Verifying security of downloads

Ryan Schmidt ryandesign at
Wed May 26 07:50:48 UTC 2021

On May 26, 2021, at 00:34, DaveC wrote:

> Being more aware—as we all are, now—of security on my Mac, what precautions should I be taking when downloading installs such as MP, and others (some as source code to be built “domestically”).
> Not having done anything about security when installing these in the past, I’m new to this. Are there checksums available for these? I don’t recall seeing any. Or other method to verify?

When you install any software, you are trusting the developers of that software that the software is good and correct and not malicious.

On Apple platforms, software installers are signed with a digital certificate. By installing the software, you are indicating your trust of whoever that digital certificate is issued to.

If Apple ever discovered that malicious software had been released by someone, they would revoke their digital certificate, and then you wouldn't be able to install that software anymore. Here's how that works:

The MacPorts installer is signed with the digital certificate of MacPorts manager Joshua Root; if you trust him and all the developers who contributed code to MacPorts base and those who have reviewed the commits and decided they were ok, then you can run the installer.

When you use MacPorts to install software, you trust the developers of that software, and the person who contributed the portfile to MacPorts and the people who reviewed that contribution. Most ports fetch their source code via distfiles, and those distfiles are verified with checksums that are recorded in the portfile. This ensures that when you install a port from source, you can be sure that the code you are installing is the same as the code that was used by whoever contributed or updated the port.

Most ports in MacPorts have their distfiles verified by at least two different checksum types, to guard against any one checksum mechanism becoming insecure. Some older ports that haven't been updated in more than a decade verify their distfiles with only one checksum type, often md5, which is an insecure mechanism. If such old ports are no longer needed, they should be removed. If they are still needed and can be updated to a newer version, they should be updated. If they are still needed and no new version is available, someone should fetch the distfile, verify the md5 checksum, attempt to confirm that the contents of the file have not been compromised, and then replace the md5 checksum with two or more modern checksums, such as our current default set of rmd160, sha256, and size.

A small minority of ports fetch source code via a revision control system rather than distfiles and these can be less secure. Ports that fetch a specific commit hash from a git repository are secure in that they will use that exact version of the code. (If the content of the code had changed at all in the upstream repository, then the commit hash would change too.) But most ports that fetch from git probably do so via a tag rather than a commit hash, and these may not be secure because it would be possible for someone with write access to the upstream repository to delete a tag and recreate it pointing to a different commit hash. Ports that fetch from a Subversion repository might not be secure because only a repository URL and revision integer are used when fetching. Although Subversion repositories are designed to prevent history from being altered during normal use, it is possible for an administrator to "dump" the repository to an intermediate file, use tools to alter the contents of that dump file, then load the result into a new repository. MacPorts supports several other revision control systems which may have varying security qualities. We recommend portfiles fetch using distfiles so that what's fetched can be verified with checksums. Work was begun years ago to generate distfiles automatically for ports that fetch from an RCS, which could then be checksummed as usual and would make these problems go away, but it has not yet been completed.

If when installing or upgrading a port you receive a binary package built by our buildbot system, in addition to trusting the software developer and portfile author, you trust that I have set up the buildbot servers properly and without injecting anything malicious into the files that are produced. (Prior to late 2016, you were trusting Apple, who ran our build system until then.) Our buildbot signs our binary packages with our private key. MacPorts on your computer verifies using our public key that the package was not damaged in transit before installing it.

More information about the macports-users mailing list