Installing Tunnelblick without a root password

[danande...@gmail.com]

I have a mild paranoia for typing a root password in any program.

Can you provide steps to manually install "Tunnelblick 3.4beta22" without root password?

For instance, if it's just a matter of moving files to particular system folders, can you provide steps so I can do it myself manually?

Thanks,

DA

[jkbull...gmail.com]

It isn't very practical because the ownership and permissions required to make Tunnelblick usable and secure are very complex. And there are specific ownership/permissions required for configurations, too.

You can inspect the code of installer.m, the program that installs Tunnelblick and its configurations. If you want to do all of that by hand, feel free.

If you want to create a script that replaces the installer.m program, I would be happy to host it in User-Contributed Scripts.

Each time you launch Tunnelblick, it verifies that it is "secure" -- that is, that the ownership and permissions of its critical files and folders are as expected. If the ownership and/or permission of any element is not as expected, it will ask for an admin username/password (not your root password, which is an entirely different thing on OS X) so it can run the installer program to correct the problem.

Also see Why does Tunnelblick need root privileges?

[D.A.]

Thanks for the reassuring reply. Since it's open source, I don't have as much fear of doing this.

However:

1. Do you know approx how many independent individuals verify each Tunnelblick release (including betas)?

2. For each release (including betas), do you have a reliable way in place to check that the Tunnelblick.app provided in the downloads is exactly the same as the one we obtain by compiling the source code? If not, can we be sure that this .app compiler can be trusted?

[jkbull...gmail.com]

On Thursday, April 17, 2014 2:28:18 PM UTC-4, D.A. wrote:

1. Do you know approx how many independent individuals verify each Tunnelblick release (including betas)?

I suspect the answer is one (me) -- but it depends on what you mean by "verify".

 

2. For each release (including betas), do you have a reliable way in place to check that the Tunnelblick.app provided in the downloads is exactly the same as the one we obtain by compiling the source code? If not, can we be sure that this .app compiler can be trusted?

My understanding is that the Xcode compiler used to build Tunnelblick (the gcc compiler) does not create the same binary each time source is compiled. (I am a little hazy about this, but I think that some parts of the binary include timestamps of the compile time. There may be other reasons, too.) That makes it difficult to say that any particular binary was built from any particular source code.

I personally build each release (including betas and pre-release snapshots that I occasionally make available privately for testing), using the instructions at Building from Source. I personally upload the built .dmg files to the SourceForger servers. I then download a copy and verify for myself that it is identical to the file I uploaded. (SourceForge provides MD5 and SHA1 checksums that you can use to verify that your downloaded copy is valid.)

Tunnelblick and its component parts are digitally signed by me (as an Apple-recognized developer) and Tunnelblick checks those digital signature each time it is launched.

Updates are done via https: and also are separately digitally signed by me (using a different digital signature scheme). When Tunnelblick updates itself, it verifies the signature and refuses to update if it is not correct.

It is possible that SourceForge, or an entity impersonating them, intercepts my downloads and always gives me good ones, and intercepts everyone else's and gives them copies of Tunnelblick that are subtly altered to include a backdoor, but I think that is unlikely.

I have no way of knowing if the compiler in Xcode 3.2.2 produces code which includes backdoors. See ACM Classic: Reflections on Trusting Trust.

[jkbull...gmail.com]

I should clarify that I create an "Unsigned Release" build of Tunnelblick (in OS X 10.6.8 because only it runs Xcode 3.2.2, which is used because it is the latest version of Xcode that produces PowerPC code), then add digital signatures to the app and components (in OS X 10.8.5 because only it can create digital signatures that all versions of OS X from 10.5 to 10.9 recognize), and then create a new .dmg with the result. That is the .dmg that I upload to SourceForge.