On Sat, Nov 16, 2013 at 09:58:40PM -0200, Erinn Clark wrote:
- Griffin Boyce <griffin@cryptolab.net> [2013:11:10 20:30 -0500]:
It's been a while since there's been a discussion on-list about getting the TBB into Apple's app store [1]. Interest hasn't really gone away in the intervening 13 months, so I just want to open up discussion about it.
Are there a lot of people interested in this? We hear complaints from OSX users about the packages not being signed the OSX way, but if we've received bugs about putting TBB into the app store, they have been so infrequent and long ago that I don't remember them. I'm not disagreeing with your claim, I just wonder where the interest is happening so I can read about it. :)
Getting TBB into the App Store would definitely help increase its visibility on the OSX side. However, I am not really in favour of giving a US company a list of all users who have downloaded TBB, plus information on whether or not they have upgraded to the most recent version...
Here are some possible solutions:
- Submit Apple agreements to Wendy for review and rejection/acceptance. The last mention of this was a year ago on #6540. Status?
I tried to get the licensing agreements earlier this year and they are, as far as I can tell, not available until you actually sign up. If someone reading this has put something in the app store (which may or may not be different from the app store the iPhone uses? does anyone know?), please send us a copy of any agreements you may have!
I think I still have access to both. Let me pull the latest version of both agreements (iPhone and OSX developer) and attach them to #6540.
- Actively decide to continue without being blessed by Apple, focusing instead on educating Mac users about their application security options.
I am at this point in favor of signing OSX packages with their codesigning, but in order to acquire a codesigning cert you have to jump through some hoops (and there is the aforementioned issue of "who buys the certs? person or organization?"; see also #10002). This is why this problem has never been "solved" -- every time we look at it we get discouraged, confused, and/or ideologically enraged.
Codesigning is a good countermeasure against some attackers. The bar you have to jump over to get an Apple dev account and enroll for a codesigning cert is significantly lower than the one described in #10002.
Have you spoken to Mozilla about how they obtained their code signing cert?
Cheers, Ralf