On Sunday, April 8, 2012 12:00:17 AM UTC-4, jkbull... gmail.com wrote:
It looks like you've found a bug -- I looked at the code and Deployed versions of Tunnelblick are not checking for a signature properly. This will be fixed in the next release (in time for Mountain Lion).
I was wrong. It is more complicated than that; there isn't a bug to be fixed.
The problem is that, when a Deployed version is updated from the Tunnelblick website, the signature will become invalid. That happens because after updating Tunnelblick the Deploy folder is copied into the (new) copy of Tunnelblick, which invalidates the new copy's signature. That's the way that Deployed versions of Tunnelblick work -- the Deploy folder is always backed up, and if the application is updated, the Deploy folder is restored from backup. That restoration invalidates the signature.
So one solution is to not sign Deployed versions. Note, however, that in that case you have no way to update your users' configurations (i.e., their Deploy folder).
If you really want to sign a Deployed version (which, as you said, will be needed for Mountain Lion), you must also maintain your own update site, and when updating, always update with a full version that contains the Deploy folder and is signed.
An alternative, which gets around this problem, is not to use a Deployed version, but, instead, use a "Tunnelblick Configurations.bundle", which contains (among other things) a set of "Tunnelblick VPN Configurations" (.tblks). They allow the program and the set of configurations to be updated separately -- you can update the program using the official Tunnelblick website, and the configurations using your own website. There isn't any documentation about them, yet, but I hope to write some "soon".
In the meantime, you can either (A) use unsigned versions, or (B) maintain your own update site for Tunnelblick.
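Why restoring the Deploy folder breaks the signature, as an added example that is not part of the original post and not Tunnelblick's own code: a signature over an app bundle seals an inventory of the files inside it, so any file added or changed after signing fails verification, and the only way to get a valid signature over the restored Deploy folder is to sign a bundle that already contains it. The Python model below uses a JSON manifest as a hypothetical stand-in for a bundle's CodeResources seal; the bundle layout (`Contents/Resources/Deploy`), the binary contents and the sample `config.ovpn` are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

SEAL_NAME = "_Seal.json"  # hypothetical stand-in for a CodeResources manifest


def _digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _inventory(bundle: Path) -> dict[str, str]:
    """Map every regular file under the bundle (relative POSIX path) to its digest,
    leaving out the seal itself."""
    files = {}
    for p in sorted(bundle.rglob("*")):
        if p.is_file() and p.name != SEAL_NAME:
            files[p.relative_to(bundle).as_posix()] = _digest(p)
    return files


def seal_bundle(bundle: Path) -> dict:
    """'Sign' the bundle: record the inventory of files present at signing time."""
    manifest = {"files": _inventory(bundle)}
    (bundle / SEAL_NAME).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_bundle(bundle: Path) -> tuple[bool, list[str]]:
    """Recompute the inventory and compare it with the seal.
    Any file that was added, removed or modified since sealing is a failure."""
    seal = bundle / SEAL_NAME
    if not seal.exists():
        return False, ["bundle is unsigned (no seal)"]
    sealed = json.loads(seal.read_text())["files"]
    current = _inventory(bundle)
    problems = []
    for rel in sorted(set(sealed) | set(current)):
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif rel not in sealed:
            problems.append(f"unsealed file added: {rel}")
        elif sealed[rel] != current[rel]:
            problems.append(f"modified: {rel}")
    return (not problems), problems


def demo() -> dict:
    """Walk through the update flow the post describes on a constructed bundle."""
    work = Path(tempfile.mkdtemp())
    try:
        app = work / "Tunnelblick.app"
        (app / "Contents" / "MacOS").mkdir(parents=True)
        (app / "Contents" / "MacOS" / "Tunnelblick").write_bytes(b"\x00binary v2\x00")

        # Constructed sample Deploy folder, backed up outside the bundle.
        backup = work / "Deploy-backup"
        backup.mkdir()
        (backup / "config.ovpn").write_text("remote vpn.example.com 1194\n")

        # 1. The new copy arrives signed, without a Deploy folder: valid.
        seal_bundle(app)
        fresh_ok, _ = verify_bundle(app)

        # 2. Restoring the Deploy folder from backup adds unsealed files: invalid.
        shutil.copytree(backup, app / "Contents" / "Resources" / "Deploy")
        restored_ok, restored_problems = verify_bundle(app)

        # 3. The remedy from the post: sign a full version that already contains Deploy.
        seal_bundle(app)
        resealed_ok, _ = verify_bundle(app)

        return {
            "fresh_ok": fresh_ok,
            "restored_ok": restored_ok,
            "restored_problems": restored_problems,
            "resealed_ok": resealed_ok,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real bundle the corresponding check is `codesign --verify --deep --strict <path to .app>`, which is the command to run against a Deployed copy after an update before trusting it.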