Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-16T01:26:34Zhttps://gitlab.torproject.org/legacy/trac/-/issues/34398Harden our code signing on macOS for ESR 782020-06-16T01:26:34ZGeorg KoppenHarden our code signing on macOS for ESR 78While #32506 might be not doable during our transition to ESR 78 we might be able to pick up some improvements nevertheless, see:
https://hg.mozilla.org/releases/mozilla-beta/rev/497690887467ccf0709d71fdb1b20d0647388df9While #32506 might be not doable during our transition to ESR 78 we might be able to pick up some improvements nevertheless, see:
https://hg.mozilla.org/releases/mozilla-beta/rev/497690887467ccf0709d71fdb1b20d0647388df9https://gitlab.torproject.org/legacy/trac/-/issues/32507Move closer to the way Mozilla is signing macOS bundles2020-06-16T01:09:48ZGeorg KoppenMove closer to the way Mozilla is signing macOS bundlesMozilla is using a [bash script](https://searchfox.org/mozilla-esr68/source/security/mac/hardenedruntime/codesign.bash) `codesign.bash` for signing macOS bundles. We should go over it and include the finer-grained signing (different enti...Mozilla is using a [bash script](https://searchfox.org/mozilla-esr68/source/security/mac/hardenedruntime/codesign.bash) `codesign.bash` for signing macOS bundles. We should go over it and include the finer-grained signing (different entitlement files being used and sometimes entitlements are not even ready) into our setup.
(see: https://bugzilla.mozilla.org/show_bug.cgi?id=1593071 for important changes to that bash script)https://gitlab.torproject.org/legacy/trac/-/issues/32506Move to different entitlements files for parent and child processes2020-06-16T01:26:34ZGeorg KoppenMove to different entitlements files for parent and child processesMozilla started to provide/use different entitlements files for parent and child processes to be able to provide a finer-grained ruleset for the hardening depending on process type:
https://bugzilla.mozilla.org/show_bug.cgi?id=1593071
h...Mozilla started to provide/use different entitlements files for parent and child processes to be able to provide a finer-grained ruleset for the hardening depending on process type:
https://bugzilla.mozilla.org/show_bug.cgi?id=1593071
https://bugzilla.mozilla.org/show_bug.cgi?id=1593072
We should do the same for Tor Browser.https://gitlab.torproject.org/legacy/trac/-/issues/32505Tighten our rules in our entitlements file for macOS2020-06-16T01:09:47ZGeorg KoppenTighten our rules in our entitlements file for macOScomment:40:ticket:30126 mentions two possible rules we could tighten in our entitelments file:
com.apple.security.cs.disable-library-validation=false
com.apple.security.automation.apple-events=false
The former seems indeed to be a clea...comment:40:ticket:30126 mentions two possible rules we could tighten in our entitelments file:
com.apple.security.cs.disable-library-validation=false
com.apple.security.automation.apple-events=false
The former seems indeed to be a clear winner but I am not sure about the latter as we usually don't want to break the expected behavior for users installing WebExtensions (even if we don't recommend it).
We could think about more rules to be tightened while we are at it.Georg KoppenGeorg Koppen