[tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 27 20:47:06 UTC 2019


#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
 Reporter:  gk                                  |          Owner:  tbb-team
     Type:  task                                |         Status:  new
 Priority:  Very High                           |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201908  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+--------------------------

Comment (by teor):

 Replying to [comment:42 mcs]:
 > Replying to [comment:34 gk]:
 > * A macOS computer running 10.13.6 or later (required for the `xcrun`
 notarization commands that are part of Xcode 10.1 and later). I do not
 know enough about the Tor Browser signing and release process to know what
 kind of computer to recommend. If we plan to buy a new computer and
 portability is needed, maybe a MacBook Air. If portability is less of a
 concern, maybe a Mac Mini (still somewhat portable but you need to add a
 keyboard, mouse, and display).

 New Macs will come with the latest macOS.

 > * A copy of Xcode 10.1 or later (note that 10.3 is the highest stable
 release, but 10.2 and up require macOS 10.14.3 or later).

 Downloadable from the App Store, requires an App Store account for every
 download and update.

 > * Connectivity to the Internet (at least to reach Apple's timestamping
 and notarization servers).

 > > Another thought I had: can we buy us some time if we pretend we have
 signed our stuff _before_ June 2019? IIRC the notarization requirement is
 only a requirement for binaries signed _after_ that threshold.
 >
 > This is an interesting idea, but it seems like a loophole that Apple
 would have closed by now. But maybe it would work. I don't have any
 experience with running a timestamping server; can we easily set one up
 that uses a time prior to June 2019?

 Apple has banned apps for evading rules like this. Might not be the best
 idea.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:43>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

