Opened 5 years ago

Last modified 5 months ago

#18820 assigned task

Integrate code signing into the release process

Reported by: gk
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-6.0a5, TorBrowserTeam201702, GeorgKoppen201702, tbb-sign, tbb-spec, gitlab-tb-tor-browser-spec
Cc: boklm, brade, mcs
Actual Points:
Parent ID: #18925
Points:
Reviewer:
Sponsor:


We should integrate the OS X code signing as well as we can into our release process. We have the following pieces at the moment:

1) We create a .dmg file as the result of our build process
2) We have a signing machine where these files need to get transferred to
3) We need to sign the inside the .dmg file
4) We need to ship the .dmg file with the signed app

Taking these into account it seems quite cumbersome to automate this even a bit. But maybe there is something I am missing.

This ticket is not about signing/removing the signature in a reproducible fashion. Getting this going is very likely a separate fun task.

Child Tickets

Change History (28)

comment:1 Changed 5 years ago by mcs

Cc: brade mcs added

comment:2 Changed 5 years ago by gk

Parent ID: #6540

However we end up integrating the code signing, this is no blocker for getting it shipped at all.

comment:3 Changed 4 years ago by gk

Keywords: TorBrowserTeam201606 GeorgKoppen201606 added
Owner: changed from erinn to gk
Status: changed from new to assigned

comment:4 Changed 4 years ago by gk

Keywords: GeorgKoppen201607 added; GeorgKoppen201606 removed

Moving my tickets

comment:5 Changed 4 years ago by gk

Keywords: TorBrowserTeam201607 added; TorBrowserTeam201606 removed

comment:6 Changed 4 years ago by gk

Keywords: TorBrowserTeam201608 added; TorBrowserTeam201607 removed

Moving items to August 2016.

comment:7 Changed 4 years ago by gk

Keywords: GeorgKoppen201608 added; GeorgKoppen201607 removed

Moving my tickets as well.

comment:8 Changed 4 years ago by gk

Keywords: GeorgKoppen201609 added; GeorgKoppen201608 removed

Moving my tickets

comment:9 Changed 4 years ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:10 Changed 4 years ago by gk

Keywords: GeorgKoppen201610 added; GeorgKoppen201609 removed

Moving my tickets

comment:11 Changed 4 years ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving tickets to October.

comment:12 Changed 4 years ago by gk

Keywords: GeorgKoppen201611 added; GeorgKoppen201610 removed

Moving my tickets to November.

comment:13 Changed 4 years ago by gk

Keywords: TorBrowserTeam201611 added; TorBrowserTeam201610 removed

Moving tickets over to November.

comment:14 Changed 4 years ago by gk

Keywords: GeorgKoppen201612 added; GeorgKoppen201611 removed

Moving my tickets

comment:15 Changed 4 years ago by gk

Keywords: TorBrowserTeam201612 added; TorBrowserTeam201611 removed

Moving tickets to December.

comment:16 Changed 4 years ago by gk

Keywords: TorBrowserTeam201701 added; TorBrowserTeam201612 removed

Moving our tickets to January 2017

comment:17 Changed 4 years ago by gk

Keywords: GeorgKoppen201701 added; GeorgKoppen201612 removed

comment:18 Changed 4 years ago by gk

Keywords: TorBrowserTeam201702 added; TorBrowserTeam201701 removed

Moving our tickets to Feb 2017.

comment:19 Changed 4 years ago by gk

Keywords: GeorgKoppen201702 added; GeorgKoppen201701 removed

Moving my tickets as well

comment:20 Changed 2 years ago by gk

Component: changed from Applications/Tor bundles/installation to Applications/Tor Browser

Moving to Tor Browser.

comment:21 Changed 2 years ago by traumschule

Parent ID: #3893

comment:22 Changed 2 years ago by traumschule

0) From a nerd perspective it would be interesting to find signed statements like:

Hash: SHA512

Checking that we are in possession of the private key for $keyid.. Succeeded.
Mounting .dmg image $tb_image_with_version_string.. Succeeded.
Checking that is present.. Succeeded. has version: $version_string has sha256 checksum: $sum_tb
Signing Succeeded.
Signature file has sha256 checksum: $sum_tb_sig


Then everyone with the necessary skills could download this statement from our website and verify it:

$ curl $tbo_url > tb_osx_version_statement.txt
$ gpg --auto-key-retrieve --verify tb_osx_version_statement.txt
gpg: Signature made Sun 26 Aug 2018 01:46:48 AM CEST
gpg:                using RSA key 93564DED85468D9AC290360512EE7D7071112056
gpg: key 12EE7D7071112056: public key "traumschule <>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "traumschule <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9356 4DED 8546 8D9A C290  3605 12EE 7D70 7111 2056

and be happy that there is a trustpath for the downloaded file.

(Imagine the tbo signing key here instead. It would also be good to integrate timestamps, to protect against attackers redoing this process for older versions.)

2) From a user perspective only a detach-clearsigned shaX.sum file with sums for the .dmg and the signature file is interesting because it is automatically processable and supplies useful output:

$ wget $url_to_tba_osx_version.xz; tar xf $tba_osx_version.xz; cd tba_osx_version
$ sha256sum -c sha256.sum
tb_osx_version.dmg: OK
tb_osx_version.dmg.asc: OK
$ gpg --auto-key-retrieve --verify tb_osx_version.dmg.asc

3) From a webadmin's perspective no changes are needed except updating the signing page once. This would solve #9864, #22637, #26539 for us.

4) The person who signs the file could run the signing script and carry the archive over to dist containing:

  • .dmg file
  • signature for .dmg file
  • checksum file for both
  • signature file for checksum file
    # detached, ASCII-armored signature for the binary .dmg (clearsign is meant for text)
    gpg --armor --detach-sign --output tb_osx_version.dmg.asc tb_osx_version.dmg
    # checksums of the .dmg and its signature, in the format sha256sum -c expects
    sha256sum tb_osx_version.dmg tb_osx_version.dmg.asc > sha256.sum
    # clearsigned copy of the checksum file
    gpg --clearsign --output sha256.sum.sig sha256.sum
    cd ..; tar cJf tb_osx_version.xz tb_osx_version/

5) An archive with these four files present can be considered trustworthy and reliably created by the tba signing person.

Do you see an alternative to this process?
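
A worked version of the verification side of steps 2) and 4), added here as an example that is not part of the ticket or of Tor Browser's own tooling: it recomputes sha256sum-style checksums for the .dmg and its signature file and strips the clearsign armor (including RFC 4880 dash-escaping) so the listed lines can be checked after gpg --verify has accepted the signature. The signature block written by clearsign_body is a constructed placeholder; real signing and signature verification stay with gpg.

```python
import hashlib
from pathlib import Path

ARMOR_HEAD = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HEAD = "-----BEGIN PGP SIGNATURE-----"
SIG_TAIL = "-----END PGP SIGNATURE-----"


def sha256_file(path):
    """Digest a file in chunks, as sha256sum does (fine for a large .dmg)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sums(directory, names):
    """Equivalent of `sha256sum f1 f2 > sha256.sum` (two-space separator)."""
    return "".join(f"{sha256_file(Path(directory) / n)}  {n}\n" for n in names)


def clearsign_body(text):
    """Wrap text the way gpg --clearsign lays it out, with dash-escaping.
    The signature block is a constructed placeholder, not a real signature."""
    escaped = "\n".join(("- " + l) if l.startswith("-") else l for l in text.splitlines())
    return "\n".join([ARMOR_HEAD, "Hash: SHA512", "", escaped, SIG_HEAD, "(placeholder)", SIG_TAIL]) + "\n"


def unwrap_clearsigned(text):
    """Recover the signed checksum lines from a clearsigned sha256.sum.sig.
    Assumes gpg --verify was already run on the file; this only parses the armor."""
    lines = text.splitlines()
    if not lines or lines[0] != ARMOR_HEAD:
        return text  # a plain sha256.sum, nothing to strip
    start = lines.index("") + 1  # first blank line ends the armor headers
    end = lines.index(SIG_HEAD)
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(body) + "\n"


def check_sums(directory, sums_text):
    """Equivalent of `sha256sum -c`: returns {filename: True/False} for each listed file."""
    results = {}
    for line in unwrap_clearsigned(sums_text).splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        name = name.lstrip("*")  # sha256sum's binary-mode marker
        results[name] = sha256_file(Path(directory) / name) == digest.lower()
    return results
```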

comment:23 Changed 2 years ago by teor

macOS code signing is automatically verified by the OS. It is different to gpg signing:

comment:24 Changed 2 years ago by traumschule

Parent ID: changed from #3893 to #18925

Just read over comment:4:ticket:20254 and it doesn't sound fun; not even sure if I want to be a part of it. Sorry, gk, for meddling with your ticket so much. Don't know if the new parent makes sense for you, but probably more than the previous one.

comment:25 Changed 11 months ago by gk

Owner: changed from gk to tbb-team

comment:26 Changed 9 months ago by boklm

Keywords: tbb-sign added

comment:27 Changed 5 months ago by sysrqb

Keywords: tbb-spec added

comment:28 Changed 5 months ago by gk

Keywords: gitlab-tb-tor-browser-spec added

Add magic gitlab keyword.
