code-signing (log message and potential "fixes")

René J. V. Bertin rjvbertin at
Fri Jun 3 02:41:10 PDT 2016

Brandon Allbery wrote:

>> OpenSSL might be able to accomplish the same task and it is possible with
>> OpenSSL to write a config file that fills in all the required fields. Port
>> could write such a config per user.
> OpenSSL can certainly create the signing certificate, and security(1) can
> be used to add it to the system keychain.

See for a very rudimentary implementation 
that uses a PortGroup and a specific file in etc/macports .

It turns out that access to the user's default keychain is wonky during the 
post-activate stage so it would probably indeed be necessary to add the 
certificate to the system keychain. It's one of those I prefer not to mess with 
directly until I really know what I'm doing.
There is however also an ad-hoc code-signing identity. As mentioned in that 
ticket, I haven't found much documentation on its limitations, but using it does 
seem to reduce the number of code signing warnings I'm seeing in the system.log 
. As far as those are even related; I'm also seeing them about Apple's own 
spindump for instance.


More information about the macports-dev mailing list