unsigned kexts on Yosemite

Dan Ports dports at macports.org
Mon Oct 27 16:36:36 PDT 2014


Also, I think Apple mandates using a separate certificate for each
kext -- so we're stuck getting more certificates no matter what.

Ideally, what I'd like to see is the ability for MacPorts to use a
local signing certificate to sign kexts if one is available. We could
then imagine getting signing certificates for specific packages on the
buildbots. That would cover most users, I think.

(also worth keeping in mind: there are not that many ports installing
kernel modules, so whatever process we wind up with doesn't have to be
infinitely scalable.)

Dan



On Tue, Oct 28, 2014 at 10:11:32AM +1100, Joshua Root wrote:
> On 2014-10-28 02:40 , Landon J Fuller wrote:
> > 
> > On Oct 27, 2014, at 8:55 AM, Landon J Fuller <landonf at macports.org> wrote:
> > 
> >>
> >> On Oct 27, 2014, at 7:50 AM, Daniel J. Luke <dluke at geeklair.net> wrote:
> >>
> >>> +1 I think Landon's plan seems reasonable (try to get a signing cert - even though we probably won't get one, use the nvram check to print information that helps our users, possibly use developer-signed kexts).
> >>
> >> Does MacPorts already have a paid developer account? If not, I can donate the $99 so portmgr can sign up for one.
> > 
> > Answering my own question :-)
> > 
> > landonf at zul:~> pkgutil --check-signature ~/Downloads/MacPorts-2.3.2-10.10-Yosemite.pkg 
> > Package "MacPorts-2.3.2-10.10-Yosemite.pkg":
> >    Status: signed by a certificate trusted by Mac OS X
> >    Certificate Chain:
> >     1. Developer ID Installer: Joshua Root
> >        SHA1 fingerprint: B3 8D 89 15 75 0A 97 0B F9 98 4D D8 7E 52 74 B8 6C 67 A3 1D
> >        -----------------------------------------------------------------------------
> >     2. Developer ID Certification Authority
> >        SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
> >        -----------------------------------------------------------------------------
> >     3. Apple Root CA
> >        SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
> 
> I don't particularly want to use my personal cert to sign things I
> didn't personally build, though.
> 
> - Josh

-- 
Dan R. K. Ports                UW CSE                http://drkp.net/

