Opened 8 years ago
Last modified 2 years ago
#51504 new enhancement
codesigning portgroup
Reported by: | RJVB (René Bertin) | Owned by: | macports-tickets@… |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | portgroup, codesign | Cc: | mkae (Marko Käning), yan12125 (Chih-Hsuan Yen), mascguy (Christopher Nielsen) |
Port: |
Description
We had a very short discussion about some kind of support for code-signing, somewhere last week.
I have since remembered that KDE PIM applications have a habit of causing do you want application akonadi_foo_agent to accept incoming connections
unless they're signed even by a self-signed key.
I've thus whipped up a very rudimentary PortGroup to provide a codesign
procedure that is a priori to be called during the post-activate
.
The principle is simple: if ${prefix}/etc/macports/codesign-identify.tcl
exists, the procedure attempts to read a variable identity
from it which must be a non-empty string . If that succeeds, all files passed in the argument(s) to codesign
are signed, one by one.
I don't really have any suggestions how to handle errors during this operation, so I'm just ignoring them.
There is of course a rather evident source of error here: signing identities correspond to a certificate that must be stored in a keychain on the calling user's keychain list. It turns out that even with macportsuser
set to myself (I know, bad) my regular signing identity isn't found, not even when I invoke the procedure from a Portfile "root" (to test with port info foo
). I don't understand why that is (it is found when I sudo codesign -s identity ...
) . It might thus be necessary to store the key in the/a system keychain and instruct codesign
to use that chain?
Other than that the procedure works, using set identity "-"
to sign with an ad-hoc key.
Attachments (1)
Change History (8)
comment:1 Changed 8 years ago by RJVB (René Bertin)
comment:2 Changed 8 years ago by RJVB (René Bertin)
A further evolved version:
- reads from a proper .conf file (${prefix}/etc/macports/codesigning.conf)
- also reads a signing user name from that file
- identity and username can be overridden from the arguments.
There's probably little use for specifying a username from the Portfile but well...
It turns out that a username is required unless you use the ad hoc identify ("-") or your macports user has the requested signing identity (certificate) in the keychain. It took me a while to realise that even if the MacPorts user is set to your login name (my case), "base" changes the HOME
env. variable. And because of that the codesign command cannot find the signing certificate even if it's running as yourself.
Changed 8 years ago by RJVB (René Bertin)
Attachment: | code-sign-1.0.tcl added |
---|
comment:4 Changed 5 years ago by yan12125 (Chih-Hsuan Yen)
Cc: | yan12125 added |
---|
comment:5 Changed 2 years ago by mascguy (Christopher Nielsen)
Cc: | mascguy added |
---|
comment:6 Changed 2 years ago by mascguy (Christopher Nielsen)
Keywords: | portgroup added |
---|
Add keyword portgroup, to pg-related tickets
comment:7 Changed 2 years ago by mascguy (Christopher Nielsen)
Keywords: | codesign added |
---|
Related to issue
NB: does anyone know what the restrictions are with ad-hoc signing (
man codesign
just tells me to "check documentation").Also, the procedure could get a port blacklist or whitelist feature, so that users can have the final word which ports they allow to sign applications.