[MacPorts] #49233: selfupdate fails with "Failed to verify signature for MacPorts source"

Tue Oct 13 13:42:04 PDT 2015

#49233: selfupdate fails with "Failed to verify signature for MacPorts source"
-----------------------------+---------------------
  Reporter:  n.gilbert@…     |      Owner:  admin@…
      Type:  defect          |     Status:  new
  Priority:  High            |  Milestone:
 Component:  server/hosting  |    Version:  2.3.3
Resolution:                  |   Keywords:
      Port:                  |
-----------------------------+---------------------

Comment (by cal@…):

 Replying to [comment:34 seb@…]:
 > I sugget a (temporary) workaround:
 >
 > Edit /opt/local/libexec/macports/lib/macports1.0/macports.tcl
 >
 > On lines 3429/3430 you'll find:
 >
 >                 ui_debug "failed verification with key $pubkey"[[BR]]
 >                 ui_debug "openssl output: $result"
 >
 > Add this command:
 >                 set verified 1
 >
 > And maybe (if you want to remember)
 >                 ui_debug "But i take my chance"
 >

 This is a bad idea, because it breaks the chain of trust that normally
 ensures the macports update has not been tampered with. If your version of
 MacPorts is outdated, it is a much better idea to download one of the
 installers, because those are signed with an Apple Developer ID. Running
 this installer will only update MacPorts itself and leave your installed
 ports as-is.

-- 
Ticket URL: <https://trac.macports.org/ticket/49233#comment:82>
MacPorts <https://www.macports.org/>
Ports system for OS X