Wow, with the auto install feature introduced in beta30 and the Updatable Configurations in beta32, this is looking to be so much easier to administer for even my small group of users. And at a perfect time as I am about to roll out a new set of configs/keys. :)
But one question I have is that the initial install has the keys in the auto-installed configuration. This is OK as we secure the disk image it is installed on, as well as using two-factor authentication to connect to the server.So, in doing the Updatable Configuration via Sparkle, is it possible to do an update that only downloads the changed openvpn configuration file or parts of the .tblk bundle that need to change, or must the whole bundle be downloaded? If the whole bundle, then this might be problematic as each user would need a separate full bundle with their keys in it.
I could add a new Info.plist key: TBKeepExistingFile. The value would be the name of a file (possibly prefixed by one or more subfolders) that, although it would appear in the OpenVPN configuration file, would not be in the new configuration. Tunnelblick, when _replacing_ a configuration, would copy the existing file into the new configuration.
I could add a new Info.plist key: TBKeepExistingFiles, as a boolean.
IF the OpenVPN configuration file references a file that isn't in the new configuration
THEN IF TBKeepExisting is true
AND this is a _replacement_ configuration
AND the file exists in the old configuration
THEN copy the existing file from the old configuration to the new one
ELSE complain as we do now and stop the installation.
Obviously, once again, I am perhaps just missing something important. :)
The basic idea is to distribute updated configurations that replace only _some_ files and leave others.
Idea #1:I could add a new Info.plist key: TBKeepExistingFile. The value would be the name of a file (possibly prefixed by one or more subfolders) that, although it would appear in the OpenVPN configuration file, would not be in the new configuration. Tunnelblick, when _replacing_ a configuration, would copy the existing file into the new configuration.
Idea #2:I could add a new Info.plist key: TBKeepExistingFiles, as a boolean.IF the OpenVPN configuration file references a file that isn't in the new configurationTHEN IF TBKeepExisting is trueAND this is a _replacement_ configurationAND the file exists in the old configurationTHEN copy the existing file from the old configuration to the new oneELSE complain as we do now and stop the installation.
Both ideas would only work for private configurations, because the keys for shared configurations are not readable by the user (the main part of the installer runs as the user).
Since #2 doesn't include filenames, it would be easier to set up, but also easier to screw up -- if you have TBKeepExistingFiles set and you accidentally leave out a file, Tunnelblick will happily use the old one, which may not be what you want.
So: comments, questions, suggestions? I would really like some input!
Both ideas would only work for private configurations, because the keys for shared configurations are not readable by the user (the main part of the installer runs as the user).
While this may affect some users, at least for my installs I wouldn't have a pre-packaged key file in a public configuration. I assume this means the configurations that live in /Library/Application Support/Tunnelblick?
One other small point on the Sparkle appcast.rss file and the length="" field of the enclosure section... You say that this is the size of the .tblk, obtained via `stat -f %z configurations.tblk` or via the Finder "Get Info". But they give different things....$ stat -f %z TEST.tblk102Finder: 65,762 bytes (82 KB on disk)Very different numbers. :)
IF the OpenVPN configuration file references a file that does not exist
THEN IF TBUseExistingFiles is true (the default is false)
AND the file does not have a ".sh" extension
AND the file reference in the configuration file does not have an absolute path or a path relative to the user's home folder
AND the file exists in the unsecured copy of the old configuration (i.e., in ~/Library/Application Support/Tunnelblick/Configurations/...)
THEN copy the existing file from the unsecured copy of the old configuration to the new one that is being installed
ELSE complain as we do now and stop the installation.
3. After looking into the security implications of implementing this, there will be an additional restriction:
- The file must not be a ".sh" file. (Or, of course, a ".ovpn" or ".conf" file, but a valid config file can't contain a reference to one, so that's not really a problem.)
I don't think this restriction is a major problem. If a script file needs to be tailored for the user, it could read data from a per-user ".key" file (that really isn't a cryptographic key) and modify its operation accordingly.
Just to document it, how would you reference this .key file in the openvpn config file so that it wasn't really used but would still be copied over into a new config for reference by the script?
I appreciate your careful attention to security and for thinking this through. Since we have a fairly simple setup, it is hard to think through the wide variety of situations. I'm sure you have heard from many people with different setups, so it certainly makes sense that a solution tries to handle as many cases as possible.
