1774709 - Remove the code that clears the quarantine attribute from GMP downloaded plugins

Status: RESOLVED WONTFIX

(Core :: Audio/Video: GMP, enhancement, P2)

Description

[Haik Aftandilian [:haik]]

With bug 1774221, we are notarizing the OpenH264 plugin libgmpopenh264.dylib so that when it is downloaded by Firefox and installed, it should be loadable without requiring the quarantine attribute to be removed. Recent versions of the Widevine plugin are also notarized. This bug is filed to cover removing the code that removes the com.apple.quarantine attribute from downloaded plugin files here. In general, unless it is required, we should avoid clearing the quarantine attribute because it is bypasses macOS Gatekeeper. The plugin hashes are checked by Firefox regardless of macOS codesigning signatures.

Comment 1

[Haik Aftandilian [:haik]]

I have an outstanding query out to Apple for confirmation that our understanding of quarantining/notarization is correct for plugin dylibs.

Comment 2

[Haik Aftandilian [:haik]]

There is a one issue with not clearing the quarantine attribute on the dylib: when the dylib is loaded for the first time, the computer needs to have a working internet connection in order to load the module. Both the Widevine and OpenH264 dylibs are notarized, but the notarization process does not support stapling (attaching the notarization ticket) to dylibs at this time and as a result when the dylib is loaded for the first time, macOS has to contact Apple's servers to download the ticket to do its validation.

If the module is loaded for the first time when the computer is offline, the module would fail to load and the user would see the error message reported on bug 1773207.

Being offline (or on a LAN-only setup where Apple servers are unreachable) is unlikely, but it is a real use case.

I'm closing the bug as wont-fix for now due to this issue.