[tor-bugs] #13252 [Tor Browser]: Tor Browser on OS X should not store data into the application bundle

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 17 20:52:44 UTC 2015 

#13252: Tor Browser on OS X should not store data into the application bundle
-------------------------+-----------------------------------
 Reporter:  torosx       |          Owner:  mcs
     Type:  defect       |         Status:  needs_information
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:  #6540        |         Points:
  Sponsor:               |
-------------------------+-----------------------------------
Changes (by mcs):

 * cc: gk, mikeperry, teor (added)
 * status:  assigned => needs_information


Comment:

 Replying to [comment:5 mcs]:
 > But the showstopper issue with the Tor Browser bundle structure is going
 to be the Tor and browser profile data that we store inside the bundle. I
 am almost certain that we will need to move all files that may change out
 of the .app bundle.

 Digging a little deeper and experimenting on a Mac OS 10.10.5 system,
 Kathy and I learned some interesting things:
 1. It is possible to add a valid signature to Tor Browser if we remove the
 TorBrowser directory.
 2. It appears that the signature is only checked when the app bundle has a
 quarantine attribute in the file system. See
 http://www.cocoabuilder.com/archive/xcode/319946-revoking-gatekeeper-
 exceptions.html#320000
 3. After an application is opened once, the quarantine attribute is
 modified by the system so that the app bundle is no longer subjected to
 signature checks.
 4. It is possible to add a valid signature to Tor Browser if we move the
 TorBrowser directory under TorBrowser.app/Contents/.

 Because of 2-4 above, we might be able to cheat a little and just relocate
 the TorBrowser directory. This will mean that our app bundle's signature
 will be broken as soon as Tor Browser is opened for the first time (this
 is because we make changes under TorBrowser/Data and Apple's signature
 "seals" everything under Contents/ -- nothing can be modified without
 invalidating the signature).

 It is possible Apple will be even more strict in a future release of their
 Gatekeeper technology, so our other option is to keep our data outside
 TorBrowser.app (either in a side-by-side folder like Ricochet does or in
 the standard location under ~/Library/Application Support/).

 What do other people think?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13252#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list