[tor-bugs] #33480 [Applications/Tor Browser]: Create a plan for releasing an update when Apple's notarization service is not available
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Feb 28 12:36:38 UTC 2020
#33480: Create a plan for releasing an update when Apple's notarization service is
not available
------------------------------------------+----------------------
Reporter: sysrqb | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Last year Apple introduced "notarization" into their app-signing process.
We integrated this into our release process in #30126. However, our
current process assumes Apple's notarization service is highly-available.
This is not always true, and in our experience it has frequent outages or
slowness (but maybe we just have really bad timing).
In our current release flow, as a result of our release process assuming
notarization is "quick", we wait for Apple to notarize each package and
then "staple" the notarization into each dmg. After this is completed, we
regenerate the macOS mar files and then compute the hash of all of the
signed packages (and then sign all of the individual files).
I wonder if we can think about these last three steps again, particularly
in a situation where we must get out an update as quickly as possible (I'm
thinking like a chemspill).
1. If we don't staple the notarization, then we can code-sign (gatekeeper)
the packages and then continue with the remaining release steps (recreate
mars and incrementals, signmars, hash, gpg sign) in parallel with waiting
for notarization from Apple.
1. We split the release between Windows/Linux/Android and macOS, where we
release updates for the former platforms initially and we release updates
for macOS when the packages are ready. This would require "teaching" some
of our scripts if they should operate over al platforms or only a subset
of them.
The main disadvantage of (1) is that all macOS users will query Apple for
checking the update's notarization. We want to limit the amount of
information Apple learns about our users, and this enumeration is not
good.
The main disadvantage of (2) is additional complexity in our build/release
process. Maybe the webserver's config needs changing, too?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33480>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list