Code signing

Gerben Wierda gerben.wierda at rna.nl
Mon Aug 1 09:56:27 UTC 2022


Dear developers,

I’m using a couple of ports that deliver services (unbound/nsd, dovecot, postfix, nginx, minIO, etc.) and the reliability of these being able to be started and used becomes less and less over the successive macOS versions. I have no proof, but I get the distinct feeling that unsigned code is not high on Apple’s list of things to support. One can for instance allow them in Firewall, but the actual working of that is often iffy (e.g. I updated unbound/nsd on a test system yesterday, could not reach unbound while it was running, only when the firewall was turned off — allowing it did not work, allowing worked after a reboot). I have other ‘iffiness’, for instance with stuff started from launchd.

Apple has been working hard at security deep in the OS (think the separation of volumes that make up a single file system) and they seem to take their choices mostly for granted; exceptions do not get a lot of attention. One of those choices seems to be code signing. Unsigned code ends up in all kinds of poorly-managed/built exceptions, unexplainable lack of working, and even (my feeling is)

In other words: isn’t it at some point becoming important to have some sort of process where we can support this? This might not be fully automated, but for instance a wiki entry on how to set it up from start to finish with some manual actions after you have fully activated a port.

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
