Integrate code signing into the release process
We should integrate the OS X code signing as good as we can into our release process. We have the following pieces at the moment
- We create a .dmg file as the result of our build process
- We have a signing machine where these files need to get transferred to
- We need to sign the TorBrowser.app inside the .dmg file
- We need to ship the .dmg file with the signed app
Taking these into account it seems quite cumbersome to automate this even a bit. But maybe there is something I am missing.
This ticket is not about signing/removing the signature in a reproducible fashion. Getting this going is very likely a separate fun task.
Activity
However we end up integrating the codesigning this is no blocker for getting it shipped at all.
Trac:
Parent: #6540 (moved) to N/ATrac:
Parent: N/A to #3893 (moved)- From a nerd perspective it would be interesting to find signed statements like:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Checking that we are in possession the private key for $keyid.. Succeeded. Mounting .dmg image $tb_image_with_version_string.. Succeeded. Checking that TorBrowser.app is present.. Succeeded. TorBrowser.app has version: $version_string TorBrowser.app has sha256 checksum: $sum_tb Signing TorBrowser.app.. Succeeded. Signature file has sha256 checksum: $sum_tb_sig -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEEk1ZN7YVGjZrCkDYFEu59cHERIFYFAluB6mgACgkQEu59cHER IFbFywv/Rn9Jz9ZB/do4V/bSa98PaZRfTIthstAxppP+Y0Xnphg0irOe9RTByV7y krAbbxzLGuzaHFmtKROBf9BvBBagesbYer6LKdO9MJtFLQBLplzNyjGFRVH9tiiL CpIfdyIZuM44ywHz+k1nKqaHIzfGxadzVGWnyhzoB6/CfY5So/hV154vrpHPwZkn 6fLJRkb3qJ9ayYzXI8eno4UJBG4si5OwMaph+wbGBAJvwmACw8TknQO+l5yz6gTQ Ch1adk4L+/DAjZTJ+ltAau39FlihvfqMsuRoa4oMi9EPhzVpnfWVXhoAW2ZOlpq6 rh4hT3FMFskXvMRzxhc968ICJCbGrN/H62u5vsg2kr5kSI2gi8zHcwnOKRwh7Ie7 fhCET4WaGpWhbaDpq/ubq9lhprs3CJIn0s0W7XJ5ICAzq7WGqe6x2WGhlhHm3wbR 0NkfX03M87cddxZNpLGUkK4PVuaMPPaduTxqJtFYFU3FeH+uR52XzROK5tiE20L/ P071uUkK =puUy -----END PGP SIGNATURE-----Then everyone with the necessary skills could download this statement from our website and verify it:
$ curl $tbo_url > tb_osx_version_statement.txt $ gpg --auto-key-retrieve --verify tb_osx_version_statement.txt gpg: Signature made Sun 26 Aug 2018 01:46:48 AM CEST gpg: using RSA key 93564DED85468D9AC290360512EE7D7071112056 gpg: key 12EE7D7071112056: public key "traumschule <traumschuleriebau@riseup.net>" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "traumschule <traumschuleriebau@riseup.net>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9356 4DED 8546 8D9A C290 3605 12EE 7D70 7111 2056and be happy that there is a trustpath for the downloaded file.
(think yourself the tbo signing key here instead. it would be also good to integrate timestamps, to protect against attackers redoing this process for older versions.)
- From a user perspective only a detach-clearsigned shaX.sum file with sums for the .dmg and the signature file is interesting because it is automatically processable and supplies useful output:
$ wget $url_to_tba_osx_version.xz; tar xf $tba_osx_version.xz; cd tba_osx_version $ sha256sum -c sha256.sum tb_osx_version.dmg: OK tb_osx_version.dmg.asc: OK $ gpg --auto-key-retrieve --verify tb_osx_version.dmg.asc-
From a webadmin's perspective no changes are needed except updating the signing page once. This would solve us #9864 (moved), #22637 (moved), #26539 (moved).
-
The person who signs the file could run the signing script and carry the archive over to dist containing:
- .dmg file
- signature for .dmg file
- checksum file for both
- signature file for checksum file
gpg --clearsign $tb_osx_version_file > $tb_osx_version.dmg.sig sha256sum $tb_version_file $tb_version_file.sig > tb_osx_version_sha256.sum gpg --clearsign tb_osx_version_sha256.sum > tb_osx_version_sha256.sum.sig cd ..; tar cJf tb_osx_version.xz tb_osx_version/- An archive with these four files present can be considered trustworthy and reliably created by the tba signing person.
Do you see an alternative to this process?
macOS code signing is automatically verified by the OS. It is different to gpg signing: https://developer.apple.com/support/code-signing/
just read over comment:4:ticket:20254 and it doesn't sound fun, not even sure, if I want to be a part of it. Sorry, gk, for meddling with your ticket so much. Don't know if the new parent makes sense for you, but probably more than the previous one.
Trac:
Parent: #3893 (moved) to #18925 (moved)
