Update marsigning-check.sh to cope with signed OS X MAR files

Now that the fix for #19410 (moved) landed our marsigning-check.sh script can't check the correctness of our MAR file signatures easily anymore as we use the SHA256 sums of the unsigned MAR files currently. We should adapt the script.

added GeorgKoppen201806 ReleaseTrainMigration TorBrowserTeam201806 component::applications/tor browser gitlab-tb-tor-browser-build owner::tbb-team parent::18925 priority::medium severity::normal status::new tbb-rbm tbb-sign type::enhancement labels

Trac:
Description: Now that the fix for #19410 (moved) landed out marsigning-check.sh script can't check the correctness of our MAR file signatures easily anymore as we use the SHA256 sums of the unsigned MAR files currently. We should adapt the script.

to

Now that the fix for #19410 (moved) landed our marsigning-check.sh script can't check the correctness of our MAR file signatures easily anymore as we use the SHA256 sums of the unsigned MAR files currently. We should adapt the script.

Trac:
Keywords: N/A deleted, TorBrowserTeam201701 added

Trac:
Cc: N/A to boklm, brade, mcs

Here comes an update on where I am right now. Input is highly appreciated:

To strip the code signature off a macOS binary the following things must be done:

1. Adjust the number of commands in the header (- LC_CODE_SIGNATURE)
2. Adjust the size of the commands in the header (- 16 as this is the size of LC_CODE_SIGNATURE)
3. Remove the LC_CODE_SIGNATURE load command
4. Adapt __LINKEDIT segment and respective load command

Doing 1)-3) is not overly complicated but adapting the __LINKEDIT segment properly turns out to be tricky. During code signing the signature is appended to the __LINKEDIT segment. When stripping the signature some approaches just overwrite the signature with 0-bytes. That's not working for us as we want to restore the original binary to be able to compare the SHA256 sums. But, unfortunately, removing the signature from the __LINKEDIT segment is not enough to achieve this. That's because the segemt is padded to be aligned with 0x10 if needed before the signature gets added. E.g. here is the relevant part of a library's __LINKEDIT segment without the code signature:

000034a0: 352f2f3a 35343136 00003234 00000000  ://5614542......
000034b0: 00000000                             ....

While it looks like this after code signing:

000034a0: 352f2f3a 35343136 00003234 00000000  ://5614542......
000034b0: 00000000 00000000 00000000 00000000  ................

So, the question is: How do we find out how many padding bytes got added during the code signing (and need now get removed)? A naive approach looking at the above hexdump output would be: "Leave 16 0-bytes and remove the remaining ones as padding bytes". But that does not work as there are binaries where the __LINKEDIT segment ends with less than 16 0-Bytes.

Three ways forward come to mind:

a) Align the files to be code-signed to 0x10 (+ adapt the size of the symbol table accordingly which is usually the last section in the __LINKEDIT segment) before starting the signing process. We are doing something similar with our .exe installers (see: #15539 (closed)) already which is working pretty well. Additionally, as we need to code-sign the binaries anyway one could argue it's perfectly fine to do the padding during the build.

b) Find out if there is the amount of 0-bytes at the end of the __LINKEDIT segment follows a pattern we could use to reliably strip the padding after removing the signature.

c) Record the size (or laste X bytes or) of all OS X binaries we ship during the build and make that available. The script removing the signatures could then consult that information when stripping the signature. This might not work for incremental MAR files as expected. I have not checked that yet.

Thoughts? Better alternatives? I find a) scary, have no much hope for b) and dislike c) so far.

General material about code signing on macOS:

https://developer.apple.com/library/content/technotes/tn2206/_index.html

(This document has the following fun Q&A :) ):

I wrote some data to the Mach-O file before signing. Is that allowed?

No. Do not tamper with Mach-O files, outside of using macOS build tools and Xcode workflows.

Material about the Mach-O file format:

https://lowlevelbits.org/parsing-mach-o-files/ https://github.com/aidansteele/osx-abi-macho-file-format-reference

Kathy and I cannot think of a better approach than a) or c). I like the elegance of a) but I wonder why Apple warns developers not to "tamper" with Mach-O files. So maybe c) is the best solution, even if having a file that records the "before signing" length of each Mach-O file is ugly.

