Opened 2 years ago

Last modified 4 weeks ago

#18820 assigned task

Integrate code signing into the release process

Reported by: gk Owned by: gk
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-6.0a5, TorBrowserTeam201702, GeorgKoppen201702
Cc: boklm, brade, mcs Actual Points:
Parent ID: #18925 Points:
Reviewer: Sponsor:

Description

We should integrate the OS X code signing as well as we can into our release process. We have the following pieces at the moment:

1) We create a .dmg file as the result of our build process
2) We have a signing machine where these files need to get transferred to
3) We need to sign the TorBrowser.app inside the .dmg file
4) We need to ship the .dmg file with the signed app

Taking these into account it seems quite cumbersome to automate this even a bit. But maybe there is something I am missing.

This ticket is not about signing/removing the signature in a reproducible fashion. Getting this going is very likely a separate fun task.

Change History (24)

comment:1 Changed 2 years ago by mcs

Cc: brade mcs added

comment:2 Changed 2 years ago by gk

Parent ID: #6540

However we end up integrating the codesigning this is no blocker for getting it shipped at all.

comment:3 Changed 2 years ago by gk

Keywords: TorBrowserTeam201606 GeorgKoppen201606 added
Owner: changed from erinn to gk
Status: new → assigned

comment:4 Changed 2 years ago by gk

Keywords: GeorgKoppen201607 added; GeorgKoppen201606 removed

Moving my tickets

comment:5 Changed 2 years ago by gk

Keywords: TorBrowserTeam201607 added; TorBrowserTeam201606 removed

comment:6 Changed 2 years ago by gk

Keywords: TorBrowserTeam201608 added; TorBrowserTeam201607 removed

Moving items to August 2016.

comment:7 Changed 2 years ago by gk

Keywords: GeorgKoppen201608 added; GeorgKoppen201607 removed

Moving my tickets as well.

comment:8 Changed 2 years ago by gk

Keywords: GeorgKoppen201609 added; GeorgKoppen201608 removed

Moving my tickets

comment:9 Changed 2 years ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:10 Changed 2 years ago by gk

Keywords: GeorgKoppen201610 added; GeorgKoppen201609 removed

Moving my tickets

comment:11 Changed 2 years ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving tickets to October.

comment:12 Changed 23 months ago by gk

Keywords: GeorgKoppen201611 added; GeorgKoppen201610 removed

Moving my tickets to November.

comment:13 Changed 23 months ago by gk

Keywords: TorBrowserTeam201611 added; TorBrowserTeam201610 removed

Moving tickets over to November.

comment:14 Changed 22 months ago by gk

Keywords: GeorgKoppen201612 added; GeorgKoppen201611 removed

Moving my tickets

comment:15 Changed 22 months ago by gk

Keywords: TorBrowserTeam201612 added; TorBrowserTeam201611 removed

Moving tickets to December.

comment:16 Changed 21 months ago by gk

Keywords: TorBrowserTeam201701 added; TorBrowserTeam201612 removed

Moving our tickets to January 2017

comment:17 Changed 21 months ago by gk

Keywords: GeorgKoppen201701 added; GeorgKoppen201612 removed

comment:18 Changed 20 months ago by gk

Keywords: TorBrowserTeam201702 added; TorBrowserTeam201701 removed

Moving our tickets to Feb 2017.

comment:19 Changed 20 months ago by gk

Keywords: GeorgKoppen201702 added; GeorgKoppen201701 removed

Moving my tickets as well

comment:20 Changed 3 months ago by gk

Component: Applications/Tor bundles/installation → Applications/Tor Browser

Moving to Tor Browser.

comment:21 Changed 6 weeks ago by traumschule

Parent ID: #3893

comment:22 Changed 4 weeks ago by traumschule

0) From a nerd perspective it would be interesting to find signed statements like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Checking that we are in possession of the private key for $keyid.. Succeeded.
Mounting .dmg image $tb_image_with_version_string.. Succeeded.
Checking that TorBrowser.app is present.. Succeeded.
TorBrowser.app has version: $version_string
TorBrowser.app has sha256 checksum: $sum_tb
Signing TorBrowser.app.. Succeeded.
Signature file has sha256 checksum: $sum_tb_sig
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Then everyone with the necessary skills could download this statement from our website and verify it:

$ curl $tbo_url > tb_osx_version_statement.txt 
$ gpg --auto-key-retrieve --verify tb_osx_version_statement.txt 
gpg: Signature made Sun 26 Aug 2018 01:46:48 AM CEST
gpg:                using RSA key 93564DED85468D9AC290360512EE7D7071112056
gpg: key 12EE7D7071112056: public key "traumschule <traumschuleriebau@riseup.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "traumschule <traumschuleriebau@riseup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9356 4DED 8546 8D9A C290  3605 12EE 7D70 7111 2056

and be happy that there is a trustpath for the downloaded file.

(Think of the tbo signing key here instead. It would also be good to integrate timestamps, to protect against attackers redoing this process for older versions.)

2) From a user perspective only a detach-clearsigned shaX.sum file with sums for the .dmg and the signature file is interesting because it is automatically processable and supplies useful output:

$ wget $url_to_tba_osx_version.xz; tar xf $tba_osx_version.xz; cd tba_osx_version
$ sha256sum -c sha256.sum
tb_osx_version.dmg: OK
tb_osx_version.dmg.asc: OK
$ gpg --auto-key-retrieve --verify tb_osx_version.dmg.asc

3) From a webadmin's perspective no changes are needed except updating the signing page once. This would solve #9864, #22637 and #26539 for us.

4) The person who signs the file could run the signing script and carry the archive over to dist containing:

  • .dmg file
  • signature for .dmg file
  • checksum file for both
  • signature file for checksum file

    gpg --clearsign $tb_osx_version_file > $tb_osx_version_file.sig
    sha256sum $tb_osx_version_file $tb_osx_version_file.sig > tb_osx_version_sha256.sum
    gpg --clearsign tb_osx_version_sha256.sum > tb_osx_version_sha256.sum.sig
    cd ..; tar cJf tb_osx_version.xz tb_osx_version/

5) An archive with these four files present can be considered trustworthy and reliably created by the tba signing person.

Do you see an alternative to this process?

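Added example (not from this ticket or from Tor Browser's tooling): the checksum step of the process proposed in comment:22, in Python. It writes the checksum file in the coreutils format that `sha256sum -c` reads and re-verifies it, so a .dmg modified after the checksum file was written is reported as FAILED; file names and contents are constructed placeholders, and the gpg clearsign over the checksum file, which is what makes the checksums authentic rather than merely intact, is left to gpg as in the comment.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Coreutils checksum line: 64 hex digits, then "  " (text mode) or " *" (binary mode), then the name.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sum_file(release_dir: Path, names, sum_name: str = "sha256.sum") -> Path:
    """Write the checksum file exactly as `sha256sum <names>` would print it."""
    lines = [f"{sha256_file(release_dir / n)}  {n}" for n in names]
    out = release_dir / sum_name
    out.write_text("\n".join(lines) + "\n")
    return out


def check_sum_file(sum_path: Path) -> dict:
    """Verify like `sha256sum -c`: returns {name: "OK" | "FAILED" | "MISSING"}."""
    results = {}
    for line in sum_path.read_text().splitlines():
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected, name = m.group(1).lower(), m.group(2)
        target = sum_path.parent / name
        if not target.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(target) == expected else "FAILED"
    return results


def demo():
    """Constructed release directory: placeholder .dmg and detached signature (not real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "tb_osx_version.dmg").write_bytes(b"constructed dmg contents")
        (d / "tb_osx_version.dmg.asc").write_bytes(b"constructed detached signature")
        sums = write_sum_file(d, ["tb_osx_version.dmg", "tb_osx_version.dmg.asc"])
        before = check_sum_file(sums)
        # Modify the .dmg after the checksum file was written; only that entry should fail.
        (d / "tb_osx_version.dmg").write_bytes(b"tampered dmg contents")
        after = check_sum_file(sums)
    return before, after
```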
comment:23 Changed 4 weeks ago by teor

macOS code signing is automatically verified by the OS. It is different to gpg signing:
https://developer.apple.com/support/code-signing/

comment:24 Changed 4 weeks ago by traumschule

Parent ID: #3893 → #18925

Just read over comment:4:ticket:20254 and it doesn't sound fun; not even sure if I want to be a part of it. Sorry, gk, for meddling with your ticket so much. Don't know if the new parent makes sense for you, but probably more than the previous one.
