[MacPorts] #51504: codesigning portgroup
#51504: codesigning portgroup -------------------------+-------------------------------- Reporter: rjvbertin@… | Owner: macports-tickets@… Type: enhancement | Status: new Priority: Normal | Milestone: Component: ports | Version: Keywords: | Port: -------------------------+-------------------------------- We had a very short discussion about some kind of support for code- signing, somewhere last week. I have since remembered that KDE PIM applications have a habit of causing `do you want application akonadi_foo_agent to accept incoming connections` unless they're signed even by a self-signed key. I've thus whipped up a very rudimentary PortGroup to provide a `codesign` procedure that is a priori to be called during the `post-activate`. The principle is simple: if `${prefix}/etc/macports/codesign-identify.tcl` exists, the procedure attempts to read a variable `identity` from it which must be a non-empty string . If that succeeds, all files passed in the argument(s) to `codesign` are signed, one by one. I don't really have any suggestions how to handle errors during this operation, so I'm just ignoring them. There is of course a rather evident source of error here: signing identities correspond to a certificate that must be stored in a keychain on the calling user's keychain list. It turns out that even with `macportsuser` set to myself (I know, bad) my regular signing identity isn't found, not even when I invoke the procedure from a Portfile "root" (to test with `port info foo`). I don't understand why that is (it is found when I `sudo codesign -s identity ...`) . It might thus be necessary to store the key in the/a system keychain and instruct `codesign` to use that chain? Other than that the procedure works, using `set identity "-"` to sign with an ad-hoc key. -- Ticket URL: <https://trac.macports.org/ticket/51504> MacPorts <https://www.macports.org/> Ports system for OS X
#51504: codesigning portgroup --------------------------+-------------------------------- Reporter: rjvbertin@… | Owner: macports-tickets@… Type: enhancement | Status: new Priority: Normal | Milestone: Component: ports | Version: Resolution: | Keywords: Port: | --------------------------+-------------------------------- Comment (by rjvbertin@…): NB: does anyone know what the restrictions are with ad-hoc signing (`man codesign` just tells me to "check documentation"). Also, the procedure could get a port blacklist or whitelist feature, so that users can have the final word which ports they allow to sign applications. -- Ticket URL: <https://trac.macports.org/ticket/51504#comment:1> MacPorts <https://www.macports.org/> Ports system for OS X
#51504: codesigning portgroup --------------------------+-------------------------------- Reporter: rjvbertin@… | Owner: macports-tickets@… Type: enhancement | Status: new Priority: Normal | Milestone: Component: ports | Version: Resolution: | Keywords: Port: | --------------------------+-------------------------------- Comment (by rjvbertin@…): A further evolved version: - reads from a proper .conf file (${prefix}/etc/macports/codesigning.conf) - also reads a signing user name from that file - identity and username can be overridden from the arguments. There's probably little use for specifying a username from the Portfile but well... It turns out that a username is required unless you use the ad hoc identify ("-") or your macports user has the requested signing identity (certificate) in the keychain. It took me a while to realise that even if the MacPorts user is set to your login name (my case), "base" changes the `HOME` env. variable. And because of that the codesign command cannot find the signing certificate even if it's running as yourself. -- Ticket URL: <https://trac.macports.org/ticket/51504#comment:2> MacPorts <https://www.macports.org/> Ports system for macOS
participants (1)
-
MacPorts