Error while signing 12.0.2 for macos
While signing 12.0.2, running the step macos-signer-gatekeeper-signing, I had an error during signature verification, which is done with the command:
spctl -vvvv --assess --type exec --context context:primary-signature 'Tor Browser.app/'
The script is checking the signature two times. A first time immediately after signing, then it creates a zip file, then extracts the zip file in a temporary directory and checks the signature again. The signature verification is failing only the second time (from the directory that was extracted from the zip file).
To debug this I modified the signing script to keep a copy of the Tor Browser.app signed directory (non-zipped), and compared it with a Tor Browser.app extracted from the zip: both directories have exactly the same content and the same file permissions. However, although the content is apparently exactly the same, spctl returns a different result: good signature on the never-zipped directory, and bad signature on the directory extracted from the zip.
I created tar files from both directories and compared them with diffoscope on a Linux machine: the tar file with the working signature has one additional file: Contents/MacOS/Tor/PluggableTransports/._pt_config.json
$ file Contents/MacOS/Tor/PluggableTransports/._pt_config.json
Contents/MacOS/Tor/PluggableTransports/._pt_config.json: AppleDouble encoded Macintosh file
So it seems this file is some kind of hidden metadata for Contents/MacOS/Tor/PluggableTransports/pt_config.json, which is lost when creating zip files, but not when creating tar files.
It looks like the signing tool doesn't like having some non-binary file in directory Contents/MacOS and adds signature information as hidden metadata.
So I think possible solutions for this issue are:
- using tar files instead of zip files in the signing scripts. However I'm not sure if that will work in all following steps, for example when we re-create the dmg file.
- removing the file Contents/MacOS/Tor/PluggableTransports/pt_config.json. This will however require rebuilding 12.0.2 for macos.
/cc @richard
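As an added example (not from this issue or from the Tor Browser signing scripts), a small Python checker for the two things the report surfaces: AppleDouble '._' sidecar files, which carry Finder info and extended attributes that a zip round-trip drops, and non-Mach-O files under Contents/MacOS, whose signature the tool may have stored as such metadata. The bundle layout, the fake 'tor' binary and the AppleDouble bytes are constructed for the demo.

```python
"""Added example (not Tor Browser code): flag AppleDouble ('._*') sidecars and non-Mach-O files under Contents/MacOS."""
import struct
import tempfile
from pathlib import Path

APPLEDOUBLE_MAGIC = 0x00051607
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}
# Constructed AppleDouble v2 header: magic, version, 16-byte filler, entry count, then
# (id, offset, length) descriptors. Entry 9 (Finder info) longer than 32 bytes carries
# appended extended attributes, e.g. the com.apple.cs.* blobs codesign writes for non-Mach-O files.
SAMPLE_APPLEDOUBLE = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, 0x00020000, b"Mac OS X", 2)
SAMPLE_APPLEDOUBLE += struct.pack(">IIIIII", 9, 50, 3810, 2, 3860, 286)
SAMPLE_APPLEDOUBLE += b"\0" * (3860 + 286 - len(SAMPLE_APPLEDOUBLE))

def parse_appledouble(blob):
    """Map entry id -> byte length for an AppleDouble header, or None if blob is not one."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return None
    (count,) = struct.unpack(">H", blob[24:26])
    entries = [struct.unpack_from(">III", blob, 26 + 12 * i) for i in range(count)]
    return {eid: length for eid, _offset, length in entries}

def is_macho(head):
    """True if the first four bytes are a Mach-O or fat-binary magic (either byte order)."""
    return len(head) >= 4 and struct.unpack(">I", head[:4])[0] in MACHO_MAGICS

def audit_bundle(root):
    """Return (AppleDouble sidecars, non-Mach-O files under Contents/MacOS), relative to root."""
    root = Path(root)
    macos_dir = root / "Contents" / "MacOS"
    sidecars, non_binary = [], []
    for path in (p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(4096)  # enough for the AppleDouble header and any magic
        rel = path.relative_to(root).as_posix()
        if path.name.startswith("._") and parse_appledouble(head) is not None:
            sidecars.append(rel)
        elif macos_dir in path.parents and not is_macho(head):
            non_binary.append(rel)
    return sorted(sidecars), sorted(non_binary)

def demo():
    """Constructed bundle mirroring the issue: pt_config.json plus its '._' sidecar beside a fake Mach-O 'tor'."""
    root = Path(tempfile.mkdtemp())
    pt = root / "Contents" / "MacOS" / "Tor" / "PluggableTransports"
    pt.mkdir(parents=True)
    (pt / "pt_config.json").write_bytes(b"{}\n")
    (pt / "._pt_config.json").write_bytes(SAMPLE_APPLEDOUBLE)
    (root / "Contents" / "MacOS" / "tor").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 60)
    return audit_bundle(root)
```

Running audit_bundle() on the never-zipped and the unzipped trees and diffing the two lists shows directly which sidecars the zip step discarded.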