[tor-bugs] #19001 [Obfuscation/Snowflake]: Tor Browser with Snowflake
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jul 1 00:15:12 UTC 2017
#19001: Tor Browser with Snowflake
-----------------------------------+------------------------------
Reporter: dcf | Owner:
Type: project | Status: needs_review
Priority: Medium | Milestone:
Component: Obfuscation/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------+------------------------------
Changes (by dcf):
* status: new => needs_review
Comment:
== mac reproducible build ==
I've ported the mac build to the GN build system and solved some
reproducibility problems. For the first time, I got two consecutive
identical working mac builds. I would like someone to please try building
https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/log/?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7
and comparing the sha256sums to
https://people.torproject.org/~dcf/pt-bundle/snowflake/20170630-7.5a1-e084e834184d/
Here is the cumulative diff:
https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/diff/?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7&id2=36808fe250f4c1de115fc200e1eb9294cbcdc2c0
This is roughly the procedure to build. For more details, see
[[doc/Snowflake#IntegrationwithTorBrowser]].
{{{
$ git clone https://git.torproject.org/builders/tor-browser-bundle.git
$ cd tor-browser-bundle
tor-browser-bundle$ git remote add dcf https://git.torproject.org/user/dcf/tor-browser-bundle.git
tor-browser-bundle$ git fetch dcf
tor-browser-bundle$ git checkout -b snowflake --track dcf/snowflake
tor-browser-bundle$ git checkout e084e834184d5ff61aef4c7f172ec883e266bdf7
tor-browser-bundle$ make clean
tor-browser-bundle$ ./mkbundle-mac.sh versions.alpha
}}}
I'm also using two locally uncommitted patches, which you may or may not
need. The first applies to gitian-builder and works around #22467. The
second applies to tor-browser-bundle and works around #20757. These
patches are not specific to snowflake at all; I need them whenever I build
Tor Browser.
{{{
diff --git a/target-bin/upgrade-system.sh b/target-bin/upgrade-system.sh
index 9384229..795c3b9 100644
--- a/target-bin/upgrade-system.sh
+++ b/target-bin/upgrade-system.sh
@@ -6,6 +6,9 @@ set -e
mkdir -p /var/cache/gitian
+DEBIAN_FRONTEND=noninteractive apt-get -y install grub
+DEBIAN_FRONTEND=noninteractive apt-get -y install linux-image-$(uname -r)
+
# remove obsolete grub, it causes package dependency issues
apt-get -q -y purge grub > /dev/null 2>&1 || true
}}}
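Review bot: the added `apt-get -y install grub` sits directly above the existing `apt-get -q -y purge grub`, so grub is installed and then immediately purged, and nothing in the hunk says why. Add a comment above the two new lines naming the problem they work around, so the install-then-purge sequence is not later removed as a mistake. The file runs under `set -e` (visible in the hunk header) and the new lines have no `|| true` like the purge line, so a failed install of `linux-image-$(uname -r)`, for example when no package matches the running kernel, aborts the whole upgrade script; state whether that is intended.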
{{{
diff --git a/gitian/git-gpg-wrapper b/gitian/git-gpg-wrapper
index f137d6d4..d3dcdf2c 100755
--- a/gitian/git-gpg-wrapper
+++ b/gitian/git-gpg-wrapper
@@ -3,10 +3,10 @@
# an expired key.
# https://bugs.torproject.org/19737
set -e
-if [ $# -eq 4 ] && [ "$1" = '--status-fd=1' ] \
- && [ "$2" = '--verify' ]
+if [ $# -eq 5 ] && [ "$1" = '--status-fd=1' ] \
+ && [ "$3" = '--verify' ]
then
- gpgv "$1" "$3" "$4" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\]
GOODSIG /'
+ gpgv "$1" "$4" "$5" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\]
GOODSIG /'
exit ${PIPESTATUS[0]}
else
exec gpg "$@"
}}}
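Review bot: the new condition requires exactly five arguments and tests `$1` and `$3`, but never checks `$2`, which is then dropped when `gpgv "$1" "$4" "$5"` is called. Test `$2` against the specific option expected in that position so that an unrelated five-argument invocation is not silently rewritten, and add a comment saying which argument the caller now inserts. The old four-argument form no longer matches and falls through to `exec gpg "$@"`, which loses the expired-key handling for any caller that still uses it; consider accepting both forms. Because this branch rewrites `EXPKEYSIG` to `GOODSIG`, the match should be as narrow as possible.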
The hacks needed to get the mac version to cross-compile, and build
reproducibly, are not terrible--definitely not as bad as they were back in
comment:15. Building with Clang and GN helped a lot. Of the
[https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/tree/gitian/patches/webrtc-mac.patch?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7 8 small patches]
applied to the webrtc source code, 4 of them have to do with our
use of the 10.7 macOS SDK (instead of a more recent SDK).
The only potentially sketchy patch, which I invite comment on,
[https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/tree/gitian/patches/webrtc-mac.patch?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7#n139 disables a call to a function that is not present in the 10.7 SDK].
The
function is not called on non-mac platforms, so it seems safe, but I am
not sure.
tl;dr: please try building
[https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git/log/?h=snowflake&id=e084e834184d5ff61aef4c7f172ec883e266bdf7 e084e834184d5ff61aef4c7f172ec883e266bdf7]
and check it against
[https://people.torproject.org/~dcf/pt-bundle/snowflake/20170630-7.5a1-e084e834184d/ these sha256sums].
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19001#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online