[tor-bugs] #3861 [Tor bundles/installation]: begin signing Windows packages the Windows way
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Feb 28 05:36:56 UTC 2015
#3861: begin signing Windows packages the Windows way
-------------------------------------+-------------------------------------
Reporter: erinn                     | Owner: erinn
Type: enhancement                   | Status: new
Priority: normal                    | Milestone:
Component: Tor bundles/installation | Version:
Resolution:                         | Keywords: tbb-3.0, tbb-security, tbb-usability-stoppoint-app, tbb-4.5-alpha
Actual Points:                      | Parent ID:
Points:                             |
-------------------------------------+-------------------------------------
Comment (by starlight):
A major benefit of signing binaries is that TBB can be readily whitelisted in AppLocker (and presumably other whitelist tools).

Please sign all the .DLLs, .PYDs and .EXEs as well as the actual release bundle .EXE.

I've been experimenting with strict whitelisting on a system and just upgraded to 4.5a4. Was some trouble to add hashes for all the files!

With a set of fully signed binaries, one only has to add the rule to allow the Tor Project certificate one time. MS's AppLocker does not check certificate hashes (I'm not sure if that's good design or not) so if the attributes of a renewed certificate stay the same, a TBB "publisher" rule should continue to work through cert rollovers.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3861#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
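
The whitelisting workflow the comment describes, as an added example that is not part of the ticket or any Tor Project code: it inventories which bundle binaries carry a valid Authenticode signature, then drafts an AppLocker policy that uses publisher rules where a signature exists and falls back to per-file hash rules otherwise. The install path, output file name and rule prefix are assumptions; the policy is only written to disk for review, not applied.

```powershell
# Added example; $BundleRoot, $PolicyOut and the 'TBB' prefix are assumed values.
param(
    [string]$BundleRoot = "$env:USERPROFILE\Desktop\Tor Browser",
    [string]$PolicyOut  = ".\tbb-applocker-draft.xml"
)

# 1. Inventory the file types named in the comment and record signature status.
$files = @(Get-ChildItem -Path $BundleRoot -Recurse -File -Include *.exe, *.dll, *.pyd)
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File    = $f.FullName
        Status  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}
$unsigned = @($report | Where-Object Status -ne 'Valid')
"{0} binaries found, {1} without a valid signature" -f $files.Count, $unsigned.Count
$unsigned | Select-Object -ExpandProperty File

# 2. Draft a policy: Publisher is tried first, Hash is the fallback for
#    files that have no usable publisher information.
$info = Get-AppLockerFileInformation -Directory $BundleRoot -Recurse -FileType Exe, Dll
$xml  = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
            -RuleNamePrefix 'TBB' -Optimize -Xml
Set-Content -Path $PolicyOut -Value $xml -Encoding UTF8

# 3. Summarise the draft. Every hash rule has to be regenerated on each
#    upgrade; publisher rules match on the signer's attributes instead.
[xml]$doc   = $xml
$pubRules   = $doc.SelectNodes('//FilePublisherRule').Count
$hashRules  = $doc.SelectNodes('//FileHashRule').Count
"Draft policy: {0} publisher rule(s), {1} hash rule(s)" -f $pubRules, $hashRules

# Publisher names the rules key on (certificate subject attributes).
$doc.SelectNodes('//FilePublisherCondition') |
    ForEach-Object { $_.PublisherName } |
    Sort-Object -Unique
```

A draft produced this way can be checked against individual files with `Test-AppLockerPolicy` before anything is enforced.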