[MacPorts] #42718: certsync fails to verify macports.org certificate
MacPorts
noreply at macports.org
Fri Mar 14 06:29:15 PDT 2014
#42718: certsync fails to verify macports.org certificate
---------------------------+-----------------------
Reporter: ryandesign@… | Owner: landonf@…
Type: defect | Status: assigned
Priority: High | Milestone:
Component: ports | Version: 2.2.1
Resolution: | Keywords:
Port: certsync |
---------------------------+-----------------------
Comment (by landonf@…):
I've attached patch-mktemp-fixes-v0, which contains a proposed fix;
testing+review is much appreciated before I commit it to the repo.
Based on Raimue's comments, I implemented the first option; to check for
certificate validity, I actually set up a SecTrustRef with the only anchor
being the certificate being tested, and then evaluate self-trust of the
certificate. If this fails, the certificate is expired or otherwise
untrustable, even if it's marked as trusted.
This approach should resolve the observed problem. Longer-term, I think
it's more reasonable to go with the second option (only export one
valid/non-expired certificate per public key), and evaluate certificates
according to internal heuristics based on what OpenSSL/gnutls will
actually require. However, that requires a better API/model for working
with certificates, and probably has to wait for the larger work I'm doing
on implementing a certsync Security.framework-backed PKCS#11 module:
https://opensource.plausible.coop/src/projects/CRTS/repos/certsync
--
Ticket URL: <https://trac.macports.org/ticket/42718#comment:6>
MacPorts <http://www.macports.org/>
Ports system for OS X
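The self-trust check described in the comment above, as an added stand-alone example. This is not the attached patch-mktemp-fixes-v0 and not certsync's own code; it is a hypothetical command-line tool written for this thread. It assumes a certificate file (PEM or DER) on disk, uses only Security.framework calls that existed on OS X at the time (SecTrustEvaluate is the API of that era and was later superseded by SecTrustEvaluateWithError), and takes an optional verification date so the expired case can be exercised against a certificate that is still valid today. The file name selftrust.m, the function names and the exit codes are all assumptions.

```objective-c
/*
 * selftrust.m (hypothetical example, not certsync code): decide whether a
 * certificate should be exported by evaluating it with itself as the ONLY
 * anchor. Keychain trust settings are deliberately ignored, so a certificate
 * that a user marked "Always Trust" is still rejected once it has expired.
 *
 * Build: clang -fobjc-arc -framework Foundation -framework Security selftrust.m -o selftrust
 * Usage: ./selftrust cert.pem [YYYY-MM-DD]    (date = evaluation time, default now)
 */
#import <Foundation/Foundation.h>
#import <Security/Security.h>

/* Load the first certificate found in a PEM or DER file; NULL on failure. */
static SecCertificateRef LoadCertificate(NSString *path) {
    NSData *data = [NSData dataWithContentsOfFile:path];
    if (data == nil) return NULL;

    SecExternalFormat format = kSecFormatUnknown;       /* let Security.framework sniff PEM/DER */
    SecExternalItemType itemType = kSecItemTypeCertificate;
    CFArrayRef items = NULL;
    OSStatus err = SecItemImport((__bridge CFDataRef)data, NULL, &format, &itemType,
                                 0, NULL, NULL /* no keychain: parse only */, &items);
    if (err != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (items) CFRelease(items);
        return NULL;
    }
    SecCertificateRef cert = (SecCertificateRef)CFRetain(CFArrayGetValueAtIndex(items, 0));
    CFRelease(items);
    return cert;
}

/*
 * Evaluate `cert` under the basic X.509 policy with `cert` as the sole anchor.
 * Because the anchor set is restricted to the certificate itself, the outcome
 * does not depend on the system roots or on user trust settings; it reflects
 * only whether the certificate is well formed and inside its validity period
 * at `verifyDate` (NULL means now). `outResult` receives the raw result code.
 */
static BOOL CertificateIsSelfTrusted(SecCertificateRef cert, CFDateRef verifyDate,
                                     SecTrustResultType *outResult) {
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    SecTrustRef trust = NULL;
    CFArrayRef anchors = NULL;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL trusted = NO;

    OSStatus err = SecTrustCreateWithCertificates(cert, policy, &trust);
    if (err == errSecSuccess) {
        anchors = CFArrayCreate(NULL, (const void **)&cert, 1, &kCFTypeArrayCallBacks);
        err = SecTrustSetAnchorCertificates(trust, anchors);
    }
    /* Do not fall back to the system roots; only our single anchor may terminate the chain. */
    if (err == errSecSuccess) err = SecTrustSetAnchorCertificatesOnly(trust, true);
    if (err == errSecSuccess && verifyDate != NULL) err = SecTrustSetVerifyDate(trust, verifyDate);
    if (err == errSecSuccess) err = SecTrustEvaluate(trust, &result);

    /* Unspecified: chain verified, no explicit user decision. Proceed: user explicitly
     * trusts it. Recoverable/FatalTrustFailure, Deny, Invalid, OtherError: reject. */
    if (err == errSecSuccess) {
        trusted = (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    }

    if (outResult) *outResult = result;
    if (anchors) CFRelease(anchors);
    if (trust) CFRelease(trust);
    CFRelease(policy);
    return trusted;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s cert.pem [YYYY-MM-DD]\n", argv[0]);
            return 2;
        }
        SecCertificateRef cert = LoadCertificate([NSString stringWithUTF8String:argv[1]]);
        if (cert == NULL) {
            fprintf(stderr, "could not load a certificate from %s\n", argv[1]);
            return 2;
        }

        /* Optional evaluation date, e.g. a day after notAfter to see the expired verdict. */
        CFDateRef verifyDate = NULL;
        if (argc > 2) {
            NSDateFormatter *fmt = [[NSDateFormatter alloc] init];
            fmt.dateFormat = @"yyyy-MM-dd";
            fmt.timeZone = [NSTimeZone timeZoneWithAbbreviation:@"UTC"];
            NSDate *d = [fmt dateFromString:[NSString stringWithUTF8String:argv[2]]];
            if (d == nil) { fprintf(stderr, "bad date: %s\n", argv[2]); CFRelease(cert); return 2; }
            verifyDate = (__bridge_retained CFDateRef)d;
        }

        SecTrustResultType result = kSecTrustResultInvalid;
        BOOL ok = CertificateIsSelfTrusted(cert, verifyDate, &result);
        CFStringRef subject = SecCertificateCopySubjectSummary(cert);
        printf("%s: %s (SecTrustResultType=%u)\n",
               subject ? [(__bridge NSString *)subject UTF8String] : "(no subject)",
               ok ? "OK, export" : "REJECTED, skip",
               (unsigned)result);
        if (subject) CFRelease(subject);
        if (verifyDate) CFRelease(verifyDate);
        CFRelease(cert);
        return ok ? 0 : 1;
    }
}
```

Two things worth checking when running this against a real keychain export: a certificate that is still within its validity period evaluates to kSecTrustResultUnspecified when it is not covered by any user trust setting, which is a pass, not a failure; and passing a date past notAfter flips the same certificate to kSecTrustResultRecoverableTrustFailure, which is exactly the class of certificate the ticket wants kept out of the exported bundle.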