[tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 10 18:12:32 UTC 2019


#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  task                                |         Status:  new
 Priority:  Very High                           |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201909  |  Actual Points:
Parent ID:                                      |         Points:  2
 Reviewer:                                      |        Sponsor:
------------------------------------------------+--------------------------

Comment (by mcs):

 Replying to [comment:50 gk]:
 > Okay, here comes the zipped up .app dir:
 >
 > https://people.torproject.org/~gk/testbuilds/tbb-30126.zip
 > https://people.torproject.org/~gk/testbuilds/tbb-30126.zip.asc

 Using this results in the same behavior (works fine on macOS 10.14.6,
 Gatekeeper error on 10.15 beta).

 > When I unzip the archive after doing all the codesigning things I just
 > end up with a `Contents` folder. I need to (re-)create `Tor Browser.app`
 > and move that one into it. Not sure whether that's expected. Another thing
 > I probably did differently: I looked at the `codesign.bash` file in
 > security/mac/hardenedruntime and used an adapted
 > `ditto -c -k "${BUNDLE}" "${OUTPUT_ZIP_FILE}"` for zipping the bundle up
 > after signing but before notarization.

 What did you submit to Apple? As described in comment:11, Kathy and I ran
 the codesign command on `Tor Browser.app` and then we created a .zip that
 contained `Tor Browser.app`, which we then submitted via the `xcrun altool
 --notarize-app ...` command.

 But I just realized there is a much bigger difference between what you are
 doing and our earlier experiments: because we did not have ESR68 macOS
 builds at that time, Kathy and I used an ESR60-based nightly build. We
 will try to re-create our experiment using a current nightly build.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:51>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
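
The two submissions compared in this comment differ in archive layout: one zip contains `Tor Browser.app`, the other unpacks to a bare `Contents` folder. The following Python check for that layout is an added example, not code from the ticket or from `codesign.bash`; the function names and the sample archive contents are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# ditto's --keepParent flag embeds the source directory name in the archive;
# without it, `ditto -c -k` stores the directory's contents at the zip root.

def top_level_entries(zip_bytes):
    """Return the set of first path components of every archive member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        roots = set()
        for name in zf.namelist():
            parts = PurePosixPath(name).parts
            if parts:
                roots.add(parts[0])
        return roots

def check_bundle_zip(zip_bytes, expected_app="Tor Browser.app"):
    """Return (ok, reason) for a zip that is about to be submitted."""
    # __MACOSX holds sequestered resource forks and is not part of the bundle.
    roots = top_level_entries(zip_bytes) - {"__MACOSX"}
    if roots == {expected_app}:
        return True, "archive root is " + expected_app
    if "Contents" in roots:
        return False, "archive root is a bare Contents folder, .app wrapper missing"
    return False, "unexpected top-level entries: " + ", ".join(sorted(roots))

def _make_zip(paths):
    """Build an in-memory zip with empty members (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in paths:
            zf.writestr(path, b"")
    return buf.getvalue()

# Constructed samples: a zip that keeps the .app wrapper, and one that does not.
WRAPPED_ZIP = _make_zip([
    "Tor Browser.app/Contents/Info.plist",
    "Tor Browser.app/Contents/_CodeSignature/CodeResources",
    "__MACOSX/Tor Browser.app/._Contents",
])
FLAT_ZIP = _make_zip([
    "Contents/Info.plist",
    "Contents/_CodeSignature/CodeResources",
])

if __name__ == "__main__":
    for label, data in (("wrapped", WRAPPED_ZIP), ("flat", FLAT_ZIP)):
        print(label, check_bundle_zip(data))
```
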