[tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jul 19 17:39:51 UTC 2019
#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, TorBrowserTeam201907 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by mcs):
Today, Kathy and I downloaded
https://dist.torproject.org/torbrowser/9.0a4/TorBrowser-9.0a4-osx64_en-US.dmg,
extracted `Tor Browser.app`, and experimented with Apple's
notarization process. Using our own "Developer ID Application" signing
key, we re-signed the app bundle like this:
CERT="Developer ID Application: ..."
ENTITLEMENTS=/path/to/production.entitlements.xml
codesign -vvv --deep -o runtime --entitlements "$ENTITLEMENTS" --timestamp -f -s "$CERT" "Tor Browser.app/"
(compared to the usual Tor Browser Gatekeeper signing we added `-o
runtime` to enable the hardened runtime, we added the Firefox 68
entitlements file, and we enabled timestamping).
Then we used Xcode 10.1's Application Loader tool to upload a .zip to
Apple for notarization, like this:
rm -f tb.zip
zip -qr tb.zip "Tor Browser.app"
export PW="secret"
BUNDLEID="org.torproject.torbrowser"
xcrun altool --notarize-app -t osx -f tb.zip --primary-bundle-id "$BUNDLEID" -u ID -p @env:PW --output-format xml
Finally, we used `altool` to poll for the status of Apple's server-side
notarization process, e.g.,
xcrun altool --notarization-info REQUESTID -u ID -p @env:PW --output-format xml
(REQUESTID is a GUID returned by the `altool --notarize-app` command).
The result was a "Package Invalid" error. Apple also provides a URL that
points to a detailed log, and that shows a series of repeated issues (one
for each of our binaries), e.g.,
"severity": "error",
"code": null,
"path": "tb.zip/Tor Browser.app/Contents/MacOS/firefox",
"message": "The binary uses an SDK older than the 10.9 SDK.",
"docUrl": null,
"architecture": "x86_64"
...
That is strange. We then used `otool -l` on macOS to look at the `firefox`
binary. The output indeed indicates that the minimum macOS version and SDK
version are not what we would expect:
cmd LC_VERSION_MIN_MACOSX
cmdsize 16
version 10.7
sdk 10.6
Kathy and I do not know enough about the cross-compile process to know
where to look for a solution to this problem, but I think we need to fix
this SDK issue before we can go further with notarization.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
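The check mcs did with `otool -l` above can be done without macOS, which matters for a project that cross-compiles on Linux and cannot run `otool` in its build containers. The script below is an added example, not code from this ticket, from mcs, or from Tor Browser's build scripts: it reads the Mach-O load commands itself, reports the LC_VERSION_MIN_MACOSX (or, for newer toolchains, LC_BUILD_VERSION) minimum-OS and SDK versions per architecture, and flags any slice whose SDK is older than 10.9, the threshold quoted in the notarization log. The "binaries" it inspects by default are constructed in the script to mirror the 10.7 / 10.6 values shown above; they are not real executables, and `build_sample`, `build_fat`, `sdk_problems` and the message wording are this example's own inventions.

```python
"""Report the minimum macOS and SDK versions a Mach-O binary was built against.

Added example (not from the ticket or Tor Browser): a pure-Python stand-in for
the LC_VERSION_MIN_MACOSX part of `otool -l`, usable on a Linux build host.
Usage: python macho_sdk_check.py [path/to/Tor Browser.app/Contents/MacOS/firefox]
Without an argument it inspects a constructed sample, not a real binary.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O, little-endian on Intel
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE          # universal binary; fat headers are big-endian
LC_VERSION_MIN_MACOSX = 0x24
LC_BUILD_VERSION = 0x32
PLATFORM_MACOS = 1
CPU_TYPE_X86_64 = 0x01000007
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 0x0100000C: "arm64"}
REQUIRED_SDK = (10, 9, 0)       # "The binary uses an SDK older than the 10.9 SDK."


def decode_version(packed):
    """Mach-O packs versions as 0xXXXXYYZZ = major.minor.patch."""
    return (packed >> 16, (packed >> 8) & 0xFF, packed & 0xFF)


def pack_version(ver):
    major, minor, patch = (tuple(ver) + (0, 0))[:3]
    return (major << 16) | (minor << 8) | patch


def version_str(ver):
    """Format like otool: a zero patch level is dropped (10.7, not 10.7.0)."""
    return ".".join(str(p) for p in (ver if ver[2] else ver[:2]))


def parse_thin(data):
    """Version info for one Mach-O slice, or None if it has no macOS version command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        offset = 32                         # mach_header_64 has a trailing 'reserved'
    elif magic == MH_MAGIC:
        offset = 28
    else:
        raise ValueError("not a little-endian Mach-O image (magic 0x%08x)" % magic)
    ncmds = struct.unpack_from("<I", data, 16)[0]   # same offset in both headers
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError("corrupt load command at offset %d" % offset)
        if cmd == LC_VERSION_MIN_MACOSX:
            minos, sdk = struct.unpack_from("<II", data, offset + 8)
            return {"cmd": "LC_VERSION_MIN_MACOSX",
                    "minos": decode_version(minos), "sdk": decode_version(sdk)}
        if cmd == LC_BUILD_VERSION:
            platform, minos, sdk = struct.unpack_from("<III", data, offset + 8)
            if platform == PLATFORM_MACOS:  # ignore Catalyst/iOS slices
                return {"cmd": "LC_BUILD_VERSION",
                        "minos": decode_version(minos), "sdk": decode_version(sdk)}
        offset += cmdsize
    return None


def parse_macho(data):
    """Map architecture name -> version info, unwrapping fat (universal) files."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        result = {}
        for i in range(nfat):
            cputype, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            result[CPU_NAMES.get(cputype, hex(cputype))] = parse_thin(data[off:off + size])
        return result
    cputype = struct.unpack_from("<I", data, 4)[0]
    return {CPU_NAMES.get(cputype, hex(cputype)): parse_thin(data)}


def sdk_problems(data):
    """One message per slice that would fail Apple's SDK-version check."""
    problems = []
    for arch, info in parse_macho(data).items():
        if info is None:
            problems.append("%s: no LC_VERSION_MIN_MACOSX / LC_BUILD_VERSION" % arch)
        elif info["sdk"] < REQUIRED_SDK:
            problems.append("%s: built against the %s SDK, need %s or newer"
                            % (arch, version_str(info["sdk"]), version_str(REQUIRED_SDK)))
    return problems


def build_sample(minos, sdk, build_version=False):
    """Constructed x86_64 image: header, a dummy LC_UUID and one version command.
    Just enough structure for the parser; it cannot be executed."""
    uuid_cmd = struct.pack("<II", 0x1B, 24) + b"\x00" * 16
    if build_version:
        ver_cmd = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, PLATFORM_MACOS,
                              pack_version(minos), pack_version(sdk), 0)
    else:
        ver_cmd = struct.pack("<IIII", LC_VERSION_MIN_MACOSX, 16,
                              pack_version(minos), pack_version(sdk))
    cmds = uuid_cmd + ver_cmd
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 2, len(cmds), 0, 0)
    return header + cmds


def build_fat(slices):
    """Constructed universal wrapper around [(cputype, slice_bytes), ...]."""
    body, archs, off = b"", b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        archs += struct.pack(">IIIII", cputype, 0, off, len(blob), 0)
        body, off = body + blob, off + len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample((10, 7), (10, 6))
    for arch, info in parse_macho(blob).items():
        if info:
            print("%s %s minos %s sdk %s" % (arch, info["cmd"],
                  version_str(info["minos"]), version_str(info["sdk"])))
    for problem in sdk_problems(blob):
        print("error:", problem)
```

Run against the constructed default it prints `x86_64 LC_VERSION_MIN_MACOSX minos 10.7 sdk 10.6` followed by an error line, which is the condition the notarization log complained about; a slice linked against a 10.9 or newer SDK produces no error. Running it over every Mach-O under `Tor Browser.app/Contents` after the cross-compile, before `codesign` and `altool`, turns a server-side "Package Invalid" round trip into a local build failure.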