Signing packages without violating restrictions/laws
mojca at macports.org
Mon Apr 18 13:12:41 PDT 2016

I have a weird question. I know that MacPorts has been signing all the
packages for a long time already.

I'm currently involved with a project where one developer recently
implemented package signing. On the client level it uses the "gpg" or
"gpg2" binary to verify packages.

It works perfectly on Linux where gpg binary is installed and
available in PATH, but it doesn't work on Mac without compiling gpg
from source or installing some third party GPG tools (that also modify
the mail client etc).

Usually we would solve that by shipping some nonstandard tools along.
For example, we compile wget and xz[dec] and ship it with the package
installer to make sure that users can easily download and extract
packages even on some obscure OSes/platforms where these programs are

This seems to be a problem for GPG though. Apparently USA export
restrictions forbid exporting software that does cryptography (and
some other countries might have import restrictions).

I have a problem understanding those rules because we are not dealing
with encrypted information, but merely use the same algorithms to
verify authenticity of the packages. On the other hand I have problems
believing that this problem really cannot be solved ... MacPorts
apparently solved it.

My main question is: what options do we have (if any) to make package
verifications work out of the box (and without violating any
import/export restrictions) on Mac OS X? (The code signing is done on

By glimpsing through some parts of the source code in MacPorts I see
mention of "productsign" and "openssl" to do the job, but I didn't yet
try to fully understand how that works (I don't have a deeper insight
into the source code yet).

In case it is relevant, here are some parts of the relevant code: