#42718: certsync fails to verify macports.org certificate
---------------------------+-----------------------
  Reporter:  ryandesign@…  |      Owner:  landonf@…
      Type:  defect        |     Status:  assigned
  Priority:  High          |  Milestone:
 Component:  ports         |    Version:  2.2.1
Resolution:                |   Keywords:
      Port:  certsync      |
---------------------------+-----------------------

Comment (by landonf@…):

 I've attached patch-mktemp-fixes-v0, which contains a proposed fix;
 testing+review is much appreciated before I commit it to the repo.

 Based on Raimue's comments, I implemented the first option; to check for
 certificate validity, I actually set up a SecTrustRef with the only anchor
 being the certificate being tested, and then evaluate self-trust of the
 certificate. If this fails, the certificate is expired or otherwise
 untrustable, even if it's marked as trusted. This approach should resolve
 the observed problem.

 Longer-term, I think it's more reasonable to go with the second option
 (Only export one valid/non-expired certificate per public key), and
 evaluate certificates according to internal heuristics based on what
 OpenSSL/gnutls will actually require. However, that requires a better
 API/model for working with certificates, and probably has to wait for the
 larger work I'm doing on implementing a certsync Security.framework-backed
 PKCS#11 module:
 https://opensource.plausible.coop/src/projects/CRTS/repos/certsync

--
Ticket URL: <https://trac.macports.org/ticket/42718#comment:6>
MacPorts <http://www.macports.org/>
Ports system for OS X
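The "self-trust" check described in the comment above, as an added example that is not the attached patch and not certsync's own code: the certificate under test is placed in a SecTrustRef as its only anchor (system and user anchor lists disabled) and evaluated under the basic X.509 policy, so an expired, not-yet-valid or self-signature-failing root is rejected regardless of how the keychain marks it. The file name, the command-line usage, the helper names and the choice of the system anchor list as sample input when no file is given are this example's own assumptions; it is written against the Security.framework calls available on the 10.9-era OS X this ticket concerns.

```objective-c
/* Added example, not certsync's code: evaluate a root certificate's
 * "self-trust" by making it the sole anchor of a SecTrustRef.
 * Build and run on OS X (names and usage are this example's choices):
 *   clang -framework Security -framework CoreFoundation selftrust.m -o selftrust
 *   ./selftrust            # check every system anchor (root CA) certificate
 *   ./selftrust root.der   # check one DER-encoded certificate from disk   */
#import <CoreFoundation/CoreFoundation.h>
#import <Security/Security.h>
#include <stdio.h>
#include <stdbool.h>

/* True only if the certificate validates against itself as the only anchor
 * under the basic X.509 policy. The raw result code is handed back so the
 * caller can tell "expired" (recoverable) from "malformed" (fatal). */
static bool cert_is_self_trusted(SecCertificateRef cert, SecTrustResultType *outResult)
{
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    CFArrayRef certs = CFArrayCreate(NULL, (const void **)&cert, 1, &kCFTypeArrayCallBacks);
    SecTrustRef trust = NULL;
    SecTrustResultType result = kSecTrustResultInvalid;
    bool trusted = false;

    if (SecTrustCreateWithCertificates(certs, policy, &trust) == errSecSuccess &&
        /* The certificate under test is the only permitted anchor; the
         * system and user anchor lists are not consulted at all. */
        SecTrustSetAnchorCertificates(trust, certs) == errSecSuccess &&
        SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess &&
        /* SecTrustEvaluate is the call available on 10.9-era targets;
         * 10.14+ code would use SecTrustEvaluateWithError instead. */
        SecTrustEvaluate(trust, &result) == errSecSuccess) {
        /* Proceed and Unspecified are the only two codes meaning "trusted". */
        trusted = (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified);
    }

    if (outResult) *outResult = result;
    if (trust) CFRelease(trust);
    CFRelease(certs);
    CFRelease(policy);
    return trusted;
}

static const char *result_name(SecTrustResultType r)
{
    switch (r) {
    case kSecTrustResultProceed:                 return "Proceed";
    case kSecTrustResultUnspecified:             return "Unspecified";
    case kSecTrustResultRecoverableTrustFailure: return "RecoverableTrustFailure (e.g. expired)";
    case kSecTrustResultFatalTrustFailure:       return "FatalTrustFailure";
    case kSecTrustResultDeny:                    return "Deny";
    default:                                     return "Invalid/other";
    }
}

/* One line per certificate: export/SKIP verdict, subject summary, result. */
static void report(SecCertificateRef cert)
{
    SecTrustResultType result;
    bool ok = cert_is_self_trusted(cert, &result);
    CFStringRef summary = SecCertificateCopySubjectSummary(cert);
    char buf[256] = "(no subject)";
    if (summary) {
        CFStringGetCString(summary, buf, sizeof buf, kCFStringEncodingUTF8);
        CFRelease(summary);
    }
    printf("%-6s %-40.40s %s\n", ok ? "export" : "SKIP", buf, result_name(result));
}

/* Reads a DER file; returns NULL if the bytes are not a parseable certificate. */
static SecCertificateRef load_der(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return NULL; }
    unsigned char buf[65536];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    CFDataRef data = CFDataCreate(NULL, buf, (CFIndex)n);
    SecCertificateRef cert = SecCertificateCreateWithData(NULL, data);
    CFRelease(data);
    return cert;
}

int main(int argc, char **argv)
{
    if (argc > 1) {
        SecCertificateRef cert = load_der(argv[1]);
        if (!cert) { fprintf(stderr, "%s: not a DER certificate\n", argv[1]); return 2; }
        report(cert);
        CFRelease(cert);
        return 0;
    }
    /* No argument: walk the system anchor (root CA) list, used here only as
     * convenient sample input, and flag every root that fails self-trust. */
    CFArrayRef anchors = NULL;
    if (SecTrustCopyAnchorCertificates(&anchors) != errSecSuccess) {
        fprintf(stderr, "SecTrustCopyAnchorCertificates failed\n");
        return 1;
    }
    for (CFIndex i = 0; i < CFArrayGetCount(anchors); i++)
        report((SecCertificateRef)CFArrayGetValueAtIndex(anchors, i));
    CFRelease(anchors);
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the check is only meaningful for self-signed roots: an intermediate or leaf certificate can never chain to itself, so it will always come back as RecoverableTrustFailure here, which is the wrong signal if such certificates are ever fed through the same filter. Second, this rejects expired roots but says nothing about the "one valid certificate per public key" deduplication the comment describes as the longer-term option; two still-valid roots sharing a key both pass.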