[MacPorts] #53411: macports-base codesigning ?

MacPorts noreply at macports.org
Fri Jan 27 20:47:35 UTC 2017


#53411: macports-base codesigning ?
--------------------------+-------------------
  Reporter:  juju4        |      Owner:
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:
 Component:  base         |    Version:  2.4.0
Resolution:               |   Keywords:
      Port:               |
--------------------------+-------------------
Description changed by ryandesign:

Old description:

> I'm using MacPorts on macOS 10.11+10.12 and Google Santa
> (https://github.com/google/santa), which allows whitelisting and
> blacklisting binaries.
> It can be done both by path+checksum and by certificates.
>
> It seems that with most port selfupgrade/sync of MacPorts, I got a change with
> /opt/local/libexec/macports/bin/tclsh8.5
> and a few others. Hopefully it's legit, but as it is not signed, I have
> to whitelist it again each time.
>
> Is there any work to get MacPorts base binaries signed?
> Ideally, base and all binaries distributed by the project are codesigned by
> MacPorts and any locally compiled port is compiled by the local user if an
> identity is available.
>
> I see that it has evolved positively in recent months for ports:
> https://trac.macports.org/ticket/51504
> https://github.com/macports/macports-ports/commit/92a031da26545716e0de1ffd6db6b33283db49cd
> https://trac.macports.org/ticket/53168
> So why not bring it to base :)
>
> That would be a very helpful improvement to security.
>
> Thanks

New description:

 I'm using MacPorts on macOS 10.11+10.12 and Google Santa
 (https://github.com/google/santa), which allows whitelisting and
 blacklisting binaries.
 It can be done both by path+checksum and by certificates.

 It seems that with most port selfupgrade/sync of MacPorts, I got a change with
 /opt/local/libexec/macports/bin/tclsh8.5
 and a few others. Hopefully it's legit, but as it is not signed, I have to
 whitelist it again each time.

 Is there any work to get MacPorts base binaries signed?
 Ideally, base and all binaries distributed by the project are codesigned by
 MacPorts and any locally compiled port is compiled by the local user if an
 identity is available.

 I see that it has evolved positively in recent months for ports:
 * #51504
 * https://github.com/macports/macports-ports/commit/92a031da26545716e0de1ffd6db6b33283db49cd
 * #53168
 So why not bring it to base :)

 That would be a very helpful improvement to security.

 Thanks

--

--
Ticket URL: <https://trac.macports.org/ticket/53411#comment:2>
MacPorts <https://www.macports.org/>
Ports system for macOS

