code-signing

Rainer Müller raimue at macports.org
Fri Oct 16 05:39:31 PDT 2015


On 2015-10-15 12:56, René J.V. Bertin wrote:
> Has any thought been given, maybe even some hooks implemented, to
> allow code-signing of applications, which would presumable be done in
> the post-destroot?
> 
> From the looks of it this would be (increasingly) beneficial for
> applications that use a Keychain or have network functionality.

You need a trusted certificate in your local Keychain for codesigning
and the codesign command requires its name, which is the user's real
name by default.

I am doing this with a self-signed certificate I created in Keychain
Access, so I could run a command such as:
  codesign -s "Rainer Müller" /opt/local/bin/svn

Note this will only be useful on the local machine, where this
self-signed certificate is trusted. This has to be considered when
putting such a binary in an archive for redistribution.

To solve the redistribution there are two options:

  a) codesign at activation with a local self-signed certificate
  b) get signed certificates to be used on the buildbots

b) would additional trust as this could even be signed with an official
certificate. However, option b) will not cover non-distributable ports,
local rebuilds or upgrades before the binary archive is available, which
makes option a) the only feasible solution.

Rainer


More information about the macports-dev mailing list