[tbb-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 29 15:33:40 UTC 2019 

#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  task                                |         Status:  new
 Priority:  Very High                           |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201907  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+--------------------------

Comment (by mcs):

 Replying to [comment:14 gk]:
 > Hm, I think we don't do something differently to what Mozilla is using.
 So, what is the Firefox ESR 60 output here? And does that change with the
 patch for bug 1270217 landed in Firefox (that is with Firefox 62)? What
 does the firefox binary for ESR 68 say in that regard?

 Here is the LC_VERSION_MIN_MACOSX info for various builds:

 ||Build||min OS version||SDK version||
 ||Firefox 60.8.0 ESR||10.7||10.11||
 ||Firefox 68.0.1 ESR||10.9||10.11||
 ||Firefox 62.0||10.9||10.11||
 ||Tor Browser 9.0a4||10.7||10.6||
 ||2019-07-28 Patched Tor Browser build||10.9||10.6||

 > Meanwhile I've started a test build with the patch for bug 1270217
 applied, in case that buys us something. I'll post a link to a bundle
 later when the build has finished.

 See the last row in the table above. The patch affects the minimum
 supported OS version but not the SDK version.

 Kathy and I looked at the cctools code, and maybe the problem is that the
 SDK version is not defaulting to the correct value. There is code to pick
 it up from the SDK path, but our SDK path is just `SDK/`. Search for `if
 -sdk_version not on command line, infer from -syslibroot` within
 https://github.com/tpoechtrager/cctools-
 port/blob/8e9c3f2506b51cf56725eaa60b6e90e240e249ca/cctools/ld64/src/ld/Options.cpp
 to see the relevant code.

 One solution is to leave our SDK directory name as `MacOSX10.11.sdk`. An
 alternative is to add `-sdk_version 10.11` to the ld command.

 By the way, we could not find an open source tool that dumps mach-o header
 fields like the macOS `otool` and `objdump` commands can.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list