On Friday, July 18, 2014 9:52:27 AM UTC-4, n9yty wrote:Just to document it, how would you reference this .key file in the openvpn config file so that it wasn't really used but would still be copied over into a new config for reference by the script?You wouldn't need to reference it in the OpenVPN configuration file. If a .tblk that is being installed contains "extra" files, they get copied into the final installed .tblk. I'm not sure that's documented anywhere; I will try to do so soon.
A new Info.plist key: TBKeepExistingFilesList. The value is be an array with the names (possibly prefixed by one or more subfolder names) of files that are to be copied from the old configuration to the new configuration. An error message would be displayed and the installation would be stopped if any of the files exist in the new configuration or do not exist in the old configuration.
There is a tricky catch to the new key, though: what to do about an inner .tblk TBKeepExistingFilesList overriding an outer .tblk one. We could (A) append the new array entries to the old ones while processing inside the inner .tblk or (B) replace the old array with the new one while inside the inner .tblk. Probably (B), but that needs more thought.
* would match any filenameabc* would match any filename which started with abcabc*def.key would match any filename that starts with "abc" and ends with "def.key".
defaults write net.tunnelblick.tunnelblick DB-UC -bool yes
/Library/Application Support/Tunnelblick/Tblks/xxx.yyy.zzz.tblk
Install the updatable .tblk by double-clicking it as usual. (Look in the Console log to see if there are any messages toward the end that refer to the updatable configuration.) Double-clicking the .tblk should install whatever configuration(s) are inside the .tblk as usual, and then it should also create a folder at
/Library/Application Support/Tunnelblick/Tblks/xxx.yyy.zzz.tblkwhere "xxx.yyy.zzz" is the CFBundleIdentifier for the updatable .tblk. That folder is a "stub" .tblk and contains only a Contents folder which contains only a copy of the Info.plist for the updatable .tblk.
Make sure that the stub .tblk is there. If it isn't, look in the Console log for a clue as to why the configuration wasn't considered "updatable". If you still can't figure it out, send me a .zip of the CONFIG.tblk privately at jkbullard at gmail.
On Monday, July 21, 2014 10:10:59 PM UTC-5, jkbull...gmail.com wrote:Install the updatable .tblk by double-clicking it as usual. (Look in the Console log to see if there are any messages toward the end that refer to the updatable configuration.) Double-clicking the .tblk should install whatever configuration(s) are inside the .tblk as usual, and then it should also create a folder at/Library/Application Support/Tunnelblick/Tblks/xxx.yyy.zzz.tblkwhere "xxx.yyy.zzz" is the CFBundleIdentifier for the updatable .tblk. That folder is a "stub" .tblk and contains only a Contents folder which contains only a copy of the Info.plist for the updatable .tblk.This was there, and also it included the public DSA key I used to sign the update. However, the version number in the plist is that of my original config, not the one that it would be updated to. Maybe that is OK, just mentioning it. Anyway, I wasn't signing them initially, but tried it since things weren't working. Now I know that was because I was editing a Info.plist file inside an already installed confirmation instead of installing one with that intact. My mistake.
Make sure that the stub .tblk is there. If it isn't, look in the Console log for a clue as to why the configuration wasn't considered "updatable". If you still can't figure it out, send me a .zip of the CONFIG.tblk privately at jkbullard at gmail.Here I see nothing...DB-UC: Copied updatable configuration 'xxx.yyy.zzz.TEST.tblk' to local user folderDB-UC: Delaying start of update check for configuration set xxx.yyy.zzz.TESTDB-UC: Starting update check without UI for configuration 'xxx.yyy.zzz.TEST'; URL = https://xxx.yy.zzz/tblk/appcast.rssDB-UC: cfgUpdater 0x8a377b0: didFinishLoadingAppcast
"This should be the same as the CFBundleVersion in the Info.plist in the updated Configuration."
So maybe something is wrong in the appcast format so that Tunnelblick thinks it is not supposed to update it? It looks good.If I don't get this sorted tomorrow (giving up for tonight), I will email you some pieces privately to have a quick look-over.
