On 2016-09-16 10:18, Jeremy Huddleston Sequoia wrote:
> Yeah, this contradicts what I'm seeing as expected. Given that
> you've signed /opt/local/bin/ggdb with an entitlement, it should be
> CS_RESTRICT which should imply CS_HARD. The lack of a code signature
> would trigger !CS_VALID which would prevent the process from loading
> the unsigned libraries.

There is actually no entitlement data in the code-signature itself. The
access is granted by embedding an Info.plist into the binary:

$ otool -P /opt/local/bin/ggdb
/opt/local/bin/ggdb:
(__TEXT,__info_plist) section
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>org.gnu.gdb</string>
    <key>CFBundleName</key>
    <string>gdb</string>
    <key>CFBundleVersion</key>
    <string>1.0</string>
    <key>SecTaskAccess</key>
    <array>
        <string>allowed</string>
        <string>debug</string>
    </array>
</dict>
</plist>

Probably that is why these rules are not enforced?

Rainer
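
Added example, not part of the original message or of the MacPorts or gdb sources: reading the (__TEXT,__info_plist) section that otool -P prints above and listing its SecTaskAccess values, so binaries can be audited for this grant independently of what their code signature carries. It handles thin 64-bit little-endian Mach-O files only; the function names and the sample binary built by build_sample are constructed for illustration.

```python
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19

def embedded_info_plist(macho: bytes):
    """Return the plist in (__TEXT,__info_plist) as a dict, or None if absent."""
    if len(macho) < 32 or struct.unpack_from("<I", macho)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    ncmds = struct.unpack_from("<I", macho, 16)[0]
    off = 32                                   # load commands follow mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", macho, off + 64)[0]
            for i in range(nsects):            # section_64 records follow the 72-byte header
                sectname, segname, _addr, size, fileoff = struct.unpack_from(
                    "<16s16sQQI", macho, off + 72 + 80 * i)
                if (segname.rstrip(b"\0"), sectname.rstrip(b"\0")) == (b"__TEXT", b"__info_plist"):
                    raw = macho[fileoff:fileoff + size]
                    return plistlib.loads(raw.rstrip(b"\0"))  # tolerate NUL padding, if any
        off += cmdsize
    return None

def sec_task_access(macho: bytes):
    """SecTaskAccess values the binary declares through its embedded Info.plist."""
    plist = embedded_info_plist(macho)
    return list(plist.get("SecTaskAccess", [])) if plist else []

def build_sample(plist: bytes, sectname: bytes = b"__info_plist") -> bytes:
    """Constructed test input: header, one __TEXT segment, one section, then the plist."""
    data_off = 32 + 72 + 80
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, 72 + 80, 0, 0)
    seg = struct.pack("<II16s4Q4I", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      0, 0, 0, data_off + len(plist), 7, 5, 1, 0)
    sect = struct.pack("<16s16sQQ8I", sectname, b"__TEXT", 0, len(plist),
                       data_off, 0, 0, 0, 0, 0, 0, 0)
    return hdr + seg + sect + plist

# Constructed sample carrying the keys shown in the otool output above.
SAMPLE = build_sample(plistlib.dumps({"CFBundleIdentifier": "org.gnu.gdb",
                                      "SecTaskAccess": ["allowed", "debug"]}))

if __name__ == "__main__":
    print(sec_task_access(SAMPLE))
```

On a real system the input would be the bytes of the binary itself, for example the contents of /opt/local/bin/ggdb read in binary mode.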