On 2016-09-09 11:26, Jeremy Huddleston Sequoia wrote:

> Yes. The fact that we aren't doing that for the binary packages that
> we ship is quite embarrassing. We should solve this problem more
> generally such that we can ship properly signed binaries for every
> port. Users installing the binary packages that we ship right now
> are running unsigned code, and that is quite frightening. There's
> nothing guaranteeing that the package hasn't been MITM'd. There's no
> way for us to revoke a certificate if it turns out that our build
> servers had been compromised, etc.
This is just not true. All of our binary archives are in fact signed with a detached .rmd160 signature that is verified before installation when downloading from a mirror. This signature is for all files in the tarball and not just for the binaries. This is already more than codesigning would provide. If your machine is compromised in a way that the binaries can be replaced, this is out of the scope of MacPorts and a signature on the binary will not help in any way. The key can be revoked by releasing a new MacPorts version, or you can just remove it from /opt/local/etc/macports/pubkeys.conf.

>> OTOH, if portfile devs have to indicate which binary is to be
>> signed they can just as well add a PortGroup to be able to access
>> that functionality.
>
> Yeah, it would be much better if we just signed every Mach-O in the
> destroot of every port.

What do we gain from that? Everything else would still be unsigned.

>> So in your approach users who want to install a debugger port will
>> become power users, change their configuration and then what?
>> Rebuild everything if they've been building from source,
>
> No, they just need everything that the debugger executable links
> against to be signed with a trusted certificate. That is no
> different than your case either. Either way, the debugger and all
> its dependencies need to be signed by a valid certificate.

That does not seem to be the case. In my testing on OS X 10.10 Yosemite, it is enough to sign /opt/local/bin/ggdb with a trusted certificate to get it working. Did this change with El Capitan or Sierra?

Rainer

_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev
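The detached-signature scheme Rainer describes (a whole-archive signature checked against a trusted public key before the archive is unpacked) can be reproduced with the openssl CLI. This is an added illustration, not MacPorts' own code: the key file names, the constructed destroot contents and the temporary work directory are all assumptions, and it falls back to SHA-256 on OpenSSL builds where the RIPEMD-160 digest is unavailable.

```shell
#!/bin/sh
# Constructed illustration of the detached-signature flow from the thread:
# the signature covers the whole tarball, and the verifier only trusts keys
# it has been given (pubkeys.conf in MacPorts). Not MacPorts' own code.
set -eu

WORK=$(mktemp -d)                      # assumption: scratch directory
trap 'rm -rf "$WORK"' EXIT

# MacPorts names the signature .rmd160 (RIPEMD-160). Some OpenSSL 3.0.x
# builds keep that digest in the legacy provider only, so fall back to SHA-256.
DIGEST=ripemd160
printf x | openssl dgst -ripemd160 >/dev/null 2>&1 || DIGEST=sha256

# Build-server side: one signing key pair; the public half is what a user
# would list as a trusted key.
openssl genrsa -out "$WORK/build.key" 2048 2>/dev/null
openssl rsa -in "$WORK/build.key" -pubout -out "$WORK/build.pub" 2>/dev/null

# Constructed "destroot": a binary plus a data file, so the check covers
# every file in the archive and not just the Mach-O.
mkdir -p "$WORK/destroot/bin" "$WORK/destroot/share"
printf 'binary payload\n' > "$WORK/destroot/bin/ggdb"
printf 'data file\n'      > "$WORK/destroot/share/ggdb.info"
tar -C "$WORK" -cf "$WORK/ggdb.tar" destroot

# Produce the detached signature file that travels next to the archive.
sign_archive() {
  openssl dgst "-$DIGEST" -sign "$WORK/build.key" -out "$2" "$1"
}

# Return 0 only if the archive matches its detached signature under the
# trusted public key; anything else (modified archive, wrong key) fails.
verify_archive() {
  openssl dgst "-$DIGEST" -verify "$WORK/build.pub" -signature "$2" "$1" \
    >/dev/null 2>&1
}

sign_archive "$WORK/ggdb.tar" "$WORK/ggdb.tar.rmd160"
if verify_archive "$WORK/ggdb.tar" "$WORK/ggdb.tar.rmd160"; then
  echo "untampered archive: verified"
else
  echo "untampered archive rejected (unexpected)"; exit 1
fi

# A single appended byte (the archive was altered after signing) must be refused.
cp "$WORK/ggdb.tar" "$WORK/ggdb-mitm.tar"
printf 'x' >> "$WORK/ggdb-mitm.tar"
if verify_archive "$WORK/ggdb-mitm.tar" "$WORK/ggdb.tar.rmd160"; then
  echo "modified archive accepted (BUG)"; exit 1
else
  echo "modified archive: rejected"
fi
```

Removing the corresponding public key from the trusted set is what makes the revocation Rainer mentions effective: with no matching key, verify_archive fails for every archive signed by that key.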