A side issue...When I delete the configuration it leaves the old /Library/Application Support/Tunnelblick/Tblks/xxx.yyy.zzz.TEST directory there, should it be deleting it when a config is deleted? I re-imported a new config (same name) and when I force an update check it reports the OLD version number and says it is still the latest one.
Even stranger, though, is that I deleted those Tblks copies, in the /Library and my ~/Library, and it STILL reports the old version number, so clearly I am not finding something... :) Where is this version stored or being pulled from? I do not see it in the net.tunnelblick.tunnelblick.plist file, no copies of the configuration exist in /Library or ~/Library, no Tblks files... Yet when I re-add the configuration (CFBundleVersion set to 1), it reports the old version string.
Now I am going mad... :)
After reporting to you that the old version was "stuck", I deleted everything again, and quit Tunnelblick, then when I relaunched and added the config it immediately prompted me to update! Yay! But....
7/22/14 10:46:09.137 AM Tunnelblick[4020]: DB-UC: cfgUpdater 0x68d1f0: didFinishLoadingAppcast
7/22/14 10:46:09.138 AM Tunnelblick[4020]: DB-UC: cfgUpdater 0x68d1f0: didFindValidUpdate
7/22/14 10:46:25.237 AM Tunnelblick[4020]: DB-UC: cfgUpdater 0x68d1f0: willInstallUpdate
7/22/14 10:46:32.470 AM Tunnelblick[4020]: Sparkle Error: An error occurred while installing the update. Please try again later.
7/22/14 10:46:32.471 AM Tunnelblick[4020]: Sparkle Error (continued): Couldn't find an appropriate update in the downloaded package.
This is the format of the zip file:
Archive: test_configurations.zip
testing: TEST.tblk/ OK
testing: TEST.tblk/Contents/ OK
testing: TEST.tblk/Contents/Info.plist OK
testing: TEST.tblk/Contents/Resources/ OK
testing: TEST.tblk/Contents/Resources/client.test.down.sh OK
testing: TEST.tblk/Contents/Resources/client.test.up.sh OK
testing: TEST.tblk/Contents/Resources/config.ovpn OK
testing: TEST.tblk/Contents/Resources/dsa_pub.pem OK
No errors detected in compressed data of sga_configurations.zip.
Is it supposed to be built from the TEST.tblk level or from inside of it (i.e. one layer down?)
That looks good. The "didFinishLoadingAppcast" means that it loaded the appcast.rss file properly from your website. If Sparkle didn't complain, then I think that means that the appcast has the same or lower version number compared to the installed configuration. (When I have an error in the appcast, I usually get a Console log entry from Sparkle that an error occurred, although the messages never say very clearly what is wrong.)
The way it works is that Sparkle compares the appcast's "sparkle:version" number (in the "enclosure" tag) with the CFBundleVersion in the local user copy of /Library/Application Support/Tunnelblick/Tblks/xxx.yyy.zzz.tblk. If the "sparkle:version" number is the same or lower in the appcast, Sparkle does nothing. If the "sparkle:version" number is higher, it shows a window to the user asking if the user wants to update.
One other tip: you can force an update check at any time from the "Preferences" panel -- it will first do an update check for the application, then it will do an update check for each configuration. And those checks will specifically say if the configuration is up-to-date. So you'll get two windows, one saying that Tunnelblick up-to-date and one saying that the configuration is up-to-date or needs updating.
That would be fine; I'd be glad to help. Sorry this is so hard. Being a pioneer is difficult!
This is the format of the zip file:
Archive: test_configurations.zip
testing: TEST.tblk/ OK
testing: TEST.tblk/Contents/ OK
testing: TEST.tblk/Contents/Info.plist OK
testing: TEST.tblk/Contents/Resources/ OK
testing: TEST.tblk/Contents/Resources/client.test.down.sh OK
testing: TEST.tblk/Contents/Resources/client.test.up.sh OK
testing: TEST.tblk/Contents/Resources/config.ovpn OK
testing: TEST.tblk/Contents/Resources/dsa_pub.pem OK
No errors detected in compressed data of test_configurations.zip.
It looks like your "TEST.tblk" is exactly that, an "outer", updatable .tblk that contains OpenVPN configurations inside it.
