lldb ...
Rainer Müller
raimue at macports.org
Fri Sep 9 03:10:05 PDT 2016
On 2016-09-09 11:26, Jeremy Huddleston Sequoia wrote:
> Yes. The fact that we aren't doing that for the binary packages that
> we ship is quite embarrassing. We should solve this problem more
> generally such that we can ship properly signed binaries for every
> port. Users installing the binary packages that we ship right now
> are running unsigned code, and that is quite frightening. There's
> nothing guaranteeing that the package hasn't been MITMd. There's no
> way for us to revoke a certificate if it turns out that our build
> servers had been compromised, etc.
This is just not true. All of our binary archives are in fact signed
with a detached .rmd160 signature that is verified before installation
when downloading from a mirror.
This signature is for all files in the tarball and not just for the
binaries. This is already more than codesigning would provide.
If your machine is compromised in a way that the binaries can be
replaced, this is out of the scope of MacPorts and a signature on the
binary will not help in any way.
The key can be revoked by releasing a new MacPorts version, or you can
just remove it from /opt/local/etc/macports/pubkeys.conf.
>> OTOH, if portfile devs have to indicate which binary is to be
>> signed they can just as well add a PortGroup to be able to access
>> that functionality.
>
> Yeah, it would be much better if we just signed every Mach-O in the
> destroot of every port.
What do we gain from that? Everything else would still be unsigned.
>> So in your approach users who want to install a debugger port will
>> become power users, change their configuration and then what?
>> Rebuild everything if they've been building from source,
>
> No, they just need everything that the debugger executable links
> against to be signed with a trusted certificate. That is no
> different than your case either. Either way, the debugger and all
> its dependencies need to be signed by a valid certificate.
That does not seem to be the case. In my testing on OS X 10.10 Yosemite,
it is enough to sign /opt/local/bin/ggdb with a trusted certificate to
get it working.
Did this change with El Capitan or Sierra?
Rainer
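To make the distinction in the message above concrete (one detached signature over the whole archive, checked against a trusted-key list before installation, with revocation by dropping the key from that list), here is an added example written for this page; it is not MacPorts' own code. It assumes a constructed in-memory archive, RSA keys generated on the fly, and SHA-256 from Go's standard library as a stand-in for the RIPEMD-160 digest behind the real `.rmd160` files; the `TrustedKeys` slice stands in for `/opt/local/etc/macports/pubkeys.conf`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustedKeys plays the role of pubkeys.conf: the public keys an
// installation will accept archive signatures from. Removing a key from
// this list is the revocation step described in the mail. (Assumption:
// the real file holds PEM keys on disk; here they stay in memory.)
type TrustedKeys []*rsa.PublicKey

// SignArchive produces a detached signature over the entire archive,
// i.e. every file in the tarball, not just the Mach-O binaries inside it.
// SHA-256 is used here as a stand-in for RIPEMD-160 (assumption).
func SignArchive(priv *rsa.PrivateKey, archive []byte) ([]byte, error) {
	digest := sha256.Sum256(archive)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyArchive checks the detached signature against each trusted key and
// returns the index of the key that accepted it. A tampered archive and an
// archive signed by a key no longer in the list are rejected the same way.
func VerifyArchive(keys TrustedKeys, archive, sig []byte) (int, error) {
	digest := sha256.Sum256(archive)
	for i, pub := range keys {
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err == nil {
			return i, nil
		}
	}
	return -1, errors.New("archive signature does not match any trusted key")
}

// RevokeKey returns a copy of the trusted list without the key at idx,
// mirroring "just remove it from pubkeys.conf".
func RevokeKey(keys TrustedKeys, idx int) TrustedKeys {
	out := make(TrustedKeys, 0, len(keys))
	for i, k := range keys {
		if i != idx {
			out = append(out, k)
		}
	}
	return out
}

// RunScenario walks through the three cases a verifier must get right:
// a genuine archive verifies, a modified archive does not, and a signature
// from a revoked key does not. It returns the three verification outcomes.
func RunScenario() (genuineOK, tamperedOK, revokedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	// Constructed stand-in for a binary archive (tarball bytes).
	archive := []byte("constructed-port-1.0_0.darwin_14.x86_64.tbz2 contents")

	sig, err := SignArchive(priv, archive)
	if err != nil {
		return false, false, false, err
	}
	trusted := TrustedKeys{&priv.PublicKey}

	_, e1 := VerifyArchive(trusted, archive, sig)
	genuineOK = e1 == nil

	// Flip one byte anywhere in the archive: the whole-archive signature
	// catches it, even if the byte is in a non-executable file.
	tampered := append([]byte(nil), archive...)
	tampered[len(tampered)-1] ^= 0x01
	_, e2 := VerifyArchive(trusted, tampered, sig)
	tamperedOK = e2 == nil

	// Revoke the key by removing it from the trusted list.
	_, e3 := VerifyArchive(RevokeKey(trusted, 0), archive, sig)
	revokedOK = e3 == nil
	return genuineOK, tamperedOK, revokedOK, nil
}

func main() {
	g, t, r, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v, revoked verifies: %v\n", g, t, r)
}
```

The point the scenario makes is the one in the reply: because the signature covers the archive as a unit, replacing any file (a script, a plist, a library) in transit is detected at install time, and trust is withdrawn by editing the key list rather than by anything embedded in the binaries themselves.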