Support OS X Gatekeeper
Tor for Mac is currently not signed using a Gatekeeper certificate.
This means users can only run the app on Mountain Lion by right-clicking. I also suspect that by the time the next version of OS X comes around,almost anything is signed and the dialog shown for manually running unsigned apps will look rather scary.
These certificates are available for free from Apple.
Besides being good for Tor users, this is also an experiment to see if Apple dares to abuse their power and revoke the certificate at any time. This has been suggested by various people. I'm confident that they won't, especially since there are legitimate reasons to use Tor just as with Transmission.app (a BitTorrent client) which has already been signed.
Trac:
Username: jroith
Activity
Hrmm.. Exactly how much security theater are we buying into here? Say I also get my own developer key from Apple, can I distribute "Tor Browser Bundles"? Or, more interestingly, can I give the Transmission developers $15k for their developer key and tell them to act surprised when it starts signing rogue Tor Browser Bundles only for a few people inside Iran/China?
In other words: Can we create our own mechanisms for multipath key trust in the system for updates and/or sophisticated users? Or was this also forbidden by the God Emperor before his death?
Also, wrt the "experiment": Apple already does dare abuse its power in all sorts of circumstances with respect to App store apps again and again. For fuck's sake, fart apps were among the first things banned from the iPhone store.. Trust them? Please... Apple is like a fucking zombie with its head cut off, and the head was practically criminally insane in the first place (game recognize game).
But net-net: Yeah, sure. If it's free, I say let's try it out for the 3 weeks that they allow us to do so. I just needed to get all that off my chest for the historical record.
Replying to mikeperry:
Hrmm.. Exactly how much security theater are we buying into here? Say I also get my own developer key from Apple, can I distribute "Tor Browser Bundles"? Or, more interestingly, can I give the Transmission developers $15k for their developer key and tell them to act surprised when it starts signing rogue Tor Browser Bundles only for a few people inside Iran/China?
You can build whatever software you like and sign it, for now. If you get caught doing something bad, we'll send our lawyers after you. Eventually we will require all signed applications to be distributed via the App store to solve this problem. If your application isn't signed, you can provide a tutorial explaining how to disable the Gatekeeper protection. Don't worry, there's only a few scary warnings.
In other words: Can we create our own mechanisms for multipath key trust in the system for updates and/or sophisticated users? Or was this also forbidden by the God Emperor before his death?
First you need a developer ID. Then you can read the documentation. And Steve lives!
Also, wrt the "experiment": Apple already does dare abuse its power in all sorts of circumstances with respect to App store apps again and again. For fuck's sake, fart apps were among the first things banned from the iPhone store.. Trust them? Please... Apple is like a fucking zombie with its head cut off, and the head was practically criminally insane in the first place (game recognize game).
But net-net: Yeah, sure. If it's free, I say let's try it out for the 3 weeks that they allow us to do so. I just needed to get all that off my chest for the historical record.
Well, according to: https://support.apple.com/kb/HT5290
"Note: If an app with a revoked Gatekeeper certificate is already installed, it will continue to run."
But blacklisting malware is done by a separate mechanism. So you're SoL anyway, whether you play this game or not.
"Important: Developer ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet."
Seriously now:
How is the evil bit set? Does this only work with Safari?
I wonder what Gatekeeper will do about auto-updating applications (e.g. Thandy). Will users get stuck with obsoleted (but signed) software that refuses to update?
Trac:
Username: SteveJobsOnIce-
Replying to SteveJobsOnIce:
How is the evil bit set? Does this only work with Safari?
Safari, Chrome and I think Firefox set it. Transmission (BitTorrent) also sets it. In fact, the bit was already used in previous versions, such as OS X Lion to trigger the "downloaded from the Internet" warning.
I wonder what Gatekeeper will do about auto-updating applications (e.g. Thandy). Will users get stuck with obsoleted (but signed) software that refuses to update?
Nope. Gatekeeper will only check the affected Application once and clear the bit afterwards. It can then be freely changed or replaced by new versions.
Trac:
Username: jroith 
Trac:
Cc: phobos, mikeperry, pde to phobos, mikeperry, pde, g.koppen@jondos.deI began finally looking into the Gatekeeper situation and while learning about Developer ID here I came across this:
When you enroll in the Mac Developer Program, you become the primary contact for Apple and are asked to sign legal agreements. Regardless whether you enroll as an individual or company, you are the team agent and responsible for creating Developer ID certificates. If you enroll as a company, you can add individuals to your team, but only the team agent has permission to create Developer ID certificates. Developer ID certificates are owned by the team not an individual.
I think we should sign up as a company, but given the situation with legal agreements maybe we want Wendy or someone to look it over first and see what a better option would be. I'm already registered as an Apple Developer and will be the signing agent, but longer term I think we want some latitude about authorizing new people to sign things.
Replying to erinn:
I began finally looking into the Gatekeeper situation and while learning about Developer ID here I came across this:
When you enroll in the Mac Developer Program, you become the primary contact for Apple and are asked to sign legal agreements. Regardless whether you enroll as an individual or company, you are the team agent and responsible for creating Developer ID certificates. If you enroll as a company, you can add individuals to your team, but only the team agent has permission to create Developer ID certificates. Developer ID certificates are owned by the team not an individual.
I think we should sign up as a company, but given the situation with legal agreements maybe we want Wendy or someone to look it over first and see what a better option would be. I'm already registered as an Apple Developer and will be the signing agent, but longer term I think we want some latitude about authorizing new people to sign things.
That seems like a good plan. Can you do so as an agent of the company? If so - I say just do it? I doubt anyone would object - quite the opposite! :)
Well, they might, since part of the signup process says "Yes, I have the legal authority to sign and bind my company to Apple Developer Program legal agreements and contracts. This can be verified by the contact below." Do I have that legal authority?