It might have to do with not finding (in the .zip) an Info.plist entry with the correct CFBundleIdentifier and CFBundleVersion, or something like that. The new CFBundleIdentifier (the one in the .zip) must match the one in the appcast and the one in the un-updated configuration (that is, all three must be identical) and I think the CFBundleVersion in the appcast must match the one in the new one.( Of course they won't match the un-updated one; that's the point!)
It might have to do with not finding (in the .zip) an Info.plist entry with the correct CFBundleIdentifier and CFBundleVersion, or something like that. The new CFBundleIdentifier (the one in the .zip) must match the one in the appcast and the one in the un-updated configuration (that is, all three must be identical) and I think the CFBundleVersion in the appcast must match the one in the new one.( Of course they won't match the un-updated one; that's the point!)The appcast.rss version number:sparkle:version="201407.22.003"The TEST.tblk/Contents/Info.plist version number:<key>CFBundleVersion</key>
<string>201407.22.003</string>The TEST.tblk also has:<key>CFBundleIdentifier</key>
<string>xx.yy.zz.TEST</string>
Is there any way to prompt Sparkle to be a bit more verbose about why it doesn't like the update?
I will email you the appcast URL so you can download it and the zip of the configuration update and see if you see anything unusual. I'll also include the "old" installed config. I'm sure that will be easier for you to look over than going back and forth here over which bits are set which way. :)
On Tuesday, July 22, 2014 1:01:07 PM UTC-4, n9yty wrote:It might have to do with not finding (in the .zip) an Info.plist entry with the correct CFBundleIdentifier and CFBundleVersion, or something like that. The new CFBundleIdentifier (the one in the .zip) must match the one in the appcast and the one in the un-updated configuration (that is, all three must be identical) and I think the CFBundleVersion in the appcast must match the one in the new one.( Of course they won't match the un-updated one; that's the point!)The appcast.rss version number:sparkle:version="201407.22.003"The TEST.tblk/Contents/Info.plist version number:<key>CFBundleVersion</key>
<string>201407.22.003</string>The TEST.tblk also has:<key>CFBundleIdentifier</key>
<string>xx.yy.zz.TEST</string>The appcast's "sparkle:version" must match "xx.yy.zz.TEST", too. All three must match.
The appcast's "sparkle:version" must match "xx.yy.zz.TEST", too. All three must match.Oh, wait... I thought the "sparkle:version" was to match the "CFBundleVersion" which was just a version number.I thought CFBundleIdentifier was different, and was the config reverse-dns style name. So all three have to match?
com.example.tunnelblick-configs.001.tblk/Contents/Info.plistcom.example.tunnelblick-configs.001.tblk/Contents/Resources/dsa_pub.pemcom.example.tunnelblick-configs.001.tblk/Contents/Resources/Config1.tblk/Info.plistcom.example.tunnelblick-configs.001.tblk/Contents/Resources/Config1.tblk/client.crtcom.example.tunnelblick-configs.001.tblk/Contents/Resources/Config1.tblk/client.keycom.example.tunnelblick-configs.001.tblk/Contents/Resources/Config1.tblk/ca.crtcom.example.tunnelblick-configs.001.tblk/Contents/Resources/Config1.tblk/client.ovpn
Without this, Sparkle always complained with "Sparkle Error (continued): Couldn't find an appropriate update in the downloaded package."
DB-UC: Started update checks without UI for configuration 'org.sga.tunnelblick.config.SGAMaster' (0); URL = https:/redacted
DB-UC: didFinishLoadingAppcast for 'SGAMaster.tblk' (org.sga.tunnelblick.config.SGAMaster 0)
DB-UC: didFindValidUpdate for 'SGAMaster.tblk' (org.sga.tunnelblick.config.SGAMaster 0)
DB-UC: willInstallUpdate for 'SGAMaster.tblk' (org.sga.tunnelblick.config.SGAMaster 0)
Sparkle Error: An error occurred while installing the update. Please try again later.
Sparkle Error (continued): Couldn't find an appropriate update in the downloaded package.
org.sga.tunnelblick.config.SGAMaster.tblk/
└── Contents
├── Info.plist
└── Resources
├── SGA.tblk
│ ├── Info.plist
│ ├── client.sga.down.sh
│ ├── client.sga.up.sh
│ └── config.ovpn
└── dsa_pub.pem
OUTER:
<key>CFBundleIdentifier</key>
<string>org.sga.tunnelblick.config.SGAMaster</string>
INNER:
<key>CFBundleIdentifier</key>
<string>org.sga.tunnelblick.config.SGA</string>
So I think (but I haven't worked with this for a long time) that if the file that is being downloaded for the update is a .zip of "org.sga.tunnelblick.config.SGAMaster.tblk", it should be named "org.sga.tunnelblick.config.SGAMaster.tblk.zip" and that is the file that should be referenced in the "url=" part of the "enclosure:" entry in the .rss file.
