Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#56378 closed defect (wontfix)

clamav - freshclam blocked by little snitch as code signature is not valid

Reported by: facelikeapig
Owned by:
Priority: Normal
Milestone:
Component: ports
Version: 2.4.3
Keywords:
Cc:
Port: clamav

Description

Seems freshclam is not code signed; I cannot download the latest virus definitions because Little Snitch blocks the connection (freshclam not code signed).

Change History (7)

comment:1 Changed 6 years ago by pmetzger (Perry E. Metzger)

MacPorts doesn't do code signing. This also doesn't seem like a problem with the port; it sounds like you need to alter your Little Snitch configuration not to block this particular tool.

comment:2 Changed 6 years ago by facelikeapig

I see your point, and I partially agree; however, if I were to allow the tool (freshclam) to freely connect to the network, it sort of defeats the purpose of Little Snitch, as it could no longer recognise that a binary had been maliciously altered. That is the purpose of code signing. Note, I do not have issues with other binaries installed by MacPorts that also connect to the internet.

comment:3 Changed 6 years ago by kencu (Ken)

I guess you could try signing it. I don't know if you need a paid Apple Dev account for this or if you can do it for free on your own machine - I've had a Dev account for 20+ years now. I remember some discussion about this last year from Jeremy.

<https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html>

<https://help.apple.com/xcode/mac/current/#/dev154b28f09>
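As an added illustration of the "try signing it" suggestion (this is not code from the ticket, the clamav port, or MacPorts): a POSIX shell script that classifies a macOS binary's signature state from `codesign -dvv` output, audits a directory for binaries that would trip a signature-based firewall rule, and applies an ad-hoc signature. It assumes the MacPorts prefix `/opt/local` and the `codesign` output formats shown in the comments; the `classify_signature` parser runs on any host, the other functions need macOS.

```sh
#!/bin/sh
# Added example, not from the ticket. Assumes MacPorts prefix /opt/local
# and that `codesign` (macOS) prints its report on stderr.

# Classify the text of `codesign -dvv <bin>`; prints one of:
#   "unsigned", "adhoc", "signed:<first Authority line>", "unknown".
# Unsigned binaries report "code object is not signed at all"; ad-hoc
# signatures report "Signature=adhoc" and carry no Authority= line.
classify_signature() {
  info="$1"
  case "$info" in
    *"not signed at all"*) echo "unsigned" ;;
    *"Signature=adhoc"*)   echo "adhoc" ;;
    *"Authority="*)
      auth=$(printf '%s\n' "$info" | sed -n 's/^Authority=//p' | head -n 1)
      echo "signed:$auth" ;;
    *) echo "unknown" ;;
  esac
}

# Query one binary (macOS only) and classify it.
signature_status() {
  classify_signature "$(codesign -dvv "$1" 2>&1)"
}

# List executables in a directory (default: the MacPorts bin dir) whose
# signature state would make a per-host firewall refuse a signature rule.
audit_unsigned() {
  dir="${1:-/opt/local/bin}"
  for f in "$dir"/*; do
    [ -f "$f" ] && [ -x "$f" ] || continue
    status=$(signature_status "$f")
    case "$status" in unsigned|adhoc) echo "$status $f" ;; esac
  done
}

# Ad-hoc sign (identity "-"): binds firewall rules to this exact build but
# asserts nothing about who built it. A port upgrade replaces the file, so the
# signature has to be re-applied afterwards. Run as the file's owner (or sudo).
adhoc_sign() { codesign --force --sign - "$1"; }
```

`audit_unsigned` on a MacPorts prefix shows why the reporter saw the problem only for freshclam: any port binary is unsigned unless someone signed it locally.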

comment:4 Changed 6 years ago by pmetzger (Perry E. Metzger)

Regardless,

  1. Allowing particular binaries to make particular connections (like to fetch new virus definitions) seems fine, and if you want clamav to work you're going to have to allow that. Further, just because something is signed doesn't mean it can't do mischief. Indeed, executables with buffer overflows in them can be made to run entirely arbitrary Turing-equivalent programs. See, for example, this famous paper: https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf
  2. I don't think that MacPorts is going to sign things. I don't even think, given the model under which MacPorts works, with users downloading and building their own code, that we reasonably could do this. One does indeed need a paid Apple Dev account, and we can't reasonably require that all MacPorts users have one.

I think I'll be closing this.

comment:5 Changed 6 years ago by pmetzger (Perry E. Metzger)

Resolution: wontfix
Status: new → closed

comment:6 Changed 6 years ago by facelikeapig

Thanks for your advice, I will look into code signing freshclam.

comment:7 Changed 6 years ago by mf2k (Frank Schima)

Keywords: freshclam removed