Opened 4 years ago

Last modified 16 months ago

#18925 needs_information enhancement

Add instructions for removing the code signing parts of OS X bundles and MAR files

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords: website-content, GeorgKoppen201806, TorBrowserTeam201806
Cc: boklm, brade, mcs
Actual Points:
Parent ID: #17413
Points:
Reviewer:
Sponsor:

Description

We start with code signing on OS X now and should have instructions on our website for getting rid of the code signing parts to make it easier to compare the things we ship with the things we built.

Child Tickets

Ticket | Type | Status | Owner | Summary
#18820 | task | assigned | tbb-team | Integrate code signing into the release process
#20254 | enhancement | new | tbb-team | Update marsigning-check.sh to cope with signed OS X MAR files

Change History (60)

comment:1 Changed 4 years ago by boklm

Cc: boklm added

comment:2 Changed 4 years ago by gk

Keywords: TorBrowserTeam201605 added; TorBrowserTeam201604 removed

Moving tickets

comment:3 Changed 4 years ago by gk

I've thought about this a bit and here are the requirements I came up with:

1) We should build .dmg files as we are doing now for our QA. One idea was to create .dmg files only after signing the packages to make the whole process less burdensome. But that would leave us without testing the step where users get Tor Browser out of the .dmg container on their computer.

2) We have scripts for checking the Authenticode signatures and the MAR file signatures to make sure we did not miss a file while signing and that stripping the signatures is reproducible. We should have a script for checking signed .dmg files as well.

3) We should provide instructions for removing code signing parts *on* OS X systems as well.

comment:4 Changed 4 years ago by gk

Keywords: TorBrowserTeam201606 added; TorBrowserTeam201605 removed

comment:5 Changed 3 years ago by gk

Keywords: TorBrowserTeam201607 GeorgKoppen201607 added; TorBrowserTeam201606 removed

comment:6 Changed 3 years ago by gk

Keywords: TorBrowserTeam201608 added; TorBrowserTeam201607 removed

Moving items to August 2016.

comment:7 Changed 3 years ago by gk

Keywords: GeorgKoppen201608 added; GeorgKoppen201607 removed

Moving my tickets as well.

comment:8 Changed 3 years ago by gk

Keywords: GeorgKoppen201609 added; GeorgKoppen201608 removed

Moving my tickets

comment:9 Changed 3 years ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:10 Changed 3 years ago by gk

Summary: Add instructions for removing the code signing parts of OS X bundles → Add instructions for removing the code signing parts of OS X bundles and MAR files

We have MAR files with code-signing bits as well now that #19410 got fixed. We should add instructions for removing them reproducibly as well.

comment:11 Changed 3 years ago by mcs

Cc: brade mcs added

comment:12 Changed 3 years ago by gk

Keywords: GeorgKoppen201610 added; GeorgKoppen201609 removed

Moving my tickets

comment:13 Changed 3 years ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving tickets to October.

comment:14 Changed 3 years ago by gk

Keywords: GeorgKoppen201611 added; GeorgKoppen201610 removed

Moving my tickets to November.

comment:15 Changed 3 years ago by gk

Keywords: TorBrowserTeam201611 added; TorBrowserTeam201610 removed

Moving tickets over to November.

comment:16 Changed 3 years ago by gk

Keywords: GeorgKoppen201612 added; GeorgKoppen201611 removed

Moving my tickets

comment:17 Changed 3 years ago by gk

Keywords: TorBrowserTeam201612 added; TorBrowserTeam201611 removed

Moving tickets to December.

comment:18 Changed 3 years ago by gk

Keywords: TorBrowserTeam201701 added; TorBrowserTeam201612 removed

Moving our tickets to January 2017

comment:19 Changed 3 years ago by gk

Keywords: GeorgKoppen201701 added; GeorgKoppen201612 removed

comment:20 Changed 3 years ago by gk

Providing instructions about removing the code signing parts (which is what this ticket is about) requires a tool that does the removal first. Getting that is tracked in #20254 for the MAR files as we need this tool for our Q&A work (and potentially for #20892) as well.

comment:21 Changed 3 years ago by gk

Keywords: TorBrowserTeam201702 added; TorBrowserTeam201701 removed

Moving our tickets to Feb 2017.

comment:22 Changed 3 years ago by gk

Keywords: GeorgKoppen201702 added; GeorgKoppen201701 removed

Moving my tickets as well

comment:23 Changed 3 years ago by gk

Keywords: TorBrowserTeam201703 added; TorBrowserTeam201702 removed

Moving tickets to March

comment:24 Changed 3 years ago by gk

Keywords: GeorgKoppen201703 added; GeorgKoppen201702 removed

Moving my tickets.

comment:25 Changed 3 years ago by gk

Keywords: TorBrowserTeam201704 added; TorBrowserTeam201703 removed

Move remaining tickets over to April

comment:26 Changed 3 years ago by gk

Keywords: GeorgKoppen201704 added; GeorgKoppen201703 removed

Moving my tickets to April

comment:27 Changed 3 years ago by gk

Keywords: TorBrowserTeam201705 added; TorBrowserTeam201704 removed

Moving our tickets to May 2017.

comment:28 Changed 3 years ago by gk

Keywords: TorBrowserTeam201706 added; TorBrowserTeam201705 removed

Moving our tickets to June.

comment:29 Changed 2 years ago by gk

Keywords: TorBrowserTeam201707 added; TorBrowserTeam201706 removed

Moving Tickets to July 2017.

comment:30 Changed 2 years ago by gk

Keywords: GeorgKoppen201707 added; GeorgKoppen201704 removed

comment:31 Changed 2 years ago by hiro

Keywords: website-content added

comment:32 Changed 2 years ago by gk

Keywords: TorBrowserTeam201708 added; TorBrowserTeam201707 removed

Moving our Tickets to August.

comment:33 Changed 2 years ago by gk

Keywords: GeorgKoppen201708 added; GeorgKoppen201707 removed

Moving my tickets to August.

comment:34 Changed 2 years ago by gk

Keywords: GeorgKoppen201709 added; GeorgKoppen201708 removed

Moving my tickets to the new month.

comment:35 Changed 2 years ago by gk

Keywords: TorBrowserTeam201709 added; TorBrowserTeam201708 removed

Items for September 2017.

comment:36 Changed 2 years ago by gk

Keywords: TorBrowserTeam201710 added; TorBrowserTeam201709 removed

Items for October 2017

comment:37 Changed 2 years ago by gk

Keywords: GeorgKoppen201710 added; GeorgKoppen201709 removed

comment:38 Changed 2 years ago by gk

Keywords: GeorgKoppen201711 added; GeorgKoppen201710 removed

Moving my tickets to November.

comment:39 Changed 2 years ago by gk

Keywords: TorBrowserTeam201711 added; TorBrowserTeam201710 removed

Moving tickets over to November.

comment:40 Changed 2 years ago by gk

Moving tickets to December 2017

comment:41 Changed 2 years ago by gk

Keywords: TorBrowserTeam201712 added; TorBrowserTeam201711 removed

Moving tickets to December 2017, for realz.

comment:42 Changed 2 years ago by gk

Keywords: GeorgKoppen201712 added; GeorgKoppen201711 removed

Moving my tickets to December.

comment:43 Changed 2 years ago by gk

Keywords: GeorgKoppen201801 added; GeorgKoppen201712 removed

Moving my tickets to 2018

comment:44 Changed 2 years ago by gk

Keywords: TorBrowserTeam201801 added; TorBrowserTeam201712 removed

Moving tickets to 2018.

comment:45 Changed 22 months ago by gk

Keywords: GeorgKoppen201802 added; GeorgKoppen201801 removed

Moving my tickets to Feb.

comment:46 Changed 22 months ago by gk

Keywords: TorBrowserTeam201802 added; TorBrowserTeam201801 removed

Moving tickets to Feb

comment:47 Changed 21 months ago by gk

Keywords: GeorgKoppen201803 added; GeorgKoppen201802 removed

Moving my tickets to March.

comment:48 Changed 21 months ago by gk

Keywords: TorBrowserTeam201803 added; TorBrowserTeam201802 removed

Adding to our March plate.

comment:49 Changed 21 months ago by gk

Keywords: GeorgKoppen201804 added; GeorgKoppen201803 removed

Moving my tickets to April 2018

comment:50 Changed 20 months ago by gk

Keywords: TorBrowserTeam201804 added; TorBrowserTeam201803 removed

Moving our tickets to April.

comment:51 Changed 19 months ago by gk

Keywords: TorBrowserTeam201805 added; TorBrowserTeam201804 removed

Moving remaining tickets to May.

comment:52 Changed 19 months ago by gk

Keywords: GeorgKoppen201805 added; GeorgKoppen201804 removed

Moving my tickets.

comment:53 Changed 18 months ago by gk

Keywords: GeorgKoppen201806 added; GeorgKoppen201805 removed

Moving my tickets to June 2018.

comment:54 Changed 18 months ago by gk

Keywords: TorBrowserTeam201806 added; TorBrowserTeam201805 removed

Moving our tickets to June 2018

comment:55 Changed 16 months ago by traumschule

Parent ID: #3893

comment:56 Changed 16 months ago by traumschule

Parent ID: #3893 → #17413

comment:57 Changed 16 months ago by traumschule

Status: new → needs_information

For some reason I assigned myself to the parent of this, but I have no access to mac hardware right now (and need to set up a test environment first). Maybe someone can help with a hint if and how the current guide needs to be updated while I try to let the page look better and less confusing.

comment:58 in reply to:  57 Changed 16 months ago by gk

Replying to traumschule:

> For some reason I assigned myself to the parent of this, but I have no access to mac hardware right now (and need to set up a test environment first). Maybe someone can help with a hint if and how the current guide needs to be updated while I try to let the page look better and less confusing.

It seems the formatting got broken, especially in the parts at the end of that page? That said the macOS (i.e. code-signing) related bits are blocked on #20254.

Last edited 16 months ago by gk

comment:59 Changed 16 months ago by traumschule

Saw that one and I'm pretty sure you spent a lot of time on it. From my perspective it should get support from an Apple developer. Maybe the donate button needs to get nearer to the mac row :)

The formatting issue looks like a missing close tag to me but I couldn't find it yet. Have to go over the whole page anyway for https://github.com/torproject/webwml/pull/31
What do you think of the idea? I wonder which browsers it might break.

comment:60 Changed 16 months ago by traumschule

I cannot test it right now, but I used this guide some time ago for testing an ansible role with travis. Here's my draft:

#!/bin/sh
set -e
# Tests the checksum of our generated mar files on macOS

# settings
tbbversion=8.0a10
lang=en-US
distdomain=https://dist.torproject.org
#distdomain=http://rqef5a5mebgq46y5
dmgurl="$distdomain/torbrowser/$tbbversion/TorBrowser-$tbbversion-osx64_$lang.dmg"
martoolsurl="http://rqef5a5mebgq46y5.onion/torbrowser/$tbbversion/mar-tools-mac64.zip"
sumsurl="$distdomain/torbrowser/$tbbversion/sha256sums-signed-build.txt"

cache="$(pwd)/cache" # Assuming this is run by a CI that supports it, the cache should be mounted beforehand.
dmgfile="$cache/$(basename "$dmgurl")"
mountpath="$cache/mnt" # explicit mount point instead of guessing the /Volumes name
signedmarfile="signed-mar-file.mar" # placeholder name, resolved inside the mounted image below
unsignedmarfile="tor-browser-osx64-${tbbversion}_${lang}.mar" # braces needed: "$tbbversion_" is a different variable

# preparation
mkdir -p "$cache" "$mountpath"
cd "$cache"
wget "$martoolsurl"
wget "$dmgurl"
wget "$sumsurl"
wget "$sumsurl.asc"
sumfile="$cache/$(basename "$sumsurl")"

gpg --recv-keys 0x4E2C6E8793298290
# gpg reports the result on stderr, so test its exit status instead of grepping stdout
if ! gpg --verify "$sumfile.asc" "$sumfile"
then echo "Signature verification failed: $sumfile"; exit 1; fi

martoolszip="$(basename "$martoolsurl")"
[ -n "$martoolszip" ] || exit 1
[ -f "$martoolszip" ] || exit 1
unzip "$martoolszip" # should extract to mar-tools
[ -f mar-tools/signmar ] || exit 1
marpath="$cache/mar-tools"

hdiutil attach -nobrowse -mountpoint "$mountpath" "$dmgfile"
cd "$mountpath"
export LD_LIBRARY_PATH="$marpath"
# signmar -r strips the signature; write the result to the cache because the mounted image is read-only
"$marpath/signmar" -r "$signedmarfile" "$cache/$unsignedmarfile"
# compare bare hashes with a string test; the listed hash must be that of the unsigned MAR
actual="$(shasum -a 256 "$cache/$unsignedmarfile" | awk '{print $1}')"
expected="$(grep -F "$unsignedmarfile" "$sumfile" | awk '{print $1}')"
if [ "$actual" != "$expected" ]
then echo "sha256sum does not match: $unsignedmarfile"; exit 1; fi

Would that work?
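
An added example, not part of the ticket or of the Tor Browser scripts: the last step of the draft in comment:60 (comparing a stripped file's SHA-256 with a signed sums list), written so that it fails closed. The function names, return codes and the sample file names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): fail-closed check of a file's SHA-256
# against a sha256sums-style list with one "<hex>  <filename>" entry per line.

# Print the SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_against_sums FILE SUMSFILE
# Returns 0 on match, 1 on mismatch, 2 if FILE has zero or several entries
# in SUMSFILE, 3 if FILE does not exist.
check_against_sums() {
    file=$1; sums=$2
    [ -f "$file" ] || return 3
    name=$(basename "$file")
    # Compare the filename column exactly; grep would read "." as a wildcard
    # and accept any line that merely contains the name.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1 }' "$sums")
    count=$(printf '%s\n' "$expected" | grep -c .) || true
    [ "$count" -eq 1 ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Constructed demo: the sums list has a single entry, "a.mar". The file
# "aXmar" matches the regex "a.mar" but must be reported as having no entry.
demo() {
    d=$(mktemp -d)
    printf 'constructed MAR bytes' > "$d/a.mar"
    printf 'constructed MAR bytes' > "$d/aXmar"
    printf '%s  a.mar\n' "$(sha256_of "$d/a.mar")" > "$d/sums.txt"
    r1=0; check_against_sums "$d/a.mar" "$d/sums.txt" || r1=$?
    r2=0; check_against_sums "$d/aXmar" "$d/sums.txt" || r2=$?
    rm -rf "$d"
    echo "a.mar=$r1 aXmar=$r2"
}
demo
```

The sums list itself is only trustworthy after its detached signature has been verified, as the draft does with `gpg --verify` before this step.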
