notarization vs MacPorts apps
Mojca Miklavec
mojca at macports.org
Sat Apr 13 15:12:34 UTC 2019
Hi,
On Sat, 13 Apr 2019 at 08:47, Joshua Root wrote:
> On 2019-4-13 07:57 , Jack Howarth wrote:
> > What will be the situation with 10.14.5 and its enforcement of
> > notarization for Applications and kernel extensions for MacPorts? In
> > particular, will the new notarization requirement limit users to the
> > MacPorts build machine copies of such packages which have applications
> > rather than being able to build those packages locally?
> > Jack
>
> The MacPorts installer pkg will need to be submitted, but I don't think
> much else will change. Using MacPorts-built kernel extensions is already
> impossible because of signing requirements (we don't have a kext signing
> certificate and I don't think we qualify for one.)
>
> For general apps, Gatekeeper doesn't prevent running locally built ones
> due to them being unsigned, and I gather than notarization is only
> required in the same circumstances as signing.
The developer of MacTeX (which is basically a collection of a large
number of command-line tools + really small set of GUI apps) started
researching this in more detail. In the past it would have been
sufficient to only sign the whole package (dmg) once. Now he needs to
take care of every single binary inside the package. From what I
understood it can be automated, some of the binaries require
additional privileges (I assume that luajittex requires some kind of
"JIT" privileges etc). There were some issues with ghostscript which
needs to be additionally hardened etc.
I assume that if I use rsync to get the binaries as opposed to
fetching them via web browser, they might work OK.
I don't have a payed developer account, so I probably cannot test
anything. But I assume there might be a way to individually notarize
individual binaries inside MacPorts packages. While this might not be
needed at this very moment, it might be that by putting a certificate
on the buildslave, we could:
- sign the debugger (which currently needs additional steps to work at all)
- get an additional automated safety check for any malware that might
have creeped into the source code unnoticed (with tens of thousands of
packages that's not impossible), which cannot hurt
I don't know if a certificate can be issues to a project instead of
private person and to what extent one can secure it on the servers.
These are just some random ideas, it would be nice to get a more
realistic response from someone who's more knowledgable in this area.
Mojca
More information about the macports-dev
mailing list