Bug 41243: Use separate entitlements for signing tor
Merge Info
Related Issues
- tor-browser#xxxxx
- mullvad-browser#xxxxx
- #41243 (closed)
Backporting
Timeline
- Immediate: patchset needed as soon as possible
- Next Minor Stable Release: patchset that needs to be verified in nightly before backport
- Eventually: patchset that needs to be verified in alpha before backport
- No Backport (preferred): patchset for the next major stable
(Optional) Justification
- Emergency security update: patchset fixes CVEs, 0-days, etc
- Censorship event: patchset enables censorship circumvention
- Critical bug-fix: patchset fixes a bug in core-functionality
- Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
- Sponsor required: patchset required for sponsor
- Other: please explain
Issue Tracking
- Link resolved issues with appropriate Release Prep issue for changelog generation
Review
Request Reviewer
- Request review from an applications developer depending on modified system:
- NOTE: if the MR modifies multiple areas, please `/cc` all the relevant reviewers (since gitlab only allows 1 reviewer)
- accessibility : henry
- android : clairehurst, dan
- build system : boklm
- extensions : ma1
- firefox internals (XUL/JS/XPCOM) : jwilde, ma1
- fonts : pierov
- frontend (implementation) : henry
- frontend (review) : donuts, morgan
- localization : henry, pierov
- macOS : clairehurst, dan
- nightly builds : boklm
- rebases/release-prep : boklm, dan, ma1, morgan, pierov
- security : jwilde, ma1
- signing : boklm, morgan
- updater : pierov
- windows : jwilde, morgan
- misc/other : morgan, pierov
Change Description
Use a separate entitlements file for signing the tor binary, with
`com.apple.security.cs.allow-unsigned-executable-memory` enabled.
How Tested
I've signed the 14.0.1 dmg with this change:
- https://people.torproject.org/~boklm/tmp/bug_41243/tor-browser-macos-14.0.1.dmg
- https://people.torproject.org/~boklm/tmp/bug_41243/tor-browser-macos-14.0.1.dmg.asc
Setting the MR as draft until confirmed it's fixing the issue.
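
A check that fits a per-binary entitlements change like the one described above, as an added example that is not part of this merge request or the project's signing scripts: the Python below reads the entitlements plist of each signed binary (on macOS, `codesign -d --entitlements` prints them) and reports any hardened-runtime exception that is missing or appears where the allow-list does not expect it. The paths, the policy and the sample plists are constructed assumptions.

```python
import plistlib

UNSIGNED_MEM = "com.apple.security.cs.allow-unsigned-executable-memory"
ALLOW_JIT = "com.apple.security.cs.allow-jit"
# Apple hardened-runtime exception keys; each one relaxes a runtime protection.
RUNTIME_EXCEPTIONS = {
    UNSIGNED_MEM,
    ALLOW_JIT,
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}

def enabled_exceptions(entitlements: bytes) -> set:
    """Return the runtime exceptions set to true in one entitlements plist."""
    if not entitlements.strip():
        return set()  # signed without any entitlements
    data = plistlib.loads(entitlements)
    return {k for k, v in data.items() if k in RUNTIME_EXCEPTIONS and v is True}

def audit(signed: dict, policy: dict) -> list:
    """Compare every binary's entitlements with its allow-list.

    signed: path -> entitlements plist bytes
    policy: path -> exceptions that binary may carry (unlisted paths: none)
    Returns sorted (path, "unexpected" | "missing", key) tuples.
    """
    findings = []
    for path, blob in signed.items():
        have = enabled_exceptions(blob)
        want = policy.get(path, set())
        findings += [(path, "unexpected", key) for key in have - want]
        findings += [(path, "missing", key) for key in want - have]
    return sorted(findings)

# Constructed sample: paths and entitlement sets are illustrative placeholders,
# not the project's real bundle layout or entitlements files.
SIGNED = {
    "Example.app/Contents/MacOS/browser": plistlib.dumps({ALLOW_JIT: True}),
    "Example.app/Contents/MacOS/tor": plistlib.dumps({UNSIGNED_MEM: True}),
    "Example.app/Contents/MacOS/helper": plistlib.dumps({UNSIGNED_MEM: True}),
}
POLICY = {
    "Example.app/Contents/MacOS/browser": {ALLOW_JIT},
    "Example.app/Contents/MacOS/tor": {UNSIGNED_MEM},
}

if __name__ == "__main__":
    for path, kind, key in audit(SIGNED, POLICY):
        print(f"{kind:10} {key}  {path}")
```

With the constructed data, only the `helper` binary is reported, because it carries the exception without being on the allow-list.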