[tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 10 21:44:18 UTC 2019


#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  task                                |         Status:  new
 Priority:  Very High                           |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201909  |  Actual Points:
Parent ID:                                      |         Points:  2
 Reviewer:                                      |        Sponsor:
------------------------------------------------+--------------------------

Comment (by mcs):

 Replying to [comment:51 mcs]:
 > But I just realized there is a much bigger difference between what you
 > are doing and our earlier experiments: because we did not have ESR68 macOS
 > builds at that time, Kathy and I used an ESR60-based nightly build. We
 > will try to re-create our experiment using a current nightly build.

 I did the ESR68-based experiment using browser bits that I extracted from
 your comment:48 build. My notarized and stapled `Tor Browser.app` opens
 correctly on macOS 10.15.  I used the entitlements file from
 https://gitweb.torproject.org/tor-browser.git/plain/security/mac/hardenedruntime/production.entitlements.xml?h=tor-browser-68.1.0esr-9.0-2-build2

 In detail, here are the steps I followed (all on a macOS 10.14.6
 computer):

 Opened your .dmg in Finder and copied Tor Browser.app to a new folder.

 Removed your signatures:
 {{{
 rm -rf Tor\ Browser.app/Contents/CodeResources \
     Tor\ Browser.app/Contents/_CodeSignature
 }}}

 Signed it and created `tb.zip` which contains `Tor Browser.app` at the top
 level:
 {{{
 CERT="Developer ID Application: Pearl Crescent LLC (Z4N9W47D2U)"
 ENTITLEMENTS=entitlements/production.entitlements.xml
 codesign -vvv --deep -o runtime --entitlements "$ENTITLEMENTS" \
     --timestamp -f -s "$CERT" "Tor Browser.app/"
 zip -qr tb.zip "Tor Browser.app"
 }}}

 Submitted the zip file for notarization:
 {{{
 BUNDLEID="org.torproject.torbrowser"
 xcrun altool --notarize-app -t osx -f tb.zip \
     --primary-bundle-id "$BUNDLEID" \
     -u REDACTED -p @env:PW --output-format xml
 }}}

 Checked status until it was done:
 {{{
 xcrun altool --notarization-info GUID \
     -u REDACTED -p @env:PW --output-format xml
 }}}

 Stapled the notarization ticket to the app bundle and created a new zip
 file:
 {{{
 xcrun stapler staple Tor\ Browser.app
 zip -r tb-stapled.zip Tor\ Browser.app
 }}}

 Then I put `tb-stapled.zip` on an HTTP server and downloaded it to macOS
 for testing.

 There were three things that surprised me on macOS 10.15:
 1. The "Tor Browser is an app downloaded from the Internet. Are you sure
 you want to open it?" prompt did not mention that the app had been checked
 by Apple for malicious software. But that message does not appear for
 Firefox 68.1.0 ESR either.
 2. Even though I had the app on the desktop, when I clicked `Open` and
 allowed Tor Browser to start up, it placed its `TorBrowser-Data` folder
 under `~/Library/Application Support/TorBrowser-Data/` instead of next to
 the app. Apparently notarized applications do not have access to the
 desktop by default, because this problem occurs on macOS 10.14.6 as well.
 3. A more serious problem is that on macOS 10.15 but not on 10.14.6, all
 tabs seem to crash (content process crash). This problem and 2. both
 disappear if I run `./Tor Browser.app/Contents/MacOS/firefox` from bash.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:52>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
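
The "checked status until it was done" step above, as an added example (not code from the post or from the Tor Project): a Python helper that parses the reply `altool` prints with `--output-format xml` and polls until notarization finishes. The plist key names (`notarization-info`, `Status`), the status strings `in progress` and `success`, and all function names are assumptions; the sample reply is constructed.

```python
import plistlib
import subprocess
import time

# Constructed sample of a --notarization-info reply (not real altool output;
# the UUID is a placeholder and the key names are assumed).
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>notarization-info</key>
  <dict>
    <key>RequestUUID</key><string>00000000-0000-0000-0000-000000000000</string>
    <key>Status</key><string>in progress</string>
  </dict>
</dict></plist>"""


def notarization_status(reply: bytes) -> str:
    """Return the Status string from a plist reply, or raise ValueError."""
    try:
        doc = plistlib.loads(reply)
    except Exception as exc:  # empty, truncated or non-plist output
        raise ValueError("altool reply is not a valid plist") from exc
    info = doc.get("notarization-info") if isinstance(doc, dict) else None
    if not isinstance(info, dict) or not isinstance(info.get("Status"), str):
        raise ValueError("reply carries no notarization-info Status")
    return info["Status"]


def query_altool(guid: str, user: str) -> bytes:
    """Run the status command from the post; the password is read from $PW."""
    cmd = ["xcrun", "altool", "--notarization-info", guid,
           "-u", user, "-p", "@env:PW", "--output-format", "xml"]
    return subprocess.run(cmd, capture_output=True, check=False).stdout


def wait_for_notarization(guid, user, query=query_altool, interval=30,
                          attempts=60, sleep=time.sleep):
    """Poll until Status leaves 'in progress'; True only for 'success'."""
    for _ in range(attempts):
        status = notarization_status(query(guid, user))
        if status != "in progress":
            return status == "success"  # any other final state is a failure
        sleep(interval)
    raise TimeoutError(f"notarization {guid} still in progress")
```

Stapling should only be attempted once `wait_for_notarization` returns `True`; a `False` result or a `ValueError` means the ticket is not available.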

