Signing packages without violating restrictions/laws
allbery.b at gmail.com
Mon Apr 18 13:27:26 PDT 2016
On Mon, Apr 18, 2016 at 4:12 PM, Mojca Miklavec <mojca at macports.org> wrote:
> Apparently USA export
> restrictions forbid exporting software that does cryptography
Umm, ITAR's had an OSS exemption for years. Are you reading old information?
> some other countries might have import restrictions).
Sadly still true.
I have a problem understanding those rules because we are not dealing
> with encrypted information, but merely use the same algorithms to
> verify authenticity of the packages.
The law is often a blunt object, especially when formulated by those who do
not understand the thing being regulated.
My main question is: what options do we have (if any) to make package
> verifications work out of the box (and without violating any
> import/export restrictions) on Mac OS X? (The code signing is done on
It's nigh impossible to keep up with all relevant laws worldwide; the best
you can do is obey the laws in the jurisdiction(s) providing the software
and warn potential users that they must check their appropriate local
regulations --- then try to help them on a case by case basis.
By glimpsing through some parts of the source code in MacPorts I see
> mention of "productsign" and "openssl" to do the job, but I didn't yet
productsign is used in creating signed OS X installer packages, and you
simply can't do that sensibly on Linux.
brandon s allbery kf8nh sine nomine associates
allbery.b at gmail.com ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the macports-dev