[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization



#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  task                                |         Status:  new
 Priority:  Very High                           |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201909  |  Actual Points:
Parent ID:                                      |         Points:  2
 Reviewer:                                      |        Sponsor:
------------------------------------------------+--------------------------

Comment (by mcs):

 Replying to [comment:48 gk]:
 > Okay, mcs/brade: What about:
 >
 > https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-
 osx64_en-US_30126_signed.dmg
 > https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-
 osx64_en-US_30126_signed.dmg.asc
 >
 > It works on the 10.14 system I have and Gatekepper is telling me that
 Apple checked our package for malware (and did not find any !11!).

 As I mentioned on IRC, when we use the above build we are blocked by
 Gatekeeper on macOS 10.15 beta 7 (but everything is OK on 10.14.6). I will
 attach a screenshot of the error we see.

 Another data point is the nightly build that Kathy and I notarized a few
 weeks ago using our own Apple developer identity works fine on both OS
 versions,and so does Firefox 68.1.0 ESR.

 I wonder if there is some difference in the process you used that is
 breaking things? For example, Kathy and I did not create a DMG after
 notarizing a zipped up copy of Tor Browser.app.

 Nearly all of the command line checks we have tried indicate that
 everything is OK, e.g.,
 {{{
 % codesign -vvv --deep --strict ./Tor\ Browser.app
 ...
 ./Tor Browser.app: valid on disk
 ./Tor Browser.app: satisfies its Designated Requirement

 % spctl -vvv --assess --type exec ./Tor\ Browser.app/
 ./Tor Browser.app/: accepted
 source=Notarized Developer ID
 origin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)

 % codesign -dvv ./Tor\ Browser.app
 Executable=/Applications/Tor Browser.app/Contents/MacOS/firefox
 Identifier=org.torproject.torbrowser
 Format=app bundle with Mach-O thin (x86_64)
 CodeDirectory v=20500 size=421 flags=0x10000(runtime) hashes=4+5
 location=embedded
 Signature size=9022
 Authority=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)
 Authority=Developer ID Certification Authority
 Authority=Apple Root CA
 Timestamp=Sep 10, 2019 at 7:07:40 AM
 Info.plist entries=27
 TeamIdentifier=MADPSAYN6T
 Runtime Version=10.11.0
 Sealed Resources version=2 rules=13 files=130
 Internal requirements count=1 size=188

 % xcrun stapler validate ./Tor\ Browser.app
 Processing: /Applications/Tor Browser.app
 The validate action worked!
 }}}

 There is one command variant which fails; compare these two (`--type exec`
 vs. `--type open`):
 {{{
 % spctl -vvvv --assess --type exec --context context:primary-signature
 Tor\ Browser.app
 Tor Browser.app: accepted
 source=Notarized Developer ID
 origin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)

 % spctl -vvvv --assess --type open --context context:primary-signature
 Tor\ Browser.app
 Tor Browser.app: rejected
 source=Unnotarized Developer ID
 origin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)
 }}}

 With the .app that Kathy and I notarized, both of these commands succeed.
 I am not sure if this is an important difference, but it is the only one
 we have found so far.

 There must be some step that we missed. I assume you included the
 entitlements file? Can you give us the zipped up Tor Browser.app to try
 (i.e., no .dmg processing)?

 Other ideas?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:49>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs