Signing packages without violating restrictions/laws

Brandon Allbery allbery.b at
Mon Apr 18 13:27:26 PDT 2016

On Mon, Apr 18, 2016 at 4:12 PM, Mojca Miklavec <mojca at> wrote:

> Apparently USA export
> restrictions forbid exporting software that does cryptography

Umm, ITAR's had an OSS exemption for years. Are you reading old information?

> (and
> some other countries might have import restrictions).

Sadly still true.

> I have a problem understanding those rules because we are not dealing
> with encrypted information, but merely use the same algorithms to
> verify authenticity of the packages.

The law is often a blunt object, especially when formulated by those who do
not understand the thing being regulated.

> My main question is: what options do we have (if any) to make package
> verifications work out of the box (and without violating any
> import/export restrictions) on Mac OS X? (The code signing is done on
> Linux.)

It's nigh impossible to keep up with all relevant laws worldwide; the best
you can do is obey the laws in the jurisdiction(s) providing the software
and warn potential users that they must check their appropriate local
regulations --- then try to help them on a case by case basis.

> By glimpsing through some parts of the source code in MacPorts I see
> mention of "productsign" and "openssl" to do the job, but I didn't yet

productsign is used in creating signed OS X installer packages, and you
simply can't do that sensibly on Linux.

brandon s allbery kf8nh                               sine nomine associates
allbery.b at                                  ballbery at
unix, openafs, kerberos, infrastructure, xmonad
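The signing/verification split the question describes (sign on Linux, verify on the user's machine, nothing encrypted) can be done with nothing but the openssl command-line tool and a detached signature. The script below is an added example for this thread, not MacPorts' own signing code: the key and file names, the use of SHA-256 and RSA-2048, and the stand-in archive contents are all assumptions made here. It generates a signing key, signs a constructed archive the way the Linux side would, verifies it the way the client side would, and then tampers with the archive to confirm that verification fails.

```shell
#!/bin/sh
# Added example (not MacPorts code): detached RSA signature over a package
# archive, created on the signing host and checked on the installing host,
# using only the openssl CLI. Key names, file names and SHA-256 are assumptions.
set -eu

# make_signing_key DIR: generate an RSA-2048 private key and export its public half.
make_signing_key() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/signing.key" 2>/dev/null
    openssl pkey -in "$dir/signing.key" -pubout -out "$dir/signing.pub"
}

# sign_archive KEY ARCHIVE SIG: the Linux-side step; writes a detached
# SHA-256/RSA signature next to the archive.
sign_archive() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_archive PUB ARCHIVE SIG: the client-side step; exits 0 only if the
# signature matches the archive bytes exactly. Only the public key ships
# with the client; nothing here encrypts any data.
verify_archive() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# demo_sign_and_verify: returns 0 when a good signature verifies and a
# tampered archive is rejected; returns 1 otherwise.
demo_sign_and_verify() {
    work=$(mktemp -d)
    make_signing_key "$work"
    # constructed stand-in for a binary archive (not a real MacPorts tarball)
    printf 'fake-archive-contents\n' > "$work/pkg.tbz2"
    sign_archive "$work/signing.key" "$work/pkg.tbz2" "$work/pkg.tbz2.sig"
    # the untouched archive must verify
    verify_archive "$work/signing.pub" "$work/pkg.tbz2" "$work/pkg.tbz2.sig" \
        || { rm -rf "$work"; return 1; }
    # change one byte; the old signature must now be rejected
    printf 'fake-archive-content!\n' > "$work/pkg.tbz2"
    if verify_archive "$work/signing.pub" "$work/pkg.tbz2" "$work/pkg.tbz2.sig"; then
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
    return 0
}
```

Run `demo_sign_and_verify` after sourcing the script; in a real deployment only the `verify_archive` step and the public key would live on the client, and the private key would stay on the Linux signing host. Note that `openssl dgst -verify` reports a mismatch by exit status (and "Verification Failure" on stdout), so callers should check the exit code rather than parse the text.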