[MacPorts] #53411: macports-base codesigning ?
MacPorts
noreply at macports.org
Fri Jan 27 20:47:35 UTC 2017
#53411: macports-base codesigning ?
--------------------------+-------------------
  Reporter:  juju4        |      Owner:
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:
 Component:  base         |    Version:  2.4.0
Resolution:               |   Keywords:
      Port:               |
--------------------------+-------------------
Description changed by ryandesign:
Old description:
> I'm using MacPorts on macOS 10.11+10.12 and Google Santa
> (https://github.com/google/santa), which allows whitelisting and
> blacklisting binaries.
> It can be done both by path+checksum and certificates.
>
> It seems with most port selfupgrade/sync of MacPorts, I got a change with
> /opt/local/libexec/macports/bin/tclsh8.5
> and a few others. Hopefully it's legit, but as it is not signed, I have
> to whitelist it again each time.
>
> Is there any work to get MacPorts base binaries signed?
> Ideally, base and all binaries distributed by the project are codesigned
> by MacPorts and any locally compiled port is compiled by the local user
> if an identity is available.
>
> I see that it has evolved positively in recent months for ports:
> https://trac.macports.org/ticket/51504
> https://github.com/macports/macports-ports/commit/92a031da26545716e0de1ffd6db6b33283db49cd
> https://trac.macports.org/ticket/53168
> So why not bring it to base :)
>
> That would be a very helpful improvement to security.
>
> Thanks
New description:
I'm using MacPorts on macOS 10.11+10.12 and Google Santa
(https://github.com/google/santa), which allows whitelisting and
blacklisting binaries.
It can be done both by path+checksum and certificates.

It seems with most port selfupgrade/sync of MacPorts, I got a change with
/opt/local/libexec/macports/bin/tclsh8.5
and a few others. Hopefully it's legit, but as it is not signed, I have to
whitelist it again each time.

Is there any work to get MacPorts base binaries signed?
Ideally, base and all binaries distributed by the project are codesigned by
MacPorts and any locally compiled port is compiled by the local user if an
identity is available.

I see that it has evolved positively in recent months for ports:
* #51504
* https://github.com/macports/macports-ports/commit/92a031da26545716e0de1ffd6db6b33283db49cd
* #53168
So why not bring it to base :)

That would be a very helpful improvement to security.

Thanks
--
Ticket URL: <https://trac.macports.org/ticket/53411#comment:2>
MacPorts <https://www.macports.org/>
Ports system for macOS