lldb ...

Rainer Müller raimue at macports.org
Thu Sep 8 17:30:21 PDT 2016


On 2016-09-08 22:09, Jeremy Huddleston Sequoia wrote:
>> On Sep 5, 2016, at 03:49, Rainer Müller <raimue at macports.org> wrote:
>> My intention here is to describe a way the code-signing can be
>> automated. We do not gain much by providing a solution that still
>> requires manual interaction by the user. Generating a certificate and
>> signing the binary should be completely transparent to the user.
> 
> That obfuscation is very bad for security purposes.  We should not hide this detail from users.  It needs to be very explicit.

At the moment it is very explicit. We have no automation at all and you
need to do all of the code-signing yourself or gdb/lldb will not work as
intended.

The alternative way, recommended in the notes of the gdb port, requires
disabling SIP to edit /System/Library/com.apple.taskgated.plist, which I
would consider even worse for security. See [1].

Where do you see a security risk in adding a new trusted cert?

Consider that any software can already use your developer certificate
from your user keychain to sign whatever it wants. You will not even be
asked when that happens.

I propose we add an additional keychain, readable by root only, that is
used to sign MacPorts binaries. As root is required to access it, your
security would be defeated anyway if anyone gets to it.

Rainer

[1] https://trac.macports.org/ticket/49815