Also I don't have the money or the D-U-N-S number they want which is some kind of legal identifier of the business. I would need to get both of those things in addition to the legal authority. (It doesn't say up front how much it costs or what the price difference might be either -- I know I read $99 somewhere, but I don't know if that's a per-developer, per-cert, per-registration thing, although I am pretty sure it's at least annual.)
There's more information on what Tor would have to agree to here:
If those obligations seem objectionable / onerous, you could write an open letter to Apple requesting that you be allowed to provide Tor to mainstream Mountain Lion users without agreeing to a contract that is itself wrapped in an NDA. They might ignore you, of course...
-
Trac:
Username: anon -
Trac:
Username: anon -
Trac:
Username: michael
Cc: phobos, mikeperry, pde, g.koppen@jondos.de to phobos, mikeperry, pde, g.koppen@jondos.de, michael@schloh.com 
I'd like to add a user experience story:
I was at a user training, and while we did not cover Tor, it naturally came up. He came up to me afterwards:
The guy used a Mac, and was not super technically inclined, but knew his way around a few things. He successfully downloaded Tor Browser Bundle and added it to his dock.
But when he ran it, he got the warning "This app is signed by an unknown developer". He did not know what it meant, or how to disable it. As it was a security feature, he did not want to. He assumed TBB would not work for him.
I disabled it for him (telling him I would re-enable it when we were done), and ran TBB.
TBB really should be signed. Legally, Apple's being a giant dick, but I think Tor should look hard at this again and either carefully document what is objectionable and close this as WONTFIX or execute on it.
Looking at the above comments, it seems that someone from Tor would need to agree, on behalf of Tor, to the Registered Apple Developer Agreement and the Mac Developer Program License Agreement. Note that these agreements are separate from the problem of distributing TBB via the App Store, where there's some conflict between GPL code and the App Store.
I read the new Mac Developer Program License Agreement: https://developer.apple.com/programs/terms/mac/mac_program_agreement_20140602.pdf . I did not see anything that immediately seemed concerning. Section 2 is about not stealing or pirating Apple software, Section 3 is about not lying to them, not and (irrelevant) restrictions about the App Store. Section 4 is the standard we can update this at any time, Section 5 about protecting your cert, using the cert only for legal purposes. Section 6&7 about the App Store (irrelevant). 8 about Revocation, and the standard terms where they might revoke at their whim. 9 about fees, 10 about pre-release beta product they make available to you, 11 about indemnification for apple, 12 about term length and termination, 13 is no warranty, 14 is limitation of liability, 15 about general legal stuff: privacy policy, assignment, etc.
The other agreement is https://developer.apple.com/programs/terms/registered_apple_developer_20100301.pdf (there might be a newer one?) which I only skimmed, but seemed more about protecting apple's beta releases they make available through the beta program part of being a registered developer.
Trac:
Cc: phobos, mikeperry, pde, g.koppen@jondos.de, michael@schloh.com to phobos, mikeperry, pde, g.koppen@jondos.de, michael@schloh.com, tom@ritter.vg-
10.9.5 brings even tighter requirements with codesign v2 signatures. See https://bugzilla.mozilla.org/show_bug.cgi?id=1046306 and related bugs for Mozilla's reaction. This shall be available starting with Fx 34.
Trac:
Cc: phobos, mikeperry, pde, g.koppen@jondos.de, michael@schloh.com, tom@ritter.vg to phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg -
Resolved #13251 (moved) as duplicate. See #13252 (moved) for one of the tighter requirements mentioned in the previous comment.
Trac:
Cc: phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg to phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx Trac:
Cc: phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx to phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, SheriefTrac:
Cc: phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief to phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief, mrphs
Trac:
Cc: phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief, mrphs to phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief, mrphs, hellais-
Replying to hellais:
Has any progress been made on this? Are there plans on starting to ship codesigned packages for OSX?
Well, we'd like to have codesigned packages sooner than later but given the even tighter requirements mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1046306 I doubt this will happen anytime soon.
Some observations from [[org/meetings/2015UXsprint]]:
Everyone was frustrated by the Gatekeeper dialog. However, users were surprisingly adept at disabling Gatekeeper (sometimes system-wide) in order to get Tor Browser to run. Most users seemed to have seen the dialog before and vaguely known what to do. There is also a "?" button on the dialog that gets you to the right preferences window.
Nobody (_N_=5) used the Ctrl-click technique. They all either disabled Gatekeeper completely, or used the button on the same preferences window (maybe new in OS X 10.10) that said something like "Tor Browser failed to start because it is from an unidentified developer, allow anyway?"
If you "allow anyway," the setting gets remembered somewhere that's not surfaced in the GUI anywhere I could find. In order to disable it, and cause Gatekeeper again to reject opening the app (even the same file downloaded fresh), I had to run the command
spctl --disable /path/to/Tor\ Browser.appCheck #14838 (moved) which suggests adding screenshots to the download page.
-
For additional reference, here's Mozilla's .app folder reorg bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1047584.
mcs and brade will want to keep an eye on this bug when we transition to ff38. We'll need extra testing to make sure our updater is OK with this reorg, as well as signing.
Trac:
Cc: phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief, mrphs, hellais to phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief, mrphs, hellais, mcs, brade
Keywords: N/A deleted, ff38-esr added -
#17010 (moved) is a duplicate.
Trac:
Cc: phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief, mrphs, hellais, mcs, brade to phobos, mikeperry, pde, gk, michael@schloh.com, tom@ritter.vg, torosx, Sherief, mrphs, hellais, mcs, brade, hsn #17900 (moved) is a duplicate.
Trac:
Severity: N/A to Normal
