[MacPorts] #63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
MacPorts
noreply at macports.org
Mon Nov 1 13:14:36 UTC 2021
#63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
-------------------------------+--------------------
Reporter: RJVB | Owner: (none)
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: apple-pki-bundle |
-------------------------------+--------------------
Comment (by essandess):
Replying to [comment:10 mascguy]:
> Replying to [comment:9 essandess]:
> > Replying to [comment:6 RJVB]:
> > > I see no evidence in the Portfile that the certificates are actually
> > > being added to any of the OS's certificate stores.
> >
> > If there’s a circumstance for which a port installs CAs in the System
> > Keychain, I can’t imagine what that would be. This sounds like a Bad Idea.
> > Users/Admins should manage their PKI.
>
> Perhaps the port could include an ultra-simple shell script to effect
> the changes? We'd want the script to back up the keychain first, and tell
> the user where said backup is. But otherwise, this would simplify everyone's
> life, without forcibly making changes.
>
> We'd also want to include a port note, mentioning the helper script.
> Along with a quick blurb on how to use it.
>
> How does that sound?

It’s not clear from this thread or the email thread the problem that is
being addressed, or whether adding these certs to the keychain would
actually fix it. There are more fundamental issues on old systems, like
TLS1 being deprecated.

If there were a confirmed, working solution for PKI on unsupported OS’s,
then that should be a separate port that uses {{{apple-pki-bundle}}} in
{{{depends_lib}}}.
--
Ticket URL: <https://trac.macports.org/ticket/63740#comment:11>
MacPorts <https://www.macports.org/>
Ports system for macOS