Opened 8 years ago

Last modified 2 years ago

#51504 new enhancement

codesigning portgroup

Reported by: RJVB (René Bertin) Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version:
Keywords: portgroup, codesign Cc: mkae (Marko Käning), yan12125 (Chih-Hsuan Yen), mascguy (Christopher Nielsen)
Port:

Description

We had a very short discussion about some kind of support for code-signing, somewhere last week.

I have since remembered that KDE PIM applications have a habit of causing do you want application akonadi_foo_agent to accept incoming connections unless they're signed even by a self-signed key.

I've thus whipped up a very rudimentary PortGroup to provide a codesign procedure that is a priori to be called during the post-activate. The principle is simple: if ${prefix}/etc/macports/codesign-identify.tcl exists, the procedure attempts to read a variable identity from it which must be a non-empty string . If that succeeds, all files passed in the argument(s) to codesign are signed, one by one.

I don't really have any suggestions how to handle errors during this operation, so I'm just ignoring them.

There is of course a rather evident source of error here: signing identities correspond to a certificate that must be stored in a keychain on the calling user's keychain list. It turns out that even with macportsuser set to myself (I know, bad) my regular signing identity isn't found, not even when I invoke the procedure from a Portfile "root" (to test with port info foo). I don't understand why that is (it is found when I sudo codesign -s identity ...) . It might thus be necessary to store the key in the/a system keychain and instruct codesign to use that chain? Other than that the procedure works, using set identity "-" to sign with an ad-hoc key.

Attachments (1)

code-sign-1.0.tcl (5.1 KB) - added by RJVB (René Bertin) 8 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 8 years ago by RJVB (René Bertin)

NB: does anyone know what the restrictions are with ad-hoc signing (man codesign just tells me to "check documentation").

Also, the procedure could get a port blacklist or whitelist feature, so that users can have the final word which ports they allow to sign applications.

comment:2 Changed 8 years ago by RJVB (René Bertin)

A further evolved version:

  • reads from a proper .conf file (${prefix}/etc/macports/codesigning.conf)
  • also reads a signing user name from that file
  • identity and username can be overridden from the arguments.

There's probably little use for specifying a username from the Portfile but well...

It turns out that a username is required unless you use the ad hoc identify ("-") or your macports user has the requested signing identity (certificate) in the keychain. It took me a while to realise that even if the MacPorts user is set to your login name (my case), "base" changes the HOME env. variable. And because of that the codesign command cannot find the signing certificate even if it's running as yourself.

Changed 8 years ago by RJVB (René Bertin)

Attachment: code-sign-1.0.tcl added

comment:3 Changed 8 years ago by mkae (Marko Käning)

Cc: mk@… added

Cc Me!

comment:4 Changed 5 years ago by yan12125 (Chih-Hsuan Yen)

Cc: yan12125 added

comment:5 Changed 2 years ago by mascguy (Christopher Nielsen)

Cc: mascguy added

comment:6 Changed 2 years ago by mascguy (Christopher Nielsen)

Keywords: portgroup added

Add keyword portgroup, to pg-related tickets

comment:7 Changed 2 years ago by mascguy (Christopher Nielsen)

Keywords: codesign added

Related to issue

Version 0, edited 2 years ago by mascguy (Christopher Nielsen) (next)
Note: See TracTickets for help on using tickets.