macOS Tor Browser drops code signature on update from 11.0.2
Summary
All components of the macOS version of Tor Browser become unsigned (i.e. they no longer carry an Apple Notarized Developer ID signature) when upgrading from 11.0.2 to 11.0.3. This is bad security practice, since other applications can now modify Tor Browser without triggering Gatekeeper alerts on launch.
This issue only occurs during such an upgrade. Regular installs of 11.0.3 are unaffected.
Steps to reproduce:
- Download and install 11.0.2 (TorBrowser-11.0.2-osx64_en-US.dmg)
- Verify its code signatures via `spctl --assess --verbose=2 [path to package]`:
  /Volumes/Tor Browser/Tor Browser.app: accepted
  source=Notarized Developer ID
- Launch 11.0.2, connect to Tor, and install the update to 11.0.3 via the built-in update prompt
- Once updated, verify the code signatures again via `spctl --assess --verbose=2 [path to package]`:
  /Applications/Tor Browser.app: rejected
  source=no usable signature
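To check the state described in the steps above across the whole bundle rather than only the top-level .app, here is an added Python check (not part of this report or of Tor Browser) that runs `spctl` on the bundle and `codesign --verify` on every nested executable, so a silently unsigned component such as tor.real is listed by name. The walk over Contents/ and the injectable `run` parameter are assumptions made for this example.

```python
"""Assess a macOS app bundle plus each nested executable inside it, reporting
every component Gatekeeper/codesign would not accept (added example)."""
import os
import subprocess
from typing import Callable, Dict, List, Optional

def find_components(bundle: str) -> List[str]:
    """Bundle path plus every executable regular file under Contents/ (assumed layout)."""
    found = [bundle]
    for dirpath, _, files in os.walk(os.path.join(bundle, "Contents")):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.access(path, os.X_OK) and not os.path.islink(path):
                found.append(path)
    return found

def parse_spctl(output: str) -> Dict[str, str]:
    """Turn `spctl --assess --verbose=2` text into {verdict, source}."""
    info = {"verdict": "unknown", "source": ""}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted") or line.endswith(": rejected"):
            info["verdict"] = line.rsplit(": ", 1)[1]
        elif line.startswith("source="):
            info["source"] = line[len("source="):]
    return info

def assess(paths: List[str], run: Optional[Callable] = None) -> Dict[str, Dict[str, str]]:
    """spctl (Gatekeeper) for .app bundles, codesign --verify for nested files.
    `run` is injectable so the logic can be exercised without the macOS tools."""
    run = run or (lambda cmd: subprocess.run(cmd, capture_output=True, text=True))
    results = {}
    for path in paths:
        if path.endswith(".app"):
            proc = run(["spctl", "--assess", "--verbose=2", path])
            results[path] = parse_spctl(proc.stdout + proc.stderr)  # spctl prints to stderr
        else:
            proc = run(["codesign", "--verify", "--strict", path])  # exit 0 only if valid
            results[path] = {"verdict": "accepted" if proc.returncode == 0 else "rejected",
                             "source": proc.stderr.strip()}
    return results

def unsigned_components(results: Dict[str, Dict[str, str]]) -> List[str]:
    """Every path whose verdict is not 'accepted': the post-update red flag."""
    return sorted(p for p, r in results.items() if r["verdict"] != "accepted")
```

Run `unsigned_components(assess(find_components("/Applications/Tor Browser.app")))` before and after the in-place update; a non-empty list after the update reproduces the report.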
What is the current bug behavior?
Upgrading causes Tor Browser and all of its components (including bundled executables like tor.real) to lose their notarized code signatures. This is not visible to the user and triggers no alerts unless the signatures are verified manually with `spctl` or `codesign`, or third-party software that monitors such modifications is in use.
What is the expected behavior?
Upgrading should replace the old components with new, signed components. This is the behaviour when 11.0.3 is installed directly.
Environment
macOS Catalina 10.15.7, Tor Browser installed from main mirror .dmg images (https://dist.torproject.org)