[tor-bugs] #30126 [Applications/Tor Browser]: Make Tor Browser on macOS compatible with Apple's notarization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Aug 22 22:05:12 UTC 2019
#30126: Make Tor Browser on macOS compatible with Apple's notarization
------------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, TorBrowserTeam201908 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by ha):
Are the entitlement files Tor plans to use available online somewhere to
look at?
If you're using the Firefox production entitlements as a starting point,
you might be able to change some rules to be more restrictive.
Assuming Tor only loads shared libraries signed by Tor or Apple, you
should be able to set the disable library validation entitlement[1] to
false. Firefox needs to load libraries signed by Adobe and Google for
Flash and Widevine video decoding respectively.
com.apple.security.cs.disable-library-validation=false
In Firefox, we had to recently set this[2] to true because some
WebExtensions using the native message API relied on helper applications
that use Apple Events. I suspect Tor wouldn't need this and could set the
entitlement to false.
com.apple.security.automation.apple-events=false
1. https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation
2. https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30126#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
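
Added example, not part of the original message and not code from Tor's or Mozilla's build tooling: a Python check that parses an entitlements property list and reports the state of the two entitlements discussed in the comment. The sample plists and the names `make_plist`, `audit` and `violations` are constructed for illustration; treating an absent key as not granted is the assumption the check relies on.

```python
import plistlib

# Entitlements the comment suggests could be left disabled (false).
WATCHED = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.automation.apple-events",
)

def make_plist(body):
    """Wrap <key>/<value> pairs in a minimal XML property list."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<plist version="1.0"><dict>' + body + b'</dict></plist>')

# Constructed samples, not real Firefox or Tor Browser entitlement files.
PERMISSIVE = make_plist(
    b"<key>com.apple.security.cs.disable-library-validation</key><true/>"
    b"<key>com.apple.security.automation.apple-events</key><true/>")
RESTRICTIVE = make_plist(
    b"<key>com.apple.security.cs.disable-library-validation</key><false/>")
MISTYPED = make_plist(
    b"<key>com.apple.security.automation.apple-events</key>"
    b"<string>false</string>")

def audit(entitlements_xml):
    """Map each watched key to 'granted', 'denied', 'absent' or 'malformed'."""
    ents = plistlib.loads(entitlements_xml)
    report = {}
    for key in WATCHED:
        if key not in ents:
            report[key] = "absent"      # assumption: absent means not granted
        elif ents[key] is True:
            report[key] = "granted"
        elif ents[key] is False:
            report[key] = "denied"
        else:
            report[key] = "malformed"   # not a boolean; needs manual review
    return report

def violations(entitlements_xml):
    """Watched keys that are granted or have a non-boolean value."""
    states = audit(entitlements_xml)
    return sorted(k for k, v in states.items() if v in ("granted", "malformed"))

if __name__ == "__main__":
    for name, sample in (("permissive", PERMISSIVE),
                         ("restrictive", RESTRICTIVE),
                         ("mistyped", MISTYPED)):
        print(name, violations(sample) or "ok")
```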