mullvad / mullvad-browser

Privacy-focused browser for Linux, macOS and Windows. Made in collaboration between @torproject and @mullvad
https://mullvad.net/browser

Signed MacOS release with autoupdates disabled (for use with Nix) #219

Open heywoodlh opened 7 months ago

heywoodlh commented 7 months ago

I have been attempting to port Mullvad Browser for MacOS to nixpkgs for use with the Nix package manager on MacOS: https://github.com/NixOS/nixpkgs/pull/283874

However, I cannot package it with auto-updates enabled -- because I want Nix to manage the updates. Auto updates can be disabled within Firefox via policies.json as described in Firefox's documentation: https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos

I also tested what happens with installing an old release (13.0.7) with Nix and auto-updates completely broke the browser after the update completed.

After a lot of testing, I have found that on MacOS I can only deploy a custom policies.json in Mullvad Browser after the .app is installed on my system. If I modify it before it gets on my system, i.e. with Nix, I have to remove the code signature like so:

/usr/bin/codesign -fs - "$out/Applications/Mullvad Browser.app"

This gets the app to launch but basically breaks all of the functionality of the app (crashed tabs, unable to browse the web, etc.).

Is there any way we could see a signed release of Mullvad Browser on MacOS with auto updates disabled for use in Nix? Or, is there another way I could disable auto-updates without modifying the .app?

(I want to also port the Tor Browser for MacOS to nixpkgs, but suspect the exact same issue will be present -- so if this could also be addressed with Tor Browser that would be fantastic!)
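
A simplified model of why placing a policies.json inside the bundle, as described in the post above, stops the original signature from validating: macOS code signing records a hash of each bundle resource in `_CodeSignature/CodeResources`, so an added or changed file no longer matches the seal. This is an added example, not part of the original post or the project's code. The bundle name, the sample file and the `seal`/`verify` helpers are hypothetical, and the `Contents/Resources/distribution/policies.json` location follows Firefox's documented layout.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def seal(bundle: Path) -> dict:
    """Hash every file under Contents/Resources (stand-in for CodeResources)."""
    res = bundle / "Contents" / "Resources"
    return {
        p.relative_to(bundle).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(res.rglob("*")) if p.is_file()
    }


def verify(bundle: Path, sealed: dict) -> list:
    """Return every difference between the bundle on disk and the recorded seal."""
    current = seal(bundle)
    problems = [f"added: {p}" for p in current.keys() - sealed.keys()]
    problems += [f"missing: {p}" for p in sealed.keys() - current.keys()]
    problems += [f"modified: {p}" for p in current.keys() & sealed.keys()
                 if current[p] != sealed[p]]
    return sorted(problems)


def demo() -> tuple:
    """Seal a constructed bundle, add a policy file, and verify before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Example Browser.app"  # hypothetical bundle
        res = bundle / "Contents" / "Resources"
        res.mkdir(parents=True)
        (res / "application.ini").write_text("[App]\nName=Example\n")  # constructed
        sealed = seal(bundle)  # what the vendor's signature would cover
        before = verify(bundle, sealed)
        dist = res / "distribution"
        dist.mkdir()
        policy = {"policies": {"DisableAppUpdate": True}}
        (dist / "policies.json").write_text(json.dumps(policy))
        after = verify(bundle, sealed)
        return before, after


if __name__ == "__main__":
    print(demo())
```
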

heywoodlh commented 7 months ago

Apparently Firefox allows you to manage policies with a plist file: Managing policies on macOS desktops

I tried this using the apparent plist file for Mullvad Browser and setting the DisableAppUpdate bool to true with this command:

/usr/bin/defaults write $HOME/Library/Preferences/net.mullvad.mullvadbrowser.plist DisableAppUpdate -bool TRUE

However, it seems that Mullvad Browser ignores the plist. Is there a different location that Mullvad Browser looks for a plist?

PieroV commented 1 week ago

@heywoodlh is there a way to detect the browser has been installed through NixOS?

Otherwise, we can try to find more information about the plist.

heywoodlh commented 1 week ago

> is there a way to detect the browser has been installed through NixOS?

In the Linux derivative, Nix injects some light branding into Mullvad Browser: https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/mu/mullvad-browser/package.nix#L109-L120

However, by nature, I don't think this would work for MacOS because the integrity of the original .app would be compromised -- and thus wouldn't be valid/considered secure per the original signature.

heywoodlh commented 1 week ago

Alternatively, building the app from source for Nix would probably be more ideal and would bypass this problem altogether. The last time I looked, there were only instructions for building from source on Linux and I couldn't find any MacOS documentation.


EDIT: seems the Tor Browser publishes docs now including MacOS build instructions here: https://gitlab.torproject.org/tpo/applications/team/-/wikis/Development-Information/Tor-Browser/Building

Will try building Mullvad Browser from source on MacOS with Nix and report back!

PieroV commented 1 week ago

You can build Mullvad Browser on macOS in the same way you'd build Firefox. I don't know if the difference in toolchain can be fingerprinted. In addition to that, you'll have to bundle a few fonts for additional language support (a fingerprinter might check for them).