provide latest OS root certificates via port?

Sun Oct 31 09:37:01 UTC 2021

On Fri, Oct 29, 2021 at 09:02:34AM -0700, Michael <keybounce at gmail.com> wrote:

> As a user who spent a week trying to figure out what was going on
> with more and more sites not working, making less of the information
> out there available to figure out how to solve the expired cert, it
> was really painful to find out that this was "known in advance", and
> worse, this implies that ANY "modern", "secure" OS is an inherent
> time-death, for no good reason.
> 
> Having an easy way to update certs would be wonderful.
> Finding out the hard way that not only did I need to put the DST root
> in, but that in the next year there's a couple more that will expire,
> when this was something that could have, and should have, been made
> very public in advance, was painful.
> 
> Discovering the *harder* way that adding a root key to your personal
> account is not the same as adding it system wide, meaning that the
> first information I got wasn't even accurate, only made things worse
> -- I could browse the web just fine, but stuff running as root from
> launchd was using a different set of certs that did not include this.

Yes, it was a pain. I had similar troubles with a 10.6.8 laptop.
Luckily, I read the LetsEncrypt community forum where it was explained
and various solutions given. They didn't quite work for me but they were
close enough to work something out.

And this will happen again and again as every root certificate becomes
ancient and expires. So it would be nice to have an easy way to to keep
a system's root certificates up to date, and hopefully, one day, operating
system vendors will agree. :-) It'll get on the news when everyone's smart
TVs stop working. :-)

But I agree with Bill that it's not the job of the macports project to do that.
Keeping the ports working on old macOS systems is a huge enough task as it is.
Keeping the OS-provided software itself working is something else.

However, if someone wanted to write a program that keeps a mac's root
certificates up to date, that would be a good port to have. :-)
The keychain can be modified from the command line, so it shouldn't be
too difficult. :-)

But since it seems that there are few people using old macOS systems,
it might remain a manual process.

Actually, something looks wierd with macports statistics.

On 10.14:

  > /opt/local/libexec/mpstats submit
  Submitting data to https://ports.macports.org/statistics/submit/ ...
  Error: Peer certificate cannot be authenticated with given CA certificates
      while executing
  "curl post "submission\[data\]=$json" $stats_url"

On 10.6:

  > /opt/local/libexec/mpstats submit
  Submitting data to https://ports.macports.org/statistics/submit/ ...
  Error: SSL connect error
      while executing
  "curl post "submission\[data\]=$json" $stats_url"

It has a LetsEncrypt certificate but this should work. It should be macport's
curl that has its own CA bundle.

The certificate chain does still contain "DST Root CA X3". I thought that
was getting removed.

Anyway, it looks like I didn't manage to fix my system root certificates
after all, even though "ISRG Root X1" is installed (and "DST Root XA 3" is
manually trusted just to be extra sure). :-)

/usr/bin/curl is still failing, and for some reason, mpstats must be using
/usr/bin/curl instead of /opt/local/bin/curl. That doesn't sound possible, but
that's what it looks like.

According to check_for_app in /opt/local/libexec/macports/lib/macports1.0/diagnose.tcl,
it looks like the curl that's used is the system one in /usr/bin.

I think that means that macports does require the system root certificates
to be functional (for some things at least). Is anyone else on old systems
able to run "/opt/local/libexec/mpstats submit"? I read somewhere that errors
are silently ignored during automatic submission.

Could this be why https://ports.macports.org/statistics/ shows almost nothing
for 10.{14,13,8,7,6,5,4}? Or are those numbers accurate?

cheers,
raf