[MacPorts] #63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
MacPorts
noreply at macports.org
Sun Oct 31 10:17:48 UTC 2021
#63740: [apple-pki-bundle] : extend to cover all certificates from "System Roots"
-------------------------+------------------------------
Reporter: RJVB | Owner: (none)
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Keywords: | Port: apple-pki-bundle
-------------------------+------------------------------
Cf. https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi/429778#429778

Lots of sites have been broken recently on Macs running older versions of
the OS because of an expired certificate for which no replacement is
included in this port at the moment (LetsEncrypt ISRG). Apparently Apple
do ship it in one of their OS updates because you can get it by
transferring the contents of the `System Roots` certificate store from an
up-to-date system to your out-of-date system.

This port already has a precedent for the argument that it
does-but-shouldn't include non-Apple certificates, given its name, by
having a default variant which includes GeoTrust and Digicert certificates.

Why not keep it up-to-date by including all certificates that Apple ship
in that `System Roots` store?

BTW: note how several answers in the StackExchange discussion above point
out the uncertainty inherent in downloading certificates, apparently even
in downloading from the issuer's site. If that's not being overly
paranoid, just how does this port do better than that? Has the maintainer
verified each cert. checksum against a copy exported from the Keychain on
his up-to-date system, and has this been double-checked by at least 1
independent authoritative MacPorts maintainer?

As an alternative, cannot the `System Roots` store be obtained directly
from the latest Apple updater that contains it?
--
Ticket URL: <https://trac.macports.org/ticket/63740>
MacPorts <https://www.macports.org/>
Ports system for macOS
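
The per-certificate check the ticket asks about, comparing a candidate bundle against a reference export from a trusted up-to-date system, as an added example that is not part of the ticket or of the apple-pki-bundle port. The function names are hypothetical and the certificate bytes are constructed stand-ins, not real roots; fingerprints are taken over the decoded DER so that PEM re-wrapping or reordering does not cause false mismatches.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 hex digests of the DER bytes of every certificate in a PEM bundle."""
    digests = set()
    for body in PEM_RE.findall(pem_text):
        # Strip line wrapping, then decode strictly so corrupt base64 raises.
        der = base64.b64decode("".join(body.split()), validate=True)
        digests.add(hashlib.sha256(der).hexdigest())
    return digests

def compare_bundles(candidate_pem, reference_pem):
    """Classify candidate certificates against a trusted reference export."""
    cand, ref = fingerprints(candidate_pem), fingerprints(reference_pem)
    return {
        "matched": sorted(cand & ref),      # byte-identical to a reference cert
        "unverified": sorted(cand - ref),   # shipped but absent from the reference
        "missing": sorted(ref - cand),      # in the reference but not shipped
    }

def to_pem(der, width=64):
    """Wrap raw bytes as a PEM block (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-ins for certificate DER bytes (not real certificates).
ROOT_A = b"constructed-root-A" * 8
ROOT_B = b"constructed-root-B" * 8
ROOT_B_ALTERED = ROOT_B[:-1] + b"!"   # differs from ROOT_B in one byte

# Reference: export from the trusted system. Candidate: what the bundle ships,
# in a different order, wrapped differently, with one certificate altered.
REFERENCE = to_pem(ROOT_A) + to_pem(ROOT_B)
CANDIDATE = to_pem(ROOT_B_ALTERED, width=76) + to_pem(ROOT_A, width=76)

if __name__ == "__main__":
    for status, digests in compare_bundles(CANDIDATE, REFERENCE).items():
        for d in digests:
            print(f"{status:10s} {d}")
```

Any entry under `unverified` is a certificate that cannot be traced to the reference export and should hold up the bundle until it is explained.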