[tor-bugs] #6540 [Tor bundles/installation]: Support Mountain Lion Gatekeeper

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Aug 4 08:45:05 UTC 2012 

#6540: Support Mountain Lion Gatekeeper
--------------------------------------+-------------------------------------
 Reporter:  jroith                    |          Owner:  erinn
     Type:  enhancement               |         Status:  new  
 Priority:  major                     |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------

Comment(by SteveJobsOnIce):

 Replying to [comment:2 mikeperry]:
 > Hrmm.. Exactly how much security theater are we buying into here? Say I
 also get my own  developer key from Apple, can I distribute "Tor Browser
 Bundles"? Or, more interestingly, can I give the Transmission developers
 $15k for their developer key and tell them to act surprised when it starts
 signing rogue Tor Browser Bundles only for a few people inside Iran/China?
 >

 You can build whatever software you like and sign it, for now. If you get
 caught doing something bad, we'll send our lawyers after you. Eventually
 we will require all signed applications to be distributed via the App
 store to solve this problem. If your application isn't signed, you can
 provide a tutorial explaining how to disable the Gatekeeper protection.
 Don't worry, there's only a few scary warnings.

 > In other words: Can we create our own mechanisms for multipath key trust
 in the system for updates and/or sophisticated users? Or was this also
 forbidden by the God Emperor before his death?

 First you need a developer ID. Then you can read the documentation. And
 Steve lives!

 >
 > Also, wrt the "experiment": Apple already *does* dare abuse its power in
 all sorts of circumstances with respect to App store apps again and again.
 For fuck's sake, fart apps were among the first things banned from the
 iPhone store.. Trust them? Please... Apple is like a fucking zombie with
 its head cut off, and the head was practically criminally insane in the
 first place (game recognize game).
 >
 > But net-net: Yeah, sure. If it's free, I say let's try it out for the 3
 weeks that they allow us to do so. I just needed to get all that off my
 chest for the historical record.

 Well, according to: https://support.apple.com/kb/HT5290

 "Note: If an app with a revoked Gatekeeper certificate is already
 installed, it will continue to run."

 But blacklisting malware is done by a separate mechanism. So you're SoL
 anyway, whether you play this game or not.

 "Important: Developer ID signature applies to apps downloaded from the
 Internet. Apps from other sources, such as file servers, external drives,
 or optical discs are exempt, unless the apps were originally downloaded
 from the Internet."

 Seriously now:

 How is the evil bit set? Does this only work with Safari?

 I wonder what Gatekeeper will do about auto-updating applications (e.g.
 Thandy). Will users get stuck with obsoleted (but signed) software that
 refuses to update?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6540#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list