[tbb-bugs] #31905 [Applications/Tor Browser]: Sign dmg images (not just their contents)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 1 11:19:21 UTC 2019


#31905: Sign dmg images (not just their contents)
------------------------------------------+--------------------------------
     Reporter:  gk                        |      Owner:  tbb-team
         Type:  enhancement               |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:  tbb-security, tbb-
                                          |  rbm
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+--------------------------------
 Since macOS 10.11.5 there is the option
 [https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG18
 to sign the dmg images themselves] (not just their contents) to make sure
 the .dmg file is actually coming from us. Might be worth doing given that
 the OpenPGP part requires yet another non-native tool for verification
 while users could use the built-in macOS capabilities to check whether the
 .dmg is good.

 Apart from that I am not sure about the benefit of signing the .dmg
 itself. Thanks to juno_hacker at HackerOne for pointing out the missing
 container signature.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31905>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list