Howdy All -- certsync is tested and works on 10.6+, and is building successfully on all the buildbots, and a MacPorts update has now shipped with support for auto-loading certsync's startup item. I've been running certsync since May without any noticed ill-effects.
I would like to propose that we move to using certsync by default, as a replacement for curl-ca-bundle. To briefly rehash the benefits of certsync:

- Uses the CAs Apple provides -- that way MacPorts doesn't have to be in the business of distributing CA certificates.
- Also includes any custom CAs that the user has added. This is the case for many people who use internal CAs to sign certificates for their corporate (or personal) services.
- Automatically updates when the System Keychain(s) or trust settings are modified.

Thoughts?

-landonf

On May 13, 2013, at 21:39 , Landon Fuller <land...@macports.org> wrote:

> Howdy,
>
> Over the weekend I whipped up (and added a port for) 'certsync'; it's a small
> tool that fetches all trusted certificates from the Mac OS X system keychain,
> and then spits them out as an OpenSSL-readable pem-encoded certificate bundle.
>
> The goal was to provide a replacement for curl-ca-bundle with the following
> benefits:
> - Uses the CAs Apple provides -- that way MacPorts doesn't have to be
> in the business of distributing CA certificates.
> - Also includes any custom CAs that the user has added. This is the
> case for many people who use internal CAs to sign certificates for their
> corporate (or personal) services.
> - Automatically updates (if the launchd item is loaded) when the System
> Keychain(s) or trust settings are modified.
>
> There are a few gotchas that I could use input on, however:
> - curl-ca-bundle currently lays claim to
> ${prefix}/etc/openssl/cacerts.pem. This conflicts with certsync, and there's
> no way to have both installed at the same time.
> - A small number of ports directly depend on curl-ca-bundle to ensure
> that valid CA certificates are available.
> - certsync can only keep the cert.pem file up-to-date if the launchd
> item is enabled. Ideally that would be done by default, but that's not
> currently supported.
>
> Any thoughts on how to proceed?
>
> I'm currently using certsync locally; to install, you'll have to:
> sudo port -f deactivate curl-ca-bundle
> sudo port install certsync
>
> -landonf
> _______________________________________________
> macports-dev mailing list
> macports-dev@lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/macports-dev
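As an added example (not certsync's own code, nor anything from the MacPorts project), the POSIX shell script below rebuilds the same kind of OpenSSL-readable bundle from the two keychains certsync draws on, using Apple's `security` tool, and reports how many of the exported CAs are custom additions rather than Apple-shipped roots. The keychain paths, function names and the `/opt/local` prefix are my assumptions, and unlike certsync it does not consult trust settings: every certificate in each keychain is exported, not only the ones marked trusted.

```shell
#!/bin/sh
# Added example, not certsync's own code: rebuild an OpenSSL-readable CA
# bundle from the two keychains certsync reads, using Apple's `security`
# tool. Caveat: `security find-certificate` ignores trust settings, so
# every certificate in each keychain is exported, whereas certsync only
# emits the ones the system marks trusted. Paths and names are assumptions.

# Keychains read on Mac OS X 10.6+ (paths assumed from that era's layout).
ROOTS_KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Print every certificate in keychain $1 as PEM, one block per certificate.
export_keychain_pems() {
    security find-certificate -a -p "$1"
}

# Print the number of PEM certificate blocks in file $1 (0 if none).
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || n=0
    echo "$n"
}

# Build bundle $1 from both keychains and report how many CAs came from
# Apple's root store versus the admin-managed System keychain, i.e. how
# many custom CAs the bundle extends trust to.
# Returns 2 when `security` is missing (not macOS), 1 when no root
# certificates were exported, 0 on success.
build_bundle() {
    out=$1
    command -v security >/dev/null 2>&1 || return 2
    tmpdir=$(mktemp -d) || return 1
    export_keychain_pems "$ROOTS_KEYCHAIN" > "$tmpdir/roots.pem"
    export_keychain_pems "$SYSTEM_KEYCHAIN" > "$tmpdir/system.pem" 2>/dev/null
    roots=$(count_pem_certs "$tmpdir/roots.pem")
    custom=$(count_pem_certs "$tmpdir/system.pem")
    if [ "$roots" -eq 0 ]; then
        rm -rf "$tmpdir"
        return 1
    fi
    # Assemble beside the target and rename, so OpenSSL never reads a
    # half-written cacerts.pem.
    cat "$tmpdir/roots.pem" "$tmpdir/system.pem" > "$out.tmp.$$" \
        && mv "$out.tmp.$$" "$out"
    rc=$?
    rm -rf "$tmpdir"
    echo "Apple roots: $roots, custom CAs from System keychain: $custom"
    return "$rc"
}

# Usage on a MacPorts system (default prefix assumed), writing to the path
# curl-ca-bundle and certsync both claim:
# build_bundle /opt/local/etc/openssl/cacerts.pem
```

The custom-CA count is the figure worth reviewing after a run: each entry is a CA that every OpenSSL-based port will now trust, so an unexpected addition to the System keychain shows up here.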