Opened 5 years ago

Closed 20 months ago

#6540 closed enhancement (fixed)

Support OS X Gatekeeper

Reported by: jroith
Owned by: mikeperry
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-stoppoint-app, MikePerry201510, TorBrowserTeam201604
Cc: phobos, mikeperry, pde, gk, michael@…, tom@…, torosx, Sherief, mrphs, hellais, mcs, brade, hsn
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: SponsorU

Description

Tor for Mac is currently not signed using a Gatekeeper certificate.

This means users can only run the app on Mountain Lion by right-clicking. I also suspect that by the time the next version of OS X comes around, almost anything is signed and the dialog shown for manually running unsigned apps will look rather scary.

These certificates are available for free from Apple.

Besides being good for Tor users, this is also an experiment to see if Apple dares to abuse their power and revoke the certificate at any time. This has been suggested by various people. I'm confident that they won't, especially since there are legitimate reasons to use Tor just as with Transmission.app (a BitTorrent client) which has already been signed.

Child Tickets

Ticket | Type | Status | Owner | Summary
#13252 | defect | closed | mcs | Tor Browser on OS X should not store data into the application bundle
#14838 | enhancement | closed | Sebastian | Clearer OS X installation dialogues

Attachments (2)

mac_program_agreement_20130610.pdf (472.3 KB) - added by anon 4 years ago.
ios_program_standard_agreement_20130610.pdf (508.1 KB) - added by anon 4 years ago.


Change History (47)

comment:1 Changed 5 years ago by arma

Cc: phobos mikeperry pde added
Priority: normal → major

We should either get it signed, or put up clear instructions on how to run it despite our lack of cooperation with the extortion plan.

comment:2 Changed 5 years ago by mikeperry

Hrmm.. Exactly how much security theater are we buying into here? Say I also get my own developer key from Apple, can I distribute "Tor Browser Bundles"? Or, more interestingly, can I give the Transmission developers $15k for their developer key and tell them to act surprised when it starts signing rogue Tor Browser Bundles only for a few people inside Iran/China?

In other words: Can we create our own mechanisms for multipath key trust in the system for updates and/or sophisticated users? Or was this also forbidden by the God Emperor before his death?

Also, wrt the "experiment": Apple already *does* dare abuse its power in all sorts of circumstances with respect to App store apps again and again. For fuck's sake, fart apps were among the first things banned from the iPhone store.. Trust them? Please... Apple is like a fucking zombie with its head cut off, and the head was practically criminally insane in the first place (game recognize game).

But net-net: Yeah, sure. If it's free, I say let's try it out for the 3 weeks that they allow us to do so. I just needed to get all that off my chest for the historical record.

comment:3 in reply to: 2; Changed 5 years ago by SteveJobsOnIce

Replying to mikeperry:

Hrmm.. Exactly how much security theater are we buying into here? Say I also get my own developer key from Apple, can I distribute "Tor Browser Bundles"? Or, more interestingly, can I give the Transmission developers $15k for their developer key and tell them to act surprised when it starts signing rogue Tor Browser Bundles only for a few people inside Iran/China?

You can build whatever software you like and sign it, for now. If you get caught doing something bad, we'll send our lawyers after you. Eventually we will require all signed applications to be distributed via the App store to solve this problem. If your application isn't signed, you can provide a tutorial explaining how to disable the Gatekeeper protection. Don't worry, there's only a few scary warnings.

In other words: Can we create our own mechanisms for multipath key trust in the system for updates and/or sophisticated users? Or was this also forbidden by the God Emperor before his death?

First you need a developer ID. Then you can read the documentation. And Steve lives!

Also, wrt the "experiment": Apple already *does* dare abuse its power in all sorts of circumstances with respect to App store apps again and again. For fuck's sake, fart apps were among the first things banned from the iPhone store.. Trust them? Please... Apple is like a fucking zombie with its head cut off, and the head was practically criminally insane in the first place (game recognize game).

But net-net: Yeah, sure. If it's free, I say let's try it out for the 3 weeks that they allow us to do so. I just needed to get all that off my chest for the historical record.

Well, according to: https://support.apple.com/kb/HT5290

"Note: If an app with a revoked Gatekeeper certificate is already installed, it will continue to run."

But blacklisting malware is done by a separate mechanism. So you're SoL anyway, whether you play this game or not.

"Important: Developer ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet."

Seriously now:

How is the evil bit set? Does this only work with Safari?

I wonder what Gatekeeper will do about auto-updating applications (e.g. Thandy). Will users get stuck with obsoleted (but signed) software that refuses to update?

comment:4 in reply to: 3; Changed 5 years ago by jroith

Replying to SteveJobsOnIce:

How is the evil bit set? Does this only work with Safari?

Safari, Chrome and I think Firefox set it. Transmission (BitTorrent) also sets it. In fact, the bit was already used in previous versions, such as OS X Lion, to trigger the "downloaded from the Internet" warning.

I wonder what Gatekeeper will do about auto-updating applications (e.g. Thandy). Will users get stuck with obsoleted (but signed) software that refuses to update?

Nope. Gatekeeper will only check the affected application once and clear the bit afterwards. It can then be freely changed or replaced by new versions.

comment:5 Changed 5 years ago by gk

Cc: g.koppen@… added

comment:6 Changed 5 years ago by erinn

I began finally looking into the Gatekeeper situation and while learning about Developer ID here I came across this:

When you enroll in the Mac Developer Program, you become the primary contact for Apple and are asked to sign legal agreements. Regardless whether you enroll as an individual or company, you are the team agent and responsible for creating Developer ID certificates. If you enroll as a company, you can add individuals to your team, but only the team agent has permission to create Developer ID certificates. Developer ID certificates are owned by the team not an individual.

I think we should sign up as a company, but given the situation with legal agreements maybe we want Wendy or someone to look it over first and see what a better option would be. I'm already registered as an Apple Developer and will be the signing agent, but longer term I think we want some latitude about authorizing new people to sign things.

comment:7 in reply to: 6; Changed 5 years ago by ioerror

Replying to erinn:

I began finally looking into the Gatekeeper situation and while learning about Developer ID here I came across this:

When you enroll in the Mac Developer Program, you become the primary contact for Apple and are asked to sign legal agreements. Regardless whether you enroll as an individual or company, you are the team agent and responsible for creating Developer ID certificates. If you enroll as a company, you can add individuals to your team, but only the team agent has permission to create Developer ID certificates. Developer ID certificates are owned by the team not an individual.

I think we should sign up as a company, but given the situation with legal agreements maybe we want Wendy or someone to look it over first and see what a better option would be. I'm already registered as an Apple Developer and will be the signing agent, but longer term I think we want some latitude about authorizing new people to sign things.

That seems like a good plan. Can you do so as an agent of the company? If so - I say just do it? I doubt anyone would object - quite the opposite! :)

comment:8 Changed 5 years ago by erinn

Well, they might, since part of the signup process says "Yes, I have the legal authority to sign and bind my company to Apple Developer Program legal agreements and contracts. This can be verified by the contact below." Do I have that legal authority?

Also I don't have the money or the D-U-N-S number they want which is some kind of legal identifier of the business. I would need to get both of those things in addition to the legal authority. (It doesn't say up front how much it costs or what the price difference might be either -- I know I read $99 somewhere, but I don't know if that's a per-developer, per-cert, per-registration thing, although I am pretty sure it's at least annual.)

comment:9 Changed 5 years ago by pde

There's more information on what Tor would have to agree to here:

https://www.eff.org/deeplinks/2012/05/apples-crystal-prison-and-future-open-platforms#gatekeeper-update

If those obligations seem objectionable / onerous, you could write an open letter to Apple requesting that you be allowed to provide Tor to mainstream Mountain Lion users without agreeing to a contract that is itself wrapped in an NDA. They might ignore you, of course...

comment:10 Changed 4 years ago by mikeperry

Keywords: tbb-3.0 added

Changed 4 years ago by anon

comment:11 Changed 4 years ago by michael

Cc: michael@… added

comment:12 Changed 4 years ago by tom

Cc: tom@… added

I'd like to add a user experience story:

I was at a user training, and while we did not cover Tor, it naturally came up. He came up to me afterwards:

The guy used a Mac, and was not super technically inclined, but knew his way around a few things. He successfully downloaded Tor Browser Bundle and added it to his dock.

But when he ran it, he got the warning "This app is signed by an unknown developer". He did not know what it meant, or how to disable it. As it was a security feature, he did not want to. He assumed TBB would not work for him.

I disabled it for him (telling him I would re-enable it when we were done), and ran TBB.

TBB really should be signed. Legally, Apple's being a giant dick, but I think Tor should look hard at this again and either carefully document what is objectionable and close this as WONTFIX or execute on it.

Looking at the above comments, it seems that someone from Tor would need to agree, on behalf of Tor, to the Registered Apple Developer Agreement and the Mac Developer Program License Agreement. Note that these agreements are separate from the problem of distributing TBB via the App Store, where there's some conflict between GPL code and the App Store.

I read the new Mac Developer Program License Agreement: https://developer.apple.com/programs/terms/mac/mac_program_agreement_20140602.pdf . I did not see anything that immediately seemed concerning. Section 2 is about not stealing or pirating Apple software, Section 3 is about not lying to them and (irrelevant) restrictions about the App Store. Section 4 is the standard "we can update this at any time", Section 5 about protecting your cert, using the cert only for legal purposes. Section 6&7 about the App Store (irrelevant). 8 about Revocation, and the standard terms where they might revoke at their whim. 9 about fees, 10 about pre-release beta product they make available to you, 11 about indemnification for Apple, 12 about term length and termination, 13 is no warranty, 14 is limitation of liability, 15 about general legal stuff: privacy policy, assignment, etc.

The other agreement is https://developer.apple.com/programs/terms/registered_apple_developer_20100301.pdf (there might be a newer one?) which I only skimmed, but seemed more about protecting apple's beta releases they make available through the beta program part of being a registered developer.

comment:13 Changed 3 years ago by erinn

Keywords: needs-triage added

comment:14 Changed 3 years ago by erinn

Component: Tor bundles/installation → Tor Browser
Keywords: needs-triage removed
Owner: changed from erinn to tbb-team

comment:15 Changed 3 years ago by dcf

Keywords: gatekeeper added

comment:16 Changed 3 years ago by gk

Cc: gk added; g.koppen@… removed

10.9.5 brings even tighter requirements with codesign v2 signatures. See https://bugzilla.mozilla.org/show_bug.cgi?id=1046306 and related bugs for Mozilla's reaction. This shall be available starting with Fx 34.

comment:17 Changed 3 years ago by gk

Cc: torosx added

Resolved #13251 as duplicate. See #13252 for one of the tighter requirements mentioned in the previous comment.

comment:18 Changed 3 years ago by Sherief

Cc: Sherief added

comment:19 Changed 3 years ago by mrphs

Cc: mrphs added

comment:20 Changed 3 years ago by hellais

Has any progress been made on this? Are there plans on starting to ship codesigned packages for OSX?

comment:21 Changed 3 years ago by hellais

Cc: hellais added

comment:22 in reply to: 20; Changed 3 years ago by gk

Replying to hellais:

Has any progress been made on this? Are there plans on starting to ship codesigned packages for OSX?

Well, we'd like to have codesigned packages sooner than later but given the even tighter requirements mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1046306 I doubt this will happen anytime soon.

comment:23 Changed 3 years ago by mikeperry

Keywords: tbb-usability-stoppoint-app added

comment:24 Changed 3 years ago by dcf

Some observations from org/meetings/2015UXsprint:

Everyone was frustrated by the Gatekeeper dialog. However, users were surprisingly adept at disabling Gatekeeper (sometimes system-wide) in order to get Tor Browser to run. Most users seemed to have seen the dialog before and vaguely known what to do. There is also a "?" button on the dialog that gets you to the right preferences window.

Nobody (N=5) used the Ctrl-click technique. They all either disabled Gatekeeper completely, or used the button on the same preferences window (maybe new in OS X 10.10) that said something like "Tor Browser failed to start because it is from an unidentified developer, allow anyway?"

If you "allow anyway," the setting gets remembered somewhere that's not surfaced in the GUI anywhere I could find. In order to disable it, and cause Gatekeeper again to reject opening the app (even the same file downloaded fresh), I had to run the command

spctl --disable /path/to/Tor\ Browser.app
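The quarantine attribute that comments 3 and 4 call the "evil bit", and the Gatekeeper check that comment 24 pokes at with spctl, as an added example that is not part of this ticket or of Tor Browser's own build tooling. It assumes the com.apple.quarantine value has the layout flags;hex-timestamp;agent;UUID (the form Safari, Chrome and Firefox write), that "xattr -p com.apple.quarantine PATH" reads it, and that "spctl --assess --type execute PATH" asks Gatekeeper for the same verdict it gives a quarantined app on first launch. The sample attribute value is constructed, not taken from a real download. Only the parser runs off macOS; the two wrappers report that the tools are missing elsewhere.

```sh
#!/bin/sh
# Added example, not code from the ticket or from Tor Browser.
# Decodes the com.apple.quarantine extended attribute that browsers put
# on downloads and that Gatekeeper consults on first launch, and wraps
# the two macOS commands a tester would run on a downloaded bundle.
# Assumed attribute layout (the only thing this script relies on):
#   <flags, hex>;<download time, hex seconds since epoch>;<agent>;<UUID>
# The meaning of individual flag bits is not asserted here.

# parse_quarantine VALUE
#   Prints "flags=.. epoch=.. agent=.. uuid=.." for a raw attribute value,
#   or exits 1 when the value does not have that layout. The body is a
#   subshell so the IFS change used for splitting does not leak out.
parse_quarantine() (
    IFS=';'
    set -- $1
    q_flags=$1 q_ts=$2 q_agent=$3 q_uuid=$4
    case $q_flags in ''|*[!0-9a-fA-F]*) echo "bad flags field" >&2; exit 1 ;; esac
    case $q_ts    in ''|*[!0-9a-fA-F]*) echo "bad timestamp field" >&2; exit 1 ;; esac
    # the timestamp is hexadecimal seconds since the Unix epoch
    q_epoch=$(printf '%d' "0x$q_ts") || exit 1
    printf 'flags=%s epoch=%s agent=%s uuid=%s\n' \
        "$q_flags" "$q_epoch" "${q_agent:-?}" "${q_uuid:-?}"
)

# quarantine_status PATH
#   0: attribute present (decoded fields printed)
#   1: attribute absent or path unreadable
#   2: xattr(1) not available (not running on macOS)
quarantine_status() {
    command -v xattr >/dev/null 2>&1 || return 2
    _raw=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || return 1
    parse_quarantine "$_raw"
}

# gatekeeper_assess PATH
#   Asks Gatekeeper whether it would let PATH launch; spctl prints its
#   own verdict ("accepted" / "rejected") and the source it matched.
#   Returns 2 when spctl(8) is not available.
gatekeeper_assess() {
    command -v spctl >/dev/null 2>&1 || return 2
    spctl --assess --type execute --verbose "$1"
}

# Constructed sample value (no real download): flags 0081, downloaded at
# 0x5e9f6b3a seconds since the epoch, by Safari, with a made-up UUID.
SAMPLE='0081;5e9f6b3a;Safari;C1A2B3D4-0000-4000-8000-000000000000'

if [ "$#" -gt 0 ]; then
    # usage: ./quarantine.sh "/Applications/Tor Browser.app"
    quarantine_status "$1"
    gatekeeper_assess "$1"
else
    parse_quarantine "$SAMPLE"
fi
```

Run with a bundle path on a Mac to see which agent quarantined the download and what Gatekeeper would decide; run with no arguments anywhere to see the decoder on the constructed sample. Note that the script only reads state; it does not remove the attribute or change spctl rules.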

comment:25 Changed 3 years ago by dcf

Summary: Support Mountain Lion Gatekeeper → Support OS X Gatekeeper

comment:26 Changed 3 years ago by dcf

Check #14838 which suggests adding screenshots to the download page.

comment:27 Changed 3 years ago by mikeperry

Cc: mcs brade added
Keywords: ff38-esr added

For additional reference, here's Mozilla's .app folder reorg bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1047584.

mcs and brade will want to keep an eye on this bug when we transition to ff38. We'll need extra testing to make sure our updater is OK with this reorg, as well as signing.

comment:28 Changed 3 years ago by mikeperry

Keywords: TorBrowserTeam201506 MikePerry201506 tbb-5.0a-highrisk added; tbb-3.0 gatekeeper removed

I need to get on top of the Apple Developer legal docs this month, at the very least, or we may not have a cert in time for TBB-5.0-stable in August.

comment:29 Changed 2 years ago by mikeperry

Keywords: TorBrowserTeam201507 added; TorBrowserTeam201506 removed

Move over remaining June items to July

comment:30 Changed 2 years ago by mikeperry

Keywords: MikePerry201507 added; MikePerry201506 removed

Move my tickets over for July

comment:31 Changed 2 years ago by mikeperry

Keywords: TorBrowserTeam201508 added; TorBrowserTeam201507 removed

comment:32 Changed 2 years ago by mikeperry

Keywords: MikePerry201508 added; ff38-esr tbb-5.0a-highrisk MikePerry201507 removed

comment:33 Changed 2 years ago by mikeperry

Keywords: TorBrowserTeam201509 added; TorBrowserTeam201508 removed

Move remaining August tickets to September.

comment:34 Changed 2 years ago by gk

Cc: hsn added

#17010 is a duplicate.

comment:35 Changed 2 years ago by gk

Keywords: MikePerry201510 TorBrowserTeam201510 added; MikePerry201508 TorBrowserTeam201509 removed
Owner: changed from tbb-team to mikeperry
Sponsor: Sponsor U
Status: new → assigned

comment:36 Changed 2 years ago by gk

Sponsor: Sponsor U → U

comment:37 Changed 2 years ago by gk

Sponsor: U → SponsorU

comment:38 Changed 2 years ago by gk

Keywords: TorBrowserTeam201511 added; TorBrowserTeam201510 removed

comment:39 Changed 2 years ago by mikeperry

Keywords: TorBrowserTeam201512 added; TorBrowserTeam201511 removed

comment:40 Changed 2 years ago by cypherpunks

Severity: Normal

#17900 is a duplicate.

comment:41 Changed 2 years ago by gk

Keywords: TorBrowserTeam201601 added; TorBrowserTeam201512 removed

Tickets for Jan 2016.

comment:42 Changed 23 months ago by gk

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201601 removed

Putting stuff on the radar for February.

comment:43 Changed 22 months ago by gk

Keywords: TorBrowserTeam201603 added; TorBrowserTeam201602 removed

comment:44 Changed 21 months ago by gk

Keywords: TorBrowserTeam201604 added; TorBrowserTeam201603 removed

comment:45 Changed 20 months ago by gk

Resolution: fixed
Status: assigned → closed

This will be fixed in 6.0a5, yay!
