On May 26, 2021, at 00:34, DaveC wrote:

> Being more aware—as we all are, now—of security on my Mac, what precautions 
> should I be taking when downloading installs such as MP, and others (some as 
> source code to be built “domestically”)?
> 
> Not having done anything about security when installing these in the past, 
> I’m new to this. Are there checksums available for these? I don’t recall 
> seeing any. Or other method to verify?

When you install any software, you are trusting the developers of that software 
that the software is good and correct and not malicious.

On Apple platforms, software installers are signed with a digital certificate. 
By installing the software, you are indicating your trust of whoever that 
digital certificate is issued to.

If Apple ever discovered that malicious software had been released by someone, 
they would revoke their digital certificate, and then you wouldn't be able to 
install that software anymore. Here's how that works: 
https://eclecticlight.co/2020/10/16/how-does-your-mac-know-when-apple-revokes-a-developer-certificate/

The MacPorts installer is signed with the digital certificate of MacPorts 
manager Joshua Root; if you trust him and all the developers who contributed 
code to MacPorts base and those who have reviewed the commits and decided they 
were ok, then you can run the installer.

When you use MacPorts to install software, you trust the developers of that 
software, and the person who contributed the portfile to MacPorts and the 
people who reviewed that contribution. Most ports fetch their source code via 
distfiles, and those distfiles are verified with checksums that are recorded in 
the portfile. This ensures that when you install a port from source, you can be 
sure that the code you are installing is the same as the code that was used by 
whoever contributed or updated the port.

Most ports in MacPorts have their distfiles verified by at least two different 
checksum types, to guard against any one checksum mechanism becoming insecure. 
Some older ports that haven't been updated in more than a decade verify their 
distfiles with only one checksum type, often md5, which is an insecure 
mechanism. If such old ports are no longer needed, they should be removed. If 
they are still needed and can be updated to a newer version, they should be 
updated. If they are still needed and no new version is available, someone 
should fetch the distfile, verify the md5 checksum, attempt to confirm that the 
contents of the file have not been compromised, and then replace the md5 
checksum with two or more modern checksums, such as our current default set of 
rmd160, sha256, and size.

A small minority of ports fetch source code via a revision control system 
rather than distfiles, and these can be less secure. Ports that fetch a specific 
commit hash from a git repository are secure in that they will use that exact 
version of the code. (If the content of the code had changed at all in the 
upstream repository, then the commit hash would change too.) But most ports 
that fetch from git probably do so via a tag rather than a commit hash, and 
these may not be secure because it would be possible for someone with write 
access to the upstream repository to delete a tag and recreate it pointing to a 
different commit hash. Ports that fetch from a Subversion repository might not 
be secure because only a repository URL and revision integer are used when 
fetching. Although Subversion repositories are designed to prevent history from 
being altered during normal use, it is possible for an administrator to "dump" 
the repository to an intermediate file, use tools to alter the contents of that 
dump file, then load the result into a new repository. MacPorts supports 
several other revision control systems which may have varying security 
qualities. We recommend portfiles fetch using distfiles so that what's fetched 
can be verified with checksums. Work was begun years ago to generate distfiles 
automatically for ports that fetch from an RCS, which could then be checksummed 
as usual and would make these problems go away, but it has not yet been 
completed.

If when installing or upgrading a port you receive a binary package built by 
our buildbot system, in addition to trusting the software developer and 
portfile author, you trust that I have set up the buildbot servers properly and 
without injecting anything malicious into the files that are produced. (Prior 
to late 2016, you were trusting Apple, who ran our build system until then.) 
Our buildbot signs our binary packages with our private key. MacPorts on your 
computer verifies using our public key that the package was not damaged in 
transit before installing it.
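As an added illustration of the distfile verification described above (this is not code from the message or from MacPorts itself), the following parses a Portfile-style `checksums` block and checks a file's bytes against every recorded entry, treating rmd160 as unavailable rather than failing if the local OpenSSL build lacks it. The sample distfile bytes and checksums block are constructed; the digests are the standard "abc" test vectors.

```python
import hashlib

# Constructed sample: the bytes "abc" stand in for a downloaded distfile, and
# the checksums block is written the way MacPorts Portfiles record them
# (rmd160 + sha256 + size). The digests are the standard "abc" test vectors.
SAMPLE_DISTFILE = b"abc"
SAMPLE_CHECKSUMS = """checksums           rmd160  8eb208f7e05d987a9b044a8e98c6b087f15a0bfc \\
                    sha256  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \\
                    size    3
"""

# "size" alone proves nothing and md5 is considered broken; require one of these.
STRONG_HASHES = {"sha256", "rmd160"}


def parse_checksums(block):
    """Turn a single-distfile Portfile checksums block into {type: value}."""
    joined = " ".join(line.rstrip().rstrip("\\") for line in block.splitlines())
    tokens = joined.split()
    if not tokens or tokens[0] != "checksums" or len(tokens) % 2 != 1:
        raise ValueError("unrecognised checksums block")
    return dict(zip(tokens[1::2], tokens[2::2]))


def verify_bytes(data, expected):
    """Check every recorded checksum; return (verdict, per-check results).

    verdict is True only if every checkable entry matches and at least one
    strong hash was actually checked. rmd160 is reported as "unavailable"
    rather than failing when the local OpenSSL build does not provide it."""
    results = {}
    for ctype, value in expected.items():
        if ctype == "size":
            results[ctype] = "ok" if len(data) == int(value) else "mismatch"
            continue
        try:  # hashlib knows rmd160 under its OpenSSL name "ripemd160"
            digest = hashlib.new("ripemd160" if ctype == "rmd160" else ctype, data)
        except ValueError:
            results[ctype] = "unavailable"
            continue
        results[ctype] = "ok" if digest.hexdigest() == value.lower() else "mismatch"
    strong_ok = any(results.get(h) == "ok" for h in STRONG_HASHES)
    verdict = strong_ok and all(r in ("ok", "unavailable") for r in results.values())
    return verdict, results


def demo():
    """Verify the constructed distfile against its recorded checksums."""
    return verify_bytes(SAMPLE_DISTFILE, parse_checksums(SAMPLE_CHECKSUMS))
```

A tampered download (even one byte changed, with the size left intact) fails the sha256 check, which is why the size entry is never sufficient on its own.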
