Allow TBA to install tor button, tor launcher and https everywhere extensions without signatures
When trying to install torbutton, torlauncher or https-e. TBA doesn't allow it because they don't have signatures.
The distribution code path is different for mobile and desktop.
Activity
Replying to sysrqb:
We don't modify https-everywhere, so it shouldn't fail the signing requirement. Maybe we can only add the exception for torbutton and tor-launcher?
Agreed. I think it's worth being even more conservative and adding only exceptions for things we actually need, meaning only Torbutton for the alpha for now.
Updated patch.
Trac:
Status: needs_review to needs_revisionDo we need to change mustSign()? I haven't tested this yet, but the code path I see will still fail - maybe I'm looking in the wrong place. I'll test this, as well.
Replying to igt0:
The issue is not about signatures anymore. Looks like there is a race condition in the addons code. If i close the browser and open again. The addon is loaded.
Ah, I see, the patch is good. loadManifest() => loadManifestFromZipReader() => verifyZipSignedState() => shouldVerifySignedState().
verifyZipSignedState()setssignedState: AddonManager.SIGNEDSTATE_NOT_REQUIRED(where
AddonManager.SIGNEDSTATE_NOT_REQUIREDhas valueundefined), so the inner conditional block isn't executed:if (mustSign(this.addon.type)) { if (this.addon.signedState <= AddonManager.SIGNEDSTATE_MISSING) { [...] if (state == AddonManager.SIGNEDSTATE_MISSING) return Promise.reject([AddonManager.ERROR_SIGNEDSTATE_REQUIRED, "signature is required but missing"]); [...] } }As for the race condition, I don't think that's true. I think that is because torbutton isn't a restartless extension. It requires restarting after installation. I don't think there's anyway way we can prevent this. I wonder if we can force a restart (semi-transparently) at the end of the firstrun onboarding screen.
-
Replying to igt0:
Updated patch.
Applied to
tor-browser-60.1.0esr-8.0-1(commit b9aecf44142c7874de51bd29abdcd40dcf3e6cb2). -
Replying to sysrqb:
As for the race condition, I don't think that's true. I think that is because torbutton isn't a restartless extension. It requires restarting after installation. I don't think there's anyway way we can prevent this. I wonder if we can force a restart (semi-transparently) at the end of the firstrun onboarding screen.
I agree that leaving the user without Torbutton is suboptimal especially as they would be looking for the slider settings (I assume we advertise those) and might not restart the browser (who is restarting things today anyways unless one is not forced too?). Is there some quick fix for this then we could include it in the alpha. If it's more elaborate and we need to think more I don't want to delay the alpha further for that (we can add the restart this to the TBA alpha "manual"). Anyway, I think that's for a new ticket.
Trac:
Resolution: N/A to fixed
Status: needs_review to closed 
Can anyone confirm that this doesn't allow someone to install any random add-on that they name torbutton@torproject.org ?
-
Replying to tom:
Can anyone confirm that this doesn't allow someone to install any random add-on that they name torbutton@torproject.org ?
Good question. I've not looked into the mobile side of this but for the desktop I wrote up https://lists.torproject.org/pipermail/tbb-dev/2017-April/000517.html and it seemed to me that we are not in a bad shape back then.
-
Replying to tom:
Can anyone confirm that this doesn't allow someone to install any random add-on that they name torbutton@torproject.org ?
FWIW this gets addressed with the patch for #27271 (moved).