DB-UC: Installing updated configurations at '/Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk'
Created symlink to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/SGA.tblk/client.sga.down.sh at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-dBpjoN/SGA.tblk/Contents/Resources/client.sga.down.sh
Created symlink to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/SGA.tblk/client.sga.up.sh at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-dBpjoN/SGA.tblk/Contents/Resources/client.sga.up.sh
Created symlink to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/SGA.tblk/config.ovpn at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-dBpjoN/SGA.tblk/Contents/Resources/config.ovpn
Created symlink to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/SGA.tblk/Info.plist at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-dBpjoN/SGA.tblk/Contents/Info.plist
Error returned from createSymbolicLinkAtPath: /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-dBpjoN/SGA.tblk/Contents/Resources/client.sga.down.sh withDestinationPath: /Users/n9yty/Library/Application Support/Tunnelblick/Configurations/SGA.tblk/Contents/Resources/client.sga.down.sh; Error was Error Domain=NSCocoaErrorDomain Code=516 "The file “client.sga.down.sh” couldn’t be saved in the folder “Resources” because a file with the same name already exists." UserInfo={NSFilePath=/private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-dBpjoN/SGA.tblk/Contents/Resources/client.sga.down.sh, NSUnderlyingError=0x21d4a60 {Error Domain=NSPOSIXErrorDomain Code=17 "File exists"}}
Failed to create symlink to /Users/n9yty/Library/Application Support/Tunnelblick/Configurations/SGA.tblk/Contents/Resources/client.sga.down.sh at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-dBpjoN/SGA.tblk/Contents/Resources/client.sga.down.sh
$ ls -l /Library/Application\ Support/Tunnelblick/Tblks/
drwxr-xr-x+ 3 root wheel 102 Sep 21 12:40 org.sga.tunnelblick.config.SGAMaster_0
drwxr-xr-x+ 3 root wheel 102 Sep 21 13:17 org.sga.tunnelblick.config.SGAMaster_1
On Monday, September 21, 2015 at 1:11:50 PM UTC-5, jkbull...gmail.com wrote:So I think (but I haven't worked with this for a long time) that if the file that is being downloaded for the update is a .zip of "org.sga.tunnelblick.config.SGAMaster.tblk", it should be named "org.sga.tunnelblick.config.SGAMaster.tblk.zip" and that is the file that should be referenced in the "url=" part of the "enclosure:" entry in the .rss file.The name of the zip file made a huge difference.
open on /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem: Permission denied
Error returned from copyItemAtPath: /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem toPath: /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-qSP9Gs/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem; Error was Error Domain=NSCocoaErrorDomain Code=513 "“dsa_pub.pem” couldn’t be copied because you don’t have permission to access “Resources”." UserInfo={NSSourceFilePathErrorKey=/Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem, NSUserStringVariant=(
Copy
), NSFilePath=/Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem, NSDestinationFilePath=/private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-qSP9Gs/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem, NSUnderlyingError=0xd308740 {Error Domain=NSPOSIXErrorDomain Code=13 "Permission denied"}}
When did the "open on" message happen? Was this from Tunnelblick or did you try to use the command line to "open"? If it was from Tunnelblick it would be helpful to have the messages that led up to it.
Some free advice (and worth every penny : ) -- get basic updating of configs working first before trying to use advanced features like "TBKeepExistingFilesList". (Maybe you've done that; I kind of lost track.)
When did the "open on" message happen? Was this from Tunnelblick or did you try to use the command line to "open"? If it was from Tunnelblick it would be helpful to have the messages that led up to it.
