provide latest OS root certificates via port?

Giacomo Tufano gt at iltofa.com
Fri Oct 29 16:53:14 UTC 2021


TBH, there is no need to download the entire package of root certs from a new version of macOS. Installing the updated root certificate you need should be enough. For the case of the expired intermediate certificate of Letsencrypt (that causes most of the problems in my personal experience) installing the root certificate for ISRG X1 in the keychain from the CA itself should fix the problem without creating new packages (and maintaining them). In the case of Letsencrypt, from this page https://letsencrypt.org/certificates/ you need to install https://letsencrypt.org/certs/isrgrootx1.pem to fix the problem with Letsencrypt “expired” certificates (this works even on old iOS versions). This is just a stopgap for what I think is the more critical problem now.
Of course: ymmv, just a quick note, you should not install root certificates when a stranger tells you to do so from a link on the Internet, etc. etc.

Ciao,
gt


> On 29 Oct 2021, at 18:45, Richard Bonomo TDS personal <bonomo at tds.net> wrote:
> 
> 
> Well, some of us are reasonably competent in managing risk, but cannot afford to be buying new computers.
> So the Apples I have, or are on loan to me, have to be kept going.
> 
> On a more pathologic level, I am also in possession (extended loan) of a µVAX workstation that I should try
> to get working again.  There is no such thing as a support contract for that, and DEC does not exist any more.
> 
> Rich
> 
> ----- Original Message -----
> From: "Richard L. Hamilton" <rlhamil at smart.net>
> To: "macports-users Users" <macports-users at lists.macports.org>
> Sent: Friday, October 29, 2021 11:25:56 AM
> Subject: Re: provide latest OS root certificates via port?
> 
> 
> 
>> On Oct 29, 2021, at 12:02, Michael <keybounce at gmail.com> wrote:
>> 
>> As a user who spent a week trying to figure out what was going on with more and more sites not working, making less of the information out there available to figure out how to solve the expired cert, it was really painful to find out that this was "known in advance", and worse, this implies that ANY "modern", "secure" OS is an inherent time-death, for no good reason.
>> 
>> Having an easy way to update certs would be wonderful.
>> Finding out the hard way that not only did I need to put the DST root in, but that in the next year there's a couple more that will expire, when this was something that could have, and should have, been made very public in advance, was painful.
>> 
>> Discovering the *harder* way that adding a root key to your personal account is not the same as adding it system wide, meaning that the first information I got wasn't even accurate, only made things worse -- I could browse the web just fine, but stuff running as root from launchd was using a different set of certs that did not include this.
>> 
>> Some sort of "Warning! This system is considered extremely vulnerable" is fine. But we see ATM's running windows XP, voting machines running Vista, etc. Old systems being used past their expiration date is normal.
> 
> The ancient (and inadequately audited and reviewed, even if not ancient) software on ATMs and voting machines should be a scandal. Although they are (supposedly) more physically controlled than user desktops/laptops are, and are at least INTENDED to be limited to specific kiosk-like functions and nothing else, so they're FAR less exposed (software-wise) than a browser accessing potentially anything, including once-legit sites that had been hacked to become nasty.  The risks are (IMO) NOT THE SAME.
> 
>> Or do you think that 50 year old FORTRAN programs on 370 systems should be retired and the entire financial system forced to rewrite code used all around the world?
> 
> A heck of a lot had to be fixed for Y2K, and some things that couldn't be fixed were either replaced or tossed (including a few that were tossed simply because nobody would take responsibility to affirm that they didn't use dates, even though it was obvious). Been there, done that. It was only a big yawn-fest due to a LOT of hard work. Same thing will happen again in 2038 for any 32-bit Unix/Linux code, btw. That won't be modern desktops (just about all of which are already 64-bit, some now 64-bit only), but a heck of a lot of embedded devices may still be running that old code then. Fortunately I'm retired, so assuming I'm still around, I won't have to deal with THAT mess.
> 
>>> Sometimes, one has to work with what one has.
>> 
>> Exactly.
> 
> Ok, sometimes. In a retro computing museum. Or in a nonprofit with no budget. But for anything serious, one REALLY should be aware of the risks, even if that means going back to pen, paper, and snail mail rather than taking the risks. Or else realizing that EVERYTHING they do where the information or transaction has any value at all, is at greater risk of being corrupted or exploited by hostiles if they're doing it on that old system, at least if that system has Internet access.
> 
> But basically EVERY computer, even if the physical box could last longer, has support issues past 5 years old, CERTAINLY if one doesn't have a paid support contract. I have a box that's industrial enough that it's 20+ years old and has only had a drive or two (mirrored, so never any data loss) replaced, but I can't (ok, won't) afford a support contract for it (there probably is still support for an older OS version that could still run on it, those things were built like tanks!), so I know I'm taking my chances. In other words, no system seller is going to be on the hook to support an old system forever as part of the purchase price; if they'll provide extended support at all, you'd better expect to pay extra for that, every year. EVERYTHING costs, 'cause everybody has to make a living, including the rich people and the little people at the rich people's companies. Magic no problems forever does NOT exist.
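The two practical points in this thread are (a) install the CA's own root (ISRG Root X1, from the letsencrypt.org URL above) rather than rebuilding a whole OS certificate bundle, and (b) put it in the System keychain, because a root added to one user's login keychain is invisible to launchd jobs running as root. The script below is an added example written for this reply, not code from anyone in the thread or from MacPorts. It assumes macOS with `security` and `openssl` on PATH, that `login.keychain-db` is the current user's keychain path, and that the operator replaces the `EXPECTED_FP` placeholder with the SHA-256 fingerprint read from the CA's own certificates page over a connection they already trust; the script refuses to install anything whose fingerprint does not match. It generalises beyond ISRG Root X1: any root PEM plus its published fingerprint and a scope of `system` or `user` will do.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): install a CA root into
# the macOS System keychain (trusted by root daemons launched by launchd)
# or only into the current user's login keychain, after checking its
# SHA-256 fingerprint against a value obtained out of band from the CA.
set -eu

CERT_URL="https://letsencrypt.org/certs/isrgrootx1.pem"   # URL given in the thread
CERT_CN="ISRG Root X1"                                     # subject CN of that root
EXPECTED_FP="PASTE_SHA256_FINGERPRINT_FROM_CA_PAGE_HERE"   # placeholder; copy from https://letsencrypt.org/certificates/

# Normalise a SHA-256 fingerprint so values from different sources compare:
# drop an "SHA256 Fingerprint=" prefix, colons and spaces, and lowercase it.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr 'A-F' 'a-f'
}

# Map a trust scope to the keychain it lives in. Only "system" is consulted
# by processes running as root from launchd; "user" helps that user's apps only.
# (login.keychain-db is an assumption about the current user keychain path.)
keychain_path() {
    case "$1" in
        system) printf '%s' "/Library/Keychains/System.keychain" ;;
        user)   printf '%s' "$HOME/Library/Keychains/login.keychain-db" ;;
        *)      echo "unknown scope: $1 (use system or user)" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint of a PEM certificate, as printed by openssl.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Verify the downloaded PEM against the out-of-band fingerprint, then add it
# as a trust anchor (-r trustRoot) in the chosen keychain and confirm it is there.
install_root() {
    scope="$1"; pem="$2"
    actual="$(normalize_fp "$(cert_fingerprint "$pem")")"
    expected="$(normalize_fp "$EXPECTED_FP")"
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual, expected $expected; not installing" >&2
        return 1
    fi
    if [ "$scope" = system ]; then
        # -d targets the admin (system) trust store and needs root.
        sudo security add-trusted-cert -d -r trustRoot -k "$(keychain_path system)" "$pem"
    else
        security add-trusted-cert -r trustRoot -k "$(keychain_path user)" "$pem"
    fi
    # Check the root is now findable in that specific keychain.
    security find-certificate -c "$CERT_CN" "$(keychain_path "$scope")" >/dev/null
}

# Usage: sh install_root.sh install [system|user]
if [ "${1:-}" = "install" ]; then
    tmp="$(mktemp)"
    curl -fsSL "$CERT_URL" -o "$tmp"
    install_root "${2:-system}" "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh install_root.sh install system` after pasting the published fingerprint into `EXPECTED_FP`; run it again with `user` if a GUI application for one account still complains. The `find-certificate` call at the end is the check Michael's message describes the lack of: it queries one keychain at a time, so it tells you whether the root landed where root-owned daemons look, not just where your browser does.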
