[tbb-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 30 18:08:10 UTC 2019
#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, TorBrowserTeam201907 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by mcs):
Replying to [comment:17 gk]:
> Thanks for the investigation! I think I have a fix for that which follows Mozilla leaving the SDK directory name as `MacOSX10.11.sdk`:
>
> https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-30126_2-osx64_en-US.dmg
> https://people.torproject.org/~gk/testbuilds/TorBrowser-tbb-nightly-30126_2-osx64_en-US.dmg.asc
>
> Is Apple happier with that one? (Note: that's without the patch for bug 1270217 which we might need as well) If we are good I'll open a child bug just for the SDK issue and get that one fixed there.
It is almost perfect. Apple complains about the following three files
which have `sdk 10.7` in the mach-o header:
Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/meek-client
Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/meek-client-torbrowser
Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/obfs4proxy
Is the build process different for those binaries?
After finding those anomalies, Kathy and I did some more checking and
found that all of our other binaries have (min) `version 10.7` and
`sdk 10.11` (as expected) with the exception of two files. The following
have `sdk 10.11` (good) but for some reason have (min) `version 10.11`
(possibly bad):
Tor Browser.app/Contents/MacOS/Tor/libevent-2.1.6.dylib
Tor Browser.app/Contents/MacOS/Tor/tor.real
That won't break notarization, but I wonder if it will cause problems when
trying to run on older macOS systems.
In any case, after Kathy and I removed `meek-client`, `meek-client-torbrowser`,
and `obfs4proxy` we followed the steps from comment:11 again
and notarization (finally) succeeded. There is one more required step to
avoid macOS having to contact Apple to check notarization status every
time the app is opened: stapling. This also requires Internet access but
at least it did its job quickly:
xcrun stapler staple Tor\ Browser.app
The above command adds one new file to the app bundle (`Tor
Browser.app/Contents/CodeResources`) and makes no other changes. Near the
end of the following article there is some info about network access
requirements:
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
Now we can check the app status and note that the source is a "Notarized
Developer ID":
spctl -av Tor\ Browser.app
Tor Browser.app: accepted
source=Notarized Developer ID
Finally, the prompt displayed when a user tries to open a downloaded app
("Tor Browser.app is an app downloaded from the Internet. Are you sure you
want to open it?") now includes the "Apple checked it for malicious
software and none was detected" text as expected for a notarized app.
> > By the way, we could not find an open source tool that dumps mach-o header fields like the macOS `otool` and `objdump` commands can.
>
> That would be unfortunate, so I looked a bit around. It turns out that you are already building such a tool while building the macOS bundles :) : `x86_64-apple-darwin11-otool` (and a bunch of similar tools) gets built when assembling the `macosx-toolchain` and works for me for the purposes at hand (you need to put the path to `clang/lib` into `LD_LIBRARY_PATH` to find `libc++abi.so.1`).
Nice! (and good to know).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:20>
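One way to automate the check mcs describes above (dumping the min version and SDK fields of every Mach-O in the bundle and flagging the ones that deviate, i.e. `sdk 10.7` blocking notarization and a stray min `version 10.11`), as an added example that is not part of the ticket or of Tor Browser's build tooling: it parses the LC_VERSION_MIN_MACOSX and LC_BUILD_VERSION load commands directly instead of relying on `otool`. `macho_versions`, `audit`, `fake_macho` and `SAMPLE_FILES` are hypothetical names, and the sample headers are constructed, not the real bundle binaries.

```python
import struct
MH_MAGIC_64, LC_VERSION_MIN_MACOSX, LC_BUILD_VERSION, PLATFORM_MACOS = 0xFEEDFACF, 0x24, 0x32, 1

def _decode(v):  # Mach-O packs X.Y.Z as (X << 16) | (Y << 8) | Z
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"

def _encode(s):
    return sum(p << sh for p, sh in zip([int(x) for x in s.split(".")] + [0, 0], (16, 8, 0)))

def macho_versions(data):
    """Return (min_version, sdk_version) strings from a thin 64-bit little-endian Mach-O, or None."""
    if struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O (slice fat binaries with lipo first)")
    ncmds, off = struct.unpack_from("<I", data, 16)[0], 32  # load commands follow mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_VERSION_MIN_MACOSX:  # older toolchains; otool shows these as "version" and "sdk"
            version, sdk = struct.unpack_from("<II", data, off + 8)
            return _decode(version), _decode(sdk)
        if cmd == LC_BUILD_VERSION:  # newer toolchains; only the macOS platform entry is relevant
            platform, minos, sdk = struct.unpack_from("<III", data, off + 8)
            if platform == PLATFORM_MACOS:
                return _decode(minos), _decode(sdk)
        off += cmdsize
    return None

def audit(files, want_min="10.7", want_sdk="10.11"):
    """Map each path whose min/sdk versions deviate from the expected pair to a short reason."""
    want_min, want_sdk = _decode(_encode(want_min)), _decode(_encode(want_sdk))
    problems = {}
    for path, data in files.items():
        found = macho_versions(data)
        if found is None:
            problems[path] = "no LC_VERSION_MIN_MACOSX/LC_BUILD_VERSION load command"
        elif found[1] != want_sdk:  # the notarization blocker seen in the ticket
            problems[path] = f"sdk {found[1]} (want {want_sdk})"
        elif found[0] != want_min:  # not a notarization blocker, but limits which macOS can run it
            problems[path] = f"min version {found[0]} (want {want_min})"
    return problems

def fake_macho(min_v, sdk_v):
    # Constructed sample: mach_header_64 (magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved) + one LC_VERSION_MIN_MACOSX
    lc = struct.pack("<IIII", LC_VERSION_MIN_MACOSX, 16, _encode(min_v), _encode(sdk_v))
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(lc), 0, 0) + lc

SAMPLE_FILES = {  # constructed stand-ins for bundle members named in the ticket, not the real binaries
    "Contents/MacOS/firefox": fake_macho("10.7", "10.11"),
    "Contents/MacOS/Tor/PluggableTransports/meek-client": fake_macho("10.7", "10.7"),
    "Contents/MacOS/Tor/tor.real": fake_macho("10.11", "10.11"),
}
```

Against a real bundle, build the dict from `open(path, "rb").read()` for each Mach-O under `Tor Browser.app/Contents`, slicing universal binaries first since the parser only handles thin 64-bit files.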