Howdy,
Over the weekend I whipped up (and added a port for) 'certsync'; it's a small
tool that fetches all trusted certificates from the Mac OS X system keychain,
and then spits them out as an OpenSSL-readable PEM-encoded certificate bundle.
The goal was to provide a replacement for curl-ca-bundle with the following
benefits:
- Uses the CAs Apple provides -- that way MacPorts doesn't have to be
in the business of distributing CA certificates.
- Also includes any custom CAs that the user has added. This is the
case for many people who use internal CAs to sign certificates for their
corporate (or personal) services.
- Automatically updates (if the launchd item is loaded) when the System
Keychain(s) or trust settings are modified.
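As an added illustration of the mechanism described above (this is not certsync's own code, which uses the Security framework directly), the POSIX shell script below dumps the certificates from the system keychains with the macOS `security` command-line tool, writes them as a PEM bundle, and refuses to replace an existing bundle with an empty one, so a failed keychain read never leaves you without trust anchors. The keychain paths and the output path are constructed defaults and assumptions, not values taken from certsync; `security find-certificate -a -p` exports every certificate in a keychain, so unlike certsync it does not consult the trust settings to drop certs the user has marked untrusted.

```shell
#!/bin/sh
# Added example, not certsync: export keychain certificates to a PEM bundle.
# Assumes the macOS `security` CLI; keychain paths below are assumed defaults.
set -eu

# Keychains to read (assumed defaults; whitespace-free paths, split on spaces).
KEYCHAINS="/System/Library/Keychains/SystemRootCertificates.keychain /Library/Keychains/System.keychain"

# Count the certificates in a PEM bundle read from stdin.
# grep -c exits 1 when nothing matches but still prints 0, hence `|| true`.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Dump every certificate from each readable keychain as PEM to stdout.
export_keychain_certs() {
    for kc in $KEYCHAINS; do
        [ -r "$kc" ] || continue
        security find-certificate -a -p "$kc"
    done
}

# Build the bundle in a temp file and move it into place atomically, so a
# reader never sees a half-written file and an empty export never clobbers
# the previous good bundle.
write_bundle() {
    out="$1"
    tmp="$(mktemp "${out}.XXXXXX")"
    export_keychain_certs > "$tmp"
    n="$(count_pem_certs < "$tmp")"
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        echo "no certificates exported; keeping existing $out" >&2
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$out"
    echo "wrote $n certificates to $out"
}

# Usage: sh export-certs.sh /path/to/cacerts.pem  (path is a placeholder)
if [ "$#" -gt 0 ]; then
    write_bundle "$1"
fi
```

Pointing the output at ${prefix}/etc/openssl/cacerts.pem reproduces the conflict with curl-ca-bundle mentioned below, which is why the script takes the path as an argument rather than hard-coding it.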
There are a few gotchas that I could use input on, however:
- curl-ca-bundle currently lays claim to
${prefix}/etc/openssl/cacerts.pem. This conflicts with certsync, and there's no
way to have both installed at the same time.
- A small number of ports directly depend on curl-ca-bundle to ensure
that valid CA certificates are available.
- certsync can only keep the cert.pem file up-to-date if the launchd
item is enabled. Ideally that would be done by default, but that's not
currently supported.
Any thoughts on how to proceed?
I'm currently using certsync locally; to install, you'll have to:
sudo port -f deactivate curl-ca-bundle
sudo port install certsync
-landonf
_______________________________________________
macports-dev mailing list
[email protected]
https://lists.macosforge.org/mailman/listinfo/macports-dev