Code signing

Christopher Nielsen mascguy at
Fri Aug 5 20:04:40 UTC 2022

> I’m using a couple of ports that deliver services (unbound/nsd, dovecot, postfix, nginx, minIO, etc.) and the reliability of these being able to be started and used becomes less and less over the successive macOS versions. I have no proof, but I get the distinct feeling that unsigned code is not high on Apple’s list of supporting. One can for instance allow them in Firewall, but the actual working of that is often iffy (e.g. I updated unbound/nsd on a test system yesterday, could not reach unbound while it was running, only when the firewall was turned off — allowing it did not work, allowing worked after a reboot). I have other ‘iffyness’ for instance with stuff started from launchd.
> Apple has been working hard at security deep in the OS (think the separation of volumes that make up a single file system) and they seem to take their choices mostly for granted, exceptions do not get a lot of attention. One of those choices seems to be code signing. Unsigned code ends up in all kinds of poorly-managed/built exceptions, unexplainable lack of working, and even (my feeling is)
> In other words: isn’t it at some point becoming important to have some sort of process where we can support this? This might not be fully automated, but for instance a wiki entry how to set it up from start to finish with some manual actions after you have fully activated a port. 

Yes indeed, code-signing will be increasingly important going forward. And some recent discussion took place via this thread: <>

Relative to how we automate all of this, well, that’s still TBD. Thoughts/comments certainly welcome!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the macports-dev mailing list