[tbb-bugs] #31905 [Applications/Tor Browser]: Sign dmg images (not just their contents)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Oct 1 11:19:21 UTC 2019
#31905: Sign dmg images (not just their contents)
------------------------------------------+--------------------------------
     Reporter:  gk                        |          Owner:  tbb-team
         Type:  enhancement               |         Status:  new
     Priority:  Medium                    |      Milestone:
    Component:  Applications/Tor Browser  |        Version:
     Severity:  Normal                    |       Keywords:  tbb-security, tbb-rbm
Actual Points:                            |      Parent ID:
       Points:                            |       Reviewer:
      Sponsor:                            |
------------------------------------------+--------------------------------
Since macOS 10.11.5 there is the option
[https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG18
to sign the dmg images themselves] (not just their contents) to make sure
the .dmg file is actually coming from us. Might be worth doing given that
the OpenPGP part requires yet another non-native tool for verification
while users could use the built-in macOS capabilities to check whether the
.dmg is good.
Apart from that I am not sure about the benefit of signing the .dmg
itself. Thanks to juno_hacker at HackerOne for pointing out the missing
container signature.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31905>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
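The "built-in macOS capabilities" the ticket refers to are codesign and spctl. The script below is an added example, not Tor Project code: it checks a .dmg container's signature integrity, that the signing chain names the expected Developer ID authority, and that Gatekeeper accepts the image. The expected authority string is an assumption and must be replaced with the real one (as printed by `codesign -dvv` on a known-good image).

```shell
#!/bin/sh
# Added example: verify the container signature on a .dmg, not just its contents.
# Exit codes: 0 = good, 1 = unsigned/tampered/wrong signer/rejected by Gatekeeper,
#             2 = file missing, 3 = codesign/spctl unavailable (only present on macOS).
verify_dmg() {
    dmg=$1
    # ASSUMPTION: placeholder authority; replace with the signer you actually expect.
    expected_authority=${2:-"Developer ID Application: EXAMPLE-SIGNER (PLACEHOLDER)"}

    [ -f "$dmg" ] || { echo "no such file: $dmg" >&2; return 2; }
    command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1 \
        || { echo "codesign/spctl not available; run this on macOS" >&2; return 3; }

    # 1. Integrity: the image itself must carry a valid signature and be unmodified since signing.
    #    Fails with "code object is not signed at all" for an unsigned container.
    codesign --verify --strict --verbose=2 "$dmg" 2>&1 || return 1

    # 2. Identity: a valid signature is not enough; the chain must name the expected signer.
    #    codesign prints signing details to stderr, hence the redirect.
    codesign -dvv "$dmg" 2>&1 | grep -F -q "Authority=$expected_authority" \
        || { echo "signed, but not by: $expected_authority" >&2; return 1; }

    # 3. Policy: ask Gatekeeper whether it would allow this image to be opened.
    spctl --assess --type open --context context:primary-signature --verbose "$dmg" 2>&1 \
        || return 1

    echo "OK: $dmg is signed by '$expected_authority' and accepted by Gatekeeper"
    return 0
}

# Usage: verify_dmg ~/Downloads/TorBrowser.dmg "Developer ID Application: <signer>"
```

Steps 1 and 2 are deliberately separate: an attacker's own Developer ID would pass step 1 alone, so checking the authority string is what ties the image to a specific publisher.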