MacPorts Mountain Lion Futures

Blair Zajac blair at orcaware.com
Mon Jun 18 20:39:38 PDT 2012


Backing up a bit, what do we get by signing?  My understanding is that this is required for the App Store, but MacPorts isn't distributed that way.  What issues do we run into if we don't sign?  Can MacPorts not install precompiled software without signing?

Regards,
Blair

On Jun 18, 2012, at 8:30 PM, James Berry <jberry at macports.org> wrote:

> Here's a bit of dreaming out loud about MacPorts under Mountain Lion and future architectures in a Gatekeeper world.
> 
> With Gatekeeper, there are three (or four) tiers of binary delivery we can/should/might consider signing:
> 
> (a) The MacPorts installer should be signed.
> 
> (b) The MacPorts-installation should be signed.  The binaries here include daemondo, as well as the Tcl extension libraries.
> 
> (c) Binaries built by the MacPorts build-bots could be signed.
> 
> (d) Binaries built by MacPorts users could be signed.
> 
> I think this would call for at least three different signing keys:
> 
>    (1) Official MacPorts distribution signing key for (a) and (b).
> 
>    (2) MacPorts build-bot signing key, for (c). This key is more vulnerable to revocation than (1), since it is used to sign a broad variety of software (the ports) that we have somewhat less control over, so it should likely be distinct.
> 
>    (3) The MacPorts user could have a per-user or per-machine signing key with which to sign software built by the user on their machine.
> 
> If it's possible and feasible to sign binaries for ports, then a per-user and/or per-machine key should be used to sign binaries for each port built. It would be very nice if this didn't require per-port changes, and could be done wholesale.
> 
> One approach I've pondered:
> 
> - Create an additional phase ("sign") to code-sign. Maybe this would run on the destroot?
> 
> - The sign phase would examine all files (in the destroot?), and sign each binary (executable, library or framework?) (if not already signed?).
> 
> - The signing key would be per-user/per-machine. So on the build-bot this would be the configured build-bot key (2), and on a user machine it would be the user's key. If no key then no signing.
> 
> It seems plausible that all that could be accomplished without too many huge hacks. I likely won't work on any of that any time soon, but thought I'd expose my thinking in case anybody else is so inclined.
> 
> I believe Josh has put in the work already to at least accomplish (a). Do we need to create an apple-recognized official signing key for (1) before we distribute that?
> 
> James
> _______________________________________________
> macports-dev mailing list
> macports-dev at lists.macosforge.org
> http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
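The "sign" phase James sketches above (walk the destroot, find each Mach-O binary, sign it if it is not already signed, do nothing if no key is configured), as an added illustration. This is not MacPorts code (MacPorts phases are written in Tcl) and it assumes Apple's `codesign` tool on the PATH; the signing identity name and the sample destroot layout are made up for the example, and the Mach-O/fat magic values are the ones from mach-o/loader.h and mach-o/fat.h.

```python
"""Added example of a destroot "sign" phase; not MacPorts' own code.
Assumes Apple's `codesign` CLI; identity and sample tree are invented."""
import os
import shutil
import struct
import subprocess
import tempfile
from typing import Callable, List, Optional

# Mach-O header magic in both byte orders (an x86_64 binary starts with
# cf fa ed fe on disk).  The fat header magic is always stored big-endian.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"                 # also the Java class-file magic


def is_macho(path: str) -> bool:
    """Sniff the header instead of trusting extensions or mode bits."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if len(head) < 8:
        return False
    if head[:4] in MACHO_MAGICS:
        return True
    if head[:4] == FAT_MAGIC:
        # A fat header continues with uint32 nfat_arch; a Java class file
        # continues with minor/major version, major >= 45.  Treating a
        # small count as "fat" is a heuristic, not a spec guarantee.
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        return 0 < nfat_arch < 20
    return False


def codesign_target(destroot: str, path: str) -> str:
    """A binary inside Foo.framework is signed by signing the bundle, so
    map it to the outermost enclosing *.framework directory."""
    parts = os.path.relpath(path, destroot).split(os.sep)
    for i, part in enumerate(parts):
        if part.endswith(".framework"):
            return os.path.join(destroot, *parts[: i + 1])
    return path


def codesign_is_signed(path: str) -> bool:
    """`codesign -d` exits 0 for a signed object and non-zero for an
    unsigned one.  Without codesign on PATH, report everything unsigned."""
    if shutil.which("codesign") is None:
        return False
    rc = subprocess.run(["codesign", "-d", path], stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return rc == 0


def sign_destroot(destroot: str, identity: Optional[str],
                  is_signed: Callable[[str], bool] = codesign_is_signed,
                  dry_run: bool = False) -> List[str]:
    """Every regular Mach-O file under destroot becomes a signing target
    (a framework collapses to one target), already-signed targets are
    skipped, and with no identity configured nothing is signed.
    Returns the sorted targets signed (or, when dry_run, planned)."""
    if not identity:
        return []                       # "If no key then no signing."
    targets: List[str] = []
    for dirpath, _dirs, files in os.walk(destroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_macho(path):
                continue                # Versions/Current etc. are symlinks
            target = codesign_target(destroot, path)
            if target not in targets:
                targets.append(target)
    to_sign = sorted(t for t in targets if not is_signed(t))
    if not dry_run:
        for target in to_sign:
            # No --force: this phase only touches objects that are unsigned.
            subprocess.run(["codesign", "--sign", identity, target], check=True)
    return to_sign


def build_sample_destroot() -> str:
    """Constructed sample tree (not real MacPorts output) for a dry run."""
    root = tempfile.mkdtemp(prefix="destroot-")
    samples = {
        "opt/local/bin/daemondo": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",      # x86_64 Mach-O
        "opt/local/lib/libfoo.dylib": b"\xfe\xed\xfa\xce\x00\x00\x00\x12",  # big-endian 32-bit
        "opt/local/lib/libuni.dylib": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",  # fat, 2 arches
        "opt/local/Library/Frameworks/Tcl.framework/Versions/8.5/Tcl":
            b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
        "opt/local/share/java/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",  # Java, major 52
        "opt/local/share/doc/README": b"plain text, nothing to sign\n",
    }
    for rel, head in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(head + b"\0" * 24)
    return root


if __name__ == "__main__":
    root = build_sample_destroot()
    for t in sign_destroot(root, "MacPorts Example Key",
                           is_signed=lambda p: False, dry_run=True):
        print("would sign", t)
```

Two caveats a real implementation would have to deal with: bundles (.framework, .app) must be signed as a whole, with nested code signed inside-out before the enclosing bundle, which is why the example collapses a framework's inner binaries to one target; and re-signing an object that already carries a signature (for instance one the build-bot signed before a user rebuilt it) needs `codesign --force`, which the phase as sketched deliberately avoids.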