Opened 6 weeks ago

Last modified 6 weeks ago

#30126 new task

Make Tor Browser on macOS compatible with Apple's notarization

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security
Cc: mcs, brade Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by gk)

Notarization is a technique by Apple to make apps on macOS more secure to run. There a numerous parts to this and one can find more details about that on:

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

Mozilla is tracking the work in:

https://bugzilla.mozilla.org/show_bug.cgi?id=1470607

and there are a bunch of large pieces that still need to get solved on their side, like enabling the Hardened Runtime and building with the 10.14 SDK.

However, at some point in the future apps won't run without that anymore and the potential changes we need to made are probably considerable. Thus, we should keep an eye on that and start thinking about which pieces of our signing infrastructure need to get adapted. Questions could be:

1) Is it still enough to sign the builds on a 10.9 machine?
2) How do we integrate sending the apps to Apple to get their blessing into our release process?
3) How does that system work with our plan to get rid of the Apple signing machine and do the signing on Linux? (see: #29815)

I don't see this being relevant for ESR 68 but it might become so during the transition to the ESR after that one (or for the regular release train in case we'll start following that one instead).

Child Tickets

Change History (1)

comment:1 Changed 6 weeks ago by gk

Description: modified (diff)
Note: See TracTickets for help on using tickets.