Howdy All --
certsync is tested and works on 10.6+, and is building successfully on all the
buildbots, and a MacPorts update has now shipped with support for auto-loading
certsync's startup item. I've been running certsync since May without any
noticed ill-effects.
I would like to propose that we move to using certsync by default, as a
replacement for curl-ca-bundle. To briefly rehash the benefits of certsync:
- Uses the CAs Apple provides -- that way MacPorts doesn't have to be
in the business of distributing CA certificates.
- Also includes any custom CAs that the user has added. This is the
case for many people who use internal CAs to sign certificates for their
corporate (or personal) services.
- Automatically updates when the System Keychain(s) or trust settings
are modified.
Thoughts?
-landonf
On May 13, 2013, at 21:39 , Landon Fuller <[email protected]> wrote:
> Howdy,
>
> Over the weekend I whipped up (and added a port for) 'certsync'; it's a small
> tool that fetches all trusted certificates from the Mac OS X system keychain,
> and then spits them out as OpenSSL-readable pem-encode certificate bundle.
>
> The goal was to provide a replacement for curl-ca-bundle with the following
> benefits:
> - Uses the CAs Apple provides -- that way MacPorts doesn't have to be
> in the business of distributing CA certificates.
> - Also includes any custom CAs that the user has added. This is the
> case for many people who use internal CAs to sign certificates for their
> corporate (or personal) services.
> - Automatically updates (if the launchd item is loaded) when the System
> Keychain(s) or trust settings are modified.
>
> There are a few gotchas that I could use input on, however:
> - curl-ca-bundle currently lays claim to
> ${prefix}/etc/openssl/cacerts.pem. This conflicts with certsync, and there's
> no way to have both installed at the same time.
> - A small number of ports directly depend on curl-ca-bundle to ensure
> that valid CA certificates are available.
> - certsync can only keep the cert.pem file up-to-date if the launchd
> item is enabled. Ideally that would be done by default, but that's not
> currently supported.
>
> Any thoughts on how to proceed?
>
> I'm currently using certsync locally; to install, you'll have to:
> sudo port -f deactivate curl-ca-bundle
> sudo port install certsync
>
> -landonf
> _______________________________________________
> macports-dev mailing list
> [email protected]
> https://lists.macosforge.org/mailman/listinfo/macports-dev
_______________________________________________
macports-dev mailing list
[email protected]
https://lists.macosforge.org/mailman/listinfo/macports-dev
