond to a notarization
request. This and the network connectivity requirement are the most
annoying parts of the entire process.

> Another thought I had: can we buy us some time if we pretend we have
> signed our stuff _before_ June 2019? IIRC the notarization requirement is
> only a requirement for binaries signed _after_ that threshold.

This is an interesting idea, but it seems like a loophole that Apple would
have closed by now. But maybe it would work. I don't have any experience
with running a timestamping server; can we easily set one up that uses a
time prior to June 2019?

Kathy and I would like to install the macOS 10.15 beta and see what the
behavior is if someone tries to run an app that has not been notarized
(and also to see how difficult it is for people to work around a lack of
notarization). But other ESR68 work seems more important given the fact
that items such as the updater and meek affect all platforms/all OS
versions.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:42>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
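
The comment above asks for a script that submits the .dmg files to Apple and waits for the replies in parallel. The following is an added sketch of that step, not code from the ticket or from the Tor Browser build: it assumes the .dmg files are already signed with `codesign`, that `AC_USER`, `AC_PASSWORD` and `BUNDLE_ID` are set in the environment, and that `altool` prints `RequestUUID = <id>` and `Status: <state>` lines in its text output; `POLL_SECONDS` and `MAX_POLLS` are hypothetical tuning variables.

```shell
#!/bin/sh
# Added example (not the Tor Browser team's script): notarize already-signed
# .dmg files in parallel, then staple each ticket.
# Assumed environment: AC_USER (Apple ID), AC_PASSWORD (app-specific password,
# read by altool itself via @env: so it never appears in argv), BUNDLE_ID.
# Assumed altool text output: "RequestUUID = <id>" and "Status: <state>".

notarize_one() {
  dmg=$1
  out=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        -u "$AC_USER" -p "@env:AC_PASSWORD" --file "$dmg" 2>&1) || {
    echo "$dmg: upload failed: $out" >&2; return 1; }
  uuid=$(printf '%s\n' "$out" | sed -n 's/^RequestUUID = //p')
  [ -n "$uuid" ] || { echo "$dmg: no RequestUUID in reply" >&2; return 1; }

  polls=0
  while [ "$polls" -lt "${MAX_POLLS:-120}" ]; do
    status=$(xcrun altool --notarization-info "$uuid" \
             -u "$AC_USER" -p "@env:AC_PASSWORD" 2>&1 | sed -n 's/^ *Status: //p')
    case "$status" in
      success) xcrun stapler staple "$dmg"; return ;;
      "in progress"|"") polls=$((polls + 1)); sleep "${POLL_SECONDS:-60}" ;;
      *) echo "$dmg: notarization $status (request $uuid)" >&2; return 1 ;;
    esac
  done
  echo "$dmg: gave up waiting on request $uuid" >&2; return 1
}

notarize_all() {
  pids=""
  for dmg in "$@"; do
    notarize_one "$dmg" &   # each file gets its own background job
    pids="$pids $!"
  done
  failed=0
  for pid in $pids; do
    wait "$pid" || failed=$((failed + 1))
  done
  [ "$failed" -eq 0 ]       # non-zero exit if any file was rejected
}

if [ "$#" -gt 0 ]; then notarize_all "$@"; fi
```

Because a rejected or timed-out file makes the whole run exit non-zero, a release script can refuse to publish unless every .dmg was both accepted and stapled.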