[tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 15 08:51:39 UTC 2019
#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: closed
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution: fixed
Keywords: tbb-security, TorBrowserTeam201909 | Actual Points: 5.5
Parent ID: | Points: 2
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by gk):
Replying to [comment:40 ha]:
> Are the entitlement files Tor plans to use available online somewhere to look at?
>
> If you're using the Firefox production entitlements as a starting point, you might be able to change some rules to be more restrictive.
>
> Assuming Tor only loads shared libraries signed by Tor or Apple, you should be able to set the disable library validation entitlement[1] to false. Firefox needs to load libraries signed by Adobe and Google for Flash and Widevine video decoding respectively.
>
> com.apple.security.cs.disable-library-validation=false
>
> In Firefox, we had to recently set this[2] to true because some WebExtensions using the native message API relied on helper applications that use Apple Events. I suspect Tor wouldn't need this and could set the entitlement to false.
>
> com.apple.security.automation.apple-events=false
>
> 1. https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation
> 2. https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events
Thanks for those pointers. I've filed a bunch of tickets to harden our
macOS Tor Browser. Your suggestions will be part of #32505.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:61>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
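The two entitlement settings suggested in the quoted reply can be checked mechanically before a bundle is signed. The following is an added example, not part of the original thread and not Tor Browser's or Firefox's build code; the sample plists and the helpers `audit_entitlements` and `is_hardened` are constructed for illustration, and the check assumes an absent boolean entitlement behaves like false.

```python
import plistlib

# The two entitlements discussed in the thread. Setting either to true relaxes
# the hardened runtime; an absent key is treated here as false (assumption).
RELAXING_ENTITLEMENTS = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.automation.apple-events",
)

def _plist(body: str) -> bytes:
    """Wrap <dict> contents in a minimal XML plist (constructed sample data)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + body + "</dict></plist>").encode()

# Constructed sample: both entitlements enabled, as the thread says Firefox needs.
PERMISSIVE = _plist(
    "<key>com.apple.security.cs.disable-library-validation</key><true/>"
    "<key>com.apple.security.automation.apple-events</key><true/>")

# Constructed sample: one explicit false, the other key omitted entirely.
RESTRICTIVE = _plist(
    "<key>com.apple.security.cs.disable-library-validation</key><false/>")

# Constructed sample: a string where a boolean belongs.
MALFORMED = _plist(
    "<key>com.apple.security.automation.apple-events</key><string>false</string>")

def audit_entitlements(plist_bytes: bytes) -> dict:
    """Map each audited entitlement to 'restricted', 'relaxed' or 'malformed'."""
    entitlements = plistlib.loads(plist_bytes)
    report = {}
    for key in RELAXING_ENTITLEMENTS:
        value = entitlements.get(key, False)
        if not isinstance(value, bool):
            report[key] = "malformed"  # do not guess how the OS will read it
        else:
            report[key] = "relaxed" if value else "restricted"
    return report

def is_hardened(plist_bytes: bytes) -> bool:
    """True only if every audited entitlement is restricted."""
    return all(s == "restricted" for s in audit_entitlements(plist_bytes).values())

if __name__ == "__main__":
    for name, sample in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE),
                         ("malformed", MALFORMED)):
        print(name, is_hardened(sample), audit_entitlements(sample))
```

Failing the build when `is_hardened` returns false keeps a copied Firefox entitlements file from silently carrying the relaxed settings forward.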