provide latest OS root certificates via port?

[Richard L. Hamilton]

You're (probably - seems plausible but I haven't verified it myself) right that that's annoying and fixable.

But there's a big reason to think carefully about whether to do that. If something is old enough that it isn't receiving certificate updates, it probably isn't receiving security updates either. And the same applications and functionality that need current root certificates to work are also likely to be common attack points.

So at the very least, anything that makes it easier to take such a risk should come with a prominent warning, IMO.

> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvbertin at gmail.com> wrote:
> 
> Hi,
> 
> Users of older Apple OSes that are no longer receiving updates probably noticed that Safari and Chrome-based browsers no longer connect to lots of sites because a crucial root certificate has expired.
> 
> Answer 1 to https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi provides an easy solution, but you need access to an up-to-date OS install.
> 
> These are not proprietary to Apple so I presume it should be possible to provide the suggested `rootcerts.pem` file via a port - possibly even install it in the post-activate. I had a look but couldn't find if such a port already exists. I think it'd help for lots of people... I'd propose a draft but I'm running 10.9 ... so thanks to anyone picking this up!
> 
> R.
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20211029/8fdd5a3a/attachment.htm>