code signing and the future of MacPorts
gerben.wierda at rna.nl
Fri Mar 11 14:16:25 UTC 2022
I’ve recently moved from macOS Mojave with MacPorts to macOS Monterey with MacPorts.
I’ve had serious trouble with the application level firewall (alf/socketfilterfw). I now suspect that one reason is that Apple is getting stricter and stricter about only allowing binaries that have been code signed. This might play more and more havoc with using open source, e.g. via MacPorts.
For instance, at this point, I cannot turn on socketfilterfw because it blocks (in weird ways sometimes) my mail server. Even if I allow a certain binary to run, socketfilterfw will report an error like the “-67062” error, which stands for
% security error -67062
Error: 0xFFFEFA0A -67062 code object is not signed at all
I’ve seen the socketfilterfw either block or not block in that situation. There is no discernible method. It seems macOS becomes more and more unreliable when faced with unsigned apps, which is something that is the default when using open source installs.
Apple itself signs everything. Even simple command line executables now have an embedded signature:
gerben at hermione Downloads % codesign -v -d /bin/echo
Format=Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=583 flags=0x0(none) hashes=13+2 location=embedded
Signed Time=18 Dec 2021 at 18 December 01:20:02
Internal requirements count=1 size=64
There are more and more parts of macOS where the security screws are being tightened more and more and code signing is a key element.
I am therefore wondering if it will become necessary to add code signing to the MacPorts install process, to support it in some way.
Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
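The two checks the post does by hand, `codesign -dv` on one binary and `security error -67062` to decode the result, can be turned into an inventory script for a whole MacPorts prefix. The script below is an added example written for this page; it is not code from the post, from MacPorts or from Apple. The script name, the `--sign` flag and the helper function names are this example's own choices; `codesign`, `file` and the `-s -` ad-hoc identity are real macOS tool options, and the sample `codesign` output strings are constructed so the classifier can be exercised on a machine without `codesign`. It classifies each Mach-O executable as unsigned, ad-hoc signed or signed, and can optionally ad-hoc sign the unsigned ones; whether an ad-hoc signature is enough to stop socketfilterfw from reporting -67062 (errSecCSUnsigned) is something the post does not establish, so treat that step as an experiment rather than a fix.

```sh
#!/bin/sh
# check_signing.sh: inventory the code-signing state of executables under a
# MacPorts prefix, using the tools shown in the post (`codesign -dv`).
# Added example, not MacPorts code. Assumed names: this script, --sign, the
# helper functions below.
#
# Usage: sh check_signing.sh /opt/local/bin          # report only
#        sh check_signing.sh /opt/local/bin --sign   # also ad-hoc sign unsigned files
#        sh check_signing.sh                         # offline self-check only

# classify_signature TEXT
# Classify the report `codesign -dv` wrote for one file (codesign prints it to
# stderr). Unsigned files yield the -67062 (errSecCSUnsigned) message seen in
# the post; ad-hoc signatures carry "Signature=adhoc" and must be tested before
# the generic "CodeDirectory" match, since they contain that line too.
classify_signature() {
    case "$1" in
        *"code object is not signed at all"*) echo unsigned ;;
        *"Signature=adhoc"*)                   echo adhoc ;;
        *"CodeDirectory v="*)                  echo signed ;;
        *)                                     echo unknown ;;
    esac
}

# signature_state PATH: run codesign on one file and classify the result.
signature_state() {
    out=$(codesign -dv "$1" 2>&1 || true)
    classify_signature "$out"
}

# is_mach_o PATH
# A MacPorts bin/ directory mixes Mach-O binaries with shell and script
# wrappers; only Mach-O files carry an embedded signature, so skip the rest.
is_mach_o() {
    [ -f "$1" ] && [ -x "$1" ] && file -b "$1" | grep -q 'Mach-O'
}

# scan_prefix DIR [--sign]
# Print "<state> <path>" per Mach-O executable. With --sign, ad-hoc sign the
# unsigned ones: `codesign -s -` uses the ad-hoc identity, so no certificate
# is needed, but files under /opt/local usually need root to be rewritten.
scan_prefix() {
    dir=$1
    mode=${2:-}
    for f in "$dir"/*; do
        is_mach_o "$f" || continue
        state=$(signature_state "$f")
        printf '%s %s\n' "$state" "$f"
        if [ "$state" = unsigned ] && [ "$mode" = --sign ]; then
            codesign -s - --force "$f" && printf 'signed(adhoc) %s\n' "$f"
        fi
    done
}

# Constructed samples of what `codesign -dv` writes (not captured on a real
# system), so the classifier can be exercised where codesign is absent.
SAMPLE_UNSIGNED='/opt/local/bin/example: code object is not signed at all'
SAMPLE_ADHOC='CodeDirectory v=20400 size=400 flags=0x2(adhoc) hashes=7+2 location=embedded
Signature=adhoc'
SAMPLE_SIGNED='CodeDirectory v=20400 size=583 flags=0x0(none) hashes=13+2 location=embedded
Signed Time=18 Dec 2021 at 01:20:02
Internal requirements count=1 size=64'

# self_check: verify the classifier against the samples; exit status 0 on success.
self_check() {
    [ "$(classify_signature "$SAMPLE_UNSIGNED")" = unsigned ] &&
    [ "$(classify_signature "$SAMPLE_ADHOC")" = adhoc ] &&
    [ "$(classify_signature "$SAMPLE_SIGNED")" = signed ] &&
    [ "$(classify_signature "no codesign output here")" = unknown ]
}

if [ $# -gt 0 ]; then
    scan_prefix "$@"
else
    self_check && echo "classifier self-check passed"
fi
```

Run it once without `--sign` to get the list of unsigned binaries first; rerunning with `--sign` modifies files in place, and on a port that is later upgraded the new binary comes back in whatever state MacPorts installs it, so the report is the part worth keeping.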