Replying to mcs:

Kathy and I cannot think of a better approach than a) or c). I like the elegance of a) but I wonder why Apple warns developers not to "tamper" with Mach-O files.

I think that's the usual "There be dragons!1!!" scaremongering. :) So, it might be a) then? Exciting!

Moving our tickets to Feb 2017.

Trac:
Keywords: TorBrowserTeam201701 deleted, TorBrowserTeam201702 added

Trac:
Keywords: TorBrowserTeam201702 deleted, TorBrowserTeam201707, GeorgKoppen201707 added

Trac:
Parent: N/A to #18925 (moved)

Moving our Tickets to August.

Trac:
Keywords: TorBrowserTeam201707 deleted, TorBrowserTeam201708 added

Moving my tickets to August.

Trac:
Keywords: GeorgKoppen201707 deleted, GeorgKoppen201708 added

Moving my tickets to the new month.

Trac:
Keywords: GeorgKoppen201708 deleted, GeorgKoppen201709 added

Items for September 2017.

Trac:
Keywords: TorBrowserTeam201708 deleted, TorBrowserTeam201709 added

Moving over to rbm

Trac:
Keywords: tbb-gitian deleted, tbb-rbm added

Items for October 2017

Trac:
Keywords: TorBrowserTeam201709 deleted, TorBrowserTeam201710 added

Trac:
Keywords: GeorgKoppen201709 deleted, GeorgKoppen201710 added

Moving my tickets to November.

Trac:
Keywords: GeorgKoppen201710 deleted, GeorgKoppen201711 added

Moving tickets over to November.

Trac:
Keywords: TorBrowserTeam201710 deleted, TorBrowserTeam201711 added

Moving tickets to December 2017

Moving tickets to December 2017, for realz.

Trac:
Keywords: TorBrowserTeam201711 deleted, TorBrowserTeam201712 added

Moving my tickets to December.

Trac:
Keywords: GeorgKoppen201711 deleted, GeorgKoppen201712 added

Moving my tickets to 2018

Trac:
Keywords: GeorgKoppen201712 deleted, GeorgKoppen201801 added

Moving tickets to 2018.

Trac:
Keywords: TorBrowserTeam201712 deleted, TorBrowserTeam201801 added

Moving my tickets to Feb.

Trac:
Keywords: GeorgKoppen201801 deleted, GeorgKoppen201802 added

Moving tickets to Feb

Trac:
Keywords: TorBrowserTeam201801 deleted, TorBrowserTeam201802 added

Moving my tickets to March.

Trac:
Keywords: GeorgKoppen201802 deleted, GeorgKoppen201803 added

Adding to our March plate.

Trac:
Keywords: TorBrowserTeam201802 deleted, TorBrowserTeam201803 added

Moving my tickets to April 2018

Trac:
Keywords: GeorgKoppen201803 deleted, GeorgKoppen201804 added

Moving our tickets to April.

Trac:
Keywords: TorBrowserTeam201803 deleted, TorBrowserTeam201804 added

Moving remaining tickets to May.

Trac:
Keywords: TorBrowserTeam201804 deleted, TorBrowserTeam201805 added

Moving my tickets.

Trac:
Keywords: GeorgKoppen201804 deleted, GeorgKoppen201805 added

Moving my tickets to June 2018.

Trac:
Keywords: GeorgKoppen201805 deleted, GeorgKoppen201806 added

Moving our tickets to June 2018

Trac:
Keywords: TorBrowserTeam201805 deleted, TorBrowserTeam201806 added

Release Train Migration.

Trac:
Keywords: N/A deleted, ReleaseTrainMigration added

Adding S58 on testsuite tickets.

Trac:
Sponsor: N/A to Sponsor58

That's not S58 related.

Trac:
Sponsor: Sponsor58 to N/A
Keywords: N/A deleted, tbb-sign added

Trac:
Component: Applications/Quality Assurance and Testing to Applications/Tor Browser

Add magic gitlab keyword.

Trac:
Keywords: N/A deleted, gitlab-tb-tor-browser-build added

mentioned in issue #32895 (moved)

moved to tpo/applications/tor-browser-build#20254 (closed)

mentioned in issue tpo/applications/tor-browser-build#32895 (closed)