MacPorts Mountain Lion Futures
jberry at macports.org
Mon Jun 18 20:30:10 PDT 2012
Here's a bit of dreaming out loud about MacPorts under Mountain Lion and future architectures in a Gatekeeper world.
With Gatekeeper, there are three (or four) tiers of binary deliver we can/should/might consider signing:
(a) The MacPorts installer should be signed.
(b) The MacPorts-installation should be signed. The binaries here include daemondo, as well as the Tcl extension libraries.
(c) Binaries built by the MacPorts build-bots could be signed.
(d) Binaries built by MacPorts users could be signed.
I think this would call for at least three-different signing keys:
(1) Official MacPorts distribution signing key for (a) and (b).
(2) MacPorts build-bot signing key, for (c). This key is more vulnerable to revocation than (1), since it is used to sign a broad variety of software (the ports) that we have somewhat less control over, so it should likely be distinct.
(3) The MacPorts user could have a per-user or per-machine signing key with which to sign software built by the user on their machine.
If it's possible and feasible to sign binaries for ports, then a per-user and/or per-machine key should be used to sign binaries for each port built. It would be very nice if this didn't require per-port changes, and could be done wholesale.
One approach I've pondered:
- Create an additional phase ("sign") to code-sign. Maybe this would run on the destroot?
- The sign phase would examine all files (in the destroot?), and sign each binary (executable, library or framework?) (if not already signed?).
- The signing key would be per-user/per-machine. So on the build-bot this would be the configured build-bot key (2), and on a user machine it would be the user's key. If no key then no signing.
It seems plausible that all that could be accomplished without too many huge hacks. I likely won't work on any of that any time soon, but thought I'd expose my thinking in case anybody else is so-inclined.
I believe Josh has put in the work already to at least accomplish (a). Do we need to create an apple-recognized official signing key for (1) before we distribute that?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4820 bytes
Desc: not available
More information about the macports-dev