cDigitalSignatures - tunnelblick - Tunnelblick and Digital Signatures - OpenVPN GUI for Mac OS X

Tunnelblick Discussion Group

Download Tunnelblick

News

Getting Started with Tunnelblick

Welcome to Tunnelblick
What is Tunnelblick?
What else you need
Getting VPN Service
How you can help
FAQ

Installation, Setup, and Usage

Installing 3.1 & 3.2
Uninstalling 3.1 & 3.2
Using Tunnelblick 3.1
Using Tunnelblick 3.2
Setting up Tunnelblick
Configuring OpenVPN
Tunnelblick as a VPN Server

Installing and Using Tunnelblick 3.0

Troubleshooting

Known Issues
Common Problems
Connects OK, But...
The Tunnelblick Log
The Console Log
How to get help

Releases

Stable Releases
Beta Releases
Release notes

Customized Versions

Distributing Tunnelblick
"Deployed" versions
".tblk" Details
Using Scripts
Icon Animation
Deployed vs. Tunnelblick VPN Configurations
Localizing Tunnelblick

For Developers

Building from Source
Modifying the disk image
Localizing Tunnelblick
Making Translations
Translation Status

Reference

FAQTunnelblickGoogleCodePage
Thanks
Known Issues
Release notes
AppleScript Support
Getting VPN Service
System requirements
Preferences 3.3
Preferences 3.2
Preferences 3.1
Preferences 3.0
Tunnelblick VPN Configurations
File Locations
Digital Signatures
Translation Status

What's New in 3.1
What's New in 3.2

Details About 3.0
Details About 3.1
Details About 3.2

cDigitalSignatures

Tunnelblick and Digital Signatures

Updated May 4, 2012 by jkbull...@gmail.com

Most Tunnelblick users do not need to use the information on this page. This page is primarily for those who create Deployed versions of Tunnelblick.

Digital Signatures

Tunnelblick uses two different types of digital signatures:

Tunnelblick.app may be digitally signed by the Tunnelblick Project with the Project's OS X digital signature. The signature is used in OS X 10.5 ("Leopard") and higher to allow an updated application with the same signature as the original application to access Keychain items created by the original application without OS X prompting the user for permission.
Updates to Tunnelblick are always digitally signed by the Tunnelblick Project. This is part of the update process, to ensure that updates to Tunnelblick are genuine and have not been tampered with or corrupted.

The rest of this page describes Tunnelblick.app's digital signatures, not update signatures.

Why Digital Signatures Are Useful

If the user agrees, Tunnelblick stores usernames, passwords and passphrases for VPNs in the user's Keychain so that the user does not have to enter them each time a connection is made.

For security reasons, OS X is careful when applications access the user's Keychain. Usually only the original application that created a Keychain item is allowed access to it. This means that when an application is updated, even though it has the same name, OS X will recognize that it is different and ask the user if the program may access the Keychain. In OS X 10.5 and higher, if the updated application is "digitally signed" by the same signer as the original application, OS X will allow it to access the Keychain without asking the user.

How Digital Signatures Can Cause Problems for Deployed Versions of Tunnelblick

If an application is digitally signed, and a change is made to the application, the signature becomes invalid. That can cause problems for Deployed versions of Tunnelblick, because the process of creating a Deployed version involves changing the application by adding a folder inside the application itself. If such a folder is added to a signed version of Tunnelblick, the signature becomes invalid, and OS X will refuse the program access to it's Keychain items, without asking the user.

The way to solve this problem is to add the folder to an unsigned version of Tunnelblick. OS X will then ask the user if the "new" program can access the Keychain items.

The maker of a Deployed version of Tunnelblick can then take the unsigned, already modified Tunnelblick and sign it himself/herself. That will give users the benefits of digital signatures.

Digital Signatures and Program Updates

Whenever Tunnelblick is updated by the built-in update process, the update itself will only be digitally signed under certain circumstances.

Standard Tunnelblick versions before 3.2beta34 will be updated with signed versions; and
Standard Tunnelblick versions 3.2beta34 and higher will be updated with signed versions only if they are themselves signed, otherwise they are updated with unsigned versions.
Standard Tunnelblick versions 3.2.3 and higher will be updated with signed versions unless they are Deployed versions, or there is a problem with the digital signature.
"Standard" means containing an Info.plist SUFeedURL entry of "http://tunnelblick.net/appcast.rss"

This behavior is meant to be backward compatible for most users of Tunnelblick.

Tunnelblick versions 3.2beta12 (2011-05-16) and higher are digitally signed, so updates to them that are signed will not require the user's permission to access the Keychain.

If an earlier version (for example, 3.1.7) is replaced by a signed version, OS X will ask the user to allow the new version to access Keychain items. But after that, further replacements by signed versions will be replacing a signed version with another version signed by the same signer (the Tunnelblick Project), and so will OS X will allow access without asking the user.

Digital Signatures

Why Digital Signatures Are Useful

How Digital Signatures Can Cause Problems for Deployed Versions of Tunnelblick

Digital Signatures and Program Updates

PLEASE USE THE TUNNELBLICK DISCUSSION GROUP FOR COMMENTS OR QUESTIONS