[MacPorts] #53411: macports-base codesigning ?

MacPorts noreply at macports.org
Sun Jan 29 15:43:03 UTC 2017


#53411: macports-base codesigning ?
--------------------------+-------------------
  Reporter:  juju4        |      Owner:
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:
 Component:  base         |    Version:  2.4.0
Resolution:               |   Keywords:
      Port:               |
--------------------------+-------------------

Comment (by juju4):

 I'm mostly talking about macports-base and the port command, which I hope
 developers review regularly. For sure, an audit would be best. But a
 signature is not in any way linked to an audit. I'm pretty sure most of
 the signed apps on either the Mac App Store or the iOS App Store were never
 really audited.

 It's more about the distribution and origin of the file, like a gpg --verify.
 If the installer is signed, why not use the same signature for the
 executable binary files attached to it?
 The installer signature is installed, but there is none at binary execution.

 In my setup with a whitelisting configuration, certificates are the way to
 ensure files are coming from the same origin and can be as trusted as they
 were before.
 If I don't trust it, I blacklist the corresponding certificates.
 Currently, without a certificate signature, I have to whitelist some files
 again (mostly tclsh) by hash at each base update, or else they are blocked.
 That's what I currently do.

--
Ticket URL: <https://trac.macports.org/ticket/53411#comment:4>
MacPorts <https://www.macports.org/>
Ports system for macOS