Installation failed:
Not replacing an existing configuration, so configuration '(null)' cannot use 'TBKeepExistingFilesList'
org.sga.tunnelblick.config.SGAMaster.tblk
├── Info.plist
├── SGA.tblk
│ ├── Info.plist
│ ├── client.sga.down.sh
│ ├── client.sga.up.sh
│ └── config.ovpn
└── dsa_pub.pem
Installation failed:
Updatable configuration 'org.sga.tunnelblick.config.SGAMaster' was not stored as updatable because '/Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/dsa_pub.pem' could not be copied to '/private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-WsBOy7/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem'
-rwx------ 1 root wheel 2222 Jul 24 2014 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/dsa_pub.pem
UID PID COMM FD PATH
501 6469 Tunnelblick 30 /Applications/Tunnelblick.app/Contents/Frameworks/Sparkle.framework/Resources/SUStatus.nib
501 6469 Tunnelblick 30 /Applications/Tunnelblick.app/Contents/Resources/tunnelblick.icns
501 6469 Tunnelblick 30 /Library/Application Support/Tunnelblick/Tblks
501 6469 Tunnelblick 30 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0
501 6469 Tunnelblick 30 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1
501 6469 Tunnelblick 30 /Library/Application Support/Tunnelblick/Tblks
501 6469 Tunnelblick 30 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0
501 6469 Tunnelblick 30 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1
501 6469 Tunnelblick 30 /Users/n9yty/Library/Keychains/login.keychain
501 6469 Tunnelblick 30 /Library/Keychains/System.keychain
501 6469 Tunnelblick 37 /System/Library/Frameworks/AppKit.framework/Resources/English.lproj/NSAlertPanel.nib
501 6469 Tunnelblick 37 /Applications/Tunnelblick.app/Contents/Resources/tunnelblick.icns
501 6469 Tunnelblick 37 /Applications/Tunnelblick.app/Contents/Frameworks/Sparkle.framework/Resources/SUStatus.nib
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
501 6469 Tunnelblick 39 /Applications/Tunnelblick.app/Contents/Frameworks/Sparkle.framework/Resources/en.lproj/SUUpdateAlert.nib
501 6469 Tunnelblick -1 /Library/Managed Preferences/n9yty/com.apple.familycontrols.contentfilter.plist
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
501 6469 Tunnelblick -1 /Library/Managed Preferences/n9yty/com.apple.familycontrols.contentfilter.plist
501 6469 Tunnelblick 39 /Users/n9yty/Library/Preferences/com.apple.security.revocation.plist
501 6469 Tunnelblick 39 /Users/n9yty/Library/Preferences/com.apple.security.revocation.plist
501 6469 Tunnelblick 39 /System/Library/Keychains/SystemRootCertificates.keychain
501 6469 Tunnelblick 39 /Applications/Tunnelblick.app/Contents/Frameworks/Sparkle.framework/Resources/SUStatus.nib
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/org.sga.tunnelblick.config.SGAMaster 1509.21.010 Update/org.sga.tunnelblick.config.SGAMaster.zip
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources/dsa_pub.pem
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/org.sga.tunnelblick.config.SGAMaster 1509.21.010 Update/org.sga.tunnelblick.config.SGAMaster.zip
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/relaunch
501 6469 Tunnelblick 42 /Applications/Tunnelblick.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/relaunch
501 6469 Tunnelblick 43 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/relaunch
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/org.sga.tunnelblick.config.SGAMaster 1509.21.010 Update
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/org.sga.tunnelblick.config.SGAMaster 1509.21.010 Update/org.sga.tunnelblick.config.SGAMaster.tblk
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/tmp.PsTLiY
501 7211 Tunnelblick 0 /dev/null
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/tmp.eGWUWW
501 7214 Tunnelblick 0 /dev/null
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/tmp.Zg7mon
501 7215 Tunnelblick 0 /dev/null
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/tmp.2KT64x
501 7216 Tunnelblick 0 /dev/null
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/tmp.HouvMO
501 7217 Tunnelblick 0 /dev/null
501 6469 Tunnelblick 42 .
501 6469 Tunnelblick 42 /dev/null
501 6469 Tunnelblick 46 .
