certificate update for old Macs

Richard L. Hamilton rlhamil at smart.net
Tue Jan 4 20:11:46 UTC 2022

> On Jan 4, 2022, at 14:37, Michael <keybounce at gmail.com> wrote:
> On 2022-01-03, at 4:12 PM, Richard L. Hamilton <rlhamil at smart.net> wrote:
>> The only problem with that or anything similar, is that unless you go to quite a lot of work to just download rather than install the PEM file, and convert it into something human readable WITHOUT installing it, and investigate every certificate in there, you're trusting that the site you got it from is not only legit, but is secure and hasn't been hacked to alter the file to provide some very bogus certificates that could work together with some sort of DNS spoofing to get you to feed sensitive information (i.e. bank passwords, etc) via an untrusted site that would capture it.
> Makes sense. Now, how do you go about turning a certificate into something human readable? Serious question, I have *never* seen this discussed anywhere.

The file that the script downloads is a whole bunch of PEM files concatenated together. The script shows splitting that into separate files at the start lines. Once that's done,

for file in *.pem; do
	# decode each certificate into a readable text dump next to the original
	openssl x509 -in "$file" -text > "$file.txt"
done

will convert them to something you can look at. But that's the easy part. Looking at them and making sense of them and investigating each of the 169 will take you a day or two, which is why I'm not going to say much more about it. Probably IF one used a more trusted set of root certificates for comparison, one could decide which were definitely ok and which needed further investigation, but automating all that would NOT BE FUN.

Arguably the best solution is to get ahold of the certificates bundled in the latest OS version and use those, but no doubt that's often easier said than done, although you can (given enough space) download the update image on your old hardware that cannot run it, and (given enough knowledge) dig those certificates out of the update image and get them into a form that you can then import into your old system.

Realistically a lot could be fixed by just using keychain access to look for expired root certificates, and then look through one of those stashes for their replacements. Again manually, unless you want to do some very creative automating. I'm not volunteering to kill days or more doing that!

> Everyone just says "As long as the roots are good you can trust the chain", and that's never made sense to me. The whole "trust what strangers say" system seems more like "Find a way for companies to make money" than any good security system.

Everything has to start somewhere. Usually that's with an OS or browser vendor that decides which root certificates to bundle. (Do you REALLY want one planetary certificate at the tip-top provided by the UN, with all subordinate certificate issuers (government OR commercial) rooted to that? It'd be possible, but it's probably better trusting a bunch of different folks than trusting one with absolute power to break everything.) Site or personal certificates chain back to the issuer's certificate. There are FREE CERTIFICATE ISSUERS, but they have their own problems, chiefly no budget, so jumping all the auditing hoops (or even keeping their infrastructure reliable) needed to get OS and browser vendors to include them can be a problem for them. And old OSs and the older browser versions supported on them for browsers other than the one that comes with the OS, are not supported forever because nobody is getting paid to do that, so they don't get updates for expired certificates, new certificate issuers, etc.

Programmers and such gotta eat too, have a roof over their heads, etc. Some even have little kiddies to feed, which is hardly greed, not that there's any shortage of actual greed.

Probably that site with the bunch to download is fine, but I don't have access to a list of baddies, so I'm at best ambivalent about trusting it without more digging first than I'm likely to do. At most, I'd do it to make stuff that didn't matter work on an old system, but never run anything that could lose me $$ or compromise accounts on there - so I'd have root certificates but NOT iCloud keychain access enabled nor any account passwords, personal certificates, etc on it.
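
The comparison against a more trusted set of root certificates that the message mentions, sketched as an added example that is not part of the original post or of any MacPorts script. It assumes python3 and two PEM bundles on disk; the function names are hypothetical and the embedded sample blocks are constructed placeholders, not real certificates.

```python
"""Triage a downloaded PEM bundle against a reference bundle you already trust."""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Map SHA-256 fingerprint (hex) -> 1-based position of each certificate block."""
    found = {}
    for index, match in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        der = base64.b64decode("".join(match.group(1).split()))
        found.setdefault(hashlib.sha256(der).hexdigest(), index)
    return found


def triage(downloaded_pem, reference_pem):
    """Return (known, unknown): positions in the download whose exact bytes
    do / do not also appear in the reference bundle."""
    reference = set(fingerprints(reference_pem))
    known, unknown = [], []
    for digest, index in fingerprints(downloaded_pem).items():
        (known if digest in reference else unknown).append(index)
    return known, unknown


def fake_pem(payload):
    # Constructed placeholder: arbitrary bytes in PEM armor, NOT a real certificate.
    body = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_REFERENCE = fake_pem(b"root-A") + fake_pem(b"root-B")
SAMPLE_DOWNLOAD = fake_pem(b"root-B") + fake_pem(b"root-X") + fake_pem(b"root-A")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: triage.py downloaded.pem reference.pem
        with open(sys.argv[1]) as d, open(sys.argv[2]) as r:
            known, unknown = triage(d.read(), r.read())
    else:
        known, unknown = triage(SAMPLE_DOWNLOAD, SAMPLE_REFERENCE)
    print("identical to a reference certificate:", known)
    print("needs manual review:", unknown)
```

A match means the block is byte-for-byte the same certificate as one in the reference bundle; anything in the review list is simply absent from the reference and still has to be inspected by hand.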
