Checksum -s of apple-pki-bundle fetches from MacPorts, not Source

Daniel J. Luke dluke at
Mon Nov 14 01:16:18 UTC 2022

-s just tells port to not fetch the 'binary archives', it doesn't tell port to not use the macports distfile mirror.

The files on the mirror will have a hash that matches the portfile, so they'll be the same as what the port maintainer downloaded from the master_sites (and the port command will validate this).

If the problem is that upstream files changed but the version didn't change, you need to treat it like a stealth update -

> On Nov 13, 2022, at 5:53 AM, Steven Smith <steve.t.smith at> wrote:
> I’ve updated this port locally, but port is still fetching the old file from, not the master_sites URL specified in the Portfile.
> May I please get some help determining what is causing this issue?
>> On Nov 12, 2022, at 8:06 AM, Steven Smith <steve.t.smith at> wrote:
>> Re:
>> This issue is caused because port fetches an expired certificate from ​, not source:
>>> sudo port clean --all apple-pki-bundle
>>> sudo port -s checksum apple-pki-bundle +additional_pki_bundle +system_roots_keychain
>>>>>> ---> Attempting to fetch AppleISTCA2G1.cer from
>> But I’m explicitly passing -s to the port command—download from source:
>> What’s the fix to this? (Simple revbump?) And why don’t I detect it but the OP does?

Daniel J. Luke

More information about the macports-dev mailing list