[tbb-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 31 10:05:04 UTC 2019 

#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  task                                |         Status:  new
 Priority:  Very High                           |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201907  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+--------------------------

Comment (by gk):

 Replying to [comment:20 mcs]:

 [snip]

 > It is almost perfect.  Apple complains about the following three files
 which have `sdk 10.7` in the mach-o header:
 >  Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/meek-client
 >  Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/meek-client-
 torbrowser
 >  Tor Browser.app/Contents/MacOS/Tor/PluggableTransports/obfs4proxy
 > Is the build process different for those binaries?

 Those are pure `go` builds. Thus, I suspect we need to find some magic way
 to set the required flags when CGO is not involved. Hrm.

 > After finding those anomolies, Kathy and I did some more checking and
 found that all of our other binaries have (min) `version 10.7` and `sdk
 10.11` (as expected) with the exception of two files. The following have
 `sdk 10.11` (good) but for some reason have (min) `version 10.11`
 (possibly bad):
 >  Tor Browser.app/Contents/MacOS/Tor/libevent-2.1.6.dylib
 >  Tor Browser.app/Contents/MacOS/Tor/tor.real
 > That won't break notarization, but I wonder if it will cause problems
 when trying to run on older macOS systems.

 Nice catch! That can get solved by setting the proper
 `MACOSX_DEPLOYMENT_TARGET` version. To answer my IRC question: we were not
 affected by that previously as we did not get the proper SDK version but
 fixing that and not setting `MACOSX_DEPLOYMENT_TARGET` just takes the SDK
 version as min OS version it seems.

 (Oh and I finally realized that my concerns about `snowflake` not running
 on 10.9 were a non-issue as we set the corresponding `-mmacosx-version-
 min=10.7` flag.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list