[MacPorts] #63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
MacPorts
noreply at macports.org
Mon Nov 1 13:56:20 UTC 2021
#63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
-------------------------------+--------------------
Reporter: RJVB | Owner: (none)
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: apple-pki-bundle |
-------------------------------+--------------------
Comment (by RJVB):
The context here is "not-so-old" systems like 10.11 for which up-to-date
browsers are still being provided, and where the lack of updates to the
`System Roots` causes connection errors to sites that use other or renewed
certificate authority certificates. I can confirm explicitly that adding
the missing or updated certificates to the `System` store does indeed
restore connectivity to the affected sites.

When I wrote "outside of MacPorts" I referred to applications not
installed through MacPorts, NOT to download locations. But as indicated
any application that uses the system's certificate stores would be
affected - I presume that would include Qt and GTK apps using the Security
framework. The deprecation of TLS1 is an orthogonal problem, regardless of
whether or not it's more fundamental.

Having random ports that try to install certificates at the system level
wouldn't be a very good idea, though evidently they could only do that
through the intervention of a local administrator who already has the
power to apply system updates or mess with the central certificate
store(s). Except the `System Roots` store directly, FWIW, because that one
can only be modified by the system (although I presume anyone with sudo
powers could replace the corresponding file).
--
Ticket URL: <https://trac.macports.org/ticket/63740#comment:12>
MacPorts <https://www.macports.org/>
Ports system for macOS