501 6469 Tunnelblick 42 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/org.sga.tunnelblick.config.SGAMaster 1509.21.010 Update
501 6469 Tunnelblick 42 /System/Library/CoreServices/SystemVersion.plist
501 6469 Tunnelblick 43 /var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/.dat.nosync1945.YhU23n
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Info.plist
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/Info.plist
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk/Info.plist
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Shared
501 6469 Tunnelblick 42 /Users/n9yty/Library/Application Support/Tunnelblick/Configurations
501 6469 Tunnelblick 42 /Users/n9yty/Library/Application Support/Tunnelblick/Configurations/SGA.tblk
501 6469 Tunnelblick 42 /Users/n9yty/Library/Application Support/Tunnelblick/Configurations/SGA.tblk/Contents/Info.plist
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk
501 6469 Tunnelblick 42 /Users/n9yty/Library/Application Support/Tunnelblick/Configurations/SGA.tblk/Contents/Resources
501 6469 Tunnelblick 42 /Library/Application Support/Tunnelblick/Shared
501 6469 Tunnelblick 42 /Users/n9yty/Library/Application Support/Tunnelblick/Configurations
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/.dat.nosync1945.68tRun
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/.dat.nosync1945.e46Q56
501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk/dsa_pub.pem
501 6469 Tunnelblick 42 /Applications/Tunnelblick.app/Contents/Resources/AlertWindow.nib
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/SGA.tblk
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/SGA.tblk/Contents
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/SGA.tblk/Contents/Resources
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/Updatables
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk/Contents
501 6469 Tunnelblick 42 /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-rtQk4M/Updatables/org.sga.tunnelblick.config.SGAMaster.tblk/Contents/Resources
...
Few people are using updatable configurations, so it is possible that there is a bug associated with them. My test updatable config doesn't have a dsa_pub.pem file, so as far as I can tell this hasn't been tested. I am away from my test machine and won't be able to get to it until sometime tomorrow.
DB-UC: willInstallUpdate for 'org.sga.tunnelblick.config.SGAMaster.tblk' (org.sga.tunnelblick.config.SGAMaster 0)
DB-UC: updaterShouldRelaunchApplication for 'org.sga.tunnelblick.config.SGAMaster.tblk' (org.sga.tunnelblick.config.SGAMaster 0)
DB-UC: Scheduling installation of updated configurations at '/Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0/org.sga.tunnelblick.config.SGAMaster.tblk'
CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
DB-UC: Installing updated configurations at '/Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0/org.sga.tunnelblick.config.SGAMaster.tblk'
Created symlink
to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk/client.sga.down.sh
at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-VixoO2/SGA.tblk/Contents/Resources/client.sga.down.sh
Created symlink
to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk/client.sga.up.sh
at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-VixoO2/SGA.tblk/Contents/Resources/client.sga.up.sh
Created symlink
to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk/config.ovpn
at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-VixoO2/SGA.tblk/Contents/Resources/config.ovpn
Created symlink
to /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_0/org.sga.tunnelblick.config.SGAMaster.tblk/SGA.tblk/Info.plist
at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-VixoO2/SGA.tblk/Contents/Info.plist
Created symlink
to /Users/n9yty/Library/Application Support/Tunnelblick/Configurations/SGA.tblk/Contents/Resources/user.p12
at /private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-VixoO2/SGA.tblk/Contents/Resources/user.p12
Beginning installation or repair
executing /Applications/Tunnelblick.app/Contents/Resources/installer
installer reported failure: /Applications/Tunnelblick.app/Contents/Resources/installer: (
1,
"/Users/n9yty/Library/Application Support/Tunnelblick/Configurations/SGA.tblk",
"/private/var/folders/7n/8c4nbqln0nnbqj9944ypb5xr0000gn/T/Tunnelblick-VixoO2/SGA.tblk"
)
On Sep 21, 2015, at 6:28 PM, jkbull...gmail.com <jkbu...@gmail.com> wrote:This:501 6469 Tunnelblick -1 /Library/Application Support/Tunnelblick/Tblks/org.sga.tunnelblick.config.SGAMaster_1/org.sga.tunnelblick.config.SGAMaster.tblk//Contents/PkgInfo
shows what looks like a bug in Tunnelblick: notice the double //, which should be a single /. I think Tunnelblick screwed up when it constructed the path. I don't know if OS X ignores the double slash, though, because it didn't seem to be complaining about that file.
Also, are "family controls" involved here? I'm a little hazy about them, but try turning them off and see if that helps.
I was unable to get my test to fail.I have updated the updatable configurations documentation to include a working downloadable sample. You can compare it to yours to see what the problem might be.