Verifying security of downloads
Ryan Schmidt
ryandesign at macports.org
Wed May 26 08:25:14 UTC 2021
On May 26, 2021, at 02:50, Ryan Schmidt wrote:
> If when installing or upgrading a port you receive a binary package built by our buildbot system, in addition to trusting the software developer and portfile author, you trust that I have set up the buildbot servers properly and without injecting anything malicious into the files that are produced. (Prior to late 2016, you were trusting Apple, who ran our build system until then.) Our buildbot signs our binary packages with our private key. MacPorts on your computer verifies using our public key that the package was not damaged in transit before installing it.
Not only does it verify that a package wasn't damaged in transit but it also verifies that the package was created by us, since nobody else has our private key.
When you update MacPorts base using "sudo port selfupdate" you receive the update via rsync. When you update the ports tree using "sudo port selfupdate" or "sudo port sync", what happens depends on how you've configured MacPorts.
The default way to update base and the ports tree is to use rsync to download a tarball which is expanded after verifying the accompanying digital signature, the same kind we use for packages, so that you can be sure that the updated ports collection or base was produced by us, regardless of where you might be downloading from.
A long time ago, MacPorts would rsync not a tarball but a directory of files, for which there was no integrity checking. That's why we switched to signed tarballs, and if your MacPorts install predates our switch to use tarballs here, MacPorts will advise you how to change your configuration to fix it.
If you configure MacPorts to fetch ports from our git repository instead, then updates to your ports collection are secured by the methods that git employs for that.
It's also possible to configure your ports tree to update via a compressed tarball downloaded via http(s). There is no integrity checking when using this method.
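The verify-before-expand flow that the message describes for signed tarballs, as an added example that is not part of the original post and not MacPorts's own code: a publisher signs a tarball with a private key, and the client checks the detached signature against the public key and only extracts when it verifies. The key type (RSA), digest (SHA-256), file names and the tiny sample ports tree are all assumptions made for the demo; MacPorts's actual signature format is not described on this page.

```shell
#!/bin/sh
# Added demo (not MacPorts code): sign a tarball, then verify before extracting.
# Assumptions: openssl and tar are available; RSA/SHA-256 and all file names are made up here.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed sample "ports tree" to package up
mkdir -p ports/category/foo
printf 'PortSystem 1.0\nname foo\n' > ports/category/foo/Portfile
tar -cf ports.tar ports

# Publisher side: the private key stays on the build server, only the public key is shipped to clients
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem 2>/dev/null
openssl pkey -in private.pem -pubout -out public.pem

# Publisher side: detached signature over the tarball bytes
openssl dgst -sha256 -sign private.pem -out ports.tar.sig ports.tar

# Client side: extract only if the signature verifies with the trusted public key.
# Returns 0 on success, 1 (and extracts nothing) if the signature does not match.
verify_and_extract() {
  tarball=$1; sig=$2; pubkey=$3; dest=$4
  if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$tarball" >/dev/null 2>&1; then
    mkdir -p "$dest"
    tar -xf "$tarball" -C "$dest"
    return 0
  fi
  return 1
}

# Good download: signature matches, tarball is expanded
verify_and_extract ports.tar ports.tar.sig public.pem extracted && echo "signature OK, extracted"

# Simulated damage or tampering in transit: one extra byte, same signature file -> rejected
cp ports.tar tampered.tar
printf 'x' >> tampered.tar
verify_and_extract tampered.tar ports.tar.sig public.pem never || echo "signature mismatch, not extracted"
```

Because the check is on the signature rather than on the download location, the same decision is reached whether the tarball came from the publisher's own server or from any mirror, which is the property the message attributes to signed tarballs.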
More information about the macports-users mailing list