> I’m using a couple of ports that deliver services (unbound/nsd, dovecot, postfix, nginx, minIO, etc.) and the reliability of these being able to be started and used becomes less and less over the successive macOS versions. I have no proof, but I get the distinct feeling that unsigned code is not high on Apple’s list of supporting. One can for instance allow them in Firewall, but the actual working of that is often iffy (e.g. I updated unbound/nsd on a test system yesterday, could not reach unbound while it was running, only when the firewall was turned off — allowing it did not work, allowing worked after a reboot). I have other ‘iffyness’ for instance with stuff started from launchd.
>
> Apple has been working hard at security deep in the OS (think the separation of volumes that make up a single file system) and they seem to take their choices mostly for granted, exceptions do not get a lot of attention. One of those choices seems to be code signing. Unsigned code ends up in all kinds of poorly-managed/built exceptions, unexplainable lack of working, and even (my feeling is)
>
> In other words: isn’t it at some point becoming important to have some sort of process where we can support this? This might not be fully automated, but for instance a wiki entry how to set it up from start to finish with some manual actions after you have fully activated a port.
Yes indeed, code-signing will be increasingly important going forward. And some recent discussion took place via this thread: https://lists.macports.org/pipermail/macports-dev/2022-July/044424.html

Relative to how we automate all of this, well, that’s still TBD. Thoughts/comments certainly welcome!