[MacPorts] #63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
MacPorts
noreply at macports.org
Mon Nov 1 16:21:56 UTC 2021
#63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
-------------------------------+--------------------
Reporter: RJVB | Owner: (none)
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: apple-pki-bundle |
-------------------------------+--------------------
Comment (by RJVB):
Replying to [comment:13 essandess]:
> Great! That’s simple.
Indeed. I too was pleasantly surprised, after all the hair-pulling to
understand what was going on, why an up-to-date Chrome would no longer
connect to lots of sites that Firefox had no issue with, etc.
> What about providing a bash one-liner in the notes or a script that adds
> CAs to the {{{System}}} keychain, per [comment:10 mascguy]’s suggestion?
Either is fine with me! There's also the option of doing it in the
post-activate if a variant is set.
> The less simple thing is that there appear to be different Apple PKI
> bundles: the one at https://www.apple.com/certificateauthority/, the macOS
> {{{System Roots}}}, and the ones on iOS.
>
> Which one did you install to get macOS 10.11 working again?
The 10.11 system was done remotely with me instructing my favorite "Jane
User" via IM so we kept it to just the ISRG certificate which solves most
issues. On my own 10.9 system I also installed the .pem file from the
current `port:apple-pki-bundle`. Stupidly I didn't check if any were
absent or out-of-date first, but I did notice (on Linux) that you need
them to connect to certain Apple sites.
If in any way possible I'd ship the collection in an up-to-date `System
Roots`. If the iOS equivalent has different certificates there must be a
reason why Apple make that so (and why that is not a problem) - I don't
see what we would need them for ... and I could imagine that Apple might
object to making them easily available on Mac.
>
> Also, port {{{apple-pki-bundle}}} must be updated to include all of
> {{{System Roots}}}, so I’ll issue a PR for that too.
--
Ticket URL: <https://trac.macports.org/ticket/63740#comment:14>
MacPorts <https://www.macports.org/>
Ports system for macOS