14.0a1 fails to run on macOS because of invalid signature
- boklm marked this issue as related to #41199 (closed)
Probably related to the changes from #41199 (closed).
@pierov, @clairehurst: to debug the invalid signature issue, can you run the following command and paste the output?
$ codesign -vvv --deep --strict /path/to/bundle
Maybe the following command can also help:
$ spctl -vvv --assess --type exec /path/to/application
> codesign -vvv --deep --strict tor-browser-macos-14.0a1.dmg
tor-browser-macos-14.0a1.dmg: code object is not signed at all
> sha256sum tor-browser-macos-14.0a1.dmg
7869b568abdb39a5d43aefa775f85aadc462e2edf83bc88f6a3dab355fca3461 tor-browser-macos-14.0a1.dmg
Another output
> codesign -vvv --deep --strict firefox
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libfreebl3.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libfreebl3.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/liblgpllibs.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/liblgpllibs.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/plugin-container.app
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/plugin-container.app
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/nmhproxy
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/nmhproxy
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libsoftokn3.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libsoftokn3.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/XUL
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/XUL
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libosclientcerts.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libosclientcerts.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libmozavutil.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libmozavutil.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libmozglue.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libmozglue.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libgkcodecs.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libgkcodecs.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libipcclientcerts.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libipcclientcerts.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libmozavcodec.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libmozavcodec.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/updater.app
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/updater.app/Contents/Frameworks/UpdateSettings.framework
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/updater.app
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/PluggableTransports/lyrebird
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/PluggableTransports/lyrebird
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/PluggableTransports/conjure-client
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/PluggableTransports/conjure-client
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/PluggableTransports/snowflake-client
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/PluggableTransports/snowflake-client
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/libevent-2.1.7.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/libevent-2.1.7.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/tor
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/Tor/tor
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libnssckbi.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libnssckbi.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/media-plugin-helper.app
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/media-plugin-helper.app
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libnss3.dylib
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/MacOS/libnss3.dylib
--prepared:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/Frameworks/ChannelPrefs.framework
--validated:/Users/piero/Downloads/Tor Browser Alpha.app/Contents/Frameworks/ChannelPrefs.framework
firefox: valid on disk
firefox: satisfies its Designated Requirement
spctl (it wants a bundle):
> spctl -vvv --assess --type exec Tor\ Browser\ Alpha.app/
Tor Browser Alpha.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: The Tor Project, Inc (MADPSAYN6T)
I'm wondering if the firefox binary has the correct entitlement set.
From the signing logs:
setting entitlements XML for main signing target from path /signing/tor-browser-build/tools/signing/macos-entitlements/firefox.browser.xml
setting entitlements XML for path Contents/MacOS/media-plugin-helper.app from path /signing/tor-browser-build/tools/signing/macos-entitlements/media-plugin-helper.xml
setting entitlements XML for path Contents/MacOS/plugin-container.app from path /signing/tor-browser-build/tools/signing/macos-entitlements/plugin-container.xml
So in theory the firefox binary should get the firefox.browser.xml entitlement. But maybe the "main signing target" is not applied to the firefox binary for some reason. I had a similar issue with the code signature flag CodeSignatureFlags(RUNTIME) which is set on the main signing target according to the logs, but was not applied to some files (including the firefox binary) and required to be specified for each file individually.
It seems this command can be used to check the entitlements on some file:
codesign -d --entitlements :- <file>
On Monday I can try signing a 14.0a1 bundle specifying the entitlements for each file (I'll be afk today and tomorrow).
I've signed the 14.0a1 dmg with entitlements specified for all files:
- https://people.torproject.org/~boklm/tmp/bug_41202/tor-browser-macos-14.0a1.dmg
- https://people.torproject.org/~boklm/tmp/bug_41202/tor-browser-macos-14.0a1.dmg.asc
Using this patch: boklm/tor-browser-build@2fe60a32
Can anyone with a macOS machine check if it has the same error?
Another dmg to test:
- https://people.torproject.org/~boklm/tmp/bug_41202-3d0cb5417f42524529359a926fa12458f2943c2b/tor-browser-macos-14.0a1.dmg
- https://people.torproject.org/~boklm/tmp/bug_41202-3d0cb5417f42524529359a926fa12458f2943c2b/tor-browser-macos-14.0a1.dmg.asc
This one adds the following change: boklm/tor-browser-build@3d0cb541
From @ahf on irc:
% open Tor\ Browser\ Alpha.app
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000163a4c0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}
Thanks for testing @ahf!
After looking more at tools/signing/macos/mach_commands.py from Mozilla, I found that they have the option production-without-restricted which strips some restricted entitlements from the entitlements file:
- com.apple.developer.web-browser.public-key-credential
- com.apple.application-identifier
https://searchfox.org/mozilla-central/source/tools/signing/macos/mach_commands.py#656
Maybe having those entitlements is what is causing the error (com.apple.application-identifier is incorrect as it is set to Mozilla application-identifier, and com.apple.developer.web-browser.public-key-credential might not be allowed with our account).
So I removed them in this commit: boklm/tor-browser-build@ae9cabfd
And with this change signed a new dmg file for testing:
> Using this patch: boklm/tor-browser-build@2fe60a32
This one doesn't work also for me.
> This one adds the following change: boklm/tor-browser-build@3d0cb541
This is also broken for me.
> So I removed them in this commit: boklm/tor-browser-build@ae9cabfd
This works on x86!
> and com.apple.developer.web-browser.public-key-credential might not be allowed with our account
Shall we request it somehow?
> > So I removed them in this commit: boklm/tor-browser-build@ae9cabfd
> This works on x86!
Nice!
> > and com.apple.developer.web-browser.public-key-credential might not be allowed with our account
> Shall we request it somehow?
Yes, maybe. This seems necessary to have passkey support on macOS:
Let me know if I can help with anything here. The Mac I have is only used for meetings usually, so it can easily also test stuff for you all.
I made another signed build that needs testing:
- https://people.torproject.org/~boklm/tmp/bug_41202-4d4e13806af0d21b8fd5bc37f7479d4cedbf6448/tor-browser-macos-14.0a1.dmg
- https://people.torproject.org/~boklm/tmp/bug_41202-4d4e13806af0d21b8fd5bc37f7479d4cedbf6448/tor-browser-macos-14.0a1.dmg.asc
This was made using this patch: boklm/tor-browser-build@4d4e1380
Which is !1011 (merged).
Which is the same patch removing the restricted entitlements as ae9cabfd200176655f2d378f9db051de7f516057 (the signed build that is working), but without the two previous patches that might not be necessary. Testing this signed build is needed to confirm that the two other patches are not necessary.
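The fix discussed above comes down to removing two restricted keys from the entitlements file before signing. The following is an added example, not code from tor-browser-build or from Mozilla's mach_commands.py: it audits an entitlements plist for those two keys, flags an application-identifier whose team prefix differs from the signer's, and writes a stripped copy. The function names, the sample plist and the `ABCDE12345.org.example.browser` value are constructed for illustration; the team ID is the one shown in the spctl output above.

```python
import plistlib

# The two entitlements the thread names as stripped by Mozilla's
# production-without-restricted option.
RESTRICTED = (
    "com.apple.developer.web-browser.public-key-credential",
    "com.apple.application-identifier",
)

# Constructed sample entitlements file; the identifier value is a placeholder.
SAMPLE = plistlib.dumps({
    "com.apple.security.cs.allow-jit": True,
    "com.apple.developer.web-browser.public-key-credential": True,
    "com.apple.application-identifier": "ABCDE12345.org.example.browser",
})


def audit_entitlements(plist_bytes, team_id):
    """List (key, reason) for each restricted entitlement that is present."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    for key in RESTRICTED:
        if key not in ents:
            continue
        reason = "restricted entitlement present"
        value = ents[key]
        # application-identifier has the form "<TeamID>.<bundle id>", so a
        # prefix from another team cannot match the signing identity.
        if key == "com.apple.application-identifier" and isinstance(value, str):
            prefix = value.split(".", 1)[0]
            if prefix != team_id:
                reason = f"team prefix {prefix} differs from signer {team_id}"
        findings.append((key, reason))
    return findings


def strip_restricted(plist_bytes):
    """Return (cleaned plist bytes, removed keys), keeping other entitlements."""
    ents = plistlib.loads(plist_bytes)
    removed = [key for key in RESTRICTED if ents.pop(key, None) is not None]
    return plistlib.dumps(ents), removed


if __name__ == "__main__":
    for key, reason in audit_entitlements(SAMPLE, "MADPSAYN6T"):
        print(f"{key}: {reason}")
    cleaned, removed = strip_restricted(SAMPLE)
    print("removed:", removed)
    print("remaining findings:", audit_entitlements(cleaned, "MADPSAYN6T"))
```

The same audit can be run on the plist printed by the `codesign -d --entitlements :- <file>` command quoted earlier in the thread, once per signed file, to confirm what each binary actually carries.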
- boklm mentioned in merge request !1011 (merged)
- morgan marked this issue as related to #41186 (closed)
- morgan closed
- morgan added Build System MacOS Signing labels