Opened 3 years ago

Last modified 3 years ago

#53411 new enhancement

macports-base codesigning ?

Reported by: juju4 (Julien)
Owned by:
Priority: Normal
Milestone:
Component: base
Version: 2.4.0
Keywords:
Cc: neverpanic (Clemens Lang)
Port:

Description (last modified by ryandesign (Ryan Schmidt))

I'm using MacPorts on macOS 10.11 and 10.12 with Google Santa (https://github.com/google/santa), which allows whitelisting and blacklisting binaries. It can be done both by path+checksum and by certificates.

It seems that with most port selfupdate/sync runs of MacPorts, I get a change to /opt/local/libexec/macports/bin/tclsh8.5 and a few others. Hopefully it's legit, but as it is not signed, I have to whitelist it again each time.

Is there any work to get MacPorts base binaries signed? Ideally, base and all binaries distributed by the project would be codesigned by MacPorts, and any locally compiled port would be compiled by the local user if an identity is available.

I see that it has evolved positively in recent months for ports.

So why not bring it to base :)

That would be a very helpful improvement to security.

Thanks

Change History (4)

comment:1 Changed 3 years ago by neverpanic (Clemens Lang)

Cc: neverpanic added

comment:2 Changed 3 years ago by ryandesign (Ryan Schmidt)

Description: modified (diff)

comment:3 Changed 3 years ago by jmroot (Joshua Root)

Just signing the output of compiling arbitrary unaudited source isn't really much of an improvement to security. Plus you really need to use a Developer ID to make Apple's stuff entirely happy.

That's not to say something of this kind might not be useful, but it needs careful design to ensure it's actually improving security and not just giving a false sense of it.

The installer pkg is already signed BTW; does using that to upgrade make any difference for your tools?

comment:4 Changed 3 years ago by juju4 (Julien)

I'm mostly talking about macports-base and the port command, which I hope developers review regularly. For sure an audit would be best. But a signature is not in any way linked to an audit. I'm pretty sure most signed apps, either on the Mac App Store or the iOS App Store, were never really audited.

It's more about distribution and origin of the file, like a gpg --verify. If the installer is signed, why not use the same signature for the executable binary files attached to it? The installer signature is checked at install time, but there is none at binary execution.

In my setup with a whitelisting configuration, certificates are the way to ensure files are coming from the same origin and can be trusted as they were before. If I don't trust it, I blacklist the corresponding certificates. Currently, without a certificate signature, I have to whitelist some files again (mostly tclsh) by hash at each base update, else they are blocked. That's what I currently do.
