Signing packages without violating restrictions/laws

Brandon Allbery allbery.b at gmail.com
Mon Apr 18 13:27:26 PDT 2016


On Mon, Apr 18, 2016 at 4:12 PM, Mojca Miklavec <mojca at macports.org> wrote:

> Apparently USA export
> restrictions forbid exporting software that does cryptography


Umm, ITAR's had an OSS exemption for years. Are you reading old information?


> (and
> some other countries might have import restrictions).
>

Sadly still true.

> I have a problem understanding those rules because we are not dealing
> with encrypted information, but merely use the same algorithms to
> verify authenticity of the packages.
>

The law is often a blunt object, especially when formulated by those who do
not understand the thing being regulated.

> My main question is: what options do we have (if any) to make package
> verifications work out of the box (and without violating any
> import/export restrictions) on Mac OS X? (The code signing is done on
> Linux.)
>

It's nigh impossible to keep up with all relevant laws worldwide; the best
you can do is obey the laws in the jurisdiction(s) providing the software
and warn potential users that they must check their appropriate local
regulations --- then try to help them on a case by case basis.

> By glimpsing through some parts of the source code in MacPorts I see
> mention of "productsign" and "openssl" to do the job, but I didn't yet
>

productsign is used in creating signed OS X installer packages, and you
simply can't do that sensibly on Linux.

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
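As an added example (not MacPorts' own code) for the verification question quoted above: a detached-signature round trip with the openssl CLI, where the Linux build host signs with the private key and the macOS client verifies with nothing but the public key. The key file names, the constructed archive and the choice of sha256 are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not MacPorts' own code. A detached signature is made on the
# build host with the private key and checked on the client with only the
# public key and the openssl CLI. Key file names, the sample archive and the
# use of sha256 are assumptions for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build-host side (Linux), done once: the private key never leaves the build
# host; only the public half is shipped to clients.
gen_signing_key() {  # $1 private key out, $2 public key out
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# Build-host side: sign each archive, producing a detached signature file.
sign_archive() {  # $1 private key, $2 archive, $3 signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Client side (macOS): verify before installing. Exit status is 0 only when
# the signature matches both the public key and the archive bytes.
verify_archive() {  # $1 public key, $2 archive, $3 detached signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# End-to-end run on a constructed archive: the genuine archive must verify,
# and the same archive with one byte appended must be rejected.
demo() {
    gen_signing_key "$WORK/build.key" "$WORK/build.pub"
    printf 'constructed archive contents\n' > "$WORK/foo-1.0.tbz2"
    sign_archive "$WORK/build.key" "$WORK/foo-1.0.tbz2" "$WORK/foo-1.0.tbz2.sig"
    verify_archive "$WORK/build.pub" "$WORK/foo-1.0.tbz2" "$WORK/foo-1.0.tbz2.sig" || return 1
    printf 'x' >> "$WORK/foo-1.0.tbz2"
    if verify_archive "$WORK/build.pub" "$WORK/foo-1.0.tbz2" "$WORK/foo-1.0.tbz2.sig"; then
        return 1  # a tampered archive verified: that is a failure
    fi
    return 0
}

demo && echo "sign/verify round trip OK, tampered archive rejected"
```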