Certificate Authorities: curl-ca-bundle, certsync, keychain
Landon Fuller
landonf at macports.org
Thu Nov 28 06:25:44 PST 2013
Howdy All --
certsync is tested and works on 10.6+, and is building successfully on all the buildbots, and a MacPorts update has now shipped with support for auto-loading certsync's startup item. I've been running certsync since May without any noticed ill effects.
I would like to propose that we move to using certsync by default, as a replacement for curl-ca-bundle. To briefly rehash the benefits of certsync:
- Uses the CAs Apple provides -- that way MacPorts doesn't have to be in the business of distributing CA certificates.
- Also includes any custom CAs that the user has added. This is the case for many people who use internal CAs to sign certificates for their corporate (or personal) services.
- Automatically updates when the System Keychain(s) or trust settings are modified.
Thoughts?
-landonf
On May 13, 2013, at 21:39 , Landon Fuller <landonf at macports.org> wrote:
> Howdy,
>
> Over the weekend I whipped up (and added a port for) 'certsync'; it's a small tool that fetches all trusted certificates from the Mac OS X system keychain, and then spits them out as an OpenSSL-readable, PEM-encoded certificate bundle.
>
> The goal was to provide a replacement for curl-ca-bundle with the following benefits:
> - Uses the CAs Apple provides -- that way MacPorts doesn't have to be in the business of distributing CA certificates.
> - Also includes any custom CAs that the user has added. This is the case for many people who use internal CAs to sign certificates for their corporate (or personal) services.
> - Automatically updates (if the launchd item is loaded) when the System Keychain(s) or trust settings are modified.
>
> There are a few gotchas that I could use input on, however:
> - curl-ca-bundle currently lays claim to ${prefix}/etc/openssl/cacerts.pem. This conflicts with certsync, and there's no way to have both installed at the same time.
> - A small number of ports directly depend on curl-ca-bundle to ensure that valid CA certificates are available.
> - certsync can only keep the cert.pem file up-to-date if the launchd item is enabled. Ideally that would be done by default, but that's not currently supported.
>
> Any thoughts on how to proceed?
>
> I'm currently using certsync locally; to install, you'll have to:
> sudo port -f deactivate curl-ca-bundle
> sudo port install certsync
>
> -landonf
> _______________________________________________
> macports-dev mailing list
> macports-dev at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/macports-dev
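As an added example (not certsync's own code, nor anything shipped by MacPorts), here is a drift check for the "only up to date if the launchd item is enabled" gotcha above: it compares the installed bundle against what the keychain currently exports, by SHA-256 fingerprint of each certificate's DER bytes. The bundle path (default ${prefix} of /opt/local) and the use of `security find-certificate` for the export are assumptions.

```python
"""Drift check: does the installed cacerts.pem still match what the macOS keychain exports?
Added example, not certsync's own code; bundle path and use of `security` are assumptions."""
import base64
import hashlib
import re
import subprocess

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Map SHA-256-over-DER fingerprint -> PEM block for every certificate in a bundle.
    Hashing the decoded DER means line wrapping or header comments cannot mask a match."""
    result = {}
    for match in PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        result[hashlib.sha256(der).hexdigest()] = match.group(0)
    return result


def diff_bundles(installed_pem, keychain_pem):
    """Return (missing, extra): certs the keychain exports but the bundle lacks, and certs
    the bundle carries that the keychain does not (e.g. leftovers from curl-ca-bundle)."""
    installed, keychain = fingerprints(installed_pem), fingerprints(keychain_pem)
    return set(keychain) - set(installed), set(installed) - set(keychain)


def export_keychain_pem(keychains=("/System/Library/Keychains/SystemRootCertificates.keychain",
                                   "/Library/Keychains/System.keychain")):
    """Export every certificate in the given keychains as PEM with the macOS `security` tool.
    Caveat: find-certificate ignores trust settings, so a root an admin marked 'never trust'
    still shows up here; certsync reads the trust settings, this shortcut does not."""
    proc = subprocess.run(["security", "find-certificate", "-a", "-p", *keychains],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def report(bundle_path="/opt/local/etc/openssl/cacerts.pem"):
    """Print what differs; a non-empty 'missing' set means the bundle is stale (the launchd
    item is not loaded) or a user-added CA never reached the file. Returns True if none missing."""
    with open(bundle_path) as fh:
        missing, extra = diff_bundles(fh.read(), export_keychain_pem())
    for fp in sorted(missing):
        print("missing from bundle:", fp)
    for fp in sorted(extra):
        print("not in keychain:    ", fp)
    return not missing


if __name__ == "__main__":
    raise SystemExit(0 if report() else 1)
```

Run it on a Mac after `sudo port install certsync`; a non-zero exit means the bundle lags the keychain, which is exactly the state the launchd item is meant to prevent.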