Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#20855 closed defect (worksforme)

torBrowser and update services unsigned on macOS.

Reported by: togg
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hi,

WhatsYourSign shows me that the torBrowser.app 6.07 is unsigned.

Little Flocker highlights the same problem with "meek-client-torbrowser" and "updater".

Am I missing something, or should all of this stuff be signed?

Change History (11)

comment:1 Changed 3 years ago by cypherpunks

Component: Applications → Applications/Tor Browser
Owner: set to tbb-team

comment:2 Changed 3 years ago by gk

Status: new → needs_information

Hm. What OS X version are you on? Does Gatekeeper complain or can you start Tor Browser? What bundle did you download? Is that an issue with 6.0.7 only? 6.0.6 bundles can be found on https://dist.torproject.org/torbrowser/6.0.6/.

comment:3 Changed 3 years ago by togg

El Capitan 10.11.6. It was the same on 6.0.6.

I have gatekeeper disabled, I'm noticing now that I can't put it back on. I can but it doesn't do anything. Whooops.

comment:4 in reply to:  3 ; Changed 3 years ago by gk

Cc: mcs brade added

Replying to togg:

> Replying to gk:
>
> > Hm. What OS X version are you on? Does Gatekeeper complain or can you start Tor Browser? What bundle did you download? Is that an issue with 6.0.7 only? 6.0.6 bundles can be found on https://dist.torproject.org/torbrowser/6.0.6/.
>
> El Capitan 10.11.6. It was the same on 6.0.6.
>
> I have gatekeeper disabled, I'm noticing now that I can't put it back on. I can but it doesn't do anything. Whooops.

Well, it should not do anything with respect to Tor Browser because we've signed it with a proper certificate for a while. So, I think that is a good sign. It seems to me then the question is why is Gatekeeper happy but your tools not? Hm.

comment:5 in reply to:  4 Changed 3 years ago by togg

Replying to gk:

> Replying to togg:
>
> > Replying to gk:
> >
> > > Hm. What OS X version are you on? Does Gatekeeper complain or can you start Tor Browser? What bundle did you download? Is that an issue with 6.0.7 only? 6.0.6 bundles can be found on https://dist.torproject.org/torbrowser/6.0.6/.
> >
> > El Capitan 10.11.6. It was the same on 6.0.6.
> >
> > I have gatekeeper disabled, I'm noticing now that I can't put it back on. I can but it doesn't do anything. Whooops.
>
> Well, it should not do anything with respect to Tor Browser because we've signed it with a proper certificate for a while. So, I think that is a good sign. It seems to me then the question is why is Gatekeeper happy but your tools not? Hm.

Wait, that was a mistake on my part, Gatekeeper works on new software. It probably remembers the exceptions for the stuff that I have already installed.

I'm almost sure that the TorBrowser is not signed, those are simple tools that just give a UI to terminal commands. I'll try to reinstall, let's see.

comment:6 Changed 3 years ago by togg

WELL: Now it is signed '_' I had an unsigned version. Jesus, the bad news is that I've stupidly trashed the old one. So I can't send you anything to analyse.
I wonder if I got it in China. Well, fuck me.

comment:7 Changed 3 years ago by gk

Resolution: worksforme
Status: needs_information → closed

Okay. :) Resolving this as WORKSFORME as it seems our bundles are properly signed.

comment:8 in reply to:  7 ; Changed 3 years ago by togg

Replying to gk:

> Okay. :) Resolving this as WORKSFORME as it seems our bundles are properly signed.

Sorry for the trouble, I couldn't have imagined that I was using a fake one.

comment:9 in reply to:  8 ; Changed 3 years ago by mcs

Replying to togg:

> Replying to gk:
>
> > Okay. :) Resolving this as WORKSFORME as it seems our bundles are properly signed.
>
> Sorry for the trouble, I couldn't have imagined that I was using a fake one.

You probably do not have a fake Tor Browser. If you had updated from an older version, the signature was probably lost due to #19410.

comment:10 in reply to:  9 ; Changed 3 years ago by togg

Replying to mcs:

> Replying to togg:
>
> > Replying to gk:
> >
> > > Okay. :) Resolving this as WORKSFORME as it seems our bundles are properly signed.
> >
> > Sorry for the trouble, I couldn't have imagined that I was using a fake one.
>
> You probably do not have a fake Tor Browser. If you had updated from an older version, the signature was probably lost due to #19410.

mmm I'm not smart enough to understand this. How is it possible that the signature was lost for all this time and updates?

comment:11 in reply to:  10 Changed 3 years ago by mcs

Replying to togg:

> mmm I'm not smart enough to understand this. How is it possible that the signature was lost for all this time and updates?

The packages we offer for download are signed, but our updates were created to update you to an unsigned .app bundle. That is a bug that has been fixed, but (as far as I know) the fix has not yet been deployed to our stable releases (6.0.X). This problem is fixed in our alpha releases (e.g., Tor Browser 6.5aX).
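
Added example (not part of the ticket and not Tor Project code): a way to ask `codesign` directly whether an installed .app bundle and the two helpers named by the reporter still carry a valid signature, since Gatekeeper was not reporting anything here. The bundle path is supplied by the user; the helpers are located by name because the ticket does not give their paths inside the bundle.

```shell
#!/bin/sh
# Added example: classify `codesign --verify` results for an app bundle and
# the helper binaries named in this ticket (meek-client-torbrowser, updater).
# Their location inside the bundle is an unknown here, so they are found by name.

# Map codesign's textual result to one of: signed, unsigned, broken.
# "unsigned" is tested first: with --deep, one unsigned nested component
# makes the whole verification fail with this message.
classify_codesign() {
    out=$1
    case $out in
        *"code object is not signed at all"*) echo unsigned ;;
        *"valid on disk"*)                    echo signed ;;
        *)                                    echo broken ;;  # e.g. modified or missing sealed resources
    esac
}

# Verify one path and print "<state> <path>".
# codesign reports on stderr, hence the 2>&1.
check_path() {
    out=$(codesign --verify --deep --strict --verbose=2 "$1" 2>&1)
    printf '%s %s\n' "$(classify_codesign "$out")" "$1"
}

# Check the bundle as a whole, then each named helper individually so an
# unsigned helper is reported by its own path.
check_bundle() {
    app=$1
    check_path "$app"
    find "$app" -type f \( -name meek-client-torbrowser -o -name updater \) |
    while IFS= read -r f; do
        check_path "$f"
    done
}

# Usage: sh check-signature.sh /path/to/TorBrowser.app
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

A bundle that reports `signed` right after a fresh install and `unsigned` after an in-place update matches the behaviour mcs describes above.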
