[tor-dev] Apple App Store Redux

Ralf-Philipp Weinmann ralf at coderpunks.org
Sun Nov 17 09:25:49 UTC 2013

On Sat, Nov 16, 2013 at 09:58:40PM -0200, Erinn Clark wrote:
> * Griffin Boyce <griffin at cryptolab.net> [2013:11:10 20:30 -0500]: 
> >   It's been a while since there's been a discussion on-list about
> > getting the TBB into Apple's app store [1].  Interest hasn't really gone
> > away in the intervening 13 months, so I just want to open up discussion
> > about it.
> Are there a lot of people interested in this? We hear complaints from OSX users
> about the packages not being signed the OSX way, but if we've received bugs
> about putting TBB into the app store, they have been so infrequent and long ago
> that I don't remember them. I'm not disagreeing with your claim, I just wonder
> where the interest is happening so I can read about it. :)

Getting TBB into the App Store would definitely help increase its visibility on
the OSX side. However, I am not really in favour of giving a US company a list
of all users who have downloaded TBB, plus information on whether or not they have
upgraded to the most recent version...

> > Here are some possible solutions:
> >   - Submit Apple agreements to Wendy for review and
> > rejection/acceptance. The last mention of this was a year ago on #6540.
> > Status?
> I tried to get the licensing agreements earlier this year and they are, as far
> as I can tell, not available until you actually sign up. If someone reading
> this has put something in the app store (which may or may not be different from
> the app store the iPhone uses? does anyone know?) please send us a copy of any
> agreements you may have!

I think I still have access to both. Let me pull the latest version of both
agreements (iPhone and OSX developer) and attach them to #6540.

> >   - Actively decide to continue without being blessed by Apple, but
> > focusing instead on educating Mac users about their application security
> > options.
> I am at this point in favor of signing OSX packages with their codesigning but
> in order to acquire a codesigning cert you have to jump through some hoops (and
> there is the aforementioned issue of "who buys the certs? person or
> organization?"; see also #10002) This is why this problem has never been
> "solved" -- every time we look at it we get discouraged, confused, and/or
> ideologically enraged.

Codesigning is a good countermeasure against some attackers. The bar you have
to jump over to get an Apple dev account and enroll for a codesigning cert is
significantly lower than the one described in #10002.

Have you spoken to Mozilla about how they obtained their code